The Shopify Privacy Playbook
Whether you’ve just started your ecommerce store or you're already making millions, this playbook will help you build a trusted privacy experience.
Welcome to the Shopify Privacy Playbook!
Building brand trust is hard, but keeping it is even harder.
Whether you’ve just started your eCommerce store or are making millions in revenue, following data privacy best practices is vital to running a trusted online business of any size.
Why? Privacy laws like the EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and upcoming regulations such as Canada’s Consumer Privacy Protection Act (CPPA) require businesses to protect and handle their customers’ information with care.
Did we mention that these privacy laws are constantly changing? See what’s happening in the United States.
Buyers are more concerned about their data privacy than ever before. In a global study of more than 5,000 consumers, PwC discovered that 83% of them want more control over their data.
These terms and stats might make data privacy sound complicated, but it doesn’t have to be. In this playbook, we’ll break down the small business data privacy process into clear and simple steps, so you can proactively protect both your business and your customers.
Ready to take your customer privacy experience to the next level? Let’s go!
First things first—let’s look over your current privacy practices to find areas for improvement.
Update your policy pages
If the answer is when you first launched your store, then it's time for a review.
5 quick tips for better policy pages:
- Up-to-date and accurate
- Easy to find on your store website
- Formatted for easy readability (and accessibility)
- Available in the native languages your customers understand
- Representative of the regulations for your location and your customers’ locations
Small Store Example — LAC swim
What's working for LAC swim:
- Organized, accordion-style dropdowns which make it easy to read.
What's working for Skims:
- Privacy, terms, cookie and accessibility policies.
- CCPA request page with a form so customers can make data requests. (Get this feature free with the Enzuzo App)
- Unsubscribe page so customers can quickly opt-out of marketing communications.
Review third-party apps & tools
If you are one of the 87% of Shopify merchants that use third-party apps or themes for your eCommerce store, you'll need to check their privacy practices.
Your customers' personal information is scattered throughout the many tools and apps you've integrated with your store, which is why it's important to vet these platforms in advance to protect your customers' privacy and minimize risk.
Did you know the average Shopify store has 6 apps installed?
You should also delete any apps you're no longer using. Not only do they slow down your Shopify store, but they will continue to store your data, which might include personal information from your customers.
Below is an example of what information a third-party app could have access to after installation. In the example, Stamped.io would have access to order details, among other data, which includes your customers' personal information.
As a merchant, you see this screen right before you install a Shopify App, and by clicking the "Install App" button, you agree to the Shopify Terms of Service.
Best-in-class Shopify Apps should only request access to the information required for their app's features to function well, not everything. This isn't always the case, so we recommend that you don't skip this step: review the listed items before making a decision.
As you can see at the bottom of the example, within 48 hours of removing a Shopify App from your store, your customers' personal information will be erased from that app. If you want to confirm this, you can contact the third-party app directly and make a data request to guarantee completion.
Review sales channels & payment gateways
If you use an affiliate service or additional sales channels like Google or Facebook, look into their privacy practices to ensure they're in compliance with applicable laws. This principle also applies to payment gateways like Shopify Pay and PayPal.
Some sales channels also have data collection and privacy requirements for you to use their services. For example, Google Shopping ads have specific expectations for their users' data collection and use.
Shopify Sales Channels include:
- Buy Button
- Shopify Point of Sale
and more, available in the Shopify App Store.
When adding Sales Channels, the installation process is the same as it is for Apps. You will see a screen listing the data that the particular sales channel will have access to, as shown in the example below.
Strengthening your store’s privacy goes beyond security — it also improves the customer experience through enhanced data transparency and trust.
Follow these simple principles to promote a customer-friendly data privacy experience.
Clearly communicate marketing consent
Marketing and communications tools can help you stay top of mind for your customers, but not at the cost of their privacy rights.
When your customers consent to your cookies or marketing communications, they should have a clear idea of what they’re agreeing to and give their consent freely.
Design your opt-in forms, pop-ups, cookie bar and other ways that you gather consent with:
- Clear and specific messaging
- Compliance with global, national and local opt-in laws
- A breakdown of what your customer can expect to receive from opting-in
Tips from our friends from
Marketing consent is everything for a healthy, legally compliant marketing program. When it comes to email marketing, capturing consent sets the right expectations between brand and consumers.
This consent helps keep messages from being marked as spam, which ultimately impacts email deliverability for all subscribers. For SMS, it's a no-brainer. There may be no easier way to harm a customer relationship than by sending an unwanted SMS marketing message.
Example — Cookie Banner Opt-in
👉 Get a FREE Cookie Banner for your Shopify store today!
Example — Marketing Communications Opt-in
Mejuri's marketing communication opt-ins are by the book: they follow all of the best practices.
They have a two-step opt-in process for both Email and SMS. On each step of the form, they are very explicit in what the customer agrees to.
Not only do they link to Terms and Privacy, but they also include contact information like their address and email address.
If you're not capturing consent, you're never going to have a fully optimized, sustainable, and increasingly profitable marketing program.
Greg Zakowicz | Omnisend
Give customers more control over their data
Tools like Enzuzo have a data request form built into your privacy page, meaning you’ll never miss a request.
Once you set up a channel for customer privacy requests, consider creating a dedicated email address like email@example.com. This practice benefits both you and your customers — you’ll have quick access to data requests for easier inquiry management, and your customers will appreciate the faster turnaround times.
Once you have your customers' data, please treat it with the same respect you would like your own. Fast Company calls this practice "data etiquette."
Aka, don't spam your customers!
By collecting only the data your company needs and using it within the terms your customer agreed to, you can deliver a better customer experience, build trust, and stay compliant with upcoming data laws in advance.
Poor Steve just wanted a piece of furniture, not to be spammed for life. Please, brands, don't do this.
Now that you understand what you should do to follow best practices for eCommerce data privacy, how do you do it? It takes a team effort.
Establish a data privacy workflow
A team that prioritizes customer privacy is proactive. Set your team up for success with a workflow to follow, so they know how to handle situations like privacy requests or policy changes by answering these questions:
- How do we handle privacy questions or requests?
- How do we confirm that we’ve addressed a privacy question or request?
- How do we follow the timelines of all of the privacy laws we need to follow?
List the personal information you collect
A list of all of the information you collect from your visitors and customers will provide you with an easy reference for compliance updates and customer data requests. Include the data collected through these channels:
- Your store website
- Your third-party apps and themes
- Your sales channels
- Your payment gateways
We also recommend that you ask yourselves and document the following questions:
Designate a “data privacy officer”
Agree on a team member who will become the dedicated person responsible for data privacy compliance for your store. This “data privacy officer” should:
- Review data privacy regulations routinely
- Develop policies and processes to support new regulations
- Stay accountable to their duties with consequences if they neglect them
Have a data breach response plan
When you experience a data breach, you need to act fast. An established data breach response plan will provide the guidance you need to reduce the impact of a data breach and maintain customer trust in the aftermath. Signifyd recommends including these steps in an eCommerce data breach action plan:
- Confirm and investigate the breach
- Document all initial evidence of the breach
- Designate team members to investigate and monitor the breach
- Request outside help such as law enforcement when necessary
- Alert any customers whose data has been compromised
- Perform a post-mortem of the incident to find areas of improvement in your privacy practices
Create a data retention policy
Implement a policy that defines how long you should keep customer data in your system. Once that period ends, securely and permanently remove the data.
Data retention policies offer two advantages to eCommerce businesses. First of all, you won’t have to worry about your data monitoring needs increasing over time. Second, laws like the GDPR require you to keep data for no longer than you need it.
Keeping privacy top of mind to protect your business & stay compliant
Managing customer data privacy is an ongoing effort. After following the previous steps in this playbook, you need to continuously keep your business compliant and trustworthy with these healthy privacy habits.
Stay up-to-date on privacy laws
You must stay updated on relevant privacy laws to maintain a business that complies with them.
Easier said than done, right? Actually, it doesn’t have to be. Forbes suggests taking these actions to stay on top of privacy regulations:
- Creating Google Alerts for privacy laws that impact your store
- Staying in touch with a lawyer familiar with privacy laws (if you can afford it)
- Keeping up with industry publications like Infosecurity Magazine, SC Media, and IAPP
- Subscribing to the Enzuzo newsletter to get monthly information on privacy trends
Review your websites and policies at least every year
As you stay educated on your region’s privacy laws, remember to compare them to your current privacy habits on at least a yearly basis. You should also keep an eye out for privacy updates to your third-party channels, such as plug-ins, payment gateways and sales channels.
Pro Tip: Add a Google Calendar Event for an Internal Privacy Audit to remind yourself or the team.
Give privacy updates to your customers
Whenever you change your privacy policies or practices, your customers should be some of the first people to know. After updating your store’s privacy, notify your customers through the channels they’ve opted into.
Software companies, like Figma in the example below, update their customers all the time when they make significant privacy or terms changes, so why not your brand?
As our Enzuzo team member, Chris, nicely put it. Not only is it the right thing to do, but it also helps differentiate your store from the competition.
You'll build stronger and more memorable customer relationships and experiences. Don't see it as a chore, but as an opportunity to continue strengthening brand trust.
All of the points we discussed in this playbook come back to a single concept: Make data privacy a priority in your business. Like your products, operations, and marketing activities, data privacy is a critical element of your eCommerce store.
Plus, just as those priorities have tools available to make their upkeep easier, so does privacy. A privacy platform like Enzuzo has powerful features to help small businesses manage everything related to their privacy experience. With everything in one tool, you can streamline your privacy measures to provide a better experience for your team and your customers.