Shopify 8 min read·

Shopify and GDPR: The 5 Settings to Enable Immediately

Shopify is not GDPR compliant by default. Customer Privacy, Meta Pixel, data retention: 5 settings in your Shopify admin can prevent a CNIL formal notice. Here's exactly where to click.

The 5 Essential Settings

1
Enable Customer Privacy (native consent banner)
Settings > Customer Privacy > Enable privacy banner

Configures consent mode to block marketing pixels (Google Analytics, Meta Pixel, TikTok Pixel) before the Accept click. REQUIRED for stores targeting EU customers.

2
Configure Meta Pixel channel in Conversions API mode
Marketing > Sales channels > Facebook & Instagram > Data sharing settings

Select 'Maximum' to enable server-side Conversions API. This reduces exposure to client cookies while maintaining conversion measurement. Enable Restricted Data Use (RDU) for EU customers.

3
Configure data retention periods
Settings > Customer Privacy > Data retention

Enable automatic anonymization request for inactive customers after 3 years (CNIL recommendation). Billing data is retained 10 years (accounting obligation) but marketing data can be anonymized.

4
Sign and customize the Shopify DPA
Settings > Legal > Data Processing Agreement

Accept the Shopify DPA and download it (keep timestamped copy). Add an amendment if you process special category data (health, minors). This DPA covers Shopify as a sub-processor.

5
Update the privacy policy
Settings > Legal > Privacy Policy

Complete the Shopify template with: list of each third-party app (Klaviyo, Omnisend, etc.) + purpose + country + legal mechanism. Mention DPF for transfers to Shopify USA. Add customer rights (access, erasure, portability) with contact address.

Verify your Shopify pixels are blocked before consent

Even after Customer Privacy configuration, some scripts may still fire. RGPDScan checks in 60 seconds.

Riskiest Shopify Apps for GDPR

KlaviyoHigh

JS tracker depositing cookies before consent if Customer Privacy not configured

OmnisendModerate

DPA available, but configure integration with Customer Privacy mode

HotjarHigh

Session recording = profiling. Must block via cookie banner

Google & YouTubeHigh

Official Shopify channel deposits cookies before consent if not configured

StripeLow

DPF certified, DPA available, EU servers available

Going Further

Frequently Asked Questions

Is Shopify GDPR compliant by default?
No. By default, Shopify enables analytical and marketing tracking before any consent. The Customer Privacy feature must be manually activated in Settings > Customer Privacy. Without it, Google Analytics and Meta Pixel cookies are deposited before consent.
Is Shopify GDPR certified?
Shopify Inc. is a Canadian company with servers in the USA and Canada. Shopify offers an Art. 28-compliant DPA (accessible in Settings > Legal > Data Processing Agreement). Canada has an EU adequacy decision for PIPEDA. Shopify is also DPF-certified for EU-USA transfers.
Can Meta Pixel be used on Shopify in France?
Yes under conditions: enable Customer Privacy to block the Pixel before consent, use server-side Conversions API to reduce client fingerprinting, sign the Meta DPA. Without these configurations, the Pixel fires before consent — CNIL violation.
How long does Shopify retain customer data?
By default, Shopify doesn't automatically delete inactive customer data. CNIL recommends 3 years of inactivity before deletion. Configure in Settings > Customer Privacy > Data anonymization request. Or export then manually delete.
Is the privacy policy generated by Shopify sufficient?
Not completely. The Shopify generator creates a base but doesn't list your specific third-party apps (Klaviyo, Omnisend, Gorgias...). Customize by adding each sub-processor with its purpose, country, and transfer mechanism.
Should unused Shopify apps be uninstalled for GDPR?
Yes. Every installed app can access customer data even if inactive. Uninstalling unused apps = reducing risk surface. Check regularly in Settings > Apps and remove residual access.

Audit your Shopify store in 60 seconds

Pixel detection, cookies before consent, non-compliant apps. Free detailed GDPR report.