Shopify · March 2026 · 7 min read

GDPR for Shopify: What Shopify Doesn't Configure For You

Shopify is GDPR-compliant as a platform. That doesn't mean your store is GDPR-compliant. There's a significant gap between what Shopify handles and what you, the merchant, are responsible for.

What Shopify Actually Handles

Shopify maintains a DPA with you (available in your admin under Settings → Legal), has EU data residency options for some plans, handles PCI compliance for payment processing, and provides the infrastructure for customer data deletion requests via their Customer Privacy API.

They also provide a basic privacy policy template and have built-in support for cookie consent notifications. The keyword is "support" — they provide the infrastructure. The compliance is your responsibility.

Cookie Consent: Shopify's Banner Isn't Enough

Shopify has a built-in cookie consent banner that you can enable under Online Store → Preferences → Customer privacy. For EU and UK visitors it shows a banner. But there are two problems with the default setup.

First, Shopify's default banner is an opt-out model in many theme implementations — it informs users rather than requiring active consent before loading tracking scripts. Second, it doesn't integrate with third-party apps you've installed. If you've added Klaviyo, Meta Pixel, or Google Analytics via a Shopify app, those may load regardless of the consent state.

The proper fix is a dedicated consent management platform (CMP) app. CookieYes, Cookiebot, and Axeptio all have Shopify integrations that properly gate third-party script loading. Budget around €10–30/month.

The Meta Pixel problem

Meta Pixel installed via the Shopify Facebook & Instagram app loads on page load by default. This fires before any consent. The pixel sends visitor data — including page URLs, IP addresses, and browser fingerprints — to Meta before the user has agreed to anything. This is one of the most common GDPR violations on Shopify stores.
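The difference between the two patterns above is when the loader runs, not what it loads. The following is an added example, not code from Shopify or any CMP vendor: a small consent gate that registers tracking loaders instead of executing them at page load and only runs them once the visitor has granted the matching category. The category names, tracker list and simulated consent objects are constructed; on a real storefront `applyConsent` would be called from the CMP's callback or from a listener on Shopify's `visitorConsentCollected` document event.

```javascript
// Added example (not Shopify's or a CMP's code): gate tracking loaders on consent.
// Tracker list and category names are constructed for this example.
const TRACKERS = {
  metaPixel: { category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  ga4:       { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js' },
};

class ConsentGate {
  constructor() {
    this.pending = new Map(); // name -> { category, load }
    this.loaded = new Set();
    this.consent = null;      // null until the visitor has made a choice
  }

  // Register a loader instead of calling it at page load. If consent is
  // already known (returning visitor), the loader is evaluated immediately.
  register(name, category, load) {
    if (this.loaded.has(name)) return;
    this.pending.set(name, { category, load });
    if (this.consent) this.flush();
  }

  // Called with the visitor's decision, e.g. { marketing: true, analytics: false }.
  applyConsent(consent) {
    this.consent = { ...consent };
    this.flush();
  }

  // Run every pending loader whose category was granted; leave the rest queued.
  // Deleting from a Map during for...of iteration is safe in JavaScript.
  flush() {
    for (const [name, { category, load }] of this.pending) {
      if (this.consent[category] === true) {
        load();
        this.loaded.add(name);
        this.pending.delete(name);
      }
    }
  }

  status() {
    return {
      loaded: [...this.loaded].sort(),
      pending: [...this.pending.keys()].sort(),
    };
  }
}

// The default, non-compliant pattern: the pixel loader runs at page load,
// before any consent exists. `log` stands in for the network requests made.
function loadWithoutGate(log) {
  log.push(TRACKERS.metaPixel.src);
  return log;
}

// The gated pattern: same loaders, but nothing runs until applyConsent.
function runGatedScenario(consent) {
  const log = [];
  const gate = new ConsentGate();
  gate.register('metaPixel', TRACKERS.metaPixel.category, () => log.push(TRACKERS.metaPixel.src));
  gate.register('ga4', TRACKERS.ga4.category, () => log.push(TRACKERS.ga4.src));
  const beforeConsent = log.length; // expected 0: nothing fired on page load
  gate.applyConsent(consent);
  return { beforeConsent, log, status: gate.status() };
}
```

A withdrawn consent cannot unload a script that already ran, which is why the gate never executes a loader speculatively; the only safe default before a decision is "nothing loads".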

Marketing Email Consent at Checkout

Shopify's checkout has an optional "Email me with news and offers" checkbox. By default this is unchecked, which is correct — it's opt-in. But there are two things to verify in your admin.

Go to Settings → Checkout → Customer contact and confirm that "Show a sign-up option at checkout" is set to show the checkbox (not pre-ticked). Also check Settings → Notifications — if you're using Klaviyo or Omnisend, ensure their integration only subscribes customers who ticked the marketing checkbox, not all customers who complete a purchase.

Some Klaviyo + Shopify integrations default to subscribing all customers with an "implied consent" configuration. This is non-compliant for EU customers who didn't tick the box.

Customer Data Deletion Requests

Shopify has a built-in customer data deletion tool, but it's not automatic. To use it: go to Customers → find the customer → click the three-dot menu → "Erase personal data." This removes their personal data from your Shopify store.

It does not automatically delete their data from Klaviyo, Mailchimp, Gorgias, or any other app you've connected. You need to manually delete from each system, or set up a workflow that triggers deletion across all your tools. You have 30 days from the request date.
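Because Shopify's "Erase personal data" only covers Shopify, the deletion has to be fanned out to every connected app and tracked against the 30-day window. The following is an added example, not Shopify's or any vendor's code: a runner that calls one connector per system, records partial failures instead of aborting, and reports how many days remain. The request, the connectors and the in-memory stores are constructed; in a real store each connector would call that vendor's deletion endpoint.

```javascript
// Added example (not Shopify's code): fan out a deletion request and track the deadline.
const DEADLINE_DAYS = 30; // the 30-day window mentioned in the post

function dueDate(receivedAt) {
  const d = new Date(receivedAt);
  d.setUTCDate(d.getUTCDate() + DEADLINE_DAYS);
  return d;
}

function daysRemaining(receivedAt, now) {
  const ms = dueDate(receivedAt) - new Date(now);
  return Math.floor(ms / 86400000);
}

// Runs each connector once. A connector that throws is recorded as failed and
// left for a retry; the other systems are still processed.
function runDeletion(request, connectors, now = new Date()) {
  const results = {};
  for (const [system, erase] of Object.entries(connectors)) {
    try {
      erase(request.email);
      results[system] = 'done';
    } catch (e) {
      results[system] = `failed: ${e.message}`;
    }
  }
  const failed = Object.keys(results).filter((s) => results[s] !== 'done');
  return {
    requestId: request.id,
    results,
    complete: failed.length === 0,
    failed,
    daysRemaining: daysRemaining(request.receivedAt, now),
  };
}

// Constructed connectors standing in for Shopify, Klaviyo and a helpdesk tool.
// `store` holds a Set of customer e-mails per system so the effect is observable.
function sampleConnectors(store) {
  return {
    shopify: (email) => { store.shopify.delete(email); },
    klaviyo: (email) => { store.klaviyo.delete(email); },
    helpdesk: () => { throw new Error('API token expired'); }, // simulated failure
  };
}
```

Keep the returned report: it is the record that shows which systems were cleared and when, which is what you need if a data subject or regulator later asks how the request was handled.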

Third-Party Apps: Your Biggest Exposure

Every app you install in your Shopify store that touches customer data needs a DPA. Most major apps (Klaviyo, Recharge, Gorgias) have DPAs available on their websites or in their privacy settings. Smaller apps often don't — check before installing.

More importantly: apps that inject tracking scripts (loyalty apps, heatmap tools, review widgets) often add their scripts to your storefront theme directly. These scripts may fire before consent. Audit your theme's code or use a tool like fixGDPR to see what's loading on page load.
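One way to do that audit offline, as an added example that is not fixGDPR's or Shopify's code: scan a theme template for `<script>` tags that reference known tracker hosts, or that inline a tracker bootstrap such as `fbq('init', ...)` or `gtag('config', ...)`, and flag each one as gated or ungated. "Gated" here means the tag carries `type="text/plain"`, the convention CMPs such as Cookiebot use to keep the browser from executing a script until consent is given. The sample template excerpt and the tracker host list are constructed; extend the list with whatever your installed apps load.

```javascript
// Added example (not fixGDPR's or Shopify's code): find tracking scripts that
// would run at page load. Host list and sample template are constructed.
const TRACKER_DOMAINS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.googletagmanager.com': 'Google Tag Manager / GA4',
  'www.google-analytics.com': 'Google Analytics',
  'static.klaviyo.com': 'Klaviyo',
  'script.hotjar.com': 'Hotjar',
};

// Inline bootstraps that initialise a tracker without an external src attribute.
const INLINE_SIGNATURES = [
  { re: /fbq\(\s*['"]init['"]/, vendor: 'Meta Pixel (inline fbq init)' },
  { re: /gtag\(\s*['"]config['"]/, vendor: 'GA4 (inline gtag config)' },
];

// Resolve a src against a placeholder base so relative and Liquid-generated
// paths do not throw; anything that fails to parse is ignored.
function hostOf(src) {
  try { return new URL(src, 'https://example-store.invalid').hostname; }
  catch { return null; }
}

// Returns one finding per tracker reference found in the template.
function auditTheme(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const gated = /type\s*=\s*["']text\/plain["']/i.test(attrs);
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (srcMatch) {
      const host = hostOf(srcMatch[1]);
      if (host && TRACKER_DOMAINS[host]) {
        findings.push({ vendor: TRACKER_DOMAINS[host], src: srcMatch[1], gated });
      }
    }
    for (const { re, vendor } of INLINE_SIGNATURES) {
      if (re.test(body)) findings.push({ vendor, src: '(inline)', gated });
    }
  }
  return findings;
}

// The findings that need fixing: trackers that execute before any consent.
function ungated(findings) {
  return findings.filter((f) => !f.gated);
}

// Constructed excerpt of a theme.liquid <head>: GA4 loaded and configured at
// page load (ungated), Meta Pixel blocked by the CMP convention (gated).
const SAMPLE_THEME = `
<head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('config', 'G-XXXXXXX');
  </script>
  <script type="text/plain" data-cookieconsent="marketing"
          src="https://connect.facebook.net/en_US/fbevents.js"></script>
  <script src="{{ 'theme.js' | asset_url }}" defer></script>
</head>`;
```

A static scan only sees what is in the theme files; scripts injected at runtime by an app's own tag manager will not show up here, which is why the post also recommends checking what actually loads in the browser.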

Shopify GDPR checklist

  ☐ Install a proper CMP app (CookieYes, Cookiebot, or Axeptio)
  ☐ Verify Meta Pixel only loads post-consent
  ☐ Check Klaviyo/Omnisend integration subscribes opted-in customers only
  ☐ Accept Shopify's DPA in Settings → Legal
  ☐ Add privacy policy page (Shopify provides a template)
  ☐ Accept DPAs for Klaviyo, Stripe, any analytics apps
  ☐ Document your deletion workflow for customer requests

See what's firing on your Shopify store

Run a free scan to check which third-party scripts are loading before consent on your store's pages.
