Protected customer data
Starting with API version 2022-10, we’re introducing updated requirements for apps that use customer data. We're publishing our updated protected customer data requirements before the release of API version 2022-10 to help Partners prepare; existing apps have until July 1, 2023 to migrate to API version 2022-10.
Privacy and data protection are critical foundations for ecommerce and are important to merchants and their customers. The protected customer data requirements focus on data minimization, transparency, and security so that Partners can better support merchants' path towards compliance with privacy and data protection rules.
As of version 2022-10 of the Admin API, published, public apps must meet the protected customer data requirements. When your app uses API version 2022-10 or later, the review process for your public, published app might require action as described in the following table:
| Data use | Partner actions |
|---|---|
| No protected customer data | No action required |
| Only protected customer data | |
| Protected customer data with protected customer fields | |
Shopify will approve your app to use protected customer data if the requested data is the minimum needed by your app to provide the merchant with the app functionality. If you're approved for all the data access that you requested, then no code updates are required. If you're not approved for the data access you requested, then you might need to update your app to handle errors or redacted data. For more information, refer to the example API requests for protected customer data.
While we encourage all apps to meet protected customer data requirements, the requirements aren't mandatory for the following apps:
- Unpublished testing apps or apps that are installed only on development stores
- Custom apps
The following table provides our roadmap for implementing API version 2022-10 and the protected customer data requirements:
| Date | Milestone |
|---|---|
| June 22, 2022 | Announcement of protected customer data requirements. |
| June–August 2022 | APIs and reference docs for resources that contain protected customer data are published to the unstable version. |
| October 1, 2022 | API version 2022-10 is released. Apps that use API version 2022-10 must meet the protected customer data requirements. The Partner Dashboard is updated to enable configuration of apps and requests for access to protected customer data. |
| April 2, 2023 | New apps must use API version 2022-10 or later and meet the protected customer data requirements. |
| July 1, 2023 | All apps must use API version 2022-10 or later and meet the protected customer data requirements. Admin API version 2022-10 is the minimum supported version. |
Request protected customer data
As of API version 2022-10, you'll need to request access to and be approved to use protected customer data before it can be used on any store that isn't a development store. Starting October 1, 2022, you'll be able to use the Partner Dashboard to configure your app to request access to protected customer data and fields.
Protected customer data includes any data that relates directly to a customer or prospective customer, as represented in the API resources. Resources that don't refer to a single customer are not included, such as the product, theme, or inventory resources.
The following image provides a preview of what configuring protected customer data might look like.
Protected customer data API resources
The following table summarizes the API resources that are considered protected customer data. In August 2022, we'll publish updated API reference docs for the REST Admin API and the GraphQL Admin API that indicate if a resource is protected customer data.
| API resources | Protected customer data |
|---|---|
| Customers | Data that defines facts about a single customer, including name, address, email and phone number. |
| Checkout | Shipping rates that are related to a single order, which relates to a single customer. |
| Events and Webhooks | Events that relate to a single customer. |
| Orders | Orders, draft orders, abandoned checkouts, refunds, transactions, and other resources that relate to a single customer. |
| Sales channels | Checkout and payments that relate to an order by a single customer. |
| Shipping and fulfillment | Shipping and fulfillment data that relate to orders by a single customer. |
| Tender Transaction | Transactions that relate to a single customer. |
| Online Store | Comments on a store that contain data about the commenter. |
| Plus | Gift cards that are used by a single customer. |
| Metafield | Metafields that contain facts about an order or a single customer. |
Protected customer fields
Protected customer fields require individual configuration and approval, in addition to approval for protected customer data. When approved, these fields will appear in the protected customer API resources as usual. For example, if your app is approved for access to protected customer data and only the protected field name fields will be redacted in API responses.
The following fields are protected customer fields:
- Name: first and last names
- Address: both billing and shipping addresses, including geolocation
Using protected customer data
After approval for protected customer data access, API requests and webhooks containing protected resources behave normally. Responses will include only approved fields, and unapproved fields will be redacted.
API requests to unapproved resources will return an HTTP 403 Forbidden reply.
Example API requests for protected customer data
The following examples show API requests and responses for an app that is approved to access protected customer data and the name protected customer fields. In this scenario, the address fields are redacted from the REST and GraphQL replies. The GraphQL reply also includes an errors message with an explanation of redacted fields.
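The following is an added illustration, not one of the page's own example requests, of how an app in that scenario can handle the two outcomes the page describes: a redacted field in a GraphQL reply and a 403 on an unapproved resource. The reply payload, the error wording, and the approved-field list are constructed assumptions for this example; only the HTTP 403 and the presence of a GraphQL `errors` entry come from the page.

```python
import json

# Constructed sample reply (not Shopify's real payload shape) for an app approved for
# protected customer data and the `name` field but not `address`. The assumed server
# nulls the unapproved field and explains the redaction under `errors`.
SAMPLE_GRAPHQL_REPLY = json.dumps({
    "data": {"customer": {"id": "gid://shopify/Customer/1", "firstName": "Ada",
                          "lastName": "Lovelace", "email": "ada@example.com",
                          "defaultAddress": None}},
    "errors": [{"message": "Field redacted: app is not approved for protected customer field address",
                "path": ["customer", "defaultAddress"]}],
})

# Fields this app was approved for (assumed). Address fields are deliberately absent so the
# query itself practises data minimization instead of relying on server-side redaction.
APPROVED_FIELDS = ("id", "firstName", "lastName", "email")

def build_customer_query(customer_gid: str, wanted: tuple) -> tuple:
    """Return (query, dropped): a GraphQL query limited to approved fields, plus the
    wanted-but-unapproved fields so the caller can log that they were never requested."""
    fields = [f for f in wanted if f in APPROVED_FIELDS]
    dropped = [f for f in wanted if f not in APPROVED_FIELDS]
    query = '{ customer(id: "%s") { %s } }' % (customer_gid, " ".join(fields))
    return query, dropped

def parse_protected_reply(status: int, body: str) -> dict:
    """Turn an Admin API reply into {approved, data, redacted}.
    HTTP 403 means the whole resource is unapproved: fail closed and do not retry.
    Paths named in errors[].path are recorded as redacted so later code treats a
    null there as 'not permitted', never as 'this customer has no address'."""
    if status == 403:
        return {"approved": False, "data": {}, "redacted": []}
    reply = json.loads(body)
    redacted = [".".join(str(p) for p in err.get("path", [])) for err in reply.get("errors", [])]
    return {"approved": True, "data": reply.get("data") or {}, "redacted": redacted}

def customer_view(result: dict) -> dict:
    """Build the record the app keeps: redacted paths become an explicit marker rather
    than a null that could be persisted or back-filled from another source."""
    customer = dict(result["data"].get("customer", {}))
    for path in result["redacted"]:
        field = path.split(".")[-1]
        if field in customer:
            customer[field] = "<redacted>"
    return customer
```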
REST request
GraphQL request with approved fields
GraphQL request with unapproved fields
Protected customer data requirements
To help apps safely process protected customer data, we require you to implement the following data protection requirements in your development practices and in your apps. Protected customer data requirements reflect the minimum acceptable handling of protected customer data. You'll need to attest to these requirements annually by completing the data protection details for each app in your Partner Dashboard.
Partners using only protected customer data must meet the requirements numbered 1 through 8 below.
Partners using protected customer data and protected customer fields must meet all of the requirements below.
Protected customer data requirements:
1. Inform merchants what personal data you process and your purposes for processing it. You must tell merchants and Shopify if you change your purposes for processing personal data.
2. Limit your processing of personal data to the stated purposes.
3. Where applicable, respect and apply customer consent decisions.
4. Where applicable, respect and apply customer decisions to opt-out of any data sharing classified as a ‘data sale’ or similar concept under applicable laws or regulations.
5. If you use personal data for automated decision-making and those decisions may have legal or significant effects, then you allow customers to opt-out.
6. Make privacy and data protection agreements with your merchants.
7. Apply retention periods to make sure that personal data isn’t kept for longer than needed.
8. Encrypt data at rest and in transit.
Protected customer field requirements:
9. Encrypt your data backups.
10. Keep test and production data separate.
11. Have a data loss prevention strategy.
12. Limit staff access to protected customer data.
13. Require strong passwords for staff accounts. Strong password requirements include minimum character counts and a mixture of numbers, letters, and special characters.
14. Keep a log of access to protected customer data.
15. Implement a security incident response policy.
Data protection review
To help our Partners meet the protected customer data requirements, we might ask for a detailed review of your practices. During this review, you'll need to provide evidence that your app and your practices meet the protected customer data requirements. If we select your app for a data protection review, then we'll contact you with instructions on how to proceed. Data protection reviews can occur after you've implemented the protected customer data requirements.
While any app might be selected, data protection reviews will likely focus on apps that have:
- High number of merchant installs
- High volume of customer records
- More protected customer fields approved
- Long retention of personal data