We have easy-to-use eCommerce platforms like Shopify to thank for making it possible for small business owners to reach a worldwide audience in just a few clicks!
The beauty of Shopify is in all the possibilities that it offers: from being able to get a store online in a matter of minutes by using an existing theme to using the services of a professional to create a fully custom website, the options are endless.
Whether you are an eCommerce newbie or an experienced online seller, you need to make sure that you remain compliant with all applicable laws, including the ones protecting the privacy of your potential and existing customers.
PRO TIP: Take the hassle of writing your own privacy policy away with our privacy policy generator trusted by over 200,000 businesses. It’ll save you hours of work and possible costly legal mistakes.
Why Do You Need a Privacy Policy For Your Shopify Store?
If you operate a transactional website, such as a Shopify store, you are no doubt processing personal information – whether you realize it or not.
From the moment a potential customer lands on your website and signs up to your email list to receive a promotional offer to when that person finally checks out and provides you with their name, shipping address, and credit card details, you have collected information that could be used to identify them and thus can be considered personal.
Required by Law
Nowadays, most countries have enacted privacy laws that provide guidelines as to how businesses should go about informing, collecting, handling, and processing the personal information of their residents.
While you likely have a target market for your products, chances are that you will get some visitors and potential customers from other countries – even if they don’t purchase right away, they might decide to sign up to your newsletter or create an account to save their favorite items for later.
These are all ways in which you can be involuntarily collecting personal information from international customers, hence the need for a privacy policy that takes into account the global laws that may apply to your business, and not just the laws of the country in which your business is based.
Europe
The General Data Protection Regulation (GDPR) applies to businesses that either operate in the European Economic Area (EEA) or that process the data of people located in the EEA.
Under the GDPR, those businesses have to have a privacy policy that is easily accessible and understandable in order to obtain affirmative and clear consent from users before collecting any personal information. To be GDPR-compliant, a privacy policy must fulfill some basic requirements and contain all the essential elements mentioned in this piece of legislation.
Failure to comply with the GDPR can have some serious implications, notably in the form of monetary penalties. Have a look at our article How to Write a GDPR Compliant Privacy Policy to learn more.
United States
In the United States, while there is to date no privacy legislation at the federal level, the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) should be taken into account.
While the CalOPPA requires that any commercial website that collects personal information from California residents have a conspicuously placed privacy policy that explains how that information is collected, used, and shared, the CCPA requires that users be served with a notice at collection, at or before the time personal information is collected (this notice needs to link to a privacy policy that is updated on a yearly basis).
Australia
If you’re a bigger business with an annual turnover of more than $3 million (or are a smaller organization that buys or sells personal information, provides health services, or is otherwise targeted by this piece of legislation), you will need to comply with Australia’s Privacy Act of 1988 and its Australian Privacy Principles.
This means that you will need to have an updated and clearly expressed privacy policy available free of charge, in an appropriate format and that contains all the information required under the law.
Worldwide
Many countries other than the ones mentioned above require that businesses take steps to protect the personal information that they collect from their residents, and require privacy policies in order to provide those residents with transparency and control over the data that they share.
Before you start doing business online, stop and take a moment to consider which laws apply to you (i.e. where your customers could potentially be located) and make sure that you have an all-encompassing privacy policy before collecting personal information from your website visitors.
Required by Shopify
Now, if the fact that a privacy policy is required by law isn’t enough for you, Shopify itself requires that you have one in its terms of service, which includes their privacy policy and a section that is applicable to merchants.
This section specifies that because you, as a Shopify store owner, ultimately decide what information is collected from your customers and how it will be used, you have the responsibility to let them know how both you and Shopify treat their personal information.
It specifically mentions that you should do so by “at a minimum” having a privacy policy on your store. It also states that this privacy policy should address: what information both you (and Shopify on your behalf) collect, how you use the information collected and who you share it with (likely third-party integrations such as payment processing service providers and marketing analytics tools).
Shopify reserves the right to suspend or terminate accounts at any time, without notice, and for any reason. Failing to comply with their terms of service by not having a privacy policy on your store could potentially give them a reason to cancel your account and, if this is the only eCommerce platform that you use, your business. Don’t risk it!
How To Write a Privacy Policy For Your Shopify Store?
First things first, you will want to analyze your website and consider all the ways in which you may be collecting personal information from your website visitors.
This could include collecting their:
- IP address when someone lands on your homepage
- Name and email address when they sign up for your email list or create an account
- Home address and telephone number when they make a purchase and enter their shipping information
- Credit card details when they proceed to make a payment
- Usage data, gender, and location if you use marketing analytics tools such as Google Analytics
Additionally, consider all the plug-ins or applications that you have added to your Shopify store. Whether it is a payment processing provider, a currency conversion tool, or a shipping tool that integrates with your store, the personal information of your customers is likely being shared with these third parties, as they need it in order to provide their services.
Then, you can think about writing a privacy policy that will provide transparency to your future customers, make them trust you, and give them a way to contact you should they have any questions in regards to your data collection practices.
This privacy policy should notably address:
- What personal information you collect
- How you collect that personal information
- How you use that personal information
- If and why you share that information with third parties (payment processors, shipping providers, etc.)
- How long you will be holding on to that data and how you will protect it from unauthorized access
- If you use cookies and other similar tracking technologies
- Your contact information
- Any other elements required by the various privacy laws that may be applicable to your business (the lawful basis for processing, rights of the data subjects, contact information for your data protection officer, etc.)
Whether you choose to retain the services of an attorney to draft your privacy policy or use a privacy policy generator, you should be reviewing it regularly to make sure that it remains relevant and compliant with ever-changing privacy laws – our generator provides you with automatic updates so that you can focus your attention on your online store.
How To Add a Privacy Policy on Shopify?
Adding a privacy policy to your Shopify store couldn’t be easier!
1. Log in to your Shopify account and, from the admin screen, navigate to Settings – click on Legal.
2. Copy and paste the privacy policy that you have generated in the box:
3. Hit Save and voilà, you have just added a privacy policy to your Shopify store!
Alternatively, you could choose to manually create a new page in your Shopify admin menu by clicking on Online Store and Pages.
Click Add page, enter the title and text of your privacy policy and hit Save.
Note: if you have an additional or temporary policy such as for Black Friday, holidays, or a pandemic, manually adding a page could be the way to go.
Where To Display Your Privacy Policy?
You should make your privacy policy easily accessible and hard to miss.
By following the steps above, a link to your privacy policy will automatically be added to your checkout page’s footer. However, you will want to add a reference to it in other places – most importantly your website footer.
In addition, it is good practice to make reference to your privacy policy anytime you collect personal information from your customers: at the time of account creation, during the checkout process, when filling out a customer service request, with any pop-up that prompts users to share their email address, etc.
To add your privacy policy to your store’s menus:
1. Go to your Online Store and click on Navigation
2. Select the menu in which you want to add your privacy policy (such as the Footer menu)
3. Click on Add menu item, type in Privacy Policy
4. Click on Link and Policies – select your privacy policy from the drop-down or, if you chose to create a new page, add the link to the page that hosts your privacy policy.
5. Click on Add and Save menu
Shopify Privacy Policy Examples
Crabtree & Evelyn
Body care and fragrance retailer Crabtree & Evelyn’s website is powered by Shopify.
As soon as new website visitors land on its homepage, they are served with this pop-up offering 15% off their first order in exchange for their email address:
Notice that the retailer mentions under the sign-up button that “by providing your email address, you agree to our Privacy Policy and Terms of Service”.
Said privacy policy is accessible through the website footer under Terms & Conditions:
There, visitors can see all policies at a glance: the terms of sale, privacy policy, cookie policy, terms of use, and promotions and competitions are all hosted on one page, which makes it easy to navigate.
The privacy policy is fairly straightforward and addresses both the personal information collected by Crabtree & Evelyn as volunteered by the customer under the circumstances below:
And the one collected automatically by the retailer:
Crabtree & Evelyn addresses the measures taken to protect the personal information of their customers:
The retailer mentions that it shares information with service providers, such as shipping, customer service, and fraud detection companies, and specifically mentions its use of Google Analytics, which collects personal data from website visitors.
This is a good reminder, as a Shopify store owner, to check the terms of use of the third-party services that you use; some, such as Google Analytics, require that users have a privacy policy in place in order to be able to use their services.
Bailey Nelson
Eyewear retailer Bailey Nelson sells optical glasses and sunglasses both online and through brick-and-mortar locations. Like many retailers, Bailey Nelson has chosen Shopify as its eCommerce platform.
Its privacy policy is accessible through its website footer:
And is also referenced during the checkout process, where shoppers have to confirm having read, understood, and agreed to the terms of use and privacy policy:
Bailey Nelson makes it clear to shoppers what types of personal information may be collected about them:
Note that the mention of sensitive information is very specific to this retailer, as it holds deeply personal data about its customers such as prescriptions, medical histories, and medication regimes.
This is the UK version of Bailey Nelson’s privacy policy, thus the reference to its legal basis for processing information – consent and performance of a contract – under the GDPR.
When explaining how it shares information with third parties, Bailey Nelson specifically mentions Shopify:
It is common practice to do so and to explain for what purposes, as well as to link to those third parties’ respective privacy policies.
Outdoor Voices
US-based activewear retailer Outdoor Voices has a significant online presence and has chosen Shopify to sell direct-to-consumer.
Scrolling down to the footer of the website, one can see that the privacy policy and terms are made accessible, next to the email newsletter sign-up form:
Customers are also reminded of its existence during the checkout process when prompted to give their phone number, which is optional:
The privacy policy itself is easy to navigate as the clickable table of contents allows shoppers to see everything at first glance and read the sections that are of particular interest to them.
Outdoor Voices does a good job of explaining what information it collects from website visitors by using plain language and bullet points:
Being based in the United States, Outdoor Voices likely has a good number of Californian customers. For that reason, its privacy policy includes a section dedicated to the CCPA:
It specifically mentions the right of California residents to request details about how their information is shared with third parties for direct marketing purposes:
As you can see, there is no one-size-fits-all privacy policy. The location of your customer base needs to be taken into account in order to ensure that you are complying with all international privacy laws that may apply to your Shopify store.
Final Words
Whether you have already started selling online or are just in the planning phases of your eCommerce business, it’s never too late to start thinking about your privacy policy or to give it a bit of a refresh.
Note that while you have the option to generate a privacy policy directly in Shopify, you do remain responsible for its content and for ensuring that all elements pertaining to your business, privacy practices, and applicable legislation are included.
And ensuring that’s the case doesn’t have to be complicated. Once you have identified where you operate, where your potential customers could be located, which privacy laws apply to you, and which third-party services and plug-ins you will be using (as well as their respective requirements), give our privacy policy generator a try – it will ask you easy-to-answer questions and generate a custom privacy policy for your Shopify store in a matter of minutes.
For more information, read our detailed guide on privacy policies.