June 09, 2018

What Does GDPR Mean For Your Ecommerce Store?

By Veronica Jeans

By now you should be moving away from these privacy-related practices:

  • Not telling your subscribers what they can expect from being on your email list
  • Sharing data with more parties than your subscribers were told about. For example, sharing email addresses with the brand sponsoring a giveaway.
  • Automatic (pre-ticked or hidden) opt-in forms
  • Not sending a 'confirmation of subscription' email to new subscribers
  • Adding people to your email list without asking (you shouldn't be doing this to begin with)
  • And finally, sharing brand contacts without permission

Luckily, most of the applications through which you collect data (your shopping platform, your payment gateway, your email software, your fulfillment software) are most likely way ahead of you on this. I'm sure you've seen the slew of emails explaining how they are ensuring compliance with the GDPR. This is a good thing! It does not, however, move the responsibility off you: as the merchant you still decide what is collected and why, so you need to know which of these services hold your customers' data and under what terms.

Controller vs. Processor: which one are you?

The GDPR separates data protection responsibilities into two categories: controllers and processors.

Controller: The party that determines for what purposes and how personal data is processed.

Processor: The party that processes personal data on behalf of the controller.

Under the GDPR, the merchant in most cases collects information from their buyers as a controller. Shopify generally acts as a processor for the merchant with respect to that buyer personal data (or, if the merchant is itself a processor, Shopify acts as a subprocessor).

Processor obligations

To comply with the GDPR, a processor may generally only process personal data when authorised to do so by the controller. Where Shopify is a processor for a merchant, it processes personal data on the merchant's documented instructions. For example, when a merchant clicks 'fulfill items', they instruct Shopify to process the data necessary to perform that action. Similarly, when a merchant selects a particular payment processor, or installs an application through the Shopify app store, they instruct Shopify to transmit data to the relevant party. The GDPR also places several other responsibilities on the processor, discussed below:

Subprocessing

A processor must have the controller's prior authorisation before passing personal data to a subprocessor, and must tell the controller about changes to its subprocessors. Shopify uses a number of subprocessors to provide the service, including to:

  • Store platform data
  • Operate the forums and other portions of Shopify's website
  • Respond to and manage support inquiries

When a merchant signs up for the Shopify service, they consent to Shopify's use of subprocessors. A list of subprocessors is available upon request.


Compile a list of the apps, software and plugins through which you currently collect information about your customers, readers or followers. For anybody who has a website, this will commonly be your email list and your comments software. If you run an ecommerce site or store, you hold a lot more information and have more responsibilities to your customers. You are responsible for where that data is stored and for ensuring that every one of these services is GDPR compliant.

Make sure you have a cookie notice: the little pop-up a reader has to dismiss, agree with or click 'OK' on. The Facebook Ads pixel and Google Analytics tracking both set cookies, so chances are you are using them. Make sure you have a notice saying that you do! A notice is the minimum; for advertising and analytics cookies the safer pattern is to hold off setting them until the visitor has actually agreed.

Go through ALL of your email list forms and landing pages to make sure they comply with the GDPR. This includes:

  • Explicitly saying what information you will be storing and for what purposes it will be used
  • Getting active consent to that processing, for example via an unticked checkbox, a clear notice that the email address will be added to your list, or a double opt-in

Check with your email marketing software to see what they are doing! I am using MailChimp, which has added GDPR consent settings to its forms to help ecommerce stores comply (see the MailChimp links at the end of this post).

Update your privacy policy. Make sure it is as explanatory and transparent as possible. Include what data you collect from your readers and how you use it. Also say which third-party vendors you share their information with (if any). Last, tell your audience how they can view, correct or delete their data.


Learning about the GDPR is important for website owners of every kind. Please share this information wherever you think it may be relevant!

Check Your Theme's Privacy Policies

For example, 'Out of the Sandbox' theme code does not itself process or store personal information submitted via the forms included in the themes (Shopify handles that), including the email newsletter sign-up, back-in-stock notification requests and contact forms. Even so, review the header and description text around each form to make sure it clearly states the purpose of the form and how the personal information collected will be stored and used (for example, for marketing).

To change this text, edit your theme language file or the page text where the form appears. Search for the term you'd like to change and modify the corresponding text field.

For more information about GDPR and email marketing, consult your email marketing provider's documentation (the MailChimp links are at the end of this post).

In all 'Out of the Sandbox' themes, a cookie is also used, if enabled, to store information about when a user last visited a site to determine when to display popup windows. This cookie expires after a set number of days, as defined by the store owner.

By default, these cookies are not associated with any personally identifiable information, though third-party tracking or other apps may add this functionality. Contact your app developers for further details on GDPR compliance.

These cookies may also be deleted by the user at any time, though theme functionality associated with them may be limited.

If applicable under GDPR, it is the store owner's responsibility to include notices about these cookies through compliant notifications, privacy policy notices or other methods.
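To make the two cookie points above concrete (the notice from earlier, and the theme's popup-timing cookie just described), here is an added example of how such a cookie can be handled. It is not Out of the Sandbox's or Shopify's code; the cookie name `popup_last_seen`, the `noticeShown` flag and the demo timestamps are assumptions for illustration. The cookie holds only a timestamp, expires after the owner-defined number of days, treats a missing or tampered value as "show the popup", and is never written before the store's cookie notice has been presented.

```javascript
// Added example: a popup-frequency cookie of the kind described above.
// Cookie name and field layout are assumptions, not the theme's own code.
const POPUP_COOKIE = 'popup_last_seen'; // assumed cookie name
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // Malformed percent-encoding: skip this cookie rather than crash.
    }
  }
  return cookies;
}

// Decide whether to show the popup: true when the cookie is absent, unreadable,
// claims a time in the future, or records a display at least `frequencyDays`
// ago. The value is a timestamp only; no personal data is stored.
function shouldShowPopup(cookieString, now, frequencyDays) {
  const lastSeen = Number(parseCookies(cookieString)[POPUP_COOKIE]);
  if (!Number.isFinite(lastSeen) || lastSeen > now) return true; // missing or tampered
  return now - lastSeen >= frequencyDays * MS_PER_DAY;
}

// Build the Set-Cookie / document.cookie string that records this display.
// Expiry is the store-owner-defined number of days; after that the browser
// drops the cookie and the popup becomes eligible again.
function buildPopupCookie(now, frequencyDays) {
  const expires = new Date(now + frequencyDays * MS_PER_DAY).toUTCString();
  return `${POPUP_COOKIE}=${now}; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// One request's worth of logic: what to render and which cookie (if any) to set.
// `noticeShown` is an assumed flag: the owner's cookie notice must have been
// presented before this cookie is written. Gating on it is a design choice of
// this example, since the page leaves the notice itself to the store owner.
function handlePopup({ cookieString, now, frequencyDays, noticeShown }) {
  if (!noticeShown) return { showPopup: false, setCookie: null };
  if (!shouldShowPopup(cookieString, now, frequencyDays)) {
    return { showPopup: false, setCookie: null };
  }
  return { showPopup: true, setCookie: buildPopupCookie(now, frequencyDays) };
}

// Constructed demo input: the popup was shown 3 days before "now" and the
// owner has set a 7-day frequency, so it must not be shown again yet.
const demoNow = Date.UTC(2018, 5, 9);
const demoResult = handlePopup({
  cookieString: `${POPUP_COOKIE}=${demoNow - 3 * MS_PER_DAY}`,
  now: demoNow,
  frequencyDays: 7,
  noticeShown: true,
});
console.log(demoResult); // { showPopup: false, setCookie: null }
```

The same functions work in the browser with `document.cookie` as the input string and `document.cookie = setCookie` as the output; on a server they map onto the `Cookie` request header and a `Set-Cookie` response header. Because a visitor can delete or edit the cookie at any time, the code only ever trusts it to delay the popup, never to grant anything.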

Default Opt-in on Checkout page

The obvious implication is that getting valid GDPR consent will noticeably slow your list growth, because people who would have been opted in by default now have to choose to opt in.

Doing more to sell the reason to opt-in will help reduce the impact.

  • Provide visual focus. Whilst pre-ticked opt-ins are often in small font, with light colors and placed so they are easily overlooked, do the opposite. Use large fonts, draw people’s attention to the option with icons, arrows or other elements that attract and guide the eye.
  • Use benefit-based language rather than functional labels: instead of 'notify me', say what the customer gets from the notifications.
When asking for consent, you should check your current forms meet the following criteria:
  • Consent isn’t bundled with other T&Cs – it must stand alone
  • Records are kept of how and when consent was captured
  • The information provided at time of capture is recorded for audit purposes
  • Consent must be freely given
  • The person must be informed about their choice, and what is being consented to must be specific
  • Consent requires a positive affirmative action, which means no pre-ticked boxes: the box must be unticked by default and the customer must tick it themselves

The UK ICO's consent checklist includes the following items:
  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give individual (‘granular’) options to consent separately to different purposes and types of processing.
  • We name our organisation and any third party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

  • MailChimp, collecting consent with GDPR forms: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
  • MailChimp, the EU-Swiss Privacy Shield and the GDPR: https://kb.mailchimp.com/accounts/management/about-mailchimp-the-eu-swiss-privacy-shield-and-the-gdpr