Protected customer data

Shopify is introducing updated requirements for apps that use customer data. As of version 2022-10 of the Admin API, published, public apps must meet the protected customer data requirements. Existing apps have until August 15, 2023 to migrate to API version 2022-10.

Privacy and data protection are critical foundations for ecommerce and are important to merchants and their customers. The protected customer data requirements focus on data minimization, transparency, and security so that you can better support a merchant's path towards compliance with privacy and data protection rules.

When your app uses API version 2022-10 or later, the review process for your public, published app might require action as described in the following table:

Level Data use Partner actions
0 No customer data No action required
1 Customer data excluding name, address, phone, and email fields
2 Customer data including name, address, phone, or email fields

Shopify will approve your app to use protected customer data if the requested data is the minimum amount required by your app to provide the merchant with the app functionality. If you're approved to access the data that you requested, then code updates aren't required. If you aren't approved to access the data that you requested, then you might need to update your app to handle errors or redacted data. For more information, refer to the example API requests for protected customer data.

While we encourage all apps to meet protected customer data requirements, the requirements aren't mandatory for the following apps:

  • Custom apps
  • Apps that are installed only on development stores

To access customer data in development, select the data and fields you're using in the Partner Dashboard. You don't need to submit a request for review for apps that are installed only on development stores.