The store system provider Shopify is being targeted by data protection experts. Just recently, the Rhineland-Palatinate data protection authority declared a function integrated into Shopify to be illegal.

The e-commerce software Shopify is more popular than ever. As of June 2022, around 26,000 domains from around 17,500 different merchants existed on the portal. But that could soon change. Now an interesting case is making waves. A retailer from Rhineland-Palatinate received mail from the Rhineland-Palatinate data protection authority. The accusation: the retailer is alleged to have transmitted usage data to US service providers without authorization.

What exactly is Shopify?

Shopify is cloud-based e-commerce software from a Canadian software company of the same name. The system provides merchants with acceptance-ready online storefronts and is popular for its ease of use. With about 17,500 merchants in 175 countries – including well-known brands such as Red Bull and Tesla – Shopify is the world’s leading cloud-based store system. For some functions, the software relies on third-party services, which are natively integrated into the system. It is precisely this circumstance that has now been the undoing of a German retailer.

This is what happened

Christian Häfner has been running an online coffee business for over 7 years. To generate what is now a seven-figure turnover, Häfner also used Shopify software until June 2022. According to the entrepreneur, it was the most innovative store system with the best user experience. But that's over now. Häfner received a complaint from the state data protection authority of Rhineland-Palatinate. He is said to have transmitted his users' data to US service providers via his website. The use of the required content delivery networks (CDNs) Fastly and Cloudflare is illegal, the authority says.

Other services also affected

Häfner fixed the problem, which had to do with a consent banner, and from then on used other networks. Without success. Once again, the company received a letter from the data protection authority. This time, the use of localStorage and various third-party requests were criticized. Häfner then received a threat of punishment in another letter.

No support from Shopify

In its distress, the company contacted Shopify's support. However, support could not or would not solve the problem. “At no point did Shopify make any effort to contact the authority,” says Häfner. Even the company's own external data protection officer was unable to sort out the problem. In the end, the retailer felt compelled to switch to a new store system.

Shopify's reaction causes astonishment

Shopify itself did not react to the incident until it was discussed internationally in various merchant forums. It should have communicated more clearly that Shopify was completely legal in Germany, CEO Tobi Lütke wrote on Twitter. However, Lütke criticized the retailer for spreading a disproportionate amount of uncertainty by publicizing the incident. Häfner does not accept this accusation: “I feel let down by Shopify.”

Uncertainty remains for other merchants

The incident is relevant for other online retailers. Even though EU and U.S. data protection officials are trying to resolve the matter at a higher political level, many entrepreneurs do not know how to deal with U.S. service providers in a GDPR-compliant manner. However, no other cases are known so far in which Shopify customers have received a complaint similar to that of Christian Häfner.
