Mandatory GDPR webhooks for all apps

Shopify Partner
48 0 10

Another question - will a shop/redact webhook get sent for Closed and/or Paused stores?

 

 

0 Likes
Shopify Partner
20 0 6

After you request an erasure through your admin, Shopify will transmit your erasure request to all apps you have installed at the time you make the request that might have access to that customer’s data.

Once you request an erasure within your admin, a 7 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, please email Shopify at privacy@shopify.com, and include your store information and the relevant customer ID.

Are apps notified after the 7 day buffer period or immediately upon request of erasure? If it's immediate and the request is canceled in the 7 day period, is there anything app developers can do for that scenario?

0 Likes
Tourist
34 0 2

I've already tested using Postman but this is definitely not good enough since my request is totally not a Shopify request with a Shopify signed header. It's a bogus test until I can actually validate the request from Shopify.

Reward yourself and your Customers.
0 Likes
Shopify Staff
469 36 92

Hi All,

We understand this is a huge undertaking so I'll try to answer your questions the best I can, and pass along any that I don't have answers for. See answers below.

 

How does a buyer or store owner actually initiate this request?

You'll probably want to check our Merchant facing resources here: https://help.shopify.com/manual/your-account/GDPR, https://www.shopify.com/blog/gdpr-ecommerce. "you can find the information and deletion request options on each customer's profile in Shopify."

Are there any test tools to immediately call the GDPR redactions in a test shop, including to see how it looks on the admin side...

No tools available for firing the webhooks currently, the rest is visible in your customers page of your dev store:
As for customers requesting from shops, not 100% sure but I believe that depends on the shop to implement a way for their customers to contact them, will find out.

What will happen if we try to load an order for which the customer requested deletion.


Will order.customer be null? Or will it be non null with a customer id and all other fields null?

Will check into this.

When will the mandatory webhooks really become mandatory?

I'm not a lawyer but if you want to be GDPR compliant... now? If you mean when will Shopify enforce requiring the field to be filled, checking into this and I'll get back to you.

Will the webhooks send the same HTTP_X_SHOPIFY_SHOP_DOMAIN and HTTP_X_SHOPIFY_HMAC_SHA256 fields for authorization? (Asking because the payload contains the shop id and domain, according to the documentation)

There should be no change to the webhook headers.

How do we test these webhooks?

We don't have a testbed setup currently to send fake redactions.

Are apps notified after the 7 day buffer period or immediately upon request of erasure? If it's immediate and the request is canceled in the 7 day period, is there anything app developers can do for that scenario?

I'll look into it.
 

Developer Experience @ Shopify
0 Likes
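For the testing gap discussed in this thread, an added example (not Shopify's code and not from any poster) that verifies the two headers named above and builds a locally signed customers/redact request for handler tests. It assumes the signature is the base64 HMAC-SHA256 of the raw request body keyed with the app's shared secret; the secret, shop domain, IDs and payload shape are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for illustration; load the real one from configuration.
APP_SECRET = b"constructed-shared-secret"


def sign(raw_body: bytes, secret: bytes) -> str:
    """Base64 HMAC-SHA256 over the raw body (assumed signature scheme)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(environ: dict, raw_body: bytes, secret: bytes) -> dict:
    """Return the parsed payload, or raise ValueError if not authentic."""
    sent = environ.get("HTTP_X_SHOPIFY_HMAC_SHA256", "")
    # Sign the exact bytes received (not re-serialized JSON), compare in constant time.
    if not hmac.compare_digest(sign(raw_body, secret).encode(), sent.encode()):
        raise ValueError("HMAC mismatch")
    payload = json.loads(raw_body)
    # Only after the signature checks out: header and payload must name the same shop.
    if payload.get("shop_domain") != environ.get("HTTP_X_SHOPIFY_SHOP_DOMAIN"):
        raise ValueError("shop domain mismatch")
    return payload


def build_test_request(secret: bytes):
    """Build a locally signed customers/redact request (constructed payload)."""
    body = json.dumps({
        "shop_id": 1,
        "shop_domain": "example-dev-store.myshopify.com",  # format is an assumption
        "customer": {"id": 42},
        "orders_to_redact": [1001, 1002],
    }).encode()
    environ = {
        "HTTP_X_SHOPIFY_SHOP_DOMAIN": "example-dev-store.myshopify.com",
        "HTTP_X_SHOPIFY_HMAC_SHA256": sign(body, secret),
    }
    return environ, body


if __name__ == "__main__":
    env, body = build_test_request(APP_SECRET)
    print(verify_webhook(env, body, APP_SECRET)["orders_to_redact"])
```

The same `sign` helper can produce the header value for a manual request, so a local test exercises the rejection path as well as the accepted one.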
Shopify Partner
4 0 3

Hi Ryan,

Are there any payload examples for the shop/redact webhook? In the docs it's not clear what `shopify_domain` looks like (with "myshopify.com" or not).

Regards,

Dmytro.

0 Likes
New Member
2 1 0

Hi Ryan,

I wonder if we need to sign a Data Processing Agreement between Shopify and us (an app provider). 

Thanks,
Olek

0 Likes
Shopify Partner
25 0 7

More of a theorycrafting question: Will the customers/redact be mandatory if the app does not have customers_read or orders_read scope? There's no point in having a mandatory data deletion if no data can even be requested.

2 Likes
Shopify Partner
99 0 9

We definitely need a date at which apps that do not register to those hooks stop working! Also, not sure why an app that does not request customer related scopes should register for those hooks? This simply generates traffic for nothing :(

Not sure how other apps handle uninstall cases but we do remove ALL data upon an uninstall based on the uninstall hook. What's the reason for introducing new hooks for this?

0 Likes
Shopify Partner
76 1 11

Hey Ryan,

In customers/redact webhook, there are customer and orders_to_redact fields. Do we need to remove just the customer data specified in the customer field from the orders specified in the orders_to_redact field from our storage OR do we have to remove both the customer and orders from our storage?

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
0 Likes
Shopify Partner
48 0 10

Another question - Does Shopify require us to only remove data related to orders? Or any data related to the customer (e.g. product reviews written by the customer)

0 Likes