GDPR for Shopify Stores: How to Collect Consent, Handle DSARs, and Govern Apps

Altin Gjoni

Content Strategist

Shopify GDPR Compliance

The goal of this article is to translate Shopify GDPR requirements into repeatable store processes and clear the clutter of continuously updated regulations.

You will get free templates and learn how to collect consent, handle data requests, delete data safely, and avoid legal backlash.

The basics: GDPR compliance for Shopify

The General Data Protection Regulation (GDPR) is the European Union's privacy and security law, adopted on May 25, 2018, to protect the personal data of EU citizens. The law covers far more than the 'consent & cookies' notice that most merchants are used to seeing.

It is generally considered the toughest privacy law in the world. That reputation brings confusion among eCommerce merchants, complex procedures, and headline fines, such as the 2023 1.2 billion-euro fine against Facebook.

Does GDPR affect US-based stores?

Yes, if your store targets or collects data from individuals in the EU/EEA, regardless of your location, so ensure your processes account for this.

What fines are we realistically expecting?

As per the rules, companies found in violation of any GDPR regulations could face penalties of up to EUR 20 million or 4% of their annual revenue. The news only covers big companies and bloated fines, but the risk is there for any store.

How are Shopify merchants considered by this law?

  • You, the merchant, are the data controller, responsible for the data you collect, share, and use, fostering trust and accountability in your compliance journey.
  • Shopify and third-party apps (let's say an email app) are data processors. They only process the data you give them, but don't collect it directly.
  • One step below are subprocessors, such as the hosting platform your email app uses. Likewise, they only process parts of the data you collect.

What does GDPR indicate merchants should do?

If you process data (which you are if you run any eCommerce activity), you must do so in accordance with the seven principles of protection and accountability outlined in Article 5.1-2 of the GDPR.

Staying GDPR compliant in Shopify

Now that the basics are clear, let's translate the above criteria into actionable steps you can take for your store.

Step 0: Map your data and vendors

First, you need to create a simple data map with what you are collecting, where it lives, and who can access it. At the end, you should have:

  • A list of every system that touches customer/order data
  • The data types each system stores
  • An owner for each system
  • A risk rating, so you know what to review most often
  • A link to the contract/DPA (for higher-risk vendors)

You can check the data that every app can access from the admin dashboard.

There’s no single button that maps everything; the closest you can get to automation is using a ready-made toolkit to organize your mapping.

This toolkit helps you map where personal data lives across Shopify and your connected apps/vendors so that you can respond to DSAR (data access) and deletion requests quickly and consistently.

Download our Shopify GDPR Data Map Toolkit Worksheet

Step 1: Collect consent

Correctly handling consent in your Shopify store means collecting or activating non-essential tracking only when you're allowed to, and being able to prove what the customer chose.

There are two major types of consent you collect from your customers: cookie consent and marketing consent.

Cookies

As a merchant, you need to obtain permission to place/read non-essential cookies and run tracking. We are all familiar with cookie banners and the policies that accompany them. The main conditions are:

  • Give a clear choice to the visitor: accept, reject, or manage cookies
  • Granular categories (at minimum): necessary, analytics, marketing
  • No tracking before consent where required (especially ads/remarketing)
  • Make cookie consent easy to change later
  • Record the choice in a consent log.
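The five conditions above turned into a minimal consent gate, added here as an example and not code from the article or from Shopify: scripts in the 'necessary' category run unconditionally, analytics and marketing scripts are loaded only for the categories the visitor accepted, and every choice, including a later withdrawal, is appended to a timestamped log that records the banner version. The script registry, the hostnames, the visitor id and the injected loader function are assumptions; in a theme the loader would insert the script tag and the log would be shipped to your consent tool.

```javascript
'use strict';

// Added example, not Shopify's or the article's code. Categories follow the
// article's minimum set; the registry below is constructed for the example.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Hypothetical script registry: every third-party script the storefront may
// load, tagged with the category that must be consented to first.
const SCRIPT_REGISTRY = [
  { id: 'cart-session', category: 'necessary', src: 'https://example-shop.test/cart.js' },
  { id: 'web-analytics', category: 'analytics', src: 'https://analytics.example.test/tag.js' },
  { id: 'ads-pixel', category: 'marketing', src: 'https://ads.example.test/pixel.js' },
];

class ConsentGate {
  // loader(script) is injected so the gate can run outside a browser; a theme
  // would create a <script src=...> element here.
  constructor({ registry = SCRIPT_REGISTRY, loader, now = () => new Date(), bannerVersion = 'v1' } = {}) {
    this.registry = registry;
    this.loader = loader || (() => {});
    this.now = now;
    this.bannerVersion = bannerVersion;
    this.loaded = new Set();
    this.log = [];      // append-only consent log: the "receipt" you export when challenged
    this.state = null;  // null until the visitor has made a choice
  }

  // Page load, before any choice: only 'necessary' scripts may run.
  boot() {
    this._loadAllowed();
  }

  // Record a choice ({analytics: bool, marketing: bool}); 'necessary' is always on.
  // Every call appends a log entry, so changes of mind are proven by the timeline.
  record(choice, { method = 'banner', visitorId = null } = {}) {
    const state = { necessary: true, analytics: !!choice.analytics, marketing: !!choice.marketing };
    this.state = state;
    this.log.push({
      ts: this.now().toISOString(),
      visitorId,
      bannerVersion: this.bannerVersion,
      method,                 // 'banner' | 'preferences' | 'withdraw'
      categories: { ...state },
    });
    this._loadAllowed();
    return { ...state };
  }

  // Withdrawal: stop any further non-essential loads and log the event.
  withdraw(opts = {}) {
    return this.record({ analytics: false, marketing: false }, { ...opts, method: 'withdraw' });
  }

  isAllowed(category) {
    if (category === 'necessary') return true;
    return !!(this.state && this.state[category]);
  }

  _loadAllowed() {
    for (const s of this.registry) {
      if (this.loaded.has(s.id)) continue;        // a script that already ran cannot be unloaded
      if (!CATEGORIES.includes(s.category)) continue;
      if (this.isAllowed(s.category)) {
        this.loader(s);
        this.loaded.add(s.id);
      }
    }
  }

  // Export a copy of the log for a DSAR response or a regulator.
  exportLog() {
    return this.log.map(e => ({ ...e, categories: { ...e.categories } }));
  }
}

// Stand-alone demo run with a recording loader instead of real script tags.
const demoLoaded = [];
const demoGate = new ConsentGate({ loader: s => demoLoaded.push(s.id) });
demoGate.boot();                                          // only cart-session
demoGate.record({ analytics: true, marketing: false }, { visitorId: 'demo-visitor' });
demoGate.withdraw({ visitorId: 'demo-visitor' });
console.log(demoLoaded, demoGate.exportLog());
```

A script that has already executed cannot be un-run, so on withdrawal the gate only blocks further loads and writes the log entry; the next page load then starts from the withdrawn state. The same log is what the FAQ on proving consent later in this article calls a receipt.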

You can edit the cookie banner directly from the Shopify admin, or rely on third parties.

Where does consent usually break in Shopify?

It is rarely the initial setup that breaks consent. Typically, the damage comes from overlapping work done over time or from conflicting code/apps:

  • Pixels/scripts added directly in theme code
  • Tag Manager containers
  • Marketing apps that inject scripts
  • Old "just paste this snippet" installs from agencies

Chrome DevTools shows multiple third-party origins loaded by a Shopify storefront (e.g., chat widgets, analytics, ad pixels). Each origin is a potential touchpoint for tracking or data processing that must be governed by consent and app governance.

The next step is to check that cookies and tracking scripts from every party fire only after consent is given. This means running an audit of your website, which you can pair with an overall site performance and SEO audit. Book a free consultation to learn more.
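One way to run that audit, added here as an example and not the article's or Shopify's tooling: export a HAR file from the DevTools Network panel (recorded from a fresh session up to and past the moment you click accept) and list every third-party origin whose first request came before the consent event. The HAR entries, hostnames and consent timestamp below are constructed; NECESSARY_ORIGINS is the assumed allow-list of the store's own origin and its theme asset CDN.

```javascript
'use strict';

// Added example, not the article's or Shopify's code.
// Origins allowed to load before any consent choice (assumption: the store's
// own domain and its theme asset CDN are treated as strictly necessary).
const NECESSARY_ORIGINS = new Set([
  'https://example-shop.test',
  'https://cdn.shopify.com',
]);

// Constructed HAR fragment in the shape DevTools exports (log.entries[]);
// a real run would use JSON.parse(fs.readFileSync('storefront.har', 'utf8')).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2024-05-01T10:00:00.000Z', request: { url: 'https://example-shop.test/' } },
  { startedDateTime: '2024-05-01T10:00:00.200Z', request: { url: 'https://cdn.shopify.com/s/files/theme.js' } },
  { startedDateTime: '2024-05-01T10:00:00.400Z', request: { url: 'https://ads.example.test/pixel.js?id=123' } },
  { startedDateTime: '2024-05-01T10:00:00.500Z', request: { url: 'https://chat.example.test/widget.js' } },
  { startedDateTime: '2024-05-01T10:00:00.900Z', request: { url: 'https://ads.example.test/collect?ev=pageview' } },
  { startedDateTime: '2024-05-01T10:00:07.000Z', request: { url: 'https://analytics.example.test/collect' } },
] } };

// Timestamp of the visitor's consent event, taken from the consent log (constructed).
const CONSENT_TS = '2024-05-01T10:00:05.000Z';

// Groups third-party origins by whether their FIRST request preceded consent.
// Each row carries the first-seen time and a sample URL to trace the script back
// to its source (theme code, Tag Manager container, app, or pasted snippet).
function auditPreConsentOrigins(har, consentTs) {
  // With no consent event at all, every third-party request counts as pre-consent.
  const consentTime = consentTs ? Date.parse(consentTs) : Infinity;
  const firstSeen = new Map();
  for (const entry of har.log.entries) {
    const url = entry.request && entry.request.url;
    if (!url || !/^https?:\/\//.test(url)) continue;      // skip data:, blob:, about: entries
    const origin = new URL(url).origin;
    if (NECESSARY_ORIGINS.has(origin)) continue;
    const t = Date.parse(entry.startedDateTime);
    const prev = firstSeen.get(origin);
    if (!prev || t < prev.t) firstSeen.set(origin, { origin, t, sampleUrl: url });
  }
  const describe = r => ({ origin: r.origin, firstSeen: new Date(r.t).toISOString(), sampleUrl: r.sampleUrl });
  const rows = [...firstSeen.values()].sort((a, b) => a.t - b.t);
  return {
    beforeConsent: rows.filter(r => r.t < consentTime).map(describe),  // fix these first
    afterConsent: rows.filter(r => r.t >= consentTime).map(describe),  // still verify the category matches the choice
  };
}

console.log(JSON.stringify(auditPreConsentOrigins(SAMPLE_HAR, CONSENT_TS), null, 2));
```

Origins in `beforeConsent` are the ones to trace back to a theme snippet, a Tag Manager trigger or an app and move behind the consent gate; for `afterConsent`, the remaining check is that each origin belongs to a category the visitor actually accepted, which the HAR alone cannot tell you.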

Marketing consent

As with cookies, marketing consent for sending emails, SMS, and other notifications is usually handled automatically by your email marketing tool. The same rules as for cookies apply: make opt-in and opt-out clear, with plain language and visuals.

The main question here is: Who is responsible for drafting and updating the opt-in and opt-out policy?

Research found that 88% of data breaches involve the use of stolen credentials. For your store's safety, it's essential to run a quarterly user-role audit to determine who is responsible for what and which data they have access to.

Step 2: Handle data requests (DSAR playbook)

DSAR stands for Data Subject Access Request, and it refers to the process by which a user asks a business for any data it holds about them and requests that it be amended or deleted.

Data mapping is crucial for checking whether a customer's data has been removed completely. If a customer requests that their data be removed, GDPR clearly states that it must be removed everywhere.

Apps can help, but making sure nothing is left behind should follow a specific checklist.

Step 3: Delete data safely

The crucial part of this step is to remove all the data you are required to delete, keep only the data you need for lawful reasons, restrict access to what remains, and document everything.

There are three actions you can take:

  • Delete = remove personal data from a system entirely.
  • Redact/anonymise = remove identifying fields but keep the transaction record; crucial for finance and operations.
  • Retain = keep limited records when you have a lawful reason (tax/accounting/legal claims), and restrict access.

Keep in mind the following:

  • Uninstalling an app doesn't delete the data it already captured
  • Shipping/3PL systems keep addresses unless you explicitly delete/anonymise them
  • Helpdesk tickets often contain addresses and attachments (labels, invoices)
  • Spreadsheets/exports are the #1 place data survives forever
  • Data warehouses (BigQuery, Snowflake, etc.) need a deletion process too
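The three actions carried through the systems listed above, as an added example that is not the article's checklist tool or Shopify's API: a retention policy maps each system in your data map to delete, redact or retain, the erasure routine applies it to every record linked to the customer and writes a DSAR log entry, and a verification pass scans what remains for the customer's identifiers outside retained, access-restricted records. The systems, records, field names and policy are all constructed for the example; a missing policy entry deliberately stops the run, because a system absent from the data map is exactly where data survives.

```javascript
'use strict';

// Added example, not the article's or Shopify's code.
// Fields treated as directly identifying (assumption for this example).
const PII_FIELDS = ['name', 'email', 'phone', 'address'];

// Constructed sample records across the systems a data map typically lists.
const SYSTEMS = {
  customers: [
    { id: 'C1', name: 'Jane Doe', email: 'jane@example.test', phone: '+10000000', address: '1 Main St' },
    { id: 'C2', name: 'Sam Roe', email: 'sam@example.test', phone: '+10000001', address: '2 High St' },
  ],
  orders: [{ id: 'O1', customerId: 'C1', name: 'Jane Doe', email: 'jane@example.test', address: '1 Main St', total: 49.9, placedAt: '2024-03-01' }],
  invoices: [{ id: 'I1', orderId: 'O1', customerId: 'C1', name: 'Jane Doe', address: '1 Main St', total: 49.9, issuedAt: '2024-03-01' }],
  helpdeskTickets: [{ id: 'T1', customerId: 'C1', email: 'jane@example.test', body: 'Where is my parcel?', attachments: ['label.pdf'] }],
  shipments: [{ id: 'S1', orderId: 'O1', customerId: 'C1', name: 'Jane Doe', address: '1 Main St', status: 'delivered' }],
};

// Retention policy per system (assumed; yours comes from the data map and your lawful basis).
const POLICY = {
  customers: 'delete',
  orders: 'redact',          // keep the transaction record, strip identity
  invoices: 'retain',        // lawful basis: tax/accounting; access restricted
  helpdeskTickets: 'delete', // ticket text and attachments (labels, invoices) go together
  shipments: 'redact',
};

function isLinkedTo(system, rec, customerId) {
  return rec.customerId === customerId || (system === 'customers' && rec.id === customerId);
}

// Redact/anonymise: blank identifying fields and unlink the record from the person.
function redactRecord(rec) {
  const out = { ...rec };
  for (const f of PII_FIELDS) if (f in out) out[f] = '[redacted]';
  delete out.customerId;
  out.anonymised = true;
  return out;
}

// Applies the policy to every record linked to customerId. Returns the new state
// of each system plus a DSAR log entry listing what happened to each record.
function processErasure(customerId, systems, policy, now = () => new Date()) {
  const report = { type: 'erasure', customerId, ts: now().toISOString(), actions: [] };
  const next = {};
  for (const [system, records] of Object.entries(systems)) {
    const action = policy[system];
    if (!action) throw new Error(`no retention policy for "${system}": add it to the data map before processing`);
    next[system] = [];
    for (const rec of records) {
      if (!isLinkedTo(system, rec, customerId)) { next[system].push(rec); continue; }
      if (action === 'redact') next[system].push(redactRecord(rec));
      else if (action === 'retain') next[system].push({ ...rec, accessRestricted: true, retentionBasis: 'tax/accounting' });
      // 'delete': the record is simply not carried over
      report.actions.push({ system, id: rec.id, action });
    }
  }
  return { systems: next, report };
}

// Verification pass: none of the subject's identifiers may survive outside
// retained, access-restricted records. Returns the offending records.
function findResidualPii(systems, subject) {
  const needles = PII_FIELDS.map(f => subject[f]).filter(Boolean).map(v => String(v).toLowerCase());
  const hits = [];
  for (const [system, records] of Object.entries(systems)) {
    for (const rec of records) {
      if (rec.accessRestricted) continue;
      const text = JSON.stringify(rec).toLowerCase();
      for (const n of needles) if (text.includes(n)) hits.push({ system, id: rec.id, value: n });
    }
  }
  return hits;
}

// Stand-alone demo: erase C1, then prove nothing identifying is left behind.
const demo = processErasure('C1', SYSTEMS, POLICY);
console.log(JSON.stringify(demo.report, null, 2));
console.log('residual PII:', findResidualPii(demo.systems, SYSTEMS.customers[0]));
```

The verification pass is the part worth keeping even if everything else is done by hand: run it against fresh exports from each system (including spreadsheets and the warehouse) after the deletion, and file its empty result next to the DSAR log entry.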

Customer data deletion workflow

The tool below will serve as a checklist to help you delete customer data step by step whenever you receive a DSAR.

Step 4: Set a governance framework

To prevent repeating steps 1-3, a framework to work with and a quarterly audit are not simply recommended; they are needed.

  • Assign owners: consent/pixels owner, DSAR owner, app owner, access admin
  • Quarterly audit cadence: apps, access, consent health, DSAR drill
  • Documentation pack: DPAs/contracts, app list, access log, consent log, change log, DSAR log
  • Change control: every pixel/app/script change goes into the Change Log

If you can run these four checks every quarter, you’ll prevent most GDPR issues before they become urgent. Our Governance framework guide will be very helpful in

Download the Shopify GDPR Governance framework

Shopify pages you need to comply with GDPR

Regulations require you to set up the following pages:

  • Privacy policy

The privacy policy page can be automatically set up in the Shopify Dashboard. Shopify handles the basics, but it's up to you, the seller, to ensure its accuracy and to update the relevant data.

  • Data subject request page

This page allows users to request the viewing, modification, or erasure of their personal data. There are multiple ways to set it up - the easiest one is to use the Data sharing opt-out page Shopify itself offers.

Compliance is a habit

GDPR compliance, like any other law, is not a one-time setup; it's an ongoing practice that should be part of your business operations.

The path we followed with our customers is to treat GDPR as part of their customer experience, not a legal chore - this sets the foundation for building on their true goals, not simply playing catch-up to changing regulations.

FAQs on Shopify GDPR Compliance

Does Shopify Markets localization take into account GDPR compliance or other local laws?

Shopify Markets localises the shopping experience (currency, language, domains, and regional storefront behaviour), but it doesn’t automatically make your store GDPR-compliant or compliant with every local law.

In Shopify Admin, Customer privacy settings let you manage cookie banners and privacy controls, including region-specific cookie banners and data-sharing settings.

How to prove consent in Shopify if challenged?

To prove consent in Shopify if you’re challenged, you show exportable “receipts” from the places Shopify ties into, plus a couple of Shopify screenshots.

  • Shopify customer record: Screenshot/export the customer profile showing Email/SMS marketing status and the exact opt-in checkbox wording used on forms/checkout.
  • Email/SMS app: Export the subscriber’s consent history. This is usually your strongest “receipt.”
  • Cookie consent tool: Export the consent log and screenshot the banner settings
  • Tracking proof: Screenshot of GTM (Google Tag Manager) consent triggers/container version showing that analytics/marketing tags fire only after consent.
  • Withdrawal proof: Keep the unsubscribe record and/or updated consent event with timestamps.

Are there any certifications for GDPR compliance?

Yes, there are GDPR certification schemes, but there is no single GDPR-certified badge you can earn specifically for your website.

The certifications generally apply to specific processing operations and products or services. Meanwhile, you still need to keep track of the GDPR requirements that apply to your business.

GDPR allows formal certification schemes (Article 42) that can help demonstrate compliance, including "EU Data Protection Seal" style programmes. These are typically assessed through approved schemes and accredited bodies such as Europrivacy.org.

Are ADA and GDPR compliance related?

ADA and GDPR compliance are loosely related. They overlap in a few areas, but they address different concerns.

ADA focuses on accessibility. For Shopify and websites, it generally means following WCAG best practices. GDPR focuses on privacy and data protection.

They overlap most on cookie banners, pop-ups, and forms. If these aren’t accessible, you can create ADA risk and also weaken GDPR consent because users can’t properly accept, reject, or manage their preferences.

Altin Gjoni is a Content Strategist who creates in-depth, actionable content for Shopify and eCommerce merchants. With a background in digital strategy and hands-on experience across multiple industries, he turns complex eCommerce challenges into clear, practical guides that help brands grow, convert, and compete.