GDPR for UK Shopify stores: what actually matters in 2026
Short answer: if you run a UK Shopify store, UK GDPR applies to you the moment you take a customer’s name and email — not when you hit some revenue threshold, and not only if you sell across borders. A cookie banner covers one small part of it. This guide walks through what actually matters, in plain English, and how to see where you stand.
Does UK GDPR apply to my Shopify store?
Yes. UK GDPR (the UK’s version of the EU regulation, retained in law after Brexit and sitting alongside the Data Protection Act 2018) applies to any organisation that processes personal data — information that can identify a living person. For a Shopify store that means customer names, email addresses, delivery addresses, phone numbers, and order histories.
There is no small-business exemption from the core principles. A sole trader shipping candles from a spare room is subject to the same seven data-protection principles as a large retailer. What changes with size is the scale of the obligation, not whether it exists.
The obligations that actually apply (not just cookies)
Most store owners think “GDPR” and reach for a cookie banner. Cookies matter, but they are one obligation among several. The ones that actually apply to a typical UK Shopify store are:
- A truthful privacy notice. You must tell people what data you collect, why, who you share it with, and how long you keep it (UK GDPR Articles 13–14). The catch: it has to match what your store actually does today, not what a template said on launch day.
- Cookie consent before tracking. Under PECR (the Privacy and Electronic Communications Regulations), non-essential tracking — analytics, ad pixels, some chat and review widgets — should not load until the visitor agrees. A banner that fires the tags anyway is not consent.
- Contracts with your processors (Article 28 DPAs). Every third-party app that touches customer data — your email tool, reviews app, analytics, fulfilment, chat — is a “processor”. You are legally required to have a Data Processing Agreement in place with each. If one of them loses your customers’ data and you have no DPA, the liability lands on you.
- Data retention. Keeping personal data “just in case” is not lawful. You need a reason to hold each category of data and a point at which you delete it (the storage-limitation principle, Article 5(1)(e)).
- Data subject requests within 30 days. A customer can ask for a copy of everything you hold on them (a subject access request), and you have one calendar month to respond. The clock starts when they ask — not when you get round to it.
- ICO registration. Most UK businesses processing personal data must register with the Information Commissioner’s Office and pay the annual data protection fee, unless an exemption applies.
Why “we’ve got a cookie banner” is the trap
A cookie banner is visible, cheap, and reassuring — which is exactly why it becomes the finish line in most people’s heads. But the parts of compliance that create real exposure are the invisible ones: the app you installed last quarter that now processes customer emails with no DPA on file; the privacy notice that hasn’t been updated since you changed payment providers; the marketing list you can’t prove people consented to.
This is the quiet problem with compliance for a growing store: it drifts. You add a tool, swap a courier, connect a new CRM — and the paperwork silently stops matching reality. Nobody sends you a warning. It only surfaces when a customer complains, a B2B buyer asks for your DPAs, or the ICO gets in touch.
How to check where you actually stand
You do not need to read the regulation to find out whether your store has gaps. The fastest first step is an outside-in check of the signals anyone — a customer, a partner, or a regulator — can already see from your public website: your privacy notice, cookie behaviour, security, and business identity.
That is exactly what GuardianStack’s free public check does, in about 30 seconds, with every finding shown in plain English and mapped to the rule it comes from. It is read-only — it changes nothing on your store — and it is the honest starting point before you spend money on tools or templates.
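The two technical points above, that non-essential tags must not load until the visitor agrees (the PECR item in the obligations list) and that an outside-in check can tell from observed cookies whether a banner is firing tags anyway, can be demonstrated in a small consent gate. The following is an added example written for this page; it is not code from GuardianStack or from Shopify. The tag registry, the consent cookie format (`consent=analytics:1|marketing:0|functional:1`), the vendor URLs and the cookie names are all constructed placeholders, and the consent categories are assumptions a real store would replace with its own.

```javascript
// Consent-gated tag loading for a storefront (added example; all names are constructed).
// Each registry entry says which consent category a tag needs. "essential" tags need none;
// everything else is opt-in, which is the PECR default for non-essential tracking.
// URLs and cookie names are placeholders, not real vendor endpoints.
const TAG_REGISTRY = [
  { id: "session",        category: "essential",  src: "/assets/session.js",                cookies: ["cart_session"] },
  { id: "analytics",      category: "analytics",  src: "https://analytics.example/tag.js",  cookies: ["_an_id"] },
  { id: "ad_pixel",       category: "marketing",  src: "https://ads.example/pixel.js",      cookies: ["_ad_uid"] },
  { id: "reviews_widget", category: "functional", src: "https://reviews.example/widget.js", cookies: ["rv_visitor"] },
];

// Parse the consent cookie out of a Cookie header / document.cookie string.
// Constructed format: "consent=analytics:1|marketing:0|functional:1".
// No cookie at all means no consent for anything non-essential.
function parseConsent(cookieString) {
  const consent = {};
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieString || "");
  if (!match) return consent;
  for (const pair of match[1].split("|")) {
    const [category, value] = pair.split(":");
    if (category) consent[category] = value === "1";
  }
  return consent;
}

// Decide which tags may load: essential tags always, others only with an explicit "1".
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry.filter(t => t.category === "essential" || consent[t.category] === true);
}

// Inject the permitted scripts into the page. When run outside a browser (doc === null)
// nothing is injected; the returned list of tag ids lets the caller verify the decision.
function loadTags(consent, registry = TAG_REGISTRY,
                  doc = (typeof document !== "undefined" ? document : null)) {
  const loaded = [];
  for (const tag of allowedTags(consent, registry)) {
    if (doc) {
      const s = doc.createElement("script");
      s.src = tag.src;
      s.async = true;
      doc.head.appendChild(s);
    }
    loaded.push(tag.id);
  }
  return loaded;
}

// Outside-in audit: given the cookie names observed on a fresh visit before any banner
// interaction, report those that belong to a non-essential tag. Any hit means the
// banner is cosmetic and the tags fire regardless of consent.
function auditPreConsentCookies(observedCookieNames, registry = TAG_REGISTRY) {
  const violations = [];
  for (const tag of registry) {
    if (tag.category === "essential") continue;
    for (const name of tag.cookies) {
      if (observedCookieNames.includes(name)) {
        violations.push({ tag: tag.id, cookie: name, category: tag.category });
      }
    }
  }
  return violations;
}

// Demo with constructed input: a returning visitor who accepted analytics but not ads,
// and a fresh-visit cookie jar captured before the banner was answered.
const demoConsent = parseConsent("cart_session=abc123; consent=analytics:1|marketing:0");
console.log("tags to load:", loadTags(demoConsent, TAG_REGISTRY, null));
console.log("pre-consent violations:", auditPreConsentCookies(["cart_session", "_ad_uid"]));
```

The `loadTags` path is what the storefront theme should call after reading the banner's decision; `auditPreConsentCookies` is the defender-side check, run against the cookies a clean browser session receives before anyone clicks "accept". Mapping each third-party app to its cookies in the registry is also a useful by-product: it doubles as the list of processors that need an Article 28 DPA on file.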
The bottom line
UK GDPR for a Shopify store is not one thing you can buy your way out of with a banner. It is a handful of obligations — notice, consent, processor contracts, retention, subject requests, registration — that have to keep matching a business that keeps changing. Get visibility first, fix the gaps that matter, and keep an eye on the drift. That is the whole game.
Frequently asked questions
Does UK GDPR apply to a small Shopify store?
Yes. UK GDPR applies to any business that handles personal data — names, emails, addresses, order history — regardless of size. A one-person Shopify store processing customer orders is in scope.
Is a cookie banner enough to be GDPR compliant?
No. A cookie banner addresses one obligation (consent for non-essential cookies under PECR). UK GDPR also covers your privacy notice, contracts with the apps that process your data (Article 28 DPAs), data retention, and honouring data subject requests within 30 days.
Do I need to register with the ICO as a Shopify store?
Most UK businesses that process personal data must register with the ICO and pay the annual data protection fee, unless a specific exemption applies. The fee is tiered by size and turnover.
See where your store actually stands
Run a free outside-in compliance check of your website — no login required, results in about 30 seconds.