Are your themes GDPR compliant?

The European Union's new General Data Protection Regulation, or GDPR, became effective May 25, 2018.

Our themes primarily control the design of your store.  Since this is the case, themes are not directly involved in collecting, processing or storing personal information.  This information is not stored within the theme itself, but within Shopify's servers (or third-party servers in the case of some app integrations).

Below are some useful links about GDPR compliance with relation to Shopify and third-party app developers:

• Learn about Shopify's GDPR compliance
• Learn about server configurations controlled by Shopify
• Apps that offer third-party consent or cookie notices
• For third-party app compliance, please contact the app developer directly

Forms

Our themes do not directly process or store personal information submitted via the forms included in themes.  This functionality is handled by Shopify's servers. You may wish to review the header and description text around each form to ensure that it clearly describes the purpose of each form and that personal information is collected, stored and used for marketing purposes.

This includes these forms:

• Contact forms
• Newsletter sign up forms
• Account creation forms
• New password request forms

To change the text that appears near your forms, you can edit your theme language file, change the text within theme settings, or edit the text on the page where the form appears.

Am I required to add a consent checkbox to forms?

At this time, our themes do not include a "consent" checkbox on any forms that are used within the theme.  It is important to note that Shopify has not required consent checkboxes to be added as part of its own GDPR compliance efforts. We have followed-suit in our themes.

Here are the official statements on consent checkboxes from Shopify's legal team:

"In regard to adding additional checkboxes to the newsletter sign-up form or to the cart page, specifically, the checkbox function is unable to gather or store the information that is required under the GDPR, so it would not provide any meaningful benefit to add it to your site. This means that adding the checkbox remains an unsupported customization under the Shopify design policy.

"Many merchants are getting misinformation from blogs that make scary articles that people click on, or bad advice from lawyers who don't understand technology ... But the checkbox to consent to a newsletter is not necessary. If if was added though, it would need some way to show the merchant a record of the consent they have received."

Instead of a checkbox, you may want to consider including such consent notices in the header and description text of forms. It is also worth considering if the language you use clearly states that personal information is collected and used for marketing and other requirements of GDPR.

It should also be noted that adding a checkbox to any form does not make your store automatically GDPR compliant. There are other areas of your business or theme that may need to be modified in order to be compliant with GDPR.

If you would still like to add a checkbox to such forms, this will require code customization that falls outside the scope of our free theme support and will be subject to quote.  You can contact us if you would like a quote to add this.

Another option is to use your mailing list provider's form builder to create an embedded form that has a required checkbox. All of the major services offer such a form builder, and can provide instructions on how to install it.

What about the "new account" form?

When your customers fill out the account creation form, the "accepts marketing" checkbox is unchecked by default.  So unless the customer specifically checks this box, they will not be automatically enrolled to receive marketing email.

How about checkout?

During the checkout process, you have the option to display a checkbox for a user to opt in to receiving promotional material from you under Settings > Checkout > Order processing.  If you wish to change these settings, here are instructions to do so.

What about cookies?

All of our themes use a cookie in the entry popup feature.  This cookie stores information about when a user last visited your site to determine when or if the popup should appear again for that user. This cookie expires after a set number of days, as defined by the store owner in theme settings.

These cookies are not associated with any personal information and do not contain a unique identifier, though third-party tracking or other apps may add this functionality. Contact your app developers for further details on GDPR compliance.

All of these cookies may also be deleted by the user at any time. If you are concerned over GDPR compliance when using the entry popup feature, it can always be disabled in theme settings.

If you need to add a cookie acceptance feature to your theme, there are many third-party apps you can use, or you can try this free tool. If using the free tool, you will need to paste the code it generates and in the theme.liquid file just before the </head> tag.

Learn more

GDPR may also affect many other areas of your business as well. For details on if these activities are compliant, contact a licensed attorney or see Shopify's GDPR resources.