Mandatory GDPR webhooks for all apps

Ryan
Shopify Staff
492 42 113

Hi Shopify Devs,

 

In response to the General Data Protection Regulation (GDPR), we've introduced some important changes to our platform to help you properly handle the privacy and security of customers’ personal information.

 

New mandatory webhooks

Two new mandatory webhooks are available to every public app:

  1. customers/redact: When a buyer requests deletion of their personal information from a store owner, Shopify will send an HTTP POST request for the customers/redact topic to all apps installed on that shop that have been granted access to customers or orders data. Upon receipt of the webhook, the app should delete the customer’s personal information associated with that shop specifically.

  2. shop/redact: 48 hours after a shop uninstalls your app, Shopify will send an HTTP POST request for the shop/redact topic. Upon receipt of the webhook, the app must delete all customers’ personal information associated with that shop.

These webhook subscriptions can be managed from your partner dashboard, in the App Info tab of your app's settings. Going forward, all public apps must subscribe to the new mandatory webhooks and confirm the receipt of each redaction request by responding with a 200 series status code.

 

GDPR Resources

We’ve added a number of resources on Data and user privacy under GDPR. This includes a sample Privacy Policy Template as well as other guidance to help you better understand your privacy choices as a Shopify app developer.

Other resources we’ve released include a new Partner’s Blog post What App Developers Need To Know About GDPR (4 minute read), and the Shopify GDPR Whitepaper.

 

If you have any questions or concerns, please don’t hesitate to comment in the thread below.

Shopify Apps Team

Ryan | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Replies 76 (76)
Indinuity
Shopify Partner
41 1 4

Hey Ryan,


Thanks for the response. Got an issue.. I am testing those options under the Customer details now and I have my hooks set up. I have requested a copy of my data as well as erasure.. and I don't see the hook firing and I have yet to receive an email with my data. I've tried with two customers, once yesterday and once today. In either case.. nothing.

Reward yourself and your Customers.
john92
New Member
2 0 0

Hi Ryan,

I have three questions.

1. Currently customers log in to Shopify via email/password. If a store requests to erase personal data of customer A, can A still log in to the same account 7 days later? Or will Shopify create a new customer account?

2. Is there any plan for Shopify to add a test utility, e.g. an easy way of sending fake redactions?

3. Is there any systematic way to speed up the process so that we can test the behavior of the webhook without waiting for a few days?

Thanks for your help!

Regards,

John

Prateek_Madhik1
Shopify Partner
2 0 1

Hi Ryan,

Any update on when we can create webhooks for these topics? Also, am I right to assume that we need to subscribe to these webhooks the same way we subscribe to others (e.g. orders/update, customer/create, etc.)?

 

Thanks,

Prateek

Tim_Miller
Shopify Partner
6 0 0

Hi Ryan,

How would I go about verifying these requests came from the right source? Seeing as they are very destructive in nature I want to make sure that these indeed are coming from Shopify and not someone else imitating the calls.

 

Thanks,

Tim

 

 

Ryan
Shopify Staff
492 42 113

Preface: I am definitely not a lawyer; if you are concerned about the legality of data with GDPR you should definitely talk to one. These are the best answers I currently have from the apps team.

I wonder if we need to sign a Data Processing Agreement between Shopify and us (an app provider). 

Nope, if you want the longer explanation feel free to reach out to me on the Partner's Slack.

More of a theorycrafting question: Will the customers/redact be mandatory if the app does not have customers_read or orders_read scope?

Yes, it is still mandatory. The most basic reasoning for this is that apps can update their scopes, and may have access to customers' data in the future. If you don't actually have any data, you don't have to take action upon receipt of a customer_redact request.

We definitely need a date at which apps that do not register to those hooks stop working!

We will not shut off apps that do not update these fields without warning. Getting it done sooner rather than later is the best scenario so no action needs to be taken on our end. The first milestone will be denying new app creation that does not contain a callback URL in these fields.

In customers/redact webhook, there are customer and orders_to_redact fields. Do we need to remove just the customer data specified in the customer field from the orders specified in the orders_to_redact field from our storage OR do we have to remove both the customer and orders from our storage?

 

Does Shopify require us to only remove data related to orders? Or any data related to the customer (e.g. product reviews written by the customer)

You should remove all personally identifiable information (PII) from those orders upon receipt of the webhook containing orders_to_redact. And you should remove all PII from the shop upon receipt of a customer redact request if your app added it to the shop (a review, for example).

I am testing those options under the Customer details now and I have my hooks set up. I have requested a copy of my data as well as erasure.. and I don't see the hook firing and I have yet to receive an email with my data. I've tried with two customers, once yesterday and once today. In either case.. nothing.

Did they ever arrive? There is a 48 hour delay on the webhooks after request. Reach out to me on the partner slack if you want to troubleshoot further.

1. Currently customers log in to Shopify via email/password. If a store requests to erase personal data of customer A, can A still log in to the same account 7 days later? Or will Shopify create a new customer account?

2. Is there any plan for Shopify to add a test utility, e.g. an easy way of sending fake redactions?

3. Is there any systematic way to speed up the process so that we can test the behavior of the webhook without waiting for a few days?

1. If the store owner complies with the request and deletes the data, then no, they will not be able to log in to the same account later as that would be part of the deletion.

2 & 3. Not at this time.

 

Any update on when we can create webhooks for these topics? Also, am I right to assume that we need to subscribe to these webhooks the same way we subscribe to others (e.g. orders/update, customer/create, etc.)?

These are available now, and these webhook subscriptions will be manageable from your partner dashboard, in the App Info tab of your app settings.

 

How would I go about verifying these requests came from the right source? Seeing as they are very destructive in nature I want to make sure that these indeed are coming from Shopify and not someone else imitating the calls.

The same method you use to validate webhooks from Shopify that you register with your app is valid for these GDPR webhooks: https://help.shopify.com/api/getting-started/webhooks#verify-webhook.

 

Happy Developing.

Ryan | Shopify 
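
The verification Ryan points to in the reply above, as an added example that is not code from Shopify or from anyone in this thread: the handler recomputes the base64 HMAC-SHA256 of the raw request body and refuses to delete anything unless it matches the `X-Shopify-Hmac-Sha256` header. The `X-Shopify-Topic` and `X-Shopify-Shop-Domain` headers are used for dispatch; the shared secret, the in-memory `store` and the `customer.id` lookup are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real app uses its own shared secret.
APP_SECRET = b"example-shared-secret"


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64 HMAC-SHA256 of the raw body, as carried in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def handle_webhook(headers: dict, raw_body: bytes, store: dict) -> int:
    """Return the HTTP status to send; delete data only after the HMAC checks out.

    `store` is a hypothetical in-memory stand-in for the app's database:
    {shop_domain: {customer_id: {...pii...}}}.
    """
    received = headers.get("X-Shopify-Hmac-Sha256", "")
    # Verify over the exact bytes received, before any JSON parsing,
    # and compare in constant time.
    if not hmac.compare_digest(sign(raw_body).encode(), received.encode()):
        return 401
    topic = headers.get("X-Shopify-Topic")
    shop = headers.get("X-Shopify-Shop-Domain")
    payload = json.loads(raw_body)
    if topic == "customers/redact":
        # Assumes the customer object carries an `id` field.
        store.get(shop, {}).pop(payload["customer"]["id"], None)
    elif topic == "shop/redact":
        store.pop(shop, None)
    else:
        return 400
    return 200  # a 200 series status confirms receipt of the redaction request
```

A forged or tampered request gets a 401 and leaves the stored data untouched; only a body signed with the app's secret reaches the deletion branches.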

john92
New Member
2 0 0

Hi Ryan,

Thanks for your reply. I want to ask a few more questions. If a merchant only asks Shopify to remove a customer's personal data via the admin page (the image), and does not delete the customer account, can the customer log in to the same account 7 days later? Or does Shopify delete those accounts 7 days later?

And in this page, https://help.shopify.com/manual/your-account/GDPR/processing-gdpr-data-requests#process-erasure-requ...

It mentions that

After you request an erasure through your admin, Shopify will transmit your erasure request to all apps you have installed at the time you make the request that might have access to that customer’s data.

So does the customers/redact webhook fire immediately when the merchant requests 'remove personal data' from the Shopify admin page?

Thanks,

John

 

Yoni_Elbaz
Shopify Partner
48 0 10

Hi Ryan,

A few important questions still left open:

1. Retargeting and GDPR - Will Shopify collect explicit consent from EU visitors to the app store?

2. Will a shop/redact webhook get sent for Paused / Closed stores?

3. When do webhooks get sent to apps, if merchants have a 7 day buffer period to cancel the deletion request?

Thanks!

Yoni

HSL
Shopify Expert
37 0 3

Maybe something to consider: not all apps need the personal information of the merchant's customers.

Right now I strip the personal information from the data sent to my webhooks before processing/storing data, but it would be even better if there was a setting "don't include personal data" for the API so that apps don't receive the data at all and so that merchants can see that the apps who have that setting enabled do not have access to the personal information of their customers. :)

Thanks!

Harold

Marc_Baumbach
Shopify Partner
21 0 6

Hi Ryan (or any others who have seen a customer redact request come in),

When the customer order information is redacted, will the order/update webhook be triggered with missing customer details (e.g., a null customer_id, no billing/shipping address, email, or phone)? If so, that may provide some automatic redaction for some apps, so long as their applications are able to handle those pieces of data being missing.

Thanks!

Marc

AWeber
New Member
1 0 0

Hi Ryan,

I am writing you from AWeber Communications. We are an integration partner and have a few questions about the changes for GDPR.

  • The new webhooks are stated to be mandatory. For planning purposes, when will these be enforced?
  • If the new webhooks are not implemented by the enforcement date, what will happen to our integration?
  • If we are not storing personal information about a customer, are we required to implement these webhooks?
  • The webhooks do not appear to provide any context on the purpose for the redaction. When a customer completes an order with Shopify they are given the option to “Keep me up to date on news and exclusive offers”. Customers provide separate consent from the order; therefore, we need this differentiated in the redaction. We need to know if the redaction is related to orders or email marketing. This is important to maintain our position as a data processor and not a controller. When a customer is requesting erasure, are they presented with both options?

Thank you for your time and consideration of these questions.

Zac Gery
Integrations Product Manager