Glossary

GDPR

EU regulation governing how organisations process personal data of EU/EEA residents. Applies to any Shopify store with EU visitors.

General Data Protection Regulation (Regulation 2016/679) — the EU's omnibus privacy law in force since May 2018. Applies to any organisation processing personal data of individuals in the EU/EEA, regardless of where the organisation itself is based.

For Shopify merchants, the practical requirements are:

  • A lawful basis for every processing activity.
  • Opt-in consent for non-essential cookies and tracking (this is technically the ePrivacy Directive, but enforced together with GDPR).
  • A privacy policy that lists what you collect, why, and the lawful basis.
  • A way to handle data subject access requests (DSARs) within 30 days.
  • DPAs with every third-party processor (Klaviyo, Meta, Google, etc.).

Maximum fine: 4% of global annual revenue or €20M, whichever is higher. Most enforcement against ecommerce comes via complaints from watchdog groups like NOYB.

See also: CCPA, Lawful basis, DSAR.