Guide · 8 min read · April 5, 2026

Privacy Compliance for Shopify and WooCommerce Stores

Platform Matters for Privacy Compliance

Shopify and WooCommerce power a large share of small and mid-size e-commerce stores, and each platform handles privacy compliance differently. Neither platform makes you compliant out of the box, but both offer tools and integrations that can get you most of the way there. Knowing exactly what your platform does and does not provide is the starting point for an effective compliance program, because every gap it leaves is one you have to close yourself.

Shopify: What's Built In

Shopify has invested significantly in privacy features, especially since the wave of state privacy laws began in 2023. Here is what Shopify provides natively:

Privacy Policy Generator

Shopify offers a free privacy policy generator that creates a basic policy covering standard disclosures. However, this template:

  • Covers general best practices but may not include all state-specific requirements
  • Does not automatically update when new laws take effect
  • Should be customized to reflect your specific data practices, third-party integrations, and cookie usage

Recommendation: Use Shopify's generator as a starting point, then customize it or replace it with a comprehensive policy that addresses CPRA, VCDPA, and other applicable state laws.

Customer Data Request Tools

Shopify provides admin tools to help you respond to data subject access requests (DSARs):

  • Customer data access — You can export a customer's data from the Shopify admin
  • Customer data erasure — You can request deletion of a customer's personal data, which Shopify processes across its systems
  • Automated DSAR handling — Shopify processes data requests for data it controls (payment processing, Shopify Payments)

Gap: Shopify only handles data within its own systems. For apps installed from the Shopify App Store it forwards access and erasure requests through its mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact), but acting on them is the app vendor's job, and you should confirm that they do. Integrations that are not apps, such as email marketing platforms, analytics tools and CRMs that receive customer data, get nothing from Shopify and must be handled separately by you.

Cookie Consent

Shopify's approach to cookie consent:

  • The Shopify Privacy & Compliance app (formerly Customer Privacy Banner) provides basic consent functionality
  • Supports Global Privacy Control (GPC) signal detection
  • Allows you to categorize scripts and block them based on consent

Gap: The built-in tools may not provide the granular control needed for full compliance. Many merchants use a third-party consent management platform (CMP) such as OneTrust, Cookiebot, or Pandectes for more robust consent management, in particular per-category script blocking that holds until consent is actually recorded.

Shopify's Data Processing Addendum

Shopify provides a Data Processing Addendum (DPA) that governs how Shopify processes personal data on your behalf. This helps satisfy the vendor contract requirements under CPRA and other state laws.

Shopify: What You Need to Add

Even with Shopify's built-in tools, you need to address these areas:

  1. Comprehensive privacy policy — Replace or heavily customize the generated template
  2. Robust cookie consent — Consider a dedicated CMP for granular script blocking and GPC compliance
  3. Third-party app audit — Review every Shopify app you use and understand what data it collects and where that data goes
  4. DSAR process for non-Shopify data — Build workflows to handle data requests across your email platform, analytics, CRM, and other tools
  5. Data processing agreements — Ensure you have DPAs with every third-party app and service that accesses customer data
  6. "Do Not Sell or Share" link — Add the required California opt-out link (or the alternative "Your Privacy Choices" link) to your footer, and make sure it triggers the opt-out rather than only linking to the policy
  7. Data retention settings — Configure how long you retain customer data and document your retention policy

WooCommerce: What's Built In

WooCommerce, as a WordPress plugin, takes a more modular approach to privacy. WordPress itself provides some privacy tools, and WooCommerce extends them:

WordPress Privacy Tools

WordPress core includes:

  • Privacy Policy page template — A dedicated page type for your privacy policy with suggested content
  • Personal Data Export — Built-in tool to export a user's personal data in a downloadable format
  • Personal Data Erasure — Built-in tool to erase a user's personal data from WordPress
  • Privacy settings page — A settings page where you designate your privacy policy page

WooCommerce Privacy Features

WooCommerce adds:

  • Integration with WordPress privacy tools — WooCommerce data is included in WordPress's export and erasure tools
  • Order data retention settings — You can configure automatic deletion of order data after a specified period
  • Account erasure requests — Customers can request account deletion through their account page
  • Checkout consent checkbox — You can add a privacy policy consent checkbox to your checkout flow

WooCommerce Data Stored

WooCommerce stores significant personal data that you need to manage:

  • Customer names, addresses, and contact information
  • Order history and transaction details
  • Payment references, normally tokens returned by your payment gateway. Raw card numbers should never reach the WooCommerce database; storing them puts you in PCI DSS scope that a typical store cannot meet
  • Account credentials and preferences
  • IP addresses and user agents, which WooCommerce records on each order, plus browsing data collected by WordPress and any analytics plugin

WooCommerce: What You Need to Add

WooCommerce requires more manual setup for privacy compliance:

  1. Cookie consent plugin — WordPress/WooCommerce does not include a cookie consent mechanism. Install a dedicated plugin such as Complianz, CookieYes, or Termly
  2. Privacy policy — The WordPress template is minimal. You need a comprehensive policy covering all applicable state laws
  3. DSAR management — While WordPress has basic export/erasure tools, you likely need a plugin or process for managing DSAR intake, verification, tracking, and response deadlines
  4. GPC signal handling — Neither WordPress nor WooCommerce natively detects GPC signals. Your cookie consent plugin must handle this, and it must look at both the Sec-GPC request header and the browser's navigator.globalPrivacyControl property. If you use full-page caching, a header-only check can serve a page computed for a non-GPC visitor to one who sent the signal unless the cache varies on that header
  5. Plugin audit — WooCommerce sites often have dozens of plugins, many of which collect or process personal data. Audit each one
  6. Data processing agreements — Obtain DPAs from your hosting provider, payment gateway, email service, and every plugin vendor that handles customer data
  7. Security hardening — Unlike Shopify (which manages hosting security), WooCommerce sites require you to manage your own security: TLS certificates, core/plugin/theme updates, backups, access controls (least-privilege admin accounts with MFA), and monitoring. A breach of customer data is a privacy-law event as well as a security one, so this belongs in the compliance program
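The two detection paths for a GPC signal mentioned under Shopify's cookie consent and in item 4 above, together with the consent-gated script activation a CMP performs, look like this in practice. This is an added example, not code from Shopify, WooCommerce or any of the plugins named on this page. The category names, the data-consent/data-src attribute convention for inert scripts, the storage shape of recorded consent, and the choice that GPC overrides only the "marketing" category are assumptions; which of your categories count as "selling or sharing" depends on your vendors and contracts.

```javascript
// Added example (not Shopify, WooCommerce or CMP code). Assumptions: the three
// category names, the data-consent/data-src attribute convention for inert
// scripts, and that a GPC signal overrides only the "marketing" category.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const GPC_OPT_OUT = ["marketing"]; // assumption: categories that "sell or share"

// A GPC signal arrives two ways: navigator.globalPrivacyControl === true in the
// browser, or a "Sec-GPC: 1" request header on the server. Check both, because
// a server-rendered decision and a client-side banner can otherwise disagree.
function gpcSignalled({ nav, headers } = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers) {
    const key = Object.keys(headers).find(k => k.toLowerCase() === "sec-gpc");
    if (key !== undefined && String(headers[key]).trim() === "1") return true;
  }
  return false;
}

// Turn stored consent plus the GPC signal into the set of categories that may
// run. "necessary" always runs; anything not explicitly true is denied (fail
// closed); GPC removes the opt-out categories regardless of stored consent,
// since under CPRA the signal is a binding opt-out of sale/sharing.
function resolveConsent(stored, gpc) {
  const allowed = new Set(["necessary"]);
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && stored && stored[cat] === true) allowed.add(cat);
  }
  if (gpc) for (const cat of GPC_OPT_OUT) allowed.delete(cat);
  return allowed;
}

// Pick the script descriptors ({category, src}) that may be loaded.
function selectScripts(scripts, allowed) {
  return scripts.filter(s => allowed.has(s.category));
}

// In the browser, scripts ship inert as
//   <script type="text/plain" data-consent="analytics" data-src="..."></script>
// and are swapped for real <script> elements only for allowed categories.
// Returns the number activated (0 outside a DOM, e.g. under Node).
function activateScripts(allowed, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let n = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(el.dataset.consent)) continue;
    const real = doc.createElement("script");
    if (el.dataset.src) real.src = el.dataset.src;
    else real.textContent = el.textContent;
    el.replaceWith(real);
    n++;
  }
  return n;
}

// Constructed sample: a visitor who accepted everything in the banner but whose
// browser sends GPC. Marketing must not load even though consent was stored.
const sampleStored = { analytics: true, marketing: true };
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "constructed/1.0" };
const sampleScripts = [
  { category: "necessary", src: "/cart.js" },
  { category: "analytics", src: "https://analytics.example/ga.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];
const allowed = resolveConsent(sampleStored, gpcSignalled({ headers: sampleHeaders }));
console.log([...allowed], selectScripts(sampleScripts, allowed).map(s => s.src));
```

Run under Node, the sample prints the two allowed categories (necessary and analytics) and their script URLs; the marketing pixel is dropped even though the stored consent said yes. In a page, the same set is handed to activateScripts after the banner records a choice. The header path exists because of caching: an HTML response computed for a visitor without GPC will be served to one who sends it unless the cache varies on Sec-GPC, so the client-side check is the backstop when you cannot control the cache.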

Head-to-Head: Privacy Compliance Comparison

Feature                      | Shopify            | WooCommerce
Privacy policy generator     | Yes (basic)        | Template only
Data export tool             | Yes                | Yes (via WordPress)
Data erasure tool            | Yes                | Yes (via WordPress)
Cookie consent               | Basic (app)        | Plugin required
GPC detection                | Via app            | Plugin required
Data retention controls      | Limited            | Configurable
DPA provided                 | Yes                | Varies by host/vendor
Security managed             | Yes (by Shopify)   | Self-managed
Third-party app/plugin risk  | Moderate           | Higher (more plugins)

Recommended Tools and Plugins

For Shopify

  • Pandectes GDPR Compliance — Comprehensive consent management with GPC support
  • Consentmo — GDPR and CCPA compliance app with cookie scanning
  • Enzuzo — Privacy policy generator and DSAR management

For WooCommerce

  • Complianz — All-in-one cookie consent and privacy compliance plugin
  • CookieYes — Cookie consent banner with GPC support
  • WP GDPR Compliance — Adds consent checkboxes and data request management
  • Starter Templates — Some themes include privacy policy page layouts; the layout saves time, but the disclosures on it are still yours to write and verify

Best Practices for Both Platforms

  1. Audit quarterly — Review all apps/plugins, data flows, and third-party integrations every quarter
  2. Test your DSAR workflow — Submit a test data request and verify the entire process works end to end
  3. Keep everything updated — Outdated plugins and apps are both a security risk and a compliance risk
  4. Document your configuration — Record which privacy settings you have enabled, which plugins you use, and why
  5. Do not rely solely on your platform — Shopify and WooCommerce provide tools, not compliance. You are responsible for the overall program
