10 min read
If your Shopify business collects any type of personal user data, then you must have a privacy policy. But it’s not as simple as adding your contact information to a privacy policy template. To ensure compliance with privacy laws, you need to adapt it to your actual data processing practices.
In this guide, we’ll break down how to write a privacy policy for any Shopify store to make it transparent, compliant, and ensure user trust in your brand.
Customizable cookie bannerCookie scannerWhat is a privacy policy?
A privacy policy is a legal document that outlines how a business collects and processes the personal data of users. It can apply to users who visit the website, use the app, or use the service of the business.
Having a privacy policy is required under most data privacy laws around the world. It must explain how a company collects personal data, the legal basis for processing, user rights, retention periods, and the purposes of processing.
Why is a privacy policy important for Shopify stores?
Most Shopify stores collect personal data at least to some extent, especially if using third-party integrations, payment processors, or ad or analytics platforms. So, here are the main reasons why using a privacy policy is important:
- Legal compliance. Having a privacy policy is crucial for Shopify stores to ensure compliance with applicable data privacy laws. Regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require having a privacy policy if personal data is collected.
- Prevent penalties. A privacy policy helps ensure compliance so that your store doesn’t get penalized for wrongful practices. For example, without a privacy policy, you can get GDPR fines, which can reach up to €20 million (roughly $22 million), or 4% of the firm’s global annual revenue.
- Transparency. A privacy policy ensures that site visitors can familiarize with your exact data handling practices, such as the personal data you collect, why, and for how long.
- Consumer trust. Your site visitors will trust your brand more if they know how their personal data is handled. A study by Cisco found that 95% of organizations in 2024 believed that their customers wouldn’t buy from them if their data wasn’t properly protected.
Ways to create a Shopify privacy policy
Shopify merchants can create a privacy policy for their website using a privacy policy generator, adapting another store’s policy to your own, or writing it from scratch. All methods can help you ensure compliance if used correctly.
Privacy policy generators or competitor privacy policies can help guide you with the structure and main sections, while writing your own policy takes more time but lets you cover all the nuances.
Privacy policy generator
Shopify offers a free privacy policy generator that you can use for your store. It customizes the policy for your store, adding your company information in placeholders and helping you save time for other tasks.
When we tried it, the privacy policy was generated in a matter of seconds. It includes all the sections that are usually required for privacy law compliance.
However, Shopify places a disclaimer that they aren’t responsible for any inaccuracies or non-compliance. So, you have to review and customize the privacy policy to your needs so that no issues would arise.
We recommend using privacy policy generators for businesses that need the basics covered quickly. However, you must review the final result in depth, so you know that the text is accurate.
Adapting a competitor’s policy
We’ve noticed that some Shopify store owners decide to copy their competitor’s privacy policies. You can definitely do it, but it should be adapted to your actual data collection and processing practices.
The privacy policy of your competitor may be written for a different jurisdiction, which may not meet the compliance requirements that apply to your business.
Still, if you take the time to map out your data and know exactly what your website collects, you can definitely save more time than when writing from scratch.
Writing a privacy policy manually
Writing a privacy policy manually takes longer than simply generating a document, but it helps cover all the nuances for compliance.
Instead of editing templates, each section is written based on your Shopify site’s actual data collection and processing practices.
We’d recommend this method for Shopify stores who have complex data handling practices and are familiar with privacy laws.
Which privacy laws require a Shopify privacy policy?
Most privacy laws around the world require stores to have a privacy policy if they collect data from users. The privacy laws that apply to your business depend on where your users are located. Here are common privacy laws around the world:
| Privacy law | Who it applies to |
|---|---|
|
GDPR |
Businesses that collect or process personal data of people located in the European Union |
|
Businesses that collect or process personal data of people located in the United Kingdom |
|
|
CCPA / CPRA |
For-profit businesses that collect data of California residents (have to meet at least one: $25M+ annual revenue, data on 100,000+ consumers/households, or 50%+ revenue from selling personal data.) |
|
PIPEDA (Personal Information Protection and Electronic Documents Act) |
Private-sector organizations across Canada that collect, use, or disclose personal data |
|
LGPD (Lei Geral de Proteção de Dados) |
Businesses that process the personal data of Brazilian residents (or where the processing occurs in Brazil) |
|
APPI (Act on the Protection of Personal Information) |
Businesses that process the personal data of Japanese residents |
When auditing Shopify stores for compliance, we notice that many website owners don’t understand that data privacy laws are extraterritorial. It means that they apply based on where your users are located, not the business itself.
Plus, multiple privacy laws can apply to your Shopify website. If you’re unsure, consult a compliance specialist.
How to write a privacy policy for Shopify step by step
A privacy policy should provide transparent information on what data is collected and what it's used for. To write a privacy policy that’s compliant with data privacy laws, you should write the following information:
1. Explain what personal data you collect
You should start your privacy policy by providing users information about the exact personal data your site collects.
If you’re unsure what personal data is, review the definition in applicable privacy laws. For example, under the GDPR, “personal data are any information which are related to an identified or identifiable natural person.”
Personal data can be details about a user like:
- Name
- Age
- Email address
- Phone number
- Billing address
- IP address
- Device ID
If you aren’t aware what data your website collects, start from data mapping: mapping out what user data you collect and where it’s collected.
Manual data mapping can be time-consuming and is prone to human error, so we’d recommend opting for data mapping tools, like Osano.
However, if you’re on a budget, you can still map out information manually.
For starters, review every part of your website, such as cookies, purchases, payments, and user accounts, to know what data could be collected and where from.
2. Disclose how and why you collect the personal data
Most privacy laws require disclosing how you collect personal information and the reasons behind it.
For example, under the GDPR Article 6, there are 6 legal bases: explicit consent, contractual obligation, legal obligation, vital interests, public interest task, and legitimate interests.
Check your data privacy laws to understand when you’re allowed to collect data to ensure complete compliance.
3. Third parties that you share the personal data with
If your Shopify business shares with or even sells personal data to third parties, you must inform users about it.
Here are a few tips to help you out:
- Locate all third parties that you share personal data with (e.g. tools like Google Analytics or apps).
- Determine whether any of the data sharing with third parties can be considered data selling under applicable data laws.
- Create a method for users to opt out of data sharing or selling with third parties.
4. Detail cookie usage and policy
Your privacy policy on Shopify should include a section that provides a brief overview of your cookie policy. It should disclose two main areas:
- The cookie categories your website collects (e.g. strictly necessary/essential, functional, marketing, analytics).
- Whether consent for different cookie categories is needed and how to opt in, opt out, or manage them at a granular level.
It should also include the link to your full cookie policy, which should be written as a separate legal document.
5. Specify data retention periods for different data types
A privacy policy should disclose how long you will keep personal data categories before it’s deleted or anonymized. It’s a legal requirement to be transparent about retention periods, so you have to explain both how long the data is kept and why.
For example, account data might be kept for as long as the account is active (and for a short period after account deletion). Session cookies are deleted when the user closes their browser.
We’ve found that many businesses we audit use vague language when describing retention periods, such as “we use data as long as needed to…” It’s unclear how long the data is retained, so it’s best to provide actual years or conditions.
As an example, you can compare the retention period descriptions of the ASOS clothing brand vs Uber:
The privacy policy of ASOS doesn’t provide actual retention periods, while Uber states specific periods for each data type.
Make sure you apply data minimization to your Shopify website – the minimal possible data should be collected and only until no longer needed for the purposes it was collected.
You should also state what happens after the retention period ends. Specify if or what data is deleted or anonymized.
6. Outline children’s data management and security
Under many privacy laws, the data protection of child users is stricter than that of adult users. If your Shopify website or service is aimed at children, you have to be transparent about how you handle their data.
Ensure you get proper consent based on applicable privacy laws, describing how parents or legal guardians can manage the data collection of their children.
If you’re not targeting children, provide a clear statement that your website is not meant for minors. For example: “Our Services are not directed at children under the age of 18. We do not intentionally collect the personal data of minors.”
The age of consent is different for data privacy laws around the world. Here are some of the privacy laws and their age of consent:
| Privacy law | Age of consent |
|---|---|
|
GDPR |
16 (member states can lower it to 13) |
|
UK GDPR |
13 |
|
CCPA / CPRA |
13 |
|
PIPEDA |
Consent must be appropriate based on the child’s maturity |
|
LGPD |
18 |
|
APPI |
Parental consent generally expected under the age of 15 |
Mishandling children’s data can lead to huge penalties. For example, the TikTok social media platform failed to properly verify user age and provide transparent information about how their data is processed, and got a €345 million (~$400 million) fine.
7. Inform users of their rights and ways to exercise them
Most data privacy laws, including GDPR and CCPA, guarantee some user rights that should be disclosed in the privacy policy. You should not just mention the rights but also create a system on how users can exercise them.
Here are some common user rights, mentioned in GDPR Chapter 3 and CCPA:
- Right to know – users should know what they’re consenting to.
- Right to access – users may request to access the data you hold about them.
- Right to delete – otherwise known as “right to be forgotten,” which means that users can request personal data to be deleted.
- Right to limit – if a user suspects unlawful data practices or disagrees with the accuracy, they can request to restrict data collection.
- Right to data portability – users have a right to request a copy of their personal data to transfer elsewhere.
- Right to object – there are cases when users can object to data processing when it’s used for purposes like marketing.
- Right to opt-out – right to opt out of selling or sharing of personal data (including through Global Privacy Controls)
Some companies create methods for users to exercise their rights and manage data whenever they want. For example, Apple has a Privacy Portal where users can download, correct, or erase their data once logged in. Also, platforms like Spotify enable users to download their data in a JSON-LD format, making data portability easier.
8. Describe your data security practices
In your privacy policy, dedicate a section to explain the data security practices that protect user data from unauthorized access. It doesn’t have to be long, but it should demonstrate that your company takes security seriously.
You can mention that your company ensures confidentiality by encrypting user data, conducting security audits, or employing multi-factor authentication if applicable.
Virtual Private Network (VPN) service providers often communicate data security practices very well. Here’s an example of how the Proton VPN company clearly communicates about data encryption practices and server security:
If you’re using third-party tools or Shopify, you can also disclose that you hold third-party processors to the same security standards as your own company.
9. Notify users about privacy policy updates
Users should be aware of the changes in your privacy policy at all times. Here’s what you can do to help communicate updates clearly:
- Add a “Last updated” section with the date of the latest changes.
- Notify users in advance so they can review the updated version and withdraw consent if needed.
- Notify users through email or your website so they don’t miss it.
When auditing websites, we often notice that small Shopify businesses update privacy policies without letting their users know. Make sure you don’t make this mistake because it undermines transparency.
10. Provide contact information
Your privacy policy should communicate who governs the data in your company, known as a data controller. It can be an employee or an organization that manages how your company collects and uses user data.
Under some privacy laws, like GDPR, you also have to appoint a Data Protection Officer (DPO) and provide their contact information. A DPO is responsible for advising your company on compliance matters.
How to add a privacy policy page to Shopify?
Adding a privacy policy page on Shopify requires creating a separate page and adding content to it. Here’s how you can do it:
- Open Shopify Admin > Settings > Policies.
- Click on Privacy policy and add your privacy policy text.
- Press Save.
Where to place the privacy policy on Shopify?
A privacy policy should be easily accessible to all users who visit your Shopify site. It should be hosted on a dedicated page with a clear URL handle, like /privacy-policy, and linked in an expected place, such as the website footer.
Here’s an example of the Next website’s “Privacy & Cookie Policy” mentioned in the footer:
It ensures that users can find it at all times, since the footer is usually accessible on all pages.
You should also ensure that the link to the privacy policy can be visible in key areas when data is collected, including:
- Cookie banner
- Checkout page (e.g. near the payment section)
- Account registration
- Emails
- Apps (if applicable)
How to link privacy policy in your website footer?
Placing your privacy policy in the footer of your site requires creating a menu item. Just follow these steps:
- In Shopify Admin, go to Content > Menus.
- Open Footer menu.
- Click Add menu item. Type “Privacy policy” as the label.
- Click the “Link” section, go to Policies and press “Privacy policy.”
- Press Save.
General tips for writing a Shopify privacy policy
When writing a privacy policy for your Shopify site, imagine you’re writing for someone who has no idea what data processing is.
According to Pew Research, 61% of US adults believe that their decisions about their personal data don’t really make a difference. So it’s crucial to write a privacy policy that clearly explains how their data is used, encouraging brand trust.
Here are a few tips that can help guide you:
- Use clear and simple language so that any user can understand what they’re consenting to.
- Create a clear structure that would be easy to follow, like using headings, paragraphs, or bullet points to get your point across.
- Make it easy to locate on your website, placing it in the footer of every page or another accessible place.
- Keep it updated and reviewed regularly to ensure information is still applicable. Add a “Last updated” section with the date at the top of the document.
- Include your contact data, such as email address, throughout the article to ensure users can reach out in case they want to exercise their rights.
- Don’t copy a competitor's policy because it may not have the same data handling practices as you.
- Link to other legal pages, such as your cookie policy or terms of service.
- Use actual examples so that users clearly understand what you’re using their data for.
Final thoughts
Shopify businesses of any size can write a privacy policy that’s compliant with applicable laws, such as GDPR or CCPA, without spending any money. The main requirement is to explain your data collection practices using clear and simple language so that users know what they’re consenting to.
The easiest way to write an effective privacy policy is using Shopify’s privacy policy generator. However, if you’re writing it manually, you should note down the exact data you collect, why, for how long, and what you do with the data after the retention period.
Whichever method you choose, make sure you review the privacy policy in depth to ensure that it reflects your actual business practices and no mistakes are left behind.
Frequently asked questions
The common mistake when writing a privacy policy we’ve noticed during Shopify store compliance audits is using a template without adapting it to your actual data processing practices. Other mistakes include using complex language, which undermines transparency, or forgetting to update the privacy policy when data handling practices change.
No, you’re not legally required to get a lawyer to write your privacy policy. You can use online privacy policy templates or generators to craft one, but you have to adapt it to your business practices to make it compliant.
Yes, having a privacy policy on Shopify is legally required if you collect personal user data, such as IP addresses, email addresses, or phone numbers. It’s a legal document that explains how user information is collected and processed, which is required by most privacy laws, including GDPR and CCPA.
A privacy policy doesn’t have a recommended word or character count. It should be as long as needed to cover your data collection and processing practices in a clear and transparent manner.
