Data and user privacy under GDPR
With the General Data Protection Regulations (GDPR) in effect as of May 25, 2018, it is crucial for any developer who works with European merchants, or works with merchants who have European customers, to disclose all data collection and usage through a privacy policy. GDPR clarifies and imposes new obligations on any party that collects, stores, or processes personal data of individuals located in Europe.
We've discussed GDPR in our blog, and how it affects Shopify and our merchants. But GDPR also probably affects most of the developers who are developing Shopify apps.
We want to make sure that you're setting yourself up for GDPR compliance by carefully considering what, if any, personal data your app requires, by subscribing to the mandatory GDPR webhooks, and by creating a privacy policy if required.
The GDPR law is complex, and will apply differently to different apps. If you have any concerns, then we strongly recommend consulting a lawyer about how GDPR specifically applies to you.
This document isn't intended to provide you with legal advice. It's intended to provide you with information about changes that Shopify is making in the Shopify App Store to help merchants prepare for GDPR, and to help you start to think about your data practices in the way that GDPR requires.
App privacy policies
Anchor link to section titled "App privacy policies"To help with GDPR compliance, or to gain merchant trust through clarifying exactly how merchant and buyer data is being used, you must provide a privacy policy and link to it from your Shopify App Store listing. These requirements are the same for both listed and unlisted apps.
One of the things that GDPR requires is for businesses, including app businesses, to provide their customers and users with very specific information about how their app or product collects and uses personal information.
In particular, we recommend that you include the following details in your app privacy policy:
- What information do you collect through Shopify’s APIs?
- What information do you collect directly from the merchant? For example, do you ask them for contact details? Do you generate automated logs relating to their use of your app?
- What information do you collect directly from merchants’ customers? For example, do you drop cookies or use other tracking technologies on their devices? Do you log information relating to how customers visit or navigate particular stores?
- How do you use the information you collect? Do you use this information for any purposes aside from providing your app’s services?
- For how long do you store or retain the data you collect?
- Are you established in Europe? Are you storing or processing information outside of Europe?
- How can merchants contact you if they have additional questions? Note that some jurisdictions require that you also include a physical address.
If you have any concerns about how best to describe your app’s data practices beyond what’s listed above, then we recommend consulting with a lawyer about your specific needs.
Data rights of individuals
Anchor link to section titled "Data rights of individuals"In several jurisdictions, individuals have certain rights to how their data is collected, stored, and used. To make sure your app is operating in an ethical and legal matter, it's crucial to consider the following:
- Under GDPR, European residents have individual rights to access, correct, erase, and restrict how their data is processed. It's therefore important to have a process for how to receive and respond to these requests.
- GDPR also imposes restrictions on transferring data about Europeans outside of Europe, except under certain circumstances. For example, GDPR recognizes that the privacy laws of certain countries might protect information enough to permit transfers, that companies might contractually require recipients of data to protect information, or that companies might publicly commit to protect information in accordance with certain codes of conduct or negotiated agreements, such as the EU-U.S. Privacy Shield Framework.
- If you're transferring data of European residents outside of Europe, then you should only do so in accordance with GDPR.
- If you're processing personal data at scale, then GDPR requires you to have a Data Protection Officer (“DPO”) to advise the company on GDPR compliance.
- You should consider whether you're required to have one, and if you're, whether you want to appoint one internally or if you want to use an outside consultant or firm. Note that there are certain requirements in order to be a DPO, and it's not just the matter of a title.
If you think that any of these restrictions apply to your app, or if you have concerns about how GDPR affects how you currently process and store personal data, then we suggest you consult with a lawyer.
GDPR for marketing apps
Anchor link to section titled "GDPR for marketing apps"If your app provides marketing or advertising related services, then you'll need to consider how GDPR applies to you. GDPR imposes a new set of requirements regarding how companies use data for marketing or advertising purposes. How it applies to you will depend on exactly how your app uses data, but you'll need to consider the following:
- Whether you need to obtain consent in order to provide your service and how you'll obtain that consent. Note that GDPR has a heightened standard for consent.
- If you're using interest-based segments or inferences to target ads or marketing, whether those segments or inferences use "sensitive data" as defined in GDPR.
- Whether you're engaged in "profiling" or "automated decision-making", which have additional regulatory obligations under GDPR.