Privacy Policy Updates & GDPR Compliance

May 25, 2018

Details:

Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.
Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
Prepared a whitepaper to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.

Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.

Updated App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.

Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.

In addition to the preparations listed above, Shopify will also roll out the following features before May 25:

Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.
More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.