Mandatory GDPR webhooks for all apps

Ryan
Shopify Staff

Hi Shopify Devs,

 

In response to the General Data Protection Regulation (GDPR), we've introduced some important changes to our platform to help you properly handle the privacy and security of customers’ personal information.

 

New mandatory webhooks

Two new mandatory webhooks are available to every public app:

  1. customers/redact: When a buyer requests deletion of their personal information from a store owner, Shopify will send an HTTP POST request for the customers/redact topic to all apps installed on that shop that have been granted access to customers or orders data. Upon receipt of the webhook, the app should delete the customer’s personal information associated to that shop specifically.

  2. shop/redact: 48 hours after a shop uninstalls your app, Shopify will send an HTTP POST request for the shop/redact topic. Upon receipt of the webhook, the app must delete all customers’ personal information associated with that shop.

These webhook subscriptions can be managed from your partner dashboard, in the App Info tab of your app's settings. Going forward, all public apps must subscribe to the new mandatory webhooks and confirm the receipt of each redaction request by responding with a 200 series status code.

 

GDPR Resources

We’ve added a number of resources on Data and user privacy under GDPR. This includes a sample Privacy Policy Template as well as other guidance to help you better understand your privacy choices as a Shopify app developer.

Other resources we’ve released include a new Partner’s Blog post What App Developers Need To Know About GDPR (4 minute read), and the Shopify GDPR Whitepaper.

 

If you have any questions or concerns, please don’t hesitate to comment in the thread below.

Shopify Apps Team

Ryan | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Yoni_Elbaz
Shopify Partner

Hey Ryan,

Thanks for the update! I do have a few GDPR related questions 🙂

1. App store retargeting - today Shopify serves apps' AdRoll and Google remarketing pixels when visitors hit the app listing page. To my understanding, the GDPR requires explicit consent from a user to place a retargeting cookie. Will Shopify be adding such a consent-collection tool? You can find relevant posts from both AdRoll and Google here:

AdRoll https://blog.adroll.com/product/preparing-for-gdpr

Google https://www.cookiechoices.org/intl/en/

 

2. I just want to verify that the shop/redact webhook will not be sent if the store re-installed the app within 48 hours.

 

Thanks!

Yoni from Loox

Joel-Reeds
Shopify Partner

@Yoni  That's an excellent question regarding the shop/redact webhook being cancelled if a shop reinstalls the app within 48 hours.

 

Regards,

Joel.

Co-Founder / CTO @ Intuitive Shipping Inc.
Intuitive Shipping | Smart Boxing | Automate Shipping Profiles
Ryan
Shopify Staff

Hi Yoni, Joel,

The webhook will not be sent if the app is re-installed within 48 hours.  Checking into your other question!

 

Ryan

Ryan | Shopify 

rickydazla
Shopify Expert

Ryan! Re:

 

When a buyer requests deletion of their personal information from a store owner, Shopify will send a HTTP POST request

 

How does a buyer or store owner actually initiate this request?

 

 

I'm a million different people
Ryan_Alyea
Shopify Partner

Hey there,

Related and unrelated question at the same time: Are there any test tools to immediately call the GDPR redactions in a test shop, including to see how it looks on the admin side, app developer/webhook side, and how it looks to the individual requesting a deletion? In the latter, even if they get no notifications, what happens when they attempt to log in, etc.

I want to see what the whole process looks like. 🙂

ClementG
Shopify Partner

What will happen if we try to load an order for which the customer requested deletion?

Will order.customer be null? Or will it be non null with a customer id and all other fields null?

Felix2
Shopify Partner

When will the mandatory webhooks really become mandatory?

It's not that everybody can implement it right away. But for many of us the procedure is to plan for it to be done in the near future. Thinking of scheduling it in a sprint, plan, develop, test and release ... it can take up two to four weeks.

Will the webhooks send the same HTTP_X_SHOPIFY_SHOP_DOMAIN and HTTP_X_SHOPIFY_HMAC_SHA256 fields for authorization? (Asking because the payload contains the shop id and domain, according to the documentation)

Looga.io
Indinuity
Shopify Partner

How do we test these webhooks?

Reward yourself and your Customers.
Felix2
Shopify Partner

You could at least test it by using a development shop or a test app and sending requests to the webhook endpoints using Postman or a similar tool.

Looga.io
Yoni_Elbaz
Shopify Partner

Another question - will a shop/redact webhook get sent for Closed and/or Paused stores?

 

 

MarcBaumbach
Shopify Partner

After you request an erasure through your admin, Shopify will transmit your erasure request to all apps you have installed at the time you make the request that might have access to that customer’s data.

Once you request an erasure within your admin, a 7 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, please email Shopify at privacy@shopify.com, and include your store information and the relevant customer ID.

Are apps notified after the 7 day buffer period or immediately upon request of erasure? If it's immediate and the request is canceled in the 7 day period, is there anything app developers can do for that scenario?

Indinuity
Shopify Partner

I've already tested using Postman but this is definitely not good enough since my request is totally not a Shopify request with a Shopify signed header. It's a bogus test until I can actually validate the request from Shopify.

Reward yourself and your Customers.
Ryan
Shopify Staff

 Hi All,

We understand this is a huge undertaking so I'll try to answer your questions the best I can, and pass along any that I don't have answers for.  See answers below.

 

How does a buyer or store owner actually initiate this request?

You'll probably want to check our Merchant facing resources here: https://help.shopify.com/manual/your-account/GDPR, https://www.shopify.com/blog/gdpr-ecommerce. "you can find the information and deletion request options on each customer's profile in Shopify."

Are there any test tools to immediately call the GDPR redactions in a test shop, including to see how it looks on the admin side...

No tools available for firing the webhooks currently, the rest is visible in your customers page of your dev store:
As for customers requesting from shops, not 100% sure but I believe that depends on the shop to implement a way for their customers to contact them, will find out.

What will happen if we try to load an order for which the customer requested deletion?

Will order.customer be null? Or will it be non null with a customer id and all other fields null?

Will check into this.

When will the mandatory webhooks really become mandatory?

I'm not a lawyer but if you want to be GDPR compliant... now?  If you mean when will Shopify enforce requiring the field to be filled, checking into this and I'll get back to you.

Will the webhooks send the same HTTP_X_SHOPIFY_SHOP_DOMAIN and HTTP_X_SHOPIFY_HMAC_SHA256 fields for authorization? (Asking because the payload contains the shop id and domain, according to the documentation)

There should be no change to the webhook headers.

How do we test these webhooks?

We don't have a testbed set up currently to send fake redactions.

Are apps notified after the 7 day buffer period or immediately upon request of erasure? If it's immediate and the request is canceled in the 7 day period, is there anything app developers can do for that scenario?

I'll look into it.
 

Ryan | Shopify 
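
The header question and the Postman testing problem raised above, worked through as an added example (not part of any post in this thread and not Shopify's code): an endpoint handler that checks the base64 HMAC-SHA256 of the raw body before acting, plus a helper that signs a locally constructed request so the handler can be exercised without Shopify. The secret, the in-memory `STORE`, the function names, the `X-Shopify-Topic` header and the `shop_domain` payload field are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real app uses its own shared secret.
APP_SECRET = b"constructed-test-secret"
# Hypothetical store standing in for the app's database: shop -> customer id -> data.
STORE = {"example.myshopify.com": {"101": {"email": "a@example.com"},
                                   "102": {"email": "b@example.com"}}}

def sign(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64 HMAC-SHA256 over the raw request body."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()

def handle_webhook(headers: dict, body: bytes) -> int:
    """Return the HTTP status the endpoint should answer with."""
    supplied = headers.get("X-Shopify-Hmac-Sha256", "")
    # Verify the untouched bytes, before JSON parsing, in constant time.
    if not hmac.compare_digest(sign(body).encode(), supplied.encode()):
        return 401
    payload = json.loads(body)
    # The signature covers only the body, so take the shop identity from
    # the payload (assumed field name) rather than from a header.
    shop = payload.get("shop_domain", "")
    topic = headers.get("X-Shopify-Topic", "")
    if topic == "customers/redact":
        customer_id = str(payload["customer"]["id"])
        STORE.get(shop, {}).pop(customer_id, None)  # idempotent on redelivery
    elif topic == "shop/redact":
        STORE.pop(shop, None)
    else:
        return 400
    return 200  # the 200-series acknowledgement the announcement asks for

def signed_test_request(topic: str, payload: dict):
    """Build headers and body signed with the app's own secret, for local tests."""
    body = json.dumps(payload).encode()
    headers = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": sign(body)}
    return headers, body
```

Posting the returned headers and body to a development endpoint exercises the same verification path as a delivery signed with the app's secret.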

dkrasov
Shopify Partner

Hi Ryan,

Are there any payload examples for shop/redact webhook? In the docs it's not clear what `shopify_domain` looks like (with "myshopify.com" or not).

Regards,

Dmytro.

Olek_-_Tidio
Shopify Partner

Hi Ryan,

I wonder if we need to sign a Data Processing Agreement between Shopify and us (an app provider). 

Thanks,
Olek

Ryan_Alyea
Shopify Partner

More of a theorycrafting question: Will the customers/redact be mandatory if the app does not have customers_read or orders_read scope? There's no point in having a mandatory data deletion if no data can even be requested.

Johannes_Hodde
Shopify Partner

We definitely need a date at which apps that do not register to those hooks stop working! Also, not sure why an app that does not request customer related scopes should register for those hooks? This simply generates traffic for nothing 😞

Not sure how other apps handle uninstall cases but we do remove ALL data upon an uninstall based on the uninstall hook. What's the reason for introducing new hooks for this?

Zapfor_Apps
Shopify Partner

Hey Ryan,

In customers/redact webhook, there are customer and orders_to_redact fields. Do we need to remove just the customer data specified in the customer field from the orders specified in the orders_to_redact field from our storage OR do we have to remove both the customer and orders from our storage?

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
Yoni_Elbaz
Shopify Partner

Another question - Does Shopify require us to only remove data related to orders? Or any data related to the customer (e.g. product reviews written by the customer)?