Privacy Policy for Shopify Stores

Masha Komnenic CIPP/E, CIPM, CIPT, FIP

January 20, 2022

A privacy policy lets your customers know how you use their data and why you’re collecting their personal information. Having a well-written privacy policy for Shopify isn’t just the right thing to do — it’s also required by law. So, you need to make sure you have one before publishing your Shopify store.

In this post, you’ll learn how to create a Shopify store privacy policy, how to post it on your store and how to link to it properly.

Table of Contents
  1. Is a Shopify Store Privacy Policy Required?
  2. How To Generate a Shopify Privacy Policy
  3. What To Include in Your Shopify Store’s Privacy Policy
  4. How To Add a Privacy Policy Page to Your Shopify Store
  5. How To Link to Your Shopify Store Privacy Policy
  6. Good Examples of Shopify Store Privacy Policies
  7. Summary

Is a Shopify Store Privacy Policy Required?

Yes, you need a privacy policy for your Shopify store because it’s required by law.

According to laws such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, websites with users in certain regions and states must abide by certain rules and standards when creating privacy policies. We’ll cover these requirements in more detail later in this article.

Having a privacy policy for your store is also required by Shopify’s own privacy policy.

Under the “Your customers’ information” section, Shopify’s privacy policy states that you are responsible for ensuring that your customers know how you collect and process their personal information.


You can do this by posting a privacy policy that lays out the personal information you collect, whom you share it with, and how you use it.

You should also have a privacy policy for Shopify because:

  • It builds trust with customers: One of the best reasons you need a privacy policy — especially for Shopify stores — is to show your customers that you care about their safety and want them to know their rights. Having one indicates that you’re a transparent company that prioritizes ethics and compliance over profits.
  • It limits your legal liability: You can get into legal trouble if you don’t have a valid privacy policy because various regulations around the world require it.
  • It’s the right thing to do: Finally, having a privacy policy for Shopify is the right thing to do. Users deserve to know what you’ll be doing with their data and how they can modify, change, or delete information they’ve already given you.

How To Generate a Shopify Privacy Policy

There are three main ways to create a Shopify store privacy policy.

Managed Solution (Recommended)

If you don’t have much time on your hands — or don’t want to worry about getting things right — consider using our privacy policy generator.

We will automatically generate a privacy policy for you to put on your Shopify store. Instead of writing clauses from scratch, all you have to do is answer questions about how your business handles and uses your customers’ data.

Create a Privacy Policy for Shopify With Termly

Here’s how you can use Termly’s generator to create a comprehensive privacy policy for your Shopify store:

Step 1: Go to Termly’s privacy policy generator.

Step 2: Answer a few simple prompts and questions, and go through all of the steps until you reach “Final Details.”


Step 3: Once you’ve filled in everything and you are satisfied with the preview, click “Publish.” You will then be prompted to create an account on Termly so you can save and edit your privacy policy further.

Use a Template

If you have more time on your hands and want to write some clauses or language from scratch, you can check out and use our privacy policy template.

This template comes with all of the sections you need to create a privacy policy for Shopify. However, you’re not limited to what’s already in the template.

You can add, remove, and edit existing language and clauses in Microsoft Word or Google Docs, so the policy says what you want it to say. On the other hand, if you like what’s in the template, you don’t have to change, add, or remove anything.

Do It Yourself (Not Recommended)

Finally, if you want complete control over the privacy policy creation process, consider adopting the do-it-yourself approach. You’ll be able to create a privacy policy that says what you want it to say, but if you don’t know what it needs to say, then stay away from this option.

If you want to go this route, read our guidelines below on how to write your Shopify privacy policy.

What To Include in Your Shopify Store’s Privacy Policy

You need to cover several things in your Shopify store’s privacy policy. First, let’s look at what Shopify itself requires you to have in your policy.

What Shopify Requires You To Include in Your Privacy Policy

According to Shopify, you need to mention the following. Some of these may overlap with what the law requires you to include anyway.

1. How you collect personal information

This should be one of the first sections of your privacy policy. Mention what personal information you collect and how you collect this data.

To include all the information you gather from your users, go through your Shopify store’s registration process yourself and make a list of the pieces of information you’re required to fill in, such as:

  • Names
  • Email addresses
  • Billing addresses
  • Shipping addresses
  • Phone numbers
  • Credit card details

Your Shopify store also probably collects other personal information from visitors, such as:

  • Browser type
  • IP address
  • Device ID
  • Cookie data
  • What website led a user to your store

Some of this data may not strike you as particularly “personal,” but it is defined as “personal data” by the GDPR and other privacy legislation. As such, you need to research how Shopify processes and collects this kind of personal information on your behalf.

2. How you use personal information

You also need to disclose how your website uses personal information. Discuss, in detail, why you collect your users’ personal information and make sure you’re gathering only the information you need to gather.

For example, you may be gathering personal information for the following reasons as an ecommerce shop:

  • Email addresses for updating customers on their orders and sending marketing emails
  • Shipping addresses for shipping customers’ orders
  • Payment card details, names, and billing addresses for processing payments
  • Cookie data for targeted advertising and security purposes

3. Your customers’ privacy rights

Almost all privacy laws require you to outline your customers’ privacy rights.

Make sure to mention the following:

  • What users can do to change, modify, or delete their personal information
  • What users can do to opt out of cookies and other tracking methods
  • Whom users can contact if they have any questions about their privacy rights

What the Law Requires You To Have in Your Shopify Privacy Policy

You also need to make sure your Shopify privacy policy complies with data privacy laws.

You should consider including language that covers all of the requirements below regardless of where you and your users are located because anyone from any country can access your website.

General Data Protection Regulation (GDPR)

The GDPR sets an extremely high bar for privacy regulation. By referring to it for your privacy policy, you’ll be able to cover most, if not all, of your bases.

You need to comply with the GDPR as long as you deal with the personal data of EU residents. This means that even if you’re located in the US — and most of your customers are from the US — as long as you have one user from the EU, you need to create a GDPR-compliant privacy policy.

Here’s what you need to add to your Shopify privacy policy to make it GDPR compliant:

  • Your Shopify site’s contact details: List your shop’s representative’s name and contact information.
  • Your data protection officer’s contact details: The GDPR requires you to appoint a DPO in certain circumstances. If your Shopify store falls under one of these categories, you need to include your DPO’s contact details in your privacy policy.
  • Your EU representative’s contact details: If you’re a data controller located outside the EU, you may need to appoint an EU representative for your Shopify site. Include your EU representative’s name and contact information in your privacy policy so your EU users can contact them as needed.
  • Whether you’re using an automated decision-making system and how you’re using it: This probably doesn’t apply to most Shopify stores. However, if you’re using such a system for your Shopify site, talk about how you set it up and the possible consequences of using this system.

California Online Privacy Protection Act (CalOPPA)

CalOPPA is a less comprehensive version of the GDPR. However, there are two requirements that are unique to it.

First, CalOPPA requires you to tell your customers whenever you update your store’s privacy policy. You need to put the last effective date of your privacy policy at the top of your privacy policy webpage so people know what version of the policy they’re reading. You also need to tell your customers how they can receive updates about your privacy notice.

Second, Section 22577 of the law requires you to put a link to your privacy policy in a conspicuous area:


To comply with CalOPPA, you need to make sure that your privacy policy hyperlink:

  • Has the word “privacy” in it
  • Stands out from the surrounding text (i.e., it uses a different color, size, or font)

Children’s Online Privacy Protection Act (COPPA)

If your Shopify store collects personal information from children under the age of 13, make sure that your privacy policy complies with the Children’s Online Privacy Protection Act.

COPPA is a US law, but it applies to every company or website that collects information from children in the US who are under the age of 13.

For your store’s privacy policy to comply with COPPA regulations, it should have a section that explains how you collect and handle children’s personal data. You also need to outline the rights that their parents have over their data.

California Consumer Privacy Act (CCPA)

An office or physical presence is not required in California (or the United States) for a business to fall under the CCPA scope — so you must comply with the CCPA if your company collects data from California residents and meets at least one of the following thresholds:

  • You have annual gross revenues of at least $25 million.
  • You derive 50% or more of your annual revenues from selling Californian consumers’ personal information.
  • You annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of over 50,000 consumers, households, or devices in California.

Writing a CCPA-compliant privacy policy for Shopify is a lot like drafting a GDPR-compliant privacy notice. The main difference is that you don’t have to appoint an EU representative. Just modify the language to fit the CCPA requirements. Otherwise, you should cover the same points.

The CCPA gives California consumers the right to request that you delete their personal information and request that you provide them with a copy of their personal information.

Shopify has built-in features that allow you to do this, and a dedicated page that explains how to use its services in a CCPA-compliant way.

How To Add a Privacy Policy Page to Your Shopify Store

After you’ve created a privacy policy, it’s time to add it to your Shopify store.

Here’s how you can add a privacy policy page to Shopify step-by-step:

Step 1: Log in to Shopify and click “Online Store” on the navigation bar on the left.


Step 2: Click on “Pages.” Then, click on the green “Add Page” button in the top right-hand corner.


Step 3: Type “Privacy Policy” into the title field of the new page. Then, paste your privacy policy into the content field.


Step 4: When you’re done, click “Save.” Your store’s privacy policy will now be added to your Shopify dashboard, which means you’ll be able to link to it throughout your shop.


How To Link to Your Shopify Store Privacy Policy

Most ecommerce privacy policies are linked to from within a website footer.

Here’s how you can add a link to your privacy policy on your Shopify store:

Step 1: Go to “Navigation” on the navigation bar on the left.


Step 2: Click “Footer menu” under “Menus” because you want to add your privacy policy to your footer.


Step 3: Then, click “Add menu item.”


Step 4: A sidebar will pop up from the right. Type “Privacy Policy” as the name and search for your recently published privacy policy page. Click “Add” at the bottom, and you’re done!


Good Examples of Shopify Store Privacy Policies

Here are some great examples of Shopify store privacy policies you can reference.

Partake Foods

Partake Foods, a snack company, has an easy-to-access link to its privacy policy in its footer:


The actual privacy policy covers a lot of information, but it’s easy to absorb because everything is sorted into sections.

Here’s an example of a well-organized section that tells users why and how the website is collecting their information and what types of personal information it’s collecting:


Hiut Denim Co.

Hiut Denim Co. is a U.K.-based clothing retailer. It has a minimalistic footer with a clear link to its privacy policy:


Like the footer, the privacy policy is also quite simple. However, it’s just as comprehensive as Partake Foods’ privacy policy. Instead of writing everything out in full sentences, Hiut Denim uses lists:


This is a great choice on the company’s part because lists require less time to read and can be concise. They’re also less intimidating, which means users are more likely to read and absorb the information in this privacy policy.


Summary

Before you publish your Shopify store, make sure you have a valid privacy policy for it. A privacy policy is required by Shopify itself and data privacy laws worldwide, such as the GDPR, CalOPPA, CCPA and COPPA.

Another reason you should include a privacy policy on your Shopify store is that it’s the right thing to do. Your customers deserve to know what information you’ll be collecting from them and what rights they have to delete or change the information they’ve given you.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...
