Shopify offers third-party apps that can help you scale your business, from a friendly chat function for customers to engaging pop-ups to streamlined shipping and payment processes.
This article will discuss:
- What personal data do third-party Shopify apps collect?
- What are the most important privacy laws to be concerned with?
- Which best practices you should follow to ensure compliance with the GDPR.
Before you start click-happily adding dozens of apps to your Shopify store, it is important to explain the implications of adding plugins.
The most common mistake Shopify users make is installing too many Shopify apps without taking the time to assess them for cost, trust and usability.
Many third-party apps can collect data from your customers, including the following:
- IP address
- Device ID
- Email address
- Customer account information (mailing address, phone number, etc.)
- Credit card data, and much more
Third-party Shopify apps can access and use customer data. You are legally responsible for ensuring that this personal information is collected in accordance with the GDPR.
Shopify Store owners have reported that some apps request customer data, such as IP addresses and website interactions, even though it is not necessary for certain app functionality or features. This is something to be aware of.
What personal data do third-party Shopify apps store?
Each Shopify app that you install on your store needs access to various data types in order to provide certain functionality such as live chat or a marketing automation tool.
An email marketing tool might work well with access only to the country and email addresses of your customers. However, personalized recommendation apps can request access to additional personal data such as IP address, device ID and last purchase details in order to create a more detailed customer profile.
Klaviyo is a highly-rated eCommerce marketing tool you can use to send automated and personalized emails as well as SMS messages.
What is the relationship between Shopify and the Shopify Store Owner?
Shopify store owners decide what customer data will be collected, for what purpose, and how it will be processed, and are therefore the data controller in accordance with the GDPR.
Shopify and the third-party app providers are data processors because they process personal data on behalf of your business.
Shopify as well as third-party app developers can also be data controllers if they choose to use customer or store data for their own purposes.
This means that you and a third-party app provider can either be joint controllers, or you can be the data controller and they the data processor.
Both cases require compliance with GDPR.
You are responsible for ensuring that third-party app developers you use comply with the GDPR.
What are the most important privacy laws to be aware of?
1. What types of personal data do third-party apps collect?
Depending on what functionality a third party app offers, some data collection may be unnecessary or excessive, which could expose you to GDPR violations.
Let’s say you want to create a sidebar for your Shopify store. It is unlikely that such an app will need access to customer contact information in order to function properly.
An email service platform such as Privy, on the other hand, will need access to customer data in order to create personalized marketing campaigns, such as win-back or abandoned-cart campaigns. Access to your customer data is required in order to fully utilize all the benefits of Privy.
The GDPR regulations will apply regardless of whether the third-party app provider collects personal data from your customers.
Third-party apps that have access to customer data impose a greater burden on you to comply with GDPR. You also need to ensure compliance by the third-party provider.
A payment app, for example, will have access to your customers’ data. Such app providers will need to implement data security measures, such as encrypting the data stored on their servers.
2. How long do third-party apps keep personal data?
Data retention periods should be proportionate to data use. They shouldn’t be kept longer than necessary under the GDPR. Third-party apps that retain customer data for longer periods of time or indefinitely will be subject to legal action for non-compliance.
3. Do third-party apps transfer data to other countries, and is that transfer approved?
Third-party apps might use cloud service providers based in the USA such as AWS and Microsoft Azure. This means that customers’ data may be transferred to the USA. Since the USA is not considered a safe country to transfer data internationally, you as the data controller will need to ensure that personal data is transferred to the USA in accordance with the GDPR.
In most cases, using US-based cloud service providers is not lawful under the GDPR on its own. Additional technical measures may be required, such as anonymization, along with complex contractual agreements.
4. How do third-party apps protect personal data?
Data controllers must ensure that third-party apps providers implement technical and organizational measures to protect personal data from being lost or breached.
Here are some best practices for installing Shopify apps:
- Evaluate all permissions and reviews
You will be asked for permission to access different types of personal data when you first install an application. It is best to go through every category of data that the third-party app asks access to and determine whether it is necessary for the app to collect that customer data.
You may want to first contact Shopify to verify that third-party Shopify apps are not collecting personal data from customers.
If you don’t get a satisfactory answer or believe access to customers’ data is inappropriate, you can decline to install the app. This will protect you from future legal risks.
The best and most trustworthy Shopify apps will only ask for what is absolutely necessary.
Review the app’s privacy policy to fully understand its GDPR compliance, in particular:
- What kind of data the application collects
- How it uses that data
- Whether the company sells personal information to third parties
- How long it keeps the data
- Whether personal data is protected by appropriate technical and organizational measures
Your agreement with the app provider should include a time frame for responding to data subject requests, such as deletion or change requests. It should also include standards and rules regarding the security measures that the app must use.
Shopify requires that third-party apps handle GDPR requests. However, this is unlikely to be enforced quickly or heavily. This is why it’s important to educate yourself as a business owner.
- Be sure to check the data retention periods
The GDPR storage limitation principle stipulates that third-party apps should only keep personal data for as long as necessary and proportionate.
It is important that you include a limit on the retention period in your DPA.
A Shopify store, for example, may allow third-party apps to collect personal data without setting a time limit after which that data must be erased.
- Check the permissions that you grant to an app and remove them if they are not required.
Shopify makes it easy to check permissions granted previously and to revoke them if necessary in just two steps.
Review the permissions that you have previously granted:
- In the Shopify admin, click Apps.
- To view the personal data you have provided to the app, click on “About” beside the app.
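The permission review described above can be turned into a repeatable check. The following is an added example, not part of the original article or of Shopify: it compares the access scopes an app requests against a constructed per-category allowlist of what that kind of app plausibly needs, flags scopes that expose customers' personal data, and applies the retention limit you would put in a DPA. The scope handles follow Shopify Admin API naming; the allowlist and the 365-day default are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Scopes that expose customers' personal data (assumed list for illustration;
# handles follow Shopify Admin API access-scope naming).
PERSONAL_DATA_SCOPES = {
    "read_customers", "write_customers",
    "read_orders", "write_orders", "read_all_orders",
    "read_draft_orders", "write_draft_orders",
}

# Constructed allowlist of what each kind of app plausibly needs (assumption,
# not a Shopify rule): a sidebar widget touches the theme, not customers.
EXPECTED_SCOPES = {
    "sidebar_widget": {"read_themes", "write_themes", "read_script_tags", "write_script_tags"},
    "email_marketing": {"read_customers", "read_orders", "read_products"},
    "payments": {"read_orders", "write_orders", "read_customers"},
}


@dataclass
class AppReview:
    name: str
    category: str
    scopes: set
    retention_days: Optional[int]  # None: the privacy policy states no limit


def review_app(app: AppReview, max_retention_days: int = 365):
    """Return (severity, message) findings for one app installation."""
    findings = []
    expected = EXPECTED_SCOPES.get(app.category, set())
    # Any scope outside the allowlist is excessive; it is high severity if
    # it also grants access to personal data.
    for scope in sorted(app.scopes - expected):
        severity = "high" if scope in PERSONAL_DATA_SCOPES else "low"
        findings.append((severity, f"{app.name}: scope {scope} not needed for {app.category}"))
    # Storage-limitation check only matters if the app holds personal data.
    if app.scopes & PERSONAL_DATA_SCOPES:
        if app.retention_days is None:
            findings.append(("high", f"{app.name}: no retention limit for personal data"))
        elif app.retention_days > max_retention_days:
            findings.append(("medium", f"{app.name}: retention {app.retention_days}d exceeds DPA limit"))
    return findings


def should_install(app: AppReview, max_retention_days: int = 365) -> bool:
    """Decline the app when any finding is high severity."""
    return not any(sev == "high" for sev, _ in review_app(app, max_retention_days))
```

Extend `EXPECTED_SCOPES` with your own categories; an app whose category is unknown gets every requested scope flagged, which is the safe default for something you have not assessed.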
Although third-party apps can be beneficial in a number of ways, including customer service tools and marketing analytics, they come with risks.
You are the GDPR data controller. It is your responsibility to ensure that third-party apps only collect the data they really need, and that they only use your customers’ personal data for legitimate business purposes.
Before installing an app, it is important to review the privacy policies, terms of service, and developer website. Shopify store owners have the ability to choose the apps they feel are most trustworthy. There are over 6000 apps available in the app store.