StoreComplyStoreComply
Start free
GDPR··8 min read

GDPR Compliance Checklist for Shopify Stores

Complete GDPR compliance checklist for Shopify merchants. Covers privacy policies, cookie consent, data requests, DPA records, and app audits for EU customers.

Selling to EU and UK customers from a Shopify store triggers GDPR obligations regardless of where your business is based. Compliance is not a one-time task—it requires the right legal pages, consent mechanisms, data handling processes, and ongoing monitoring of your app stack. Use this checklist to audit your store and close gaps before they become complaints or fines.

Legal Foundation

Start with documentation. GDPR requires transparency about how you process personal data and a lawful basis for each processing activity.

  1. Publish a comprehensive privacy policy linked from every page footer
  2. Create a separate cookie policy listing all cookies with purpose and duration
  3. Publish terms of service and a clear refund policy
  4. Identify your lawful basis for each data processing activity (consent, contract, legitimate interest)
  5. Name a contact email or DPO contact for data protection inquiries
  6. Document your data retention schedule for orders, accounts, and marketing lists

Cookie Consent and Tracking

Cookie compliance is where most Shopify stores fall short. Any non-essential cookie—analytics, advertising, social media—requires opt-in consent before it is placed on a visitor's device.

  • Deploy a cookie banner with Accept, Reject, and granular category controls
  • Block all non-essential scripts until the visitor opts in
  • Enable Google Consent Mode v2 if using Google Analytics or Google Ads
  • Configure Meta Pixel and other ad tags to respect consent signals
  • Provide a persistent link to change or withdraw cookie preferences
  • Log consent records with timestamp and policy version

Shopify channels

Check Settings → Customer events and your Google & YouTube and Facebook sales channels. These inject tracking code that your theme banner may not control without a dedicated compliance tool.

Customer Rights and Data Requests

GDPR grants EU residents the right to access, rectify, erase, restrict, port, and object to processing of their personal data. Your store must have a process to handle these requests within one month.

  1. Set up a data request workflow—Shopify's customer privacy tools help with erasure and export
  2. Train whoever handles support to recognize and escalate GDPR requests
  3. Verify requester identity before disclosing or deleting personal data
  4. Document each request, your response, and the completion date
  5. Honor objections to marketing and remove customers from email lists promptly

Third-Party Apps and Data Processors

Every Shopify app that touches customer data is a data processor or sub-processor. You are responsible for ensuring they handle data appropriately.

  • Audit all installed apps and list them in your privacy policy
  • Review each app's privacy policy and data processing terms
  • Remove apps you no longer use that still have store access
  • Sign data processing agreements (DPAs) with major processors where available
  • Check whether apps transfer data outside the EU and document safeguards

Marketing and Email Compliance

Email marketing to EU contacts requires consent under GDPR, separate from cookie consent. Checkout marketing checkboxes must be unchecked by default. Document when and how each subscriber opted in.

Email checklist items

  • Use unchecked opt-in checkboxes for marketing at checkout and signup forms
  • Include unsubscribe links in every marketing email
  • Sync email platform suppression lists when customers request erasure
  • Avoid buying email lists or adding customers without explicit consent

Security and Breach Preparedness

GDPR requires appropriate technical and organizational security measures. While Shopify handles platform security, you are responsible for account access, app permissions, and breach notification if personal data is compromised through your store's configuration.

Streamlining Compliance with Tools

Working through this checklist manually takes significant time, especially cookie auditing and policy writing. StoreComply generates GDPR-aligned privacy and cookie policies from your store profile, hosts them on stable URLs, and deploys a consent banner with choice logging—covering many of the highest-risk items on this list in a single setup flow.

Ongoing Maintenance

Schedule quarterly reviews. Review your app and marketing stack after installing new apps, launching ad campaigns, or expanding to new markets. Update policies when your data practices change. GDPR compliance is a process, not a checkbox you tick once.

Frequently asked questions

Does GDPR apply to my Shopify store if I am based in the US?
Yes, if you offer goods or services to EU or UK residents. GDPR applies based on where your customers are located, not where your business is registered.
What is the biggest GDPR risk for Shopify stores?
Running analytics and ad tracking cookies without proper consent is the most common violation. Many stores have a banner that does not actually block scripts, creating a false sense of compliance.
How do I handle GDPR data deletion requests on Shopify?
Use Shopify's customer data erasure tools in the admin. Also request deletion from connected apps and email platforms. Document the request and confirm completion to the customer.
Do I need a Data Processing Agreement with Shopify?
Shopify provides a DPA as part of its terms for merchants processing EU customer data. Review it and ensure your app vendors offer DPAs as well.

Skip the template hunt

StoreComply builds privacy policy, terms, and a cookie banner from your store setup — preview policies free, subscribe to publish hosted pages and your live banner.

Generate my policies free →See pricing

No credit card required to preview

Related guides