14 min read•Checklist

Shopify GDPR Compliance Checklist

GDPR compliance is not optional if you sell to EU or UK customers. Use this 67-point checklist to protect your customers and your business.

67 items8 sections

Why GDPR Matters

GDPR applies if you process data from EU or UK customers, regardless of where your business operates. Non-compliance carries fines up to 20 million euros or 4% of annual turnover. Important: This checklist provides general guidance, not legal advice. Consult privacy lawyers for advice specific to your circumstances.

0 of 67 completed

Cookie Consent

0 of 9 completed

Cookie banner displayed to EU/UK visitors

Banner blocks non-essential cookies until consent

Clear options to accept or reject cookies

Granular consent options (analytics, marketing, etc.)

Easy way to change preferences later

Cookie policy explains each cookie's purpose

Consent recorded and auditable

No pre-ticked consent boxes

Essential cookies clearly identified

Data Collection & Consent

0 of 8 completed

Only collect data that's necessary

Marketing opt-in is separate from account creation

Newsletter signup uses double opt-in

Consent is freely given, specific, and informed

Record of consent stored (timestamp, what agreed to)

Checkout marketing opt-in is not pre-ticked

Clear explanation of what subscribers will receive

Easy unsubscribe in every marketing email

Customer Rights

0 of 8 completed

Process for customers to access their data

Process for customers to correct their data

Process for customers to delete their data

Process for customers to export their data

Respond to requests within 30 days

Verify identity before fulfilling requests

Document all data requests and responses

Train staff on handling data requests

Third-Party Apps & Services

0 of 8 completed

Audit all apps that access customer data

Ensure apps have GDPR-compliant privacy policies

Have data processing agreements with vendors

List all third parties in privacy policy

Review data retention policies of third parties

Understand where third parties store data

Remove apps that don't need customer data

Review app permissions regularly

Email Marketing Compliance

0 of 8 completed

Only email customers who have opted in

Include unsubscribe link in every email

Honour unsubscribe requests promptly

Include physical address in emails

Don't purchase email lists

Segment by consent type

Re-permission old lists if consent unclear

Document consent for email subscribers

Data Security

0 of 8 completed

SSL certificate active (Shopify default)

Strong passwords required for staff accounts

Two-factor authentication enabled

Staff access limited to necessary data only

Regular review of who has data access

Process for reporting data breaches

Breach notification plan in place (72 hours)

Data encrypted in transit and at rest

Documentation & Training

0 of 8 completed

Data processing activities documented

Legal basis for each processing activity recorded

Staff trained on GDPR requirements

Data protection officer appointed (if required)

Regular compliance reviews scheduled

Keep records of compliance efforts

Update policies when practices change

Stay informed of regulatory updates

Beyond Compliance: GDPR as Competitive Advantage

While many stores view GDPR as burdensome regulation, forward-thinking retailers recognise it as an opportunity. Research shows 86% of consumers report privacy concerns, and 78% consider a company's privacy practices when making purchase decisions.

GDPR Core Principles

Lawfulness

You need legal basis for processing data

Transparency

Customers must understand what you do with their data

Purpose Limitation

Use data only for stated purposes

Data Minimisation

Collect only what is necessary

The Business Case for Compliance

✓Higher quality email lists from explicit consent requirements
✓Reduced tracking bloat from auditing which tools actually add value
✓Increased trust that improves conversion rates
✓Future-proofing against expanding global privacy regulations

Key Penalties

20M euros

Maximum fine

Of annual global turnover

Essential First Steps

Start with these fundamental compliance requirements:

1. Install a cookie consent banner

Block non-essential cookies until visitors consent. Many Shopify apps provide compliant solutions.

2. Update your privacy policy

Clearly explain what data you collect, why, and who you share it with. Link it from every page.

3. Fix your email consent

Remove pre-ticked marketing checkboxes at checkout and newsletter signups. Consent must be explicit.

4. Audit your apps

List all apps that access customer data. Check their GDPR compliance and add them to your privacy policy.

Related Checklists

Combine GDPR compliance with broader best practices:

Launch Checklist →

Include compliance from day one

Security Checklist →

Protect the data you collect

Email Marketing →

Compliant email practices

Analytics Checklist →

Privacy-compliant tracking setup

Frequently Asked Questions

GDPR applies if you sell to customers in the EU or UK, regardless of where your business is located. If you ship to Europe, accept European payment methods, or advertise to European audiences, you must comply. Non-compliance can result in fines up to 20 million euros or 4% of annual global turnover, whichever is higher. Even small stores face enforcement risk, so compliance is essential.

Essential cookies are strictly necessary for your store to function (shopping cart, checkout, security, load balancing). These do not require consent. Non-essential cookies include analytics (Google Analytics), marketing (Facebook Pixel), personalisation, and third-party embeds. These require explicit consent before loading. Cookie consent banners must give users genuine choice to reject non-essential cookies.

Yes, if you sell to EU or UK customers. GDPR applies based on where your customers are located, not where your business operates. A US-based store selling to UK customers must implement cookie consent for those visitors. Use geolocation to show consent banners only to EU/UK traffic if preferred, though many stores find universal consent banners simpler to maintain.

No. GDPR requires active, explicit consent. Pre-ticked boxes do not constitute valid consent. Users must take deliberate action (ticking an empty box, clicking a button) to opt in to marketing. This applies at checkout, account creation, and newsletter signups. Document when and how consent was obtained for compliance audits. This requirement reduces list size but dramatically improves list quality and engagement.

You must delete their personal data within 30 days unless you have legitimate legal grounds to retain it (e.g., tax requirements, fraud prevention, defending legal claims). Shopify lets you redact customer data whilst preserving necessary business records. Inform the customer when deletion is complete. Also notify any third parties who received the data. Keep documentation of the request and your response.

Not automatically. Each app's compliance depends on its developer. Before installing apps that access customer data, review their privacy policy, check for GDPR compliance statements, ensure they have data processing agreements (DPAs), and understand where they store data. Many reputable apps are compliant, but it is your responsibility to verify. List all data-processing apps in your privacy policy.

Need Compliance Help?

We can help implement cookie consent, privacy policies, and GDPR-compliant processes on your Shopify store.

Get Help Talk to Us

Shopify GDPR Compliance Checklist

Why GDPR Matters

Privacy Policy

Cookie Consent

Data Collection & Consent

Customer Rights

Third-Party Apps & Services

Email Marketing Compliance

Data Security

Documentation & Training

Beyond Compliance: GDPR as Competitive Advantage

GDPR Core Principles

Lawfulness

Transparency

Purpose Limitation

Data Minimisation

The Business Case for Compliance

Key Penalties

Essential First Steps

1. Install a cookie consent banner

2. Update your privacy policy

3. Fix your email consent

4. Audit your apps

Related Checklists

Launch Checklist →

Security Checklist →

Email Marketing →

Analytics Checklist →

Frequently Asked Questions

Need Compliance Help?