Shopify Privacy Policy: GDPR & CCPA Compliance for Your Store (2026)
Shopify provides a basic privacy policy template — but it's missing critical GDPR-required disclosures that can get stores fined. Here's what you actually need and how to add it in under 30 minutes.
Does Shopify Give You a Privacy Policy?
Yes — and no. Shopify's built-in policy generator creates a basic privacy policy template when you set up your store. The problem is that it's a generic starting point, not a finished compliant document. It notably lacks:
- Specific data retention periods — required under GDPR
- Legal basis for each processing activity — required under GDPR
- List of subprocessors (Shopify itself, Stripe, shipping carriers) — required under GDPR
- CCPA-specific disclosures for California residents
- UK GDPR compliance if you sell to UK customers post-Brexit
- Cookie consent mechanism — separate from the policy, but equally required
A privacy policy and a cookie consent banner are two separate legal requirements. Having a policy does not make your cookie usage compliant. Under GDPR, tracking cookies must be blocked until the user actively accepts them; Shopify's native cookie banner doesn't do this by default.
What Shopify Store Owners Must Comply With
Your compliance obligations depend on where your customers are located — not where you are based. A US-based Shopify store with EU customers is subject to GDPR. A store with California customers above certain thresholds faces CCPA. In practice, most Shopify stores doing any meaningful volume need to cover both.
GDPR (EU/UK customers)
- Privacy policy with all required Article 13 disclosures
- Cookie consent banner blocking non-essential scripts before opt-in
- Right to erasure ("right to be forgotten") mechanism
- Data Processing Agreements with Shopify and all apps you use
- 72-hour breach notification plan
CCPA (California customers)
- Privacy notice at or before point of data collection
- "Do Not Sell or Share My Personal Information" link (if you share data with ad platforms)
- Right to know and right to delete request process
- Non-discrimination provision in your policy
Step-by-Step: Getting Your Shopify Store Compliant
- Audit what data your store collects: list every data point (customer name, email, shipping address, phone, payment info, browsing behavior, purchase history, IP address). Also include data from every installed Shopify app (review apps, email marketing apps, loyalty programs, etc.). Each app that processes customer data needs a DPA.
- Generate a jurisdiction-specific privacy policy: replace Shopify's default template with a policy that explicitly states your legal basis for each processing activity, specific retention periods (e.g., "order data retained 7 years"), and lists Shopify, Stripe, and your installed apps as subprocessors. Our generator handles this automatically based on your selected jurisdiction.
- Add the policy to your store: go to Shopify Admin → Settings → Policies and paste your generated policy into the Privacy Policy field. This automatically links it in your store footer. Also link it from your checkout page and any email signup forms.
- Install a proper cookie consent banner: the generated cookie banner from our kit is a lightweight vanilla JS snippet. Add it to your Shopify theme by going to Online Store → Themes → Edit Code → theme.liquid and pasting it before the closing </body> tag. It will block Google Analytics and Meta Pixel until the customer accepts.
- Set up a data deletion request process: add a privacy contact email to your policy (e.g., privacy@yourdomain.com). When a customer requests deletion, you must remove their data from Shopify (Settings → Customers → request erasure) and from any connected apps within 30 days.
- Sign Data Processing Agreements: Shopify has a standard DPA available in your Merchant Agreement. For each installed app, check the app developer's website for their DPA; reputable apps publish these. Keep records of signed DPAs.
Installing the Cookie Banner in Shopify
The cookie consent script generated by our kit is framework-agnostic vanilla JavaScript. Here's how to add it to your Shopify theme:
<!-- Paste in theme.liquid before </body> -->
<script src="{{ 'cookie-banner.js' | asset_url }}" defer></script>
Or inline the script directly:
- Go to Online Store → Themes → Edit Code
- Open Layout/theme.liquid
- Find the closing </body> tag
- Paste the generated script immediately before it
- Save; the banner appears immediately on your store
Important for GDPR: The cookie banner must load and block tracking scripts before Shopify's analytics scripts run. The generated banner uses a script-blocking technique that intercepts Google Analytics and Meta Pixel execution until consent is given.
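An added example, not the kit's banner or Shopify's code, of the opt-in gating that paragraph describes: tracking loaders are listed per consent category, nothing is injected until a positive choice has been stored, and every choice is written with a timestamp so a consent record exists for audits. The storage key, policy version string, button ids and the GA measurement ID are assumed placeholders.

```javascript
// Added example (not the kit's code): opt-in consent gating for tracking scripts.
// Nothing in TRACKERS loads until a positive choice is stored; each choice is timestamped.
const CONSENT_KEY = 'cookie_consent_v1'; // storage key (assumed name)
const POLICY_VERSION = '2026-01';        // bump when the policy changes (assumed)

// Tracking loaders grouped by consent category; the GA measurement ID is a placeholder.
const TRACKERS = {
  analytics: ['https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'],
  marketing: ['https://connect.facebook.net/en_US/fbevents.js'],
};

// Parse the stored record; anything missing, malformed or stale means "no consent yet".
function readConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem(CONSENT_KEY));
    return rec && rec.version === POLICY_VERSION ? rec : null;
  } catch (e) {
    return null; // corrupted value: fail closed and ask again
  }
}

// Persist the shopper's explicit choice. Only a literal `true` opts a category in.
function recordConsent(choices, storage, now = Date.now()) {
  const rec = {
    version: POLICY_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    recordedAt: new Date(now).toISOString(),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// URLs permitted under a record. null (no choice yet) yields nothing: that is the
// opt-in behaviour GDPR needs, versus the opt-out default of Shopify's own banner.
function allowedScripts(consent) {
  if (!consent) return [];
  return Object.keys(TRACKERS)
    .filter((cat) => consent[cat] === true).flatMap((cat) => TRACKERS[cat]);
}

// Inject only the permitted scripts into the page; returns how many were added.
function loadAllowed(consent, doc) {
  const srcs = allowedScripts(consent);
  for (const src of srcs) {
    const s = doc.createElement('script'); s.src = src; s.async = true; doc.head.appendChild(s);
  }
  return srcs.length;
}
```

In the theme, call `loadAllowed(readConsent(localStorage), document)` on page load and `loadAllowed(recordConsent({analytics: true, marketing: true}, localStorage), document)` from the banner's accept button, with the reject button recording `false` for both categories.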
The Compliance Checklist for Shopify Stores
- ✓ Privacy Policy — Jurisdiction-specific, with legal basis, retention periods, and subprocessor list
- ✓ Cookie Consent Banner — Blocks non-essential scripts before consent, equal accept/reject buttons
- ✓ Terms of Service — Defines user relationship, limits liability, sets dispute resolution
- ✓ Refund Policy — Required under Shopify's policies and EU consumer law
- ✓ DPA with Shopify — Available in Merchant Agreement settings
- ✓ Privacy email address — Listed in your policy for data subject requests
- ✓ Checkout consent checkbox — "I agree to the Privacy Policy" linked at checkout
What About Shopify's Built-in Cookie Consent?
Shopify Dawn and recent themes include a basic cookie consent banner. However, it has significant limitations for GDPR compliance:
- It does not block scripts before consent — it only adds an opt-out mechanism
- GDPR requires opt-in (explicit consent before tracking), not opt-out
- It doesn't provide granular consent categories (analytics vs. marketing)
- It doesn't log consent records (required for GDPR audit trail)
For California (CCPA) customers, opt-out is technically sufficient, but EU customers require opt-in. If you sell globally, opt-in is the safer standard to implement once.
Common Mistakes Shopify Store Owners Make
- Using Shopify's default template unedited. It doesn't include legal basis, retention periods, or a complete subprocessor list.
- Installing marketing apps without checking their data practices. Each app that processes EU customer data needs a DPA and disclosure in your policy.
- Not having a deletion request workflow. When a customer emails asking for their data to be deleted, you need a documented process to respond within 30 days.
- Assuming Shopify handles compliance for you. Shopify provides infrastructure; you are responsible for the legal documents on your store.
Generate your Shopify compliance pack in minutes
Get a jurisdiction-specific privacy policy, cookie consent banner, and terms of service ready to drop into your Shopify store. One payment, no subscription, instant download.
Generate My Shopify Pack — $6.99
This guide is for informational purposes only and does not constitute legal advice. Shopify platform details may change; verify against current Shopify documentation. For legal advice specific to your situation, consult a qualified attorney.