Data and user privacy under GDPR
Please note that GDPR is extremely complicated (the law is almost 90 pages long), and will apply differently to different apps. If you have any concerns, then we strongly recommend talking with a lawyer about how GDPR specifically applies to you.
This document is not intended to provide you with legal advice. It is intended to provide you with information about changes that Shopify is making in the Shopify App Store to help merchants prepare for GDPR, and to help you start to think about your data practices in the way that GDPR requires.
App privacy policies
In particular, we recommend that you include:
- What information do you collect through Shopify’s APIs?
- What information do you collect directly from the merchant? For example, do you ask them for contact details? Do you generate automated logs relating to their use of your app?
- What information do you collect directly from merchants’ customers? For example, do you drop cookies or use other tracking technologies on their devices? Do you log information relating to how customers visit or navigate particular stores?
- How do you use the information you collect? Do you use this information for any purposes aside from providing your app’s services?
- For how long do you store or retain the data you collect?
- Are you established in Europe? Are you storing or processing information outside of Europe?
- How can merchants contact you if they have additional questions (note that some jurisdictions require that you include a physical address as well)?
If you have any concerns about how best to describe your app’s data practices beyond what’s listed above, then we recommend consulting with a lawyer about your specific needs.
Data rights of individuals
In several jurisdictions, individuals have certain right to how their data is collected, stored, and used. To make sure your app is operating in an ethical and legal matter, it is crucial to consider the following:
- Under GDPR, European residents have individual rights to access, correct, erase, and restrict how their data is processed. It is therefore important to have a process for how to receive and respond to these requests.
- GDPR also imposes restrictions on transferring data about Europeans outside of Europe, except under certain circumstances. For example, GDPR recognizes that the privacy laws of certain countries might protect information enough to permit transfers, that companies might contractually require recipients of data to protect information, or that companies might publicly commit to protect information in accordance with certain codes of conduct or negotiated agreements (such as the EU-U.S. Privacy Shield Framework).
- If you are transferring data of European residents outside of Europe, then you should consider whether you are doing so in accordance with GDPR.
- If you are processing personal data at scale, then GDPR requires you to have a Data Protection Officer (“DPO”) to advise the company on GDPR compliance.
- You should consider whether you are required to have one, and if you are, whether you want to appoint one internally or if you want to use an outside consultant or firm. Note that there are certain requirements in order to be a DPO, and it is not just the matter of a title.
If you think that any of these restrictions apply to your app, or if you have concerns about how GDPR affects how you currently process and store personal data, then we suggest you consult with a lawyer.
GDPR for marketing apps
If your app provides marketing or advertising related services, then you will need to consider how GDPR applies to you. GDPR imposes a new set of requirements regarding how companies use data for marketing or advertising purposes. How it applies to you will depend on exactly how your app uses data, but you will need to consider the following:
- Whether you need to obtain consent in order to provide your service, and if so, how you would do so (keeping in mind that GDPR has a heightened standard for consent).
- If you are using interest-based segments or inferences to target ads or marketing, whether those segments or inferences use "sensitive data" as defined in GDPR.
- Whether you are engaged in "profiling" or "automated decision-making", which have additional regulatory obligations under GDPR.