Data, Privacy, and GDPR have all been red-hot topics lately.
As an app developer building on Shopify, you’re expected to always conduct your business in a transparent and ethical manner, which includes collecting and using data in a consensual and explicit way.
However, with GDPR coming into effect tomorrow, there are a few more things to be mindful of, and steps to take to help assure merchants that your apps are GDPR compliant.
In this article, we’ll give a quick overview of how GDPR impacts app developers, and what steps you should take to cover yourself legally and maintain merchant trust.
What exactly is GDPR, and how does it impact app developers?
The EU General Data Protection Regulation (“GDPR”) is the most significant privacy and data protection legislation enacted in years. It comes into effect on May 25th, 2018, and clarifies and imposes new obligations on any party that collects, stores, or processes personal data of individuals located in Europe.
If you serve merchants based in Europe, or any merchant that could potentially have a customer based in Europe, this regulation will affect you. Given that Shopify serves merchants who sell to customers worldwide, you should default to assuming that GDPR will apply to you.
“You should default to assuming that GDPR will apply to you.”
While GDPR is very complicated (the law is almost 90 pages long), and will apply differently to different apps based on the function or service they provide, there are a few general actions you can take that we believe will go a long way in helping you comply with this legislation.
Once again, this is an incredibly complicated law, and there’s no way for us to determine every single use case that applies to every single Shopify app. If you have concerns about how your specific app handles data, we recommend that you seek out a lawyer for guidance.
GDPR compliance on the Shopify Platform
To help make it easier for developers to clearly communicate their data usage—and to help merchants find this information more easily—we have a few platform updates and suggestions to assist with communicating how your app uses merchant and customer data.
1. Be mindful of data requests and permissions needed
When merchants are deciding to connect your app to their store, it’s important for them to be clear on which parts of your store they’re giving you access to when they install your app.
To help make this clearer, Shopify is updating app permissions and listing screens so merchants can view exactly what permissions apps are requesting. For example, if you subscribe to an API endpoint that allows you to access information about the store’s customers, this information will automatically be surfaced to merchants.
If the permissions you request align to your app’s functions, surfacing information around this shouldn’t faze merchants. However, if you request any permissions that don’t seem to align with what your app provides, we recommend that you:
- Update your app listing to be clear on why your app requires permission to that/those piece(s) or data
- Consider if your app does indeed actually require that permission, and disconnect from that API endpoint if it doesn’t
Merchants know that apps often need access to certain pieces of data in order to carry out certain actions or features. However, it’s important to remember that asking for permission to data that doesn’t seem necessary for your app to access can erode merchant trust.
Beyond letting merchants know what information you’ll be accessing, GDPR also requires that you provide all users of your product (i.e. your app) with detailed information about how exactly your app uses the personal information it collects.
3. Ensure you have a secure, organized system for storing data
One of the most important data rights that GDPR specifies is the right all individuals have to access, correct, or have their personal data erased.
This means that not only do you need to have a process for retrieving and deleting merchant data upon request, you also need to be able to easily delete your merchant’s customer’s data from your app as well. The first step in being able to do this is to ensure that all personal data you collect is stored in a secure and organized way.
To help make it easier for individuals to request personal data deletion from apps, we’ll soon be releasing two mandatory webhooks to notify you of deletion requests. More information on these webhooks can be found in our GDPR requirements docs.
Assume that GDPR will apply to you
We understand that this new legislation is large and complicated, and want to help our partners be aware of these laws and prepare accordingly. For this reason, we’ve taken steps and implemented improvements to help both app developers and merchants maintain GDPR compliant businesses.
For additional information on GDPR, we recommend consulting our whitepaper on GDPR, and the developer-specific docs we’ve published.
A major regulation such as this one should be taken very seriously. We’ve worked to provide guides to get you started, but if you’re concerned about specific ways your app uses data, we recommend that you consult a lawyer.