I have noticed that when Guest Access is turned on the use of guest purchasing adds the purchases to the registered account AND overwrites the default address on the account to be the shipping address from the guest purchase. This appears to be non complaint from a GDPR perspective as it means data is being stored against that account without the user having to log in to do so. This could lead to unintended changes if an email is incorrectly entered. It also means that we do not know the home address of the actual customer so the data is unusable outside of the system for marketing purposes or for matching to CRM.
For not for profit customers there is an additional issue in that the lack of log-in means that any donation cannot be matched back for Gift Aid purposes.
The Shopify staff I have mailed about this have said this is intended behaviour, though frankly they were unaware that the address was edited when a guest order was placed. Our request to force log in if an email address that already exists on an activated account was turned down on the basis that this would tell the user that there was an account registered to that address. This seems particularly odd as if you attempt to register an account with an address that is already registered it does exactly this and surely if it is wrong for guest access then t is also wrong for account creation.
Has anybody else spotted this issue and how are you dealing with this?