Understanding the General Data Protection Regulation (GDPR)

Updated July 30, 2018

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation by the European Union with the purpose of protecting personal data. Historically, the focus of privacy regulations has focused on Personally Identifiable Information (PII), but the GDPR expands regulations to ‘persistent identifiers’ such as IP addresses and cookies.

When does it take effect? May 25, 2018

Who does the GDPR affect?

Compliance with the GDPR is required by:

  • Organizations based in the European Economic Area (EEA)

  • Organizations outside of the EEA offering goods or services to, or monitoring, EEA residents

As noted in Forbes, generic marketing doesn’t mandate GDPR compliance, but targeted marketing to EEA residents does. “For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.”

The parties mentioned in the GDPR are:

  • Controller (merchants): The party that determines for what purposes and how personal data is processed.

  • Processor (partners like Shopify or Amazon): The party that processes personal data on behalf of the controller.

  • Data Subject (customers)

Data subjects have the right to request deletion (erasure) of their personal data, correction (rectification) of their data, access to their data, or an export of their data in a common (portable) format.

When personal data is collected from a data subject, controllers must obtain consent.  Consent to collect data must be freely given, informed, in plain language, and not as a condition of service. Controllers should be able to prove that consent was given. Controllers must also provide information about the intended processing of the personal data, as well as information about how to contact and identify the controller. Amazon, AWS and Shopify cookie policies.

Online stores powered by Shopify are Level 1 PCI-DSS compliant. Shopify uses third-party data centers with industry-standard certifications including Tier III, ISO 27001, and PCI-DSS.

Suggested modifications to your Privacy Policy

This site encrypts data using the HTTPS protocol.

For additional questions on how your data is collected, used, or to request deletion of your data, {SITE’s} Data Protection Officer can be reached at {EMAIL}.

{SITE} will not independently sell personal data for commercial purposes, but does disclose personal data to third parties or allow third parties to access personal data to help provide services. To request that your personal data be erased, or to learn more about how your personal data is used please contact

Cookie Pop-Ups

If you’d like a Cookie pop-up there are apps in Shopify to implement one. Here is a Squarespace tutorial.

Example Cookie Pop-up Text:


This website or its third party tools use cookies, which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. If you want to know more or withdraw your consent to all or some of the cookies, please refer to the privacy policy.

By closing this banner, scrolling this page, clicking a link or continuing to browse otherwise, you agree to the use of cookies.

Further Reading

Lexology article

CNBC article

Forbes Article:

“In the U.K., it will be the Information Commissioner's Office (ICO) that fines companies breaking the rules, with penalties of up to 4 percent of global turnover, or 20 million euros ($24.4 million), whichever is greater.”

Carrie Leigh