The Shopify Privacy Playbook
Whether you’ve just started your ecommerce store or you're already making millions, this playbook will help you build a trusted privacy experience.
Chapters
Playbook Overview
Welcome to the Shopify Privacy Playbook!
Building brand trust is hard, but keeping it is even harder.
Whether you’ve just started your eCommerce store or are making millions in revenue, following data privacy best practices is vital to running a trusted online business of any size.
Why? Privacy laws like the EU's General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and upcoming regulations such as Canada’s Consumer Privacy Protection Act (CPPA) require businesses to protect and handle their customers’ information with care.
Did we mention that these privacy laws are constantly changing? See what’s happening in the United States.
Buyers are more concerned about their data privacy than ever before. In a global study of more than 5,000 consumers worldwide, PWC discovered that 83% of them want more control over their data.
These terms and stats might make data privacy sound complicated, but it doesn’t have to be. In this playbook, we’ll break down the small business data privacy process into clear and simple steps, so you can proactively protect both your business and your customers.
Ready to take your customer privacy experience to the next level? Let’s go!
Audit your stores' privacy practices
First things first—let’s look over your current privacy practices to find areas for improvement.
Update your policy pages
When is the last time you updated your privacy policy? 🤔
If the answer is when you first launched your store, then it's time for a review.
You need to have an up-to-date privacy policy page, terms and cookie policy (if applicable) so your customers have a clear understanding of how your store collects and handles data. Not only are these pages legally required, but they help communicate that your business cares about their customers and that they can trust shopping on your site.
5 quick tips for better policy pages:
-
Up-to-date and accurate
-
Easy to find on your store website
-
Formatted for easy readability (and accessibility)
-
Available in the native languages your customers understand
-
Representative of the regulations for your location and your customers’ locations
Small Store Example — LAC swim
The average privacy policy page looks like a giant wall of text. It's hard to read, understand and find the information you're looking for. LAC swim has opted for an organized, accordion-style layout using the Enzuzo Shopify App, in which customers can click into the different elements of their policy.
What's working for LAC swim:
- A styled privacy policy page that matches the store design.
- Organized, accordion-style dropdowns which make it easy to read.
- Built-in data request button so that customers can make requests like marketing unsubscribes directly from the privacy policy.
You can get the privacy policy example above for your store! Other robust privacy features like a cookie consent banner and more for free with Enzuzo.
What's working for Skims:
- Privacy, terms, cookie and accessibility policies.
- CCPA request page with a form so customers can make data requests. (Get this feature free with the Enzuzo App)
- Unsubscribe page so customers can quickly opt-out of marketing communications.
Review third-party apps & tools
If you are one of the 87% of Shopify merchants that use third-party apps or themes for your eCommerce store, you'll need to check their privacy practices.
Your customers' personal information is scattered throughout the many tools and apps you've integrated with your store, which is why it's important to vet these platforms in advance to protect your customers' privacy and minimize risk.
Shopify requires all third-party apps and themes to have a privacy policy, which you should review before installing to know what data they collect and to ensure they're compliant.
Did you know the average Shopify store has 6 apps installed?
You should also delete any apps you're no longer using. Not only do they slow down your Shopify store speed, but they will continue to store your data, which might include personal information from your customers.
Below is an example of what information a third-party app could have access to after installation. In the example, Stamped.io would have access to order details, among other data, which includes your customers' personal information.
As a merchant, this screen is visible right before you install a Shopify App, and by clicking the "Install App" button, you agree to the Shopify Terms of Service.
Best-in-class Shopify Apps should only request access to the information required for their app's features to function well—not everything. This isn't always the case, so we recommend not blindly skipping this step and reviewing the list items before making a decision.
As you can see at the bottom of the example, within 48-hours of removing a Shopify App from your store, your customers' personal information will be erased from their application. If you want to confirm this, you can contact the third-party app directly and make a data request to guarantee completion.
Review sales channels & payment gateways
If you use an affiliate service or additional sales channels like Google or Facebook, look into their privacy practices to ensure they're in compliance with applicable laws. This principle also applies to payment gateways like Shopify Pay and PayPal.
Some sales channels also have data collection and privacy requirements for you to use their services. For example, Google Shopping ads have specific expectations for their users' data collection and use.
Shopify Sales Channels include:
- Buy Button
- Shopify Point of Sale
- TikTok
- eBay
and more, available in the Shopify App Store.
When adding Sales Channels, the same process applies for installation as it does Apps. You will see a screen listing the data that the particular sales channel will have access to, as shown in the example below.
Designing a trusted customer experience
Strengthening your store’s privacy goes beyond security — it also improves the customer experience through enhanced data transparency and trust.
Follow these simple principles to promote a customer-friendly data privacy experience.
Clearly communicate marketing consent
Marketing and communications tools can help you stay top of mind for your customers, but not at the cost of their privacy rights.
When your customers consent to your cookies or marketing communications, they should have a clear idea of what they’re agreeing to and give their consent freely.
Design your opt-in forms, pop-ups, cookie bar and other ways that you gather consent with:
-
Clear and specific messaging
-
Links to your terms of service and privacy policy pages
-
Compliance with global, national and local opt-in laws
-
A breakdown of what your customer can expect to receive from opting-in
Tips from our friends from
Marketing consent is everything for a healthy, legally compliant marketing program. When it comes to email marketing, capturing consent sets the right expectations between brand and consumers.
This consent helps keep messages from being marked as spam, which ultimately impacts email deliverability for all subscribers. For SMS, it's a no-brainer. There may be no easier way to harm a customer relationship than by sending an unwanted SMS marketing message.
Example — Cookie Banner Opt-in
This cookie banner opt-in clearly communicates why they need consent, a link to their privacy policy page, and a link where customers can manage the types of cookies they want to allow. Here's some more cookie banner examples you might want to check out.
👉 Get a FREE Cookie Banner for your Shopify store today!
Example — Marketing Communications Opt-in
Mejuri's marketing communication opt-in's are by the book—they're following all of the best practices.
They have a two-step opt-in process for both Email and SMS. On each step of the form, they are very explicit in what the customer agrees to.
Not only do they link to Terms and Privacy, but they also include contact information like their address and email address.
If you're not capturing consent, you're never going to have a fully optimized, sustainable, and increasingly profitable marketing program.
Greg Zakowicz | Omnisend
Give customers more control over their data
You should make it as simple as possible for your customers to request a copy of their data, have their data deleted or make general inquiries about their personal information through your privacy policy page.
Tools like Enzuzo have a data request form built-in to your privacy page, meaning you’ll never miss a request. What is Enzuzo?
Once you set up a channel for customer privacy requests, consider creating a dedicated email address like privacy@yourcompany.com. This practice benefits both you and your customers — you’ll have quick access to data requests for easier inquiry management, and your customers will appreciate the faster turnaround times.
Example — Gymshark
Gymshark has a customer data-dedicated email mentioned at multiple points in their privacy policy, including in the first section:
Be respectful
Once you have your customers' data, please treat it with the same respect you would like your own. Fast Company calls this practice "data etiquette."
Aka, don't spam your customers!
By collecting only the data your company needs and using it within the terms your customer agreed to, you can deliver a better customer experience, build trust, and stay compliant with upcoming data laws in advance.
Poor Steve just wanted a piece of furniture, not to be spammed for life. Please, brands, don't do this.
Building privacy workflows
Now that you understand what you should do to follow best practices for eCommerce data privacy, how do you do it? It takes a team effort.
Establish a data privacy workflow
A team that prioritizes customer privacy is proactive. Set your team up for success with a workflow to follow, so they know how to handle situations like privacy requests or policy changes by answering these questions:
-
How do we handle privacy questions or requests?
-
How do we confirm that we’ve addressed a privacy question or request?
-
How do we follow the timelines of all of the privacy laws we need to follow?
List the personal information you collect
A list of all of the information you collect from your visitors and customers will provide you with an easy reference for compliance updates and customer data requests. Include the data collected through these channels:
-
Your store website
-
Your third-party apps and themes
-
Your sales channels
-
Your payment gateways
We also recommend that you ask yourselves and document the following questions:
Designate a “data privacy officer”
Agree on a team member who will become the dedicated person responsible for data privacy compliance for your store. This “data privacy officer” should:
-
Review data privacy regulations routinely
-
Develop policies and processes to support new regulations
-
Stay accountable to their duties with consequences if they neglect them
Have a data breach response plan
When you experience a data breach, you need to act fast. An established data breach response plan will provide the guidance you need to reduce the impact of a data breach and maintain customer trust in the aftermath. Signifyd recommends including these steps in an eCommerce data breach action plan:
-
Confirm and investigate the breach
-
Document all initial evidence of the breach
-
Designate team members to investigate and monitor the breach
-
Request outside help such as law enforcement when necessary
-
Alert any customers who have compromised data
-
Perform a post-mortem of the incident to find areas of improvement in your privacy practices
Create a data retention policy
Implement a policy that defines how long you should keep customer data in your system. Once that period ends, securely and permanently remove the data.
Data retention policies offer two advantages to eCommerce businesses. First of all, you won’t have to worry about your data monitoring needs increasing over time. Second, laws like the GDPR require you to keep data for no longer than you need it.
Protect your business & minimize risk
Keeping privacy top of mind to protect your business & stay compliant. Managing customer data privacy is an ongoing effort. After following the previous steps in this playbook, you need to continuously keep your business compliant and trustworthy with these healthy privacy habits.
Stay up-to-date on privacy laws
You must stay updated on relevant privacy laws to maintain a business that complies with them.
Easier said than done, right? Actually, it doesn’t have to be. Forbes suggests taking these actions to stay on top of privacy regulations:
-
Creating Google Alerts for privacy laws that impact your store
-
Staying in touch with a lawyer familiar with privacy laws (if you can afford it)
-
Keeping up with industry publications like Infosecurity Magazine, SC Media, and IAPP
-
Subscribe to the Enzuzo newsletter to get monthly information on privacy trends
Review your websites and policies at least every year
As you stay educated on your region’s privacy laws, remember to compare them to your current privacy habits on at least a yearly basis. You should also keep an eye out for privacy updates to your third-party channels, such as plug-ins, payment gateways and sales channels.
Pro Tip: Add a Google Calendar Event for an Internal Privacy Audit to remind yourself or the team.
Give privacy updates to your customers
Whenever you change your privacy policies or practices, your customers should be some of the first people to know. After updating your store’s privacy, notify your customers through the channels they’ve opted into.
Software companies, like Figma in the below example, update their customers all the time when they make significant privacy or terms changes, so why not your brand?
As our Enzuzo team member, Chris, nicely put it. Not only is it the right thing to do, but it also helps differentiate your store from the competition.
You'll build stronger and more memorable customer relationships and experiences. Don't see it as a chore, but as an opportunity to continue strengthening brand trust.
Make privacy a priority
All of the points we discussed in this playbook come back to a single concept: Make data privacy a priority in your business. Like your products, operations, and marketing activities, data privacy is a critical element of your eCommerce store.
Plus, just as those priorities have tools available to make their upkeep easier, so does privacy. A privacy platform like Enzuzo has powerful features to help small businesses manage everything related to their privacy experience. With everything in one tool, you can streamline your privacy measures to provide a better experience for your team and your customers.
Leave a comment
Data privacy for Shopify, simplified.
Free forever plan available—no credit card required.