Not only are privacy policies legally required, but Shopify states directly in their Privacy for Merchants agreement that they collect personal information about your users to help power your business. At a minimum, they recommend you post one to your website.
You can use a managed solution, manually fill out a free template, or write one yourself from scratch. Let’s discuss these solutions in a little more detail.
With a managed solution, instead of writing clauses from scratch, all you have to do is answer questions about how your business collects, uses, and shares your customers’ data, and the policy is generated for you.
See what it looks like in the screenshot below.
Use a Template
You can add, remove, and edit existing language and clauses in Microsoft Word or Google Docs so the policy says what you want it to say.
If you like what’s in the template, you don’t have to change, add, or remove anything.
Below, you can see what it looks like.
Do It Yourself
Writing a policy from scratch means you have to identify every law that applies to your store and draft compliant clauses yourself. For this reason, I don’t typically recommend this approach unless you have extensive legal knowledge or access to a lawyer.
To help you determine which ones may apply to your business, I’ve compiled a helpful table explaining the legal threshold for several of the most significant data protection laws worldwide that require entities to post privacy policies.
| Data Privacy Law | Legal Threshold |
|---|---|
| General Data Protection Regulation (GDPR) | Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA), regardless of where the organization itself is based. |
| UK GDPR and the Data Protection Act 2018 | Any organization that processes the personal data of individuals in the UK, including organizations outside the UK that offer goods or services to people there. |
| California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA) | For-profit entities that do business in California and meet at least one of the statute’s thresholds for annual revenue, number of consumers whose personal information is processed, or share of revenue derived from selling or sharing personal information. |
| California Online Privacy Protection Act (CalOPPA) | Any operator of a commercial website or online service that collects personally identifiable information from consumers residing in California. |
| Virginia Consumer Data Protection Act (VCDPA) | Entities doing business in Virginia or targeting Virginia residents that meet at least one of the statute’s thresholds for number of consumers whose personal data is processed or share of revenue derived from selling personal data. |
| Connecticut Data Privacy Act (CTDPA) | Any controller or processor that conducts business in Connecticut or targets products or services at Connecticut consumers and meets at least one of the statute’s thresholds for number of consumers whose personal data is processed or share of revenue derived from selling personal data. |
| Colorado Privacy Act (CPA) | Controllers that conduct business in Colorado or intentionally target commercial products or services at Colorado residents and meet at least one of the statute’s thresholds for number of consumers whose personal data is processed or share of revenue derived from selling personal data. |
| Children’s Online Privacy Protection Act (COPPA) | Any website or online service directed to children under 13 that collects personal information from them, and any general-audience service that has actual knowledge it is collecting personal information from children under 13. |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donor, membership, or fundraising lists. |
| Australia’s Privacy Act 1988 | Australian government agencies, organizations with annual turnover above AUD 3 million, and smaller businesses that fall under one of the Act’s exceptions for small business operators (such as trading in personal information or providing a health service). |
| New Zealand’s Privacy Act 2020 | Any person, organization, or business in the public or private sector that collects and holds personal information about other people. |
| South Africa’s Protection of Personal Information Act (PoPIA) | Any entity domiciled in South Africa that processes personal information, wherever the data subjects are located, and any entity outside South Africa that uses means located in the country to process personal information (for example, by outsourcing its data processing to South Africa). |
In the next section, I’ve summarized nearly every clause a Shopify store’s privacy policy needs to cover.
What Personal Data You Collect
All privacy policies should explain what personal data your website collects from users in one of the first sections.
Mention what personal information you collect and how you collect this data.
To include all the information you gather from your users, go through your Shopify store’s registration process yourself and make a list of the pieces of information you’re required to fill in, such as:
- Email addresses
- Billing addresses
- Shipping addresses
- Phone numbers
- Credit card details (on Shopify, the payment gateway handles the card number itself rather than your store, but the policy still has to disclose that it is collected)
Your Shopify store also probably collects other personal information from visitors, such as:
- Browser type
- IP address
- Device ID
- Cookie data
- What website led a user to your store
Some of this data may not strike you as particularly “personal,” but identifiers like IP addresses, device IDs, and cookie IDs are defined as “personal data” by the GDPR and other privacy legislation. As such, you need to research how Shopify collects and processes this kind of personal information on your behalf so that your policy describes it accurately.
How and Why You Collect the Personal Data
You must also disclose how and why your website uses the personal information you collect to comply with laws like the GDPR, the CCPA, and others.
Discuss in detail why you collect your users’ personal information and make sure you’re only gathering data necessary to fulfill these purposes.
For example, you may be gathering personal information for the following reasons as an ecommerce shop:
- Email addresses for updating customers on their orders and sending marketing emails
- Shipping addresses for shipping customers’ orders
- Payment card details, names, and billing addresses for processing payments
- Cookie data for targeted advertising and security purposes
The GDPR doesn’t allow you to collect personal data unless you have a lawful basis for doing so (such as the user’s consent or performance of a contract) and a specific, stated purpose, and it requires you to collect no more data than that purpose needs.
If You Share the Data With Third Parties
Your Consumer’s Privacy Rights
Almost all privacy laws require you to outline your customers’ privacy rights.
If you fall under more than one law, consider using appropriately named headers to create clauses specific to users protected by each rule so they can easily find this information.
You should also explain in this clause how your users can follow through on their privacy rights.
Under data privacy laws like the GDPR, the CCPA, the VCDPA, and others, cookies and similar tracking identifiers qualify as personal information, and your Shopify store relies on them, so your policy needs to say which cookies you use and why.
Your Data Retention Policy
You can typically only store or keep personal data for as long as necessary to fulfill the purposes you present to users, so state how long you keep each category of data (or the criteria you use to decide) and what happens to it afterward.
Data Safety and Security
Many data protection laws require you to store personal information securely to protect it from data leaks, breaches, and unauthorized access, so describe the safeguards you rely on (for example, encrypted connections, access restricted to staff who need it, and the protections your payment gateway provides) without promising security you cannot deliver.
Updates and Changes to the Policy
Under privacy laws like the GDPR and the CCPA, you must inform users about changes to the policy so they can decide whether they still agree to it, so state how you will announce changes and include the date the policy was last updated.
See how Allbirds handles this clause in their policy below.
Company Contact Information
Fortunately, this is a straightforward process.
To start, log into Shopify and click “Online Store” on the left navigation bar, as shown below.
Next, click on “Pages.” Then, click the green “Add Page” button in the top right-hand corner. You can see an example in the screenshot below.
Again, there’s a screenshot for you to follow below.
Finally, when you’re done, click “Save.”
Fortunately, this is also a simple process. Just follow these easy steps!
First, go to “Navigation” on the navigation bar in your Shopify dashboard, located on the left. I put a screenshot for you below.
Then click “Footer menu” under “Menus.”
Check out another helpful screenshot below.
Now click “Add menu item,” as in the screenshot below.
We’re at the final step!
Click “Add” at the bottom, and you’re done!
What Are Good Examples of Shopify Store Privacy Policies?
Next, let’s spend some time looking at real-life Shopify store privacy policies so you can reference them when you go to make your own.
You can find it highlighted in the screenshot below.
Below, see an example of their well-organized clause informing users about why and how their website collects personal information.
Hiut Denim Co.
Listing out what personal data you collect is a great way to keep your users informed without overwhelming them with a giant wall of text.