GDPR
Find out how a robust privacy policy for your Shopify website can protect your personal information, strengthen your online security and ensure worry-free browsing: everything you need to know is here!
It is also a legal requirement in many countries, including the European Union and the United States, whether it is:
The information required is not identical in every case, however: it depends on the categories of data collected and on the purpose of the processing.
The privacy policy supports the protection of your users' personal data and ensures the transparency of your data processing practices, in accordance with Article 13 of the GDPR.
This article provides that where personal data are collected from the data subject, the controller must, at the time the data are obtained, provide them with various detailed information.
This information includes the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, and other details relating to the protection of personal data.
Article 14 of the GDPR sets out similar guidelines for cases where the personal data have not been obtained directly from the data subject.
In this article, we will guide you through the steps to put in place an effective privacy policy for your B2B or B2C website.
The first step in establishing a privacy policy is to understand the data you collect and how you use it through the Shopify platform. This may include contact information, IP addresses, transaction data and other information relevant to your business.
You must also take into account local data protection laws, such as the GDPR in Europe.
Next, you must clearly inform the users of your website (i) about the types of data you collect, (ii) how you collect it and (iii) how you use it. This can be done through a privacy policy accessible from any page of your website under a clear heading ("privacy policy", "privacy page" or "personal data"), so that your users understand that information about the data collected about them is to be found on that page.
Finally, you must ensure that you provide information about the intended processing of the data collected or, where necessary, that you obtain the user's consent before collecting any data. This collection must be accompanied by appropriate security measures to protect such data.
In many countries, in particular in the European Union and the United States, having a privacy policy is a legal requirement for websites. In France, this obligation stems from the duty of transparency regarding the data collected and the processing purposes for which they are collected, in particular in accordance with Article 13 of the GDPR.
A privacy policy for an e-commerce site must include information about the data you collect during the transaction, such as payment and shipping information. You must also inform users about how you will use this data and how you will protect it. Be sure to also mention your return and exchange policy in your privacy policy.
Compared with a showcase site, the information collected by an e-commerce site is likely to be more extensive and to serve other purposes. It also means that there are more points on the website at which such data is gathered.
Please note that if you use third-party providers to deliver your products, run email campaigns or track your users' activity, these providers must be identified as processors in your policy and their contact details provided.
To add your privacy policy, click on "Settings" and then, at the bottom of the list, on "Policies".
Then, you must add your privacy policy on the "Privacy policy" page. You will need to ensure that this page appears at the bottom of each of your pages.
Without being exhaustive, a privacy policy must include the following elements:
The privacy policy must be drafted by the data controller, which may be the company itself or a natural or legal person mandated for that purpose. It may also be your lawyer.
There are several actors who can assist you in drafting your privacy policy, such as Legaltechs, IT providers or a lawyer specialising in internet law.
Please note, as a reminder, that providers other than lawyers must not provide advice on these regulations. It is therefore advisable to use a lawyer, who will offer you a full review of your GDPR analysis in order to ensure your compliance with French and European law.
When we speak of privacy rules, we are in fact referring to the regulations on the protection of personal data, governed (i) in Europe by the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018 in the European Union, and (ii) in France by the "French Data Protection Act" (initially adopted in 1978, it has undergone several amendments since then, in particular to bring it into line with the EU GDPR).
This regulation aims to strengthen the protection of users' personal data by imposing obligations on companies that collect and process such data. In particular, it imposes the requirement to inform users about how their data is collected, used and stored.
Legal notices and the privacy policy are two pieces of information that websites must make accessible to their users.
To find out more about legal notices, you can read the following article: "Legal notices for an e-commerce site!"
Legal notices serve to describe the identity and legal information of the company, whereas the privacy policy concerns the manner in which users' personal data is collected, processed and stored.
The two pieces of information are therefore complementary but distinct.
In conclusion, the privacy policy for Shopify is an essential element for any website collecting personal data. It must be clear and concise, and contain the essential information regarding data processing.
It is governed by the GDPR and its drafting must be entrusted to a competent data controller. Companies must therefore ensure that they comply with the legal obligations regarding the protection of personal data and inform users about how their data is processed.
If you want to guarantee the protection of your data and the compliance of your website with the GDPR, do not hesitate to get in touch today. Click here for a free audit of your privacy policy and discover how we can support you in navigating the world of personal data protection with complete peace of mind.
To learn more
Yes. As soon as your Shopify store collects personal data (orders, customer accounts, newsletter), the GDPR imposes a duty to inform via a privacy policy. This applies to a showcase site, an e-commerce site or a platform, with content tailored to the data collected.
In accordance with Article 13 of the GDPR: the identity and contact details of the controller, the purposes and legal basis, the recipients of the data, the retention periods and the rights of data subjects. The content varies according to the categories of data and their purposes.
Create a dedicated page in Shopify, draft content that complies with your activity, then add the link in the footer and on the collection forms. The information must be accessible at the time the data is collected.
Shopify offers a generator, but the resulting text remains generic and does not necessarily describe your actual processing operations or all your tools. An effective policy requires you to have mapped your data. It is better to adapt or have the document drafted so that it corresponds to your store.
It depends on the processing: performance of the contract to manage an order, consent for commercial prospecting, legitimate interest or a legal obligation depending on the case. The policy must indicate the legal basis for each purpose, which requires properly characterising your processing operations.
Yes, insofar as these applications process your customers' personal data. Marketing, analytics or payment tools may be recipients or processors. The policy must take this into account and these relationships must be governed in accordance with the GDPR.
A breach of the GDPR's duty to inform exposes you to sanctions from the CNIL and to complaints from customers. A missing or inadequate policy also undermines buyers' trust, a key element for an online store.
Yes, if your store places non-essential cookies (analytics, advertising). The cookie policy is distinct from the privacy policy and is accompanied by a compliant collection of consent. The two documents are complementary for a Shopify store that is in good standing.