If you have a website built on Shopify, you may have seen its Privacy Policy generator and asked yourself – is Shopify’s Privacy Policy generator any good? The generator itself is free and Shopify is a reputable business known all over the world for its eCommerce solutions (one of, if not the most popular ecommerce platforms), so what could go wrong? When it comes to privacy law compliance and the creation of a Privacy Policy, Shopify’s Privacy Policy generator unfortunately misses the key points such as determining what privacy laws apply to you, having the required disclosures included in the Privacy Policy, and keeping the policy updated with changing legislation. In fact, the generator does not appear to comply with any privacy laws, nor will it actually fit your business and your privacy practices. Thus, using the generator will put you at risk of privacy-related fines and lawsuits. In this article, we will break down the Shopify Privacy Policy generator so that you can make a decision as to whether it is the right choice for your business.
Table of Contents
The Shopify Privacy Policy generator is not based on the privacy laws that apply to you
The first step to creating a Privacy Policy is to determine what privacy laws apply to you. Each privacy law has a list of very unique disclosures that must be made in a Privacy Policy. Thus, unless the Privacy Policy is based upon the laws that apply to you, there is simply no way to create a compliant Privacy Policy. The following privacy laws can apply to business websites:
- California Online Privacy and Protection Act of 2003 (CalOPPA): applies to operators of commercial websites that collect the PII of California residents;
- California Privacy Rights Act (CPRA): The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors:
- Has annual gross revenues of $25,000,000 or more;
- Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
- Nevada Revised Statutes Chapter 603A applies to data brokers and operators of commercial websites that collect the PII of Nevada consumers that purposefully directs their activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution;
- Delaware Online Privacy and Protection Act (DOPPA): applies to operators of commercial websites that collect the PII of Delaware residents;
- Virginia Consumer Data Protection Act: applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
- During a calendar year, control or process the PII of at least 100,000 residents of Virginia; or
- Control or process the PII of at least 25,000 Virginia consumers, and derive 50% of gross revenue from the sale of PII.
- Colorado Privacy Act applies to controllers of PII that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
- Control or process the PII of 100,000 or more Colorado consumers during the calendar year; or
- Derive revenue or receive a discount from the sale of PII and collect or process the PII of 25,000 or more Colorado consumers.
- Connecticut SB6: applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processes the personal data of 100,000 or more Connecticut residents; or
- Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.
- Utah Consumer Privacy Act applies to persons who do business in Utah or that product a product or service that is targeted to to consumers that are located in Utah and that meet the following criteria:
- Has annual revenue of $25,000,000 or more; and
- Meets one of the following thresholds:
- During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
- Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.
- General Data Protection Regulation (GDPR): applies to you if you:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location; or
- Monitor the behavior of European Union residents, regardless of your location.
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the PII of Canadian residents.
- Quebec Law 25: applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administrating, or alienating property or providing a service.” This means that Quebec Law 25 will apply to both for-profit and nonprofit organizations that collect, hold, use or share the personal information of Quebec residents.
- Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and the organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if they
- Private sector healthcare providers;
- Businesses that sell or purchase PII;
- Credit reporting bodies;
- Contracted service providers for Australian government contracts;
- Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- Businesses that have opted in to comply with the law;
- Businesses that are related to a business covered by the law; and
- Businesses prescribed by the Privacy Regulation 2013.
- General Data Protection Regulation (GDPR): applies to you if you:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location; or
- Monitor the behavior of European Union residents, regardless of your location.
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the PII of Canadian residents.
- Quebec Law 25: applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administrating, or alienating property or providing a service.” This means that Quebec Law 25 will apply to both for-profit and nonprofit organizations that collect, hold, use or share the personal information of Quebec residents.
- Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and the organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if they have turnover of less than AUD $3,000,000 per year:
- Private sector healthcare providers;
- Businesses that sell or purchase PII;
- Credit reporting bodies;
- Contracted service providers for Australian government contracts;
- Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- Businesses that have opted in to comply with the law;
- Businesses that are related to a business covered by the law; and
- Businesses prescribed by the Privacy Regulation 2013.
- Iowa SF262 (effective January 1, 2025)
- Indiana SB5 (effective July 1, 2026)
- Tennessee Information Protection Act (TIPA – effective July 1, 2025)
- Montana Consumer Data Privacy Act (MCDPA – effective October 1, 2024)
- Texas Data Privacy and Security Act (TDPSA – effective July 1, 2024)
- Oregon Consumer Privacy Act (effective July 1, 2024)
- Delaware Personal Data Privacy Act (DPDPA – effective January 1, 2025)
- NJ SB332 (effective January 16, 2025)
- New Hampshire SB 255 (effective January 1, 2025)
- Kentucky HB15 (effective January 1, 2026)
- Nebraska LB1074 (effective January 1, 2025)
Unfortunately, the Shopify Privacy Policy generator will not ask you about any of the above factors. Thus, the generator will not know which privacy laws apply to you and the Privacy Policy will not contain the disclosures required by those laws, leaving you at risk of privacy-related fines and lawsuits.
The Shopify Privacy Policy generator does not comply with GDPR
Interestingly enough, the Shopify Privacy Policy generator page states that the generator “has been updated to include the requirements of the General Data Protection Regulation (GDPR).” However, the generator does not actually determine whether GDPR actually applies to you but instead adds GDPR disclosures to the Privacy Policy, making you subject to the law, regardless of whether you are actually subject to it. Plus, the Privacy Policy generated does not, in fact, include all of the disclosures required.
GDPR requires the following disclosures to be made in a Privacy Policy:
- Your name and contact information;
- What PII you collect;
- Purposes for which you will be using that PII;
- Whether you share PII and the categories of third parties with whom you share PII;
- The privacy rights provided to consumers;
- How a consumer can exercise their privacy rights;
- The legal bases for processing PII;
- How long you store PII;
- Whether you use PII for direct marketing and how individuals can opt out of such use;
- If you use PII for automated decision making or profiling, the logic involved in such automated decision making or profiling;
- Whether you intend to transfer PII outside of the European Union and where you intend to transfer it to; and
- If you have a Data Protection Officer, their contact details.
The Privacy Policy generated by Shopify does not comply with GDPR in the following ways:
- The policy states that device information is collected, but does not list any other PII that is usually collected by websites through features such as contact forms and email newsletter forms (e.g. emails, phone numbers, physical addresses, or names);
- The policy states that information is used to fulfill orders, screen for fraud and communicate with the individual but it does not state that information could be used for direct marketing purposes;
- The policy states that information is shared with Shopify, Google Analytics and law enforcement but does not state that information could be shared with other commonly used third parties such as email marketing services providers, hosting companies, or shipping providers;
- The policy states that European Union residents have the rights of correction, updating, or deleting. However, it is missing the rights of access, portability, opting out, withdrawing consent, or lodging a complaint;
- The policy states that the legal bases under which information is processed are contracts and legitimate business interests, but does not provide for the consent legal basis, under which most businesses collect PII;
- The policy states that PII may be transferred to Canada and the United States, which may not be accurate for your business.
Shopify’s Privacy Policy generator claims to include GDPR disclosures but, unfortunately, falls short of the requirements of GDPR to have an up to date Privacy Policy that includes all of the disclosures and is accurate to the business’ privacy practices.
Shopify’s Privacy Policy generator does not fit your business practices
All privacy laws require that Privacy Policies conform to the actual privacy practices of the business providing the policy. In fact, having a Privacy Policy that does not conform to business practices may even be considered a deceptive act under the Federal Trade Commission Act. When generating the Privacy Policy, the Shopify Privacy Policy generator asks for your company name, email, address, website URL and whether your website uses cookies. While this may seem like a fast way to create your Privacy Policy, it leads to a Privacy Policy where Shopify inputs seemingly random information and you just have to hope that this information fits your business and privacy practices.
In fact, Shopify inputs the PII that you collect, how you use it, who you share it with, how your website responds to Do Not Track signals, and how long you retain data all without any input from you. This means that the Privacy Policy may not match your privacy practices at all, making it confusing, deceptive, and non-compliant. While you can edit the text of the Privacy Policy itself to fit your business practices, you will have to spend your valuable time doing so. In addition, if you are not a privacy attorney, this is not advisable as you may edit the policy in a way that is non-compliant as well.
Shopify does not update policies as laws change
The last issue with the Shopify Privacy Policy is that it does not update when existing privacy laws that apply to you change or new privacy laws pass requiring new disclosures. With over a dozen proposed privacy bills in the United States and countries such as Canada and Australia considering updates to their privacy laws, it is imperative that you have a strategy for keeping your Privacy Policy up to date with changing disclosure requirements. Using Shopify’s Privacy Policy generator means that you will need to keep track of all of these changes and make the proper updates to your Privacy Policy as needed, costing you a lot of valuable time and money.
In conclusion, the Shopify Privacy Policy generator is not a good Privacy Policy solution for businesses as it is not based upon the laws that apply to you, does not comply with any laws, does not fit your business, and does not update as the laws change. If you are looking for a Privacy Policy solution that can help with all the things that Shopify can’t, check out the Termageddon Privacy Policy generator for a comprehensive and up to date Privacy Policy that fits your business.
