How do I handle GDPR and customer data requests in Shopify?
Shopify provides built-in tools to help merchants handle GDPR and customer data requests, including access and erasure requests. While Shopify supports the process, you’re responsible for verifying requests and ensuring compliance with applicable privacy laws.
Customer Data Access Requests (Right to Access)
When a customer asks for a copy of their personal data, you can request it directly from the customer profile.
- Go to Customers in your Shopify admin.
- Click on the customer’s profile.
- Click More actions (top right) and select Request customer data.
- Refresh the customer profile page to access the generated data.
- If you’re the store owner, the data is also sent to your email.
Always verify the customer’s identity before sharing data and provide the information only if it’s legally required.
Customer Data Erasure Requests (Right to Be Forgotten)
If a customer requests deletion of their personal data, Shopify allows you to erase it while retaining required business records.
- Go to Customers.
- Open the customer’s profile.
- Click More actions (top right) and select Erase personal data.
Important Notes About Data Erasure
- Shopify erases personal details such as name and address.
- Order transaction data (items sold, date, and time) remains for business and legal records.
- If the customer placed an order within the last 180 days, the erasure request stays pending to protect against chargebacks.
- You have a 10-day window to cancel an erasure request.
- Erasing customer data cancels any active subscription contracts.
- Once processed, data erasure cannot be undone.
Privacy Compliance Settings in Shopify
Navigate to Settings > Customer privacy to manage your store’s privacy features.
Privacy Policy (Recommended)
- Add a policy explaining how visitor and customer data is collected and used.
- Use Shopify’s automated privacy policy generator to stay current.
Cookie Banner (Recommended)
- Display a banner requesting consent to manage visitor data.
- Required in many regions for GDPR compliance.
Data Sharing Opt-Out Page
- Allow visitors to opt out of data sharing for advertising.
- Required in California, Colorado, and several other US states.
Additional Privacy Settings
- Manage email and SMS marketing consent at checkout.
- Enable double opt-in for marketing communications.
- View your data hosting location, such as the United States.
Privacy Settings Automation
Enable privacy automation to automatically apply Shopify’s latest privacy recommendations, helping your store stay compliant as regulations evolve.
Your Responsibilities as a Merchant
- Verify customer identity before processing any data request.
- Respond to valid requests within legally required timeframes.
- Notify any third parties that received customer data.
- Keep your privacy policy, cookie banner, and opt-out pages updated.
- Consult a legal professional familiar with privacy laws in your region.