Shopify handles your payments and hosting — but when it comes to GDPR, compliance is your responsibility, not theirs.
The Shopify GDPR Misconception
Here's the mistake most Shopify store owners make: they assume that because they're on Shopify — a big, reputable, well-resourced platform — GDPR compliance is handled for them. It isn't.
Under GDPR, there are two distinct roles. A data processor processes personal data on behalf of someone else. A data controller decides why and how personal data is collected and used. Shopify is your data processor. You — the store owner — are the data controller.
That distinction matters enormously. As the data controller, you are legally responsible for:
- Deciding what data you collect and why
- Ensuring you have a valid legal basis for each type of processing
- Getting proper consent before any non-essential tracking fires
- Maintaining an accurate privacy policy
- Responding to customer data requests within regulatory deadlines
- Ensuring every app and integration on your store has appropriate data protections in place
Being on Shopify does not make you GDPR compliant. It just means Shopify handles the infrastructure. Everything above is still on you.
What Shopify Does Handle
Credit where it's due. Shopify has done real work on privacy compliance, and understanding what they cover helps you focus on the gaps that remain.
Data Processing Agreement (DPA): Shopify offers a DPA that covers their role as your data processor. This is a legal requirement under GDPR. You should have this in place — it's available through Shopify's legal documentation.
Standard Contractual Clauses (SCCs) for EU data transfers: Shopify uses SCCs to legitimize data transfers from the EU to its US-based infrastructure. This covers the transfer mechanism for data that flows through Shopify's own systems.
GDPR-ready checkout: Shopify's checkout includes basic data collection disclosures and links to your store's privacy policy and terms. The checkout flow is designed to meet baseline GDPR requirements for transaction-related data collection.
Customer data export and deletion tools: In your Shopify admin, you can export a customer's personal data and submit deletion requests. Go to Customers → select the customer profile → Actions to find these options. This is the foundation for handling Data Subject Access Requests (DSARs) from the Shopify side.
These are genuine features. But they're the floor, not the ceiling.
What Shopify Doesn't Handle (and You Must)
This is where most Shopify stores have real exposure. Everything below is your responsibility.
Third-party apps that install trackers
Every app you add to your Shopify store potentially installs JavaScript, sets cookies, and sends customer data to external servers. Facebook Pixel, Google Ads, Klaviyo, Hotjar, TikTok Pixel, ReCharge, Gorgias, Yotpo — these are all third-party processors that handle your customers' personal data. Shopify does not manage the consent, disclosure, or data processing agreements for any of them.
Most Shopify stores have between 15 and 30 active trackers when you scan them — many of which the owner has forgotten about or didn't know were running.
Cookie consent before any tracking fires
GDPR requires that non-essential cookies and tracking scripts do not fire until a visitor has actively consented. That means Facebook Pixel, Google Ads, Hotjar recordings, and any analytics tools need to be blocked by default and only load after explicit consent.
Shopify does not handle this for you. If your Pixel fires the moment someone lands on your store, you're not compliant — regardless of what banner you show afterward.
Your privacy policy
You are required to maintain a privacy policy that names every data processor handling your customers' personal data. Shopify's template is a starting point, but it doesn't know which apps you've installed. If you use Klaviyo for email, ReCharge for subscriptions, Gorgias for support, and Stripe for payments, all of those services need to be named in your privacy policy with a description of what data they receive and why.
DSAR handling for all your systems
A customer from the EU or California can request all the data you hold on them and ask you to delete it. Shopify's admin tools help with data stored in Shopify itself — but Klaviyo holds their email history. Your CRM holds their support tickets. ReCharge holds their subscription data. A proper DSAR response covers all of it.
Marketing consent
Under GDPR, email marketing requires explicit opt-in consent. Pre-checked boxes don't count. "By placing your order, you agree to receive marketing" doesn't count either. Customers must actively and unambiguously agree to receive marketing emails, separate from completing their purchase.
Step 1 — Find Out What's Actually on Your Store
Before you change anything, you need a complete picture of what your store is actually doing with visitor data.
The fastest way to get that picture is to run a free scan at app.custodia-privacy.com/scan. The scanner loads your store the way a real visitor would — it doesn't just inspect your app list, it captures every cookie, tracking pixel, third-party connection, and script that fires on page load. Most Shopify store owners find things they didn't know were there.
The scan takes about 60 seconds and gives you a clear list of what needs to be addressed before you go further.
Step 2 — Add a Proper Cookie Consent Banner
Your cookie consent banner is not just a notice. It's a gate. Non-essential tracking scripts must not fire until after a visitor actively clicks "Accept." If your current setup shows a banner but still loads Facebook Pixel and Google Ads immediately on page load, the banner isn't doing its job.
Shopify's native cookie banner is basic. It can display a notice, but it doesn't block third-party scripts before consent. For genuine GDPR compliance — where nothing loads until consent is given — you need a more capable solution.
Your options:
- Custodia ($29/mo): Full-stack compliance — consent management that actually blocks scripts, a privacy policy generated from a real scan of your store, and DSAR handling. Everything in one place.
- Third-party CMPs: Tools like CookieYes, Cookiebot, or Usercentrics can handle consent management on Shopify, though you'll still need to handle your privacy policy and DSARs separately.
- Shopify App Store options: Several consent apps are available, but quality varies significantly. Check that the app you choose genuinely blocks scripts before consent, not just shows a banner.
Whatever you choose, verify that it integrates properly with Google Consent Mode v2 if you run Google Ads or use Google Analytics.
Step 3 — Fix Your Privacy Policy
Shopify gives every new store a privacy policy template. It's better than nothing. But a template doesn't know which apps you've installed, which marketing tools you use, or which payment processors handle your transactions.
Your privacy policy needs to name every service that handles your customers' personal data. For a typical Shopify store, that list might include:
- Shopify — hosting, checkout, order management
- Stripe or Shopify Payments — payment processing
- Klaviyo or Mailchimp — email marketing
- ReCharge — subscription billing
- Gorgias or Zendesk — customer support
- Facebook/Meta — advertising pixels
- Google — Analytics, Ads, or both
- Hotjar — session recordings and heatmaps
- Yotpo or Okendo — reviews
For each processor, your policy should describe what data they receive, why, and where to find their own privacy policy. This list changes every time you add or remove an app — which is why a policy generated from an actual scan of your store is more reliable than a static template.
Step 4 — Handle Marketing Consent Properly
GDPR is unambiguous on email marketing: you need explicit, informed, freely given consent. That means:
- The opt-in checkbox cannot be pre-checked. The customer must actively tick it.
- Consent cannot be bundled with terms of service acceptance. "By placing an order, you agree to receive marketing emails" is not valid consent.
- The purpose must be clear. "Subscribe to our newsletter" is more honest than burying email consent in checkout fine print.
What to check in Klaviyo:
Go to your Klaviyo account → Lists & Segments → your main list → Settings. Make sure "Double opt-in" is enabled for EU subscribers. Also verify your signup forms aren't using pre-checked marketing consent boxes.
What to check in Mailchimp:
In your Mailchimp settings → Account → Compliance. Review how you're capturing consent and ensure EU contacts are flagged and opted in properly.
If you've been collecting email subscribers without explicit GDPR-compliant consent, you may need to run a re-permission campaign before continuing to market to EU contacts.
Step 5 — Set Up DSAR Handling
EU customers have the right to request all personal data you hold on them, and California customers have similar rights under CCPA. Under GDPR, you have 30 days to respond. Under CCPA, 45 days.
What Shopify provides:
In your Shopify admin, navigate to Customers → select the customer → Actions. You'll find options to export customer data (generates a CSV of everything Shopify holds) and to request deletion. This covers data stored within Shopify's systems.
What Shopify doesn't cover:
A complete DSAR response needs to include data from every system that holds the customer's information. That means:
- Klaviyo — email history, open/click data, subscriber profile
- Gorgias or Zendesk — support tickets and conversation history
- ReCharge — subscription records
- Hotjar — session recordings (these must be deleted on request)
- Any CRM or other tool in your stack
You'll need to search each system manually, compile the results, and respond to the customer — all within the regulatory deadline. Setting up a simple tracking spreadsheet (or using a tool like Custodia that handles intake, deadline tracking, and audit records) makes this manageable at scale.
The Fastest Way to Get Your Shopify Store Compliant
Doing all of this manually is genuinely time-consuming. Scanning every app, writing an accurate privacy policy, configuring consent blocking, setting up a DSAR intake process — it adds up. And then you have to repeat it every time you add a new app or run a new campaign.
The practical path for most Shopify store owners:
- Run a free scan at app.custodia-privacy.com/scan to see exactly what's running on your store right now. It takes 60 seconds and costs nothing.
- Use Custodia's full compliance stack to handle the rest: a consent banner that actually blocks scripts, a privacy policy generated from your scan, and DSAR handling with deadline tracking built in. Plans start at $29/month — less than the cost of a single hour of privacy legal advice.
GDPR fines for e-commerce violations are real, and supervisory authorities across the EU have been increasingly active in pursuing complaints. Getting your store compliant isn't just about avoiding risk — it's also about building the kind of trust that makes EU customers comfortable buying from you.
Start with the scan. See what's actually there. Then fix it.
Last updated: March 2026
Top comments (1)
Great practical breakdown of GDPR compliance for e-commerce. One aspect that's often missed in compliance audits is browser-level tracking beyond cookies.
Most privacy tools and consent banners focus on cookie consent, but overlook browser fingerprinting: canvas hash, WebGL renderer, AudioContext signatures, and installed fonts. These signals persist even after users clear cookies and decline tracking — which can create GDPR violations even when you think you're compliant.
For multi-brand Shopify setups especially: if different storefronts share the same analytics session or device fingerprint, you're potentially correlating user data across legal entities without explicit consent.
Practical addition to any compliance checklist: audit whether your pixels are collecting fingerprint data, not just cookie data. Tools like BrowserLeaks can help test what signals your storefront is leaking.