Love it or hate it, the General Data Protection Regulation, or GDPR, is pretty much going to affect anyone in the ecommerce world who sells internationally — in particular to the European Union — but there’s a key point that many Shopify theme users overlook when it comes to compliance.
In case you’re not familiar with GDPR, here’s Shopify's guide to the new law, which is effective as of May 25, 2018.
At Out of the Sandbox, we get a lot of questions about GDPR, so we maintain a frequently updated page, available here, that outlines all of the information we have on the new law.
However, perhaps one of the most common misconceptions about GDPR is that simply adding some text and a checkbox or two here and there automatically makes you GDPR compliant.
That’s simply not the case.
GDPR has a variety of stipulations, only some of which are touched on in this article, and many of them affect your internal business practices more than your theme.
Put another way, GDPR compliance goes way beyond just changing a few settings on your Shopify theme and how your site looks and operates.
The key concept here is that GDPR not only regulates how you collect data — but also how it is used and retained.
In short, GDPR compliance has more to do with how you run your business, and it will require some analysis on your part. You’ll likely need to examine nearly every part of your business to see if and how you collect and use personal data from your customers, and whether that meets GDPR requirements.
In many cases, this part of GDPR compliance will be the most challenging — but also worth your time as a business owner.
Unfortunately, GDPR compliance is a “cost of doing business” for merchants who want to sell to residents of the European Union. While it can be an arduous, confusing and frustrating process, look at it as one of those parts of running a business that just have to be done — such as taxes, returns, chargebacks and dealing with lost shipments.
Another challenge store owners are facing is that stipulations in the law can be interpreted differently, and there are many conflicting opinions over what is or is not required. In some cases, this also comes down to the fact that every Shopify store is unique and uses its own particular marketing techniques, so there really isn’t a “one size fits all” answer.
Depending on who you ask, for example, adding a checkbox that users must tick before submitting a form may or may not be required by GDPR.
We won’t get into that debate here, since each merchant has to make a business decision about what they should do to be compliant. The broader point is that, even if you do add a checkbox to your forms, you may still not be compliant with GDPR if you’re storing, processing or using personal information in ways that go against the law.
That said, here is Shopify's official statement on consent checkboxes: "In regard to adding additional checkboxes to the newsletter sign-up form or to the cart page, specifically, the checkbox function is unable to gather or store the information that is required under the GDPR, so it would not provide any meaningful benefit to add it to your site. This means that adding the checkbox remains an unsupported customization under the Shopify design policy."
It’s also worth pointing out that adding any new feature — even a seemingly small one such as a checkbox on a form — actually takes numerous hours of coding, quality assurance and more.
Since consent checkboxes are not a feature that every merchant will need, if theme developers were to implement the feature, they would also have to take into account how to make it optional, which typically requires another layer of logic and, with that, more coding and QA.
While Out of the Sandbox is closely monitoring Shopify’s requirements around GDPR, if and when we add GDPR-compliant enhancements, it’s still important to keep in mind that they may not work for every business, and you will still need to review your business practices to ensure compliance.
Shopify has recommended that, starting soon, all forms include a rich text field that allows you to offer more detailed explanations about the collection of personal data, along with links to your privacy or other policies, and we are actively working to incorporate that feature into all of our themes.