GDPR compliance on Shopify after migrating from WooCommerce (2026)
How to set up GDPR compliance on Shopify after migrating from WooCommerce — cookie consent, data deletion requests, privacy policy, customer data export, and Shopify's built-in GDPR tools.
When you migrate from WooCommerce to Shopify, your GDPR compliance setup doesn't automatically transfer. The consent management solution, privacy policy links, cookie banner, and data handling procedures you configured in WordPress need to be rebuilt on Shopify. This guide covers what changes, what Shopify handles natively, and what you'll need apps for.
What WooCommerce used for GDPR compliance
Common WooCommerce GDPR setup includes:
- Cookie consent: Plugins like CookieYes, Complianz, WPGDPR, or Cookiebot
- Privacy policy page: WordPress page linked in footer and checkout
- Consent checkbox at checkout: WooCommerce built-in or plugin-added checkbox linking to privacy policy
- Data access/deletion requests: WordPress Personal Data Export/Erasure tool (Tools → Export Personal Data)
- Data retention: WooCommerce order data retention settings
- Marketing consent: Checkbox for newsletter/marketing emails at checkout
Shopify's built-in GDPR support
Shopify has built-in GDPR infrastructure that handles some requirements natively:
GDPR webhooks (for apps)
Shopify provides three mandatory GDPR webhooks that all Shopify apps must implement:
- customers/data_request: Fired when a customer requests their data
- customers/redact: Fired when a customer requests erasure
- shop/redact: Fired when a merchant requests shop data deletion (after uninstalling an app)
These webhooks ensure that third-party apps comply with deletion/export requests. As a merchant, you don't configure these — app developers do. Shopify enforces this in their app review process.
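For readers who also build apps, this is how a receiver for the three topics can look, as an added example that is not from the original page or Shopify's own code. It checks the `X-Shopify-Hmac-Sha256` signature over the raw body before acting on a deletion; the secret, the in-memory `store`, and the sample payload fields are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: placeholder secret; a real app loads its own client secret from config.
APP_SECRET = b"example-app-secret"
GDPR_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64 HMAC-SHA256 of the raw request body."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def handle_webhook(headers: dict, raw_body: bytes, store: dict) -> tuple:
    """Return (http_status, action). `store` is a hypothetical stand-in for the
    app's database, shaped {shop_domain: {customer_id: record}}."""
    sent = headers.get("X-Shopify-Hmac-Sha256", "")
    # Verify over the exact bytes received, in constant time, before parsing anything.
    if not hmac.compare_digest(sign(raw_body).encode(), sent.encode()):
        return 401, "rejected: bad signature"
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in GDPR_TOPICS:
        return 404, "ignored: not a GDPR topic"
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    if topic == "shop/redact":
        store.pop(shop, None)  # erase everything held for the shop
        return 200, "shop data erased"
    customer_id = payload["customer"]["id"]
    if topic == "customers/redact":
        store.get(shop, {}).pop(customer_id, None)  # erase one customer's record
        return 200, "customer erased"
    # customers/data_request: queue an export of the record the app holds
    return 200, "export queued"


# Constructed sample delivery (field names are assumptions, not captured traffic).
SAMPLE_BODY = json.dumps({"shop_domain": "example.myshopify.com",
                          "customer": {"id": 101, "email": "ana@example.com"}}).encode()

if __name__ == "__main__":
    db = {"example.myshopify.com": {101: {"email": "ana@example.com"}}}
    hdrs = {"X-Shopify-Topic": "customers/redact", "X-Shopify-Hmac-Sha256": sign(SAMPLE_BODY)}
    print(handle_webhook(hdrs, SAMPLE_BODY, db), db)
```

An unsigned or tampered request is rejected before any record is touched, which keeps the erasure endpoint from being usable by anyone who can reach its URL.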
Customer data export (native)
Shopify Admin → Customers → select customer → click "..." → "Export customer data" generates a PDF or JSON file with all stored data. For data subject access requests (DSAR), you can fulfill these directly from the admin panel without additional tools.
Customer deletion (native)
Shopify Admin → Customers → select customer → "Delete customer". This removes the customer record. Note: completed orders are retained (required for accounting) but personally identifiable information in customer records is removed.
Privacy policy in checkout
Shopify's built-in checkout automatically links to your privacy policy in the checkout footer, so no plugin is needed. Set the URL in Shopify Admin → Settings → Policies → Privacy Policy.
What you need to configure on Shopify
1. Cookie consent banner
Shopify does not provide a native cookie consent banner. You need an app or custom implementation.
Native option — Shopify's Cookie Banner (from 2024): Shopify now includes a built-in cookie consent banner for stores using Shopify's online store. Enable it in: Online Store → Themes → Customize → App embeds → "Cookie Banner". This handles EU cookie law for analytics/marketing cookies and integrates with Shopify's Customer Privacy API.
App options (for more control):
- CookieYes: Available as a Shopify app — same vendor many WooCommerce stores already use. Directly replaces your WooCommerce CookieYes setup.
- Cookiebot: Enterprise cookie management, same vendor as WooCommerce Cookiebot — easy transition if you're already paying for Cookiebot.
- Pandectes GDPR Compliance: Shopify-specific GDPR app with banner + data request management
- Consentmo: Popular Shopify GDPR app with cookie consent + compliance reports
2. Privacy policy and legal pages
Shopify Admin → Settings → Policies has dedicated fields for:
- Privacy Policy
- Terms of Service
- Refund Policy
- Shipping Policy
Shopify provides auto-generated policy templates you can customize. Update these to reflect your data processing practices on Shopify (which may differ from WooCommerce — Shopify stores some data on their infrastructure).
Key changes in your privacy policy when switching to Shopify:
- Remove references to WordPress/WooCommerce as data processors
- Add Shopify Inc. as a data processor (they process customer data)
- Update your data retention periods to match Shopify's practices
- Review all third-party apps you install and add them as sub-processors if applicable
3. Marketing consent at checkout
Shopify has native email marketing consent built into checkout: "Email me with news and offers" checkbox appears during checkout. This feeds directly into Shopify's customer email marketing opt-in status.
For GDPR compliance, the default Shopify checkout shows this as an opt-in checkbox (unchecked by default) — which is correct for GDPR. Do not enable pre-checked marketing opt-in.
4. SMS marketing consent
If you collect phone numbers for SMS marketing: Shopify's checkout includes an optional "Text me with news and offers" field that captures SMS consent. This is compliant with TCPA (US) and GDPR (EU) consent requirements when configured correctly.
Customer data subject requests (DSARs)
GDPR requires you to handle customer requests to access, export, or delete their data within 30 days. On Shopify:
Data access requests
- Shopify Admin → Customers → find the customer
- Click "..." → "Export customer data"
- This generates a file with all customer data stored in Shopify
- Send to the customer via email
Note: This only covers Shopify-native data. If you use third-party apps (Klaviyo, loyalty apps, etc.), you need to request data exports from each app separately.
Erasure requests (right to be forgotten)
- Shopify Admin → Customers → find the customer
- Click "..." → "Delete customer"
- Shopify will redact personal information but retain anonymized order records (legal requirement for accounting)
Third-party apps: Submit erasure requests to each app separately. Apps that implement Shopify's customers/redact webhook will automatically receive notification when you delete a customer.
Migrated customer data: consent status
When you migrate customer data from WooCommerce to Shopify, the marketing consent status from WooCommerce does not transfer. On Shopify, customers imported via CSV default to "not subscribed" to email marketing.
How to handle this:
- Conservative approach (recommended): Import all customers as "not subscribed." Only add back customers who are proven opt-ins from your WooCommerce export.
- If you have consent records: Export your WooCommerce opt-in list (from your email platform — Klaviyo, Mailchimp), and tag these customers in Shopify. Set their email marketing consent via Shopify Admin → Customers → Edit (or bulk update via CSV with the correct "Email Marketing Consent" column).
- Do not assume consent transfers automatically: Consent is specific to the platform and context. WooCommerce consent does not legally cover Shopify processing.
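The conservative approach above can be scripted, as in this added example (not from the original page or any Shopify tooling). It defaults every migrated customer to not subscribed and upgrades only addresses that appear in your opt-in export with a recorded consent timestamp. The input column names, the consent values, and the `woo-optin-verified` tag are assumptions; the consent column name is the one this page gives.

```python
import csv
import io

# Column name as written on this page; confirm it against Shopify's current CSV template.
CONSENT_COLUMN = "Email Marketing Consent"
# Assumption: illustrative values; use the ones your import template expects.
SUBSCRIBED, NOT_SUBSCRIBED = "subscribed", "not_subscribed"

# Constructed sample exports (column names are assumptions about your export files).
WOO_CUSTOMERS = """email,first_name,last_name
Ana@Example.com,Ana,Ruiz
ben@example.com,Ben,Koch
ben@example.com,Ben,Koch
cleo@example.com,Cleo,Ng
"""
OPTIN_LIST = """email,consented_at
ana@example.com,2023-04-02T10:15:00Z
cleo@example.com,
dora@example.com,2022-11-20T08:00:00Z
"""


def build_import(customers_csv: str, optin_csv: str) -> tuple:
    """Return (rows for the Shopify import, opt-in emails with no matching customer)."""
    proven = set()
    for row in csv.DictReader(io.StringIO(optin_csv)):
        email = (row.get("email") or "").strip().lower()
        # Proven opt-in = an address plus a recorded consent timestamp.
        if email and (row.get("consented_at") or "").strip():
            proven.add(email)
    rows, seen = [], set()
    for row in csv.DictReader(io.StringIO(customers_csv)):
        email = (row.get("email") or "").strip().lower()
        if not email or email in seen:
            continue  # skip blank and duplicate addresses
        seen.add(email)
        verified = email in proven
        rows.append({
            "Email": email,
            "First Name": row.get("first_name") or "",
            "Last Name": row.get("last_name") or "",
            CONSENT_COLUMN: SUBSCRIBED if verified else NOT_SUBSCRIBED,
            "Tags": "woo-optin-verified" if verified else "",
        })
    return rows, sorted(proven - seen)


if __name__ == "__main__":
    print(build_import(WOO_CUSTOMERS, OPTIN_LIST))
```

The second return value lists opt-in addresses that matched no migrated customer, which is worth reviewing before import because it usually points to a stale list or a mismatched export.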
Data processing agreement with Shopify
Shopify is a data processor for your store's customer data. For GDPR compliance, you need a Data Processing Agreement (DPA) with Shopify:
- Shopify's DPA is available at help.shopify.com → Shopify's GDPR resources
- You don't need to sign a new DPA — it's included in Shopify's Terms of Service by reference for EU merchants
- For specific DPA needs (larger merchants, enterprise), request via Shopify's privacy team
Apps and GDPR compliance
Every app you install on Shopify potentially processes customer data. Shopify requires all apps in the App Store to:
- Declare what data they collect
- Implement the three GDPR webhooks
- Have a privacy policy
As a merchant, you're responsible for reviewing apps you install. Check app privacy policies before installation, especially for apps handling customer data (Klaviyo, loyalty apps, reviews apps, analytics).
GDPR compliance checklist for Shopify migration
- Enable Shopify's built-in cookie banner (Online Store → Themes → Customize → App embeds) or install a cookie consent app (CookieYes, Cookiebot, Consentmo)
- Update privacy policy in Shopify Admin → Settings → Policies (remove WooCommerce, add Shopify as processor)
- Verify checkout marketing opt-in checkbox is unchecked by default (GDPR requires opt-in, not opt-out)
- Import customers with correct email marketing consent status (don't assume WooCommerce consent transfers)
- Test data export flow: request your own customer data to verify the export works
- Test deletion flow: delete a test customer account to verify anonymization
- Review all installed Shopify apps for GDPR compliance and data declarations
- Update your data retention policy to reflect Shopify's practices
- Document sub-processors: Shopify + all apps that process customer data
- Set up a DSAR process: how will customers submit requests? (Email, contact form, dedicated page)
- Update your cookie policy to list Shopify's cookies (Shopify publishes their cookie list)
GDPR on Shopify is generally simpler than WooCommerce because Shopify maintains the infrastructure — you're not managing server-side data storage, WordPress plugins, or database backups. But the compliance obligations (consent, erasure requests, transparency) are identical. Update your processes, not just your plugins.