Quick summary
Covers what UK GDPR requires for ecommerce following Brexit and the ICO's guidance, cookie consent requirements, privacy policy obligations, marketing consent, data subject rights, third-party app data processing agreements, and Shopify's built-in compliance tools. For UK Shopify merchants who want a clear picture of what they must have in place and what is optional.
UK GDPR compliance is one of those subjects that most merchants know they should address and many quietly avoid. The risk is not abstract: the ICO (Information Commissioner's Office) has taken enforcement action against UK businesses for cookie consent failures, inadequate privacy notices, and unlawful direct marketing. The fine ceiling under UK GDPR is £17.5 million or 4% of global annual turnover, whichever is higher.
For most Shopify merchants, the real risk is not a maximum fine, but an enforcement notice, a complaint from a customer, or reputational damage. This checklist covers what you actually need to have in place.
What does UK GDPR mean for Shopify merchants post-Brexit?
After Brexit, the UK operates under its own data protection framework: the UK GDPR and the Data Protection Act 2018. The UK GDPR is the retained version of the EU's GDPR, with broadly similar requirements but governed by the ICO rather than EU data protection authorities.
For practical purposes, if you were compliant with EU GDPR before Brexit, you are likely compliant with UK GDPR. The key differences are:
- UK merchants offering goods to EU customers must also comply with EU GDPR, which includes appointing a representative in the EU if you have no EU establishment (EU GDPR Article 27; the exemption is for processing that is occasional, does not involve special categories at scale, and is unlikely to pose a risk to individuals)
- The ICO is the supervisory authority for UK matters, not EU data protection authorities
- The UK has indicated it may diverge from EU GDPR in future, but as of 2026, the requirements are substantially aligned
If you sell to EU customers, you need to consider both UK GDPR and EU GDPR. For most UK merchants selling primarily to UK customers, UK GDPR is the primary compliance framework.
What do you need for cookie consent?
Cookie consent is where many Shopify merchants are non-compliant. A banner that says "We use cookies" and only has an "Accept" button is not valid consent under UK GDPR or the Privacy and Electronic Communications Regulations (PECR).
Valid cookie consent requires:
- A genuine choice: the user must be able to decline non-essential cookies as easily as they can accept them. An "Accept all" button without an equivalent "Reject all" or granular options is not compliant under current ICO guidance.
- Prior to non-essential tracking: GA4, Meta Pixel, TikTok Pixel, and similar tools must not load until consent is given. A banner that appears after the tracking scripts have already fired is not compliant.
- Informed consent: users must be told what they are consenting to, in plain language. Category-level explanations ("Analytics cookies help us understand how our site is used") are the standard approach.
Cookies that do not require consent:
- Strictly necessary cookies (shopping cart, session, login)
- Functional cookies that the user has explicitly requested (saved preferences, language settings)
Cookies that do require consent:
- Analytics cookies (GA4, Shopify Analytics if using cookies)
- Marketing and advertising cookies (Meta Pixel, Google Ads, TikTok)
- Social media tracking cookies
- Any third-party cookie that tracks user behaviour across sites
Recommended apps for cookie consent:
| App | Key features | Pricing |
|---|---|---|
| Cookiebot (Usercentrics) | Automatic cookie scan, IAB TCF 2.2 compliant, consent log | From £9/month |
| OneTrust | Enterprise-grade, highly configurable, full consent record | From £50/month |
| Pandectes GDPR | Shopify-specific, consent mode for GA4, free tier available | Free tier; paid from $9/month |
| Consentmo | Shopify-native, consent mode integration, GDPR and PECR | Free tier; paid from $9/month |
| Free Cookie Consent banner | Basic compliant banner, limited customisation | Free |
Pandectes GDPR and Consentmo are the most popular Shopify-specific options because they integrate with Shopify's Customer Privacy API and configure Google Consent Mode v2 for GA4 and Google Ads automatically. Consent Mode v2 is what lets Google tags receive cookieless pings from visitors who declined, so that Google Ads conversion tracking and GA4 can fill the gap with modelled data; without it, a refusal simply means no data at all. Note that Consent Mode is not itself consent: it only tells Google what the visitor chose, and you still need a banner that obtains and records that choice.
Cookiebot is the most comprehensive option for merchants who need an automatic cookie scan (it discovers and categorises all cookies on your site), detailed consent logs, and IAB TCF 2.2 compliance for programmatic advertising.
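The gating behaviour described above, as an added example rather than code from Shopify or from any of the apps in the table: a small consent gate that sets the Consent Mode v2 default to "denied" before any tag runs, then loads GA4 only when analytics consent is granted and the Meta and TikTok pixels only when marketing consent is granted. It assumes a `consent` object of the form `{analytics, marketing}` supplied by your banner (for instance read from the Customer Privacy API), a `loadScript` callback that injects a `<script>` tag, and Google's `gtag()` function; the measurement ID is a placeholder.

```javascript
// Added example (not Shopify's or any consent app's code): gate tracker
// loading on consent and drive Google Consent Mode v2 from the same state.
// Assumptions: consent = {analytics: bool, marketing: bool} from the banner,
// loadScript(url) injects a <script> tag, gtag is Google's gtag() function.
// G-XXXXXXX is a placeholder measurement ID.

const TRACKERS = {
  ga4:       { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX', category: 'analytics' },
  metaPixel: { url: 'https://connect.facebook.net/en_US/fbevents.js',          category: 'marketing' },
  tiktok:    { url: 'https://analytics.tiktok.com/i18n/pixel/events.js',        category: 'marketing' },
};

function createConsentGate({ loadScript, gtag }) {
  const loaded = new Set();

  // Consent Mode v2 default: all four storage types denied, issued before
  // any tag runs. wait_for_update gives the banner 500 ms to replay a
  // choice the visitor made on an earlier page view.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  });

  function apply(consent) {
    // Tell Google what was granted. Denied categories keep sending
    // cookieless pings, which is what feeds conversion modelling.
    gtag('consent', 'update', {
      analytics_storage: consent.analytics ? 'granted' : 'denied',
      ad_storage: consent.marketing ? 'granted' : 'denied',
      ad_user_data: consent.marketing ? 'granted' : 'denied',
      ad_personalization: consent.marketing ? 'granted' : 'denied',
    });
    // Only now inject the trackers whose category was granted, once each.
    for (const [name, tracker] of Object.entries(TRACKERS)) {
      if (consent[tracker.category] && !loaded.has(name)) {
        loadScript(tracker.url);
        loaded.add(name);
      }
    }
    return [...loaded].sort();
  }

  return { apply, loadedTrackers: () => [...loaded].sort() };
}

// Stand-alone run with recording stubs in place of the real DOM and gtag.
// Returns the ordered list of calls so the sequence can be inspected.
function demo(consent = { analytics: true, marketing: false }) {
  const calls = [];
  const gate = createConsentGate({
    loadScript: (url) => calls.push(['load', url]),
    gtag: (...args) => calls.push(['gtag', ...args]),
  });
  gate.apply(consent);
  return calls;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats worth knowing before wiring this into a theme. First, `apply` only ever adds trackers: if a visitor withdraws consent later in the session, scripts that are already running do not unload and cookies such as `_ga` or `_fbp` are not removed, so a banner that allows withdrawal must also clear those cookies (or reload the page) rather than just call the update. Second, `wait_for_update` is only useful if the banner actually replays stored consent within that window; otherwise the page simply runs in the denied state, which is the safe default.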
What must your privacy policy include?
The UK GDPR requires you to provide a privacy notice that covers specific information. A template policy that has not been tailored to your business is a compliance risk.
Minimum required content:
- Who you are: your business name, registered address, and contact details
- What personal data you collect: names, email addresses, order data, browsing data, IP addresses, payment information
- Why you collect it (the legal basis for each type of processing):
- Contract: processing necessary to fulfil an order
- Legitimate interests: fraud prevention, improving your service
- Consent: marketing emails, analytics cookies
- Legal obligation: VAT records, accounting
- Who you share data with: Shopify (your data processor), payment providers, shipping carriers, email marketing platforms, analytics providers
- How long you retain data: order and accounting records (at least 6 years, the HMRC minimum for VAT and company records), marketing data (until unsubscribed or consent withdrawn), analytics data (your GA4 retention setting)
- Data subject rights: the right to access, rectify, erase, restrict, and object to processing, and the right to data portability
- How to make a complaint to the ICO
- If you transfer data outside the UK: the safeguards in place (UK adequacy regulations cover the EEA and, for certified US companies, the UK-US data bridge; otherwise most major platforms rely on the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses)
Your privacy policy must be accessible from every page of your store (a footer link is standard) and must be linked from your checkout.
How should you handle marketing consent?
Marketing email consent is a separate requirement from your privacy policy. Under PECR, you need prior consent to send marketing emails to individuals (B2C customers), and that consent must meet the UK GDPR standard: freely given, specific, informed and unambiguous. "Legitimate interests" as a lawful basis does not get you past PECR for direct marketing emails to consumers.
What compliant email marketing consent looks like:
- An unticked opt-in checkbox at checkout with clear wording ("Yes, I would like to receive marketing emails and offers")
- Existing customers who have not previously given marketing consent must be asked to opt in; consent cannot be assumed from the relationship
- Unsubscribing must be simple: an unsubscribe link in every marketing email is legally required, not optional
What is not compliant:
- Pre-ticked marketing consent boxes
- Bundling marketing consent into terms and conditions acceptance
- Adding customers to marketing lists because they made a purchase (without separate marketing consent)
Shopify's customer email marketing consent field (the "Accepts email marketing" checkbox) stores whether each customer has opted in. Ensure your email platform (Klaviyo, Omnisend, Mailchimp) only sends marketing to customers where this field is true.
Soft opt-in exception: under PECR (regulation 22(3)), you can send marketing about your own similar products and services to existing customers without fresh consent, provided their details were obtained in the course of a sale or negotiations for a sale, they were given a simple opportunity to opt out when their details were collected, and every subsequent message also offers an opt-out. This is the "soft opt-in". It applies to customers who have made a purchase, not to newsletter sign-ups or abandoned cart contacts.
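As an added example (not Shopify's, Klaviyo's or the ICO's code), here is the decision logic of this section written out so it can be run over customer records before a campaign goes out: consent via the "Accepts email marketing" flag wins, an unsubscribe always blocks, and otherwise the soft opt-in conditions are checked one by one. The customer records are constructed, and every field other than `accepts_marketing` (`source`, `purchasedLines`, `optOutOfferedAtCollection`, `unsubscribed`) is an assumed field name you would map onto your own data.

```javascript
// Added example (not Shopify's or any email platform's code): decide whether
// a marketing email may go to a customer under PECR. Records are constructed;
// field names other than accepts_marketing are assumptions for the example.

// Decide for one customer and one campaign; returns the basis so the
// outcome can be logged as evidence alongside the send.
function marketingDecision(customer, campaign) {
  // An unsubscribe beats everything, including a stale consent flag.
  if (customer.unsubscribed) return { allowed: false, basis: 'unsubscribed' };

  // Shopify's "Accepts email marketing" flag: explicit opt-in.
  if (customer.accepts_marketing) return { allowed: true, basis: 'consent' };

  // Soft opt-in, PECR reg. 22(3): details obtained in the course of a sale,
  // marketing is for similar products, and an opt-out was offered at
  // collection. A newsletter sign-up is not a sale, so it never qualifies.
  const obtainedInSale = customer.source === 'purchase';
  const similar = campaign.productLines.some((line) => customer.purchasedLines.includes(line));
  if (obtainedInSale && similar && customer.optOutOfferedAtCollection) {
    return { allowed: true, basis: 'soft-opt-in' };
  }
  return { allowed: false, basis: 'no-consent' };
}

// Build the send list for a campaign; everything else stays off the list.
function buildSendList(customers, campaign) {
  return customers
    .filter((c) => marketingDecision(c, campaign).allowed)
    .map((c) => c.email);
}

// Constructed sample customers (example.com addresses, not real people).
const SAMPLE_CUSTOMERS = [
  { email: 'alice@example.com', accepts_marketing: true,  source: 'newsletter', purchasedLines: [],           optOutOfferedAtCollection: true,  unsubscribed: false },
  { email: 'bob@example.com',   accepts_marketing: false, source: 'purchase',   purchasedLines: ['footwear'], optOutOfferedAtCollection: true,  unsubscribed: false },
  { email: 'carol@example.com', accepts_marketing: false, source: 'newsletter', purchasedLines: [],           optOutOfferedAtCollection: true,  unsubscribed: false },
  { email: 'dave@example.com',  accepts_marketing: false, source: 'purchase',   purchasedLines: ['homeware'], optOutOfferedAtCollection: true,  unsubscribed: false },
  { email: 'erin@example.com',  accepts_marketing: true,  source: 'purchase',   purchasedLines: ['footwear'], optOutOfferedAtCollection: true,  unsubscribed: true  },
  { email: 'frank@example.com', accepts_marketing: false, source: 'purchase',   purchasedLines: ['footwear'], optOutOfferedAtCollection: false, unsubscribed: false },
];

const FOOTWEAR_CAMPAIGN = { name: 'Autumn boots', productLines: ['footwear'] };

console.log(buildSendList(SAMPLE_CUSTOMERS, FOOTWEAR_CAMPAIGN));
```

In practice this logic lives in your email platform's segment definition rather than in a script, but writing it out makes the edge cases visible: Dave bought from you but the campaign is not for similar products, and Frank bought from you but was never offered an opt-out at checkout, so neither qualifies for the soft opt-in even though both are paying customers.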
What are data subject rights and how do you handle them?
Under UK GDPR, individuals have the following rights over their personal data:
- Right of access: the right to request a copy of the data you hold on them (a Subject Access Request, or SAR). You must respond within one month of receiving the request; this can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month.
- Right to rectification: the right to have inaccurate data corrected.
- Right to erasure: the right to have their data deleted, in specific circumstances. For Shopify merchants, this means being able to delete customer records on request, subject to retention requirements for legal obligations (VAT records, accounting).
- Right to restrict processing: the right to request that you pause processing their data while they challenge its accuracy or lawfulness.
- Right to object: the right to object to processing based on legitimate interests, including profiling.
- Right to data portability: the right to receive their data in a machine-readable format.
Practical implementation for Shopify merchants:
Shopify includes a customer data request process under Settings, then Legal. Customers can submit access and erasure requests via this mechanism. For erasure requests, Shopify allows you to anonymise customer records in a way that satisfies the right to erasure while retaining the order data you need for legal and accounting purposes.
Set up a dedicated mailbox such as privacy@yourdomain.co.uk (a shared mailbox, not one person's inbox, so requests are not missed when someone is away) and link it in your privacy policy as the contact for data subject requests. Responding to SARs within one month is a legal requirement, and the clock starts when the request arrives, whichever channel it arrives through.
What about third-party apps and data processing agreements?
Every app you install on Shopify that processes personal data on your behalf is a data processor, and you are the controller. Under UK GDPR (Article 28), you must have a written contract, usually called a Data Processing Agreement (DPA), in place with each of these processors.
Major platforms (Shopify, Klaviyo, Google, Meta) have standard DPAs or data processing terms available in their terms of service or on request. For smaller app providers, you may need to request a DPA specifically.
Review the apps in your Shopify admin and identify which ones handle personal data (customer names, emails, order data, browsing data). For each, check:
- Do they have a UK GDPR-compliant DPA available?
- Where is the data processed and stored? (EU, US, or other)
- If data is transferred outside the UK, what safeguard is in place?
The ICO's guidance on international data transfers is clear that you must document these transfers and the safeguards. For transfers from the UK the recognised mechanisms are the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses; the EU SCCs alone are not sufficient for UK-origin data. Transfers to US processors certified under the UK extension to the EU-US Data Privacy Framework (the UK-US data bridge) are covered by adequacy regulations and need neither.
What does Shopify include for compliance?
Shopify provides several built-in features to assist with UK GDPR compliance:
- Customer data request handling: customers can request access to or deletion of their data via a portal
- Customer Privacy API: Shopify's storefront JavaScript exposes the visitor's current consent state, which compliant consent apps read and update so that tracking scripts only load once consent has been given
- Data portability: you can export customer and order data for SAR responses
- GDPR checklist: Shopify provides a basic compliance checklist in the admin
These tools are helpful but not sufficient on their own. Shopify does not configure your cookie consent banner, write your privacy policy, or manage your marketing consent records. Those are your responsibility.
Key actions to take now
- Audit your cookie consent setup. Visit your store in a private browser window with any ad blocker disabled. Before you interact with the cookie banner, open the browser's network inspector (or the Google Tag Manager preview) and check whether requests to GA4, Meta Pixel, or any other marketing endpoint have already been sent, and whether cookies such as `_ga` or `_fbp` have already been set. Repeat the check after clicking "Reject". If trackers fire before consent or after a rejection, your implementation is non-compliant.
- Install a compliant cookie consent app if you do not already have one. Pandectes GDPR or Consentmo are the most practical starting points for Shopify merchants.
- Review your privacy policy against the required content checklist above. If it does not list all third-party processors, retention periods, or data subject rights, update it.
- Check your email marketing consent collection at checkout. Confirm the marketing opt-in box is unticked by default and that your email platform only sends to customers where consent is confirmed.
- Set up a data subject request handling process. Add a privacy contact email to your privacy policy and confirm you can respond to access and erasure requests within one month.
- Review your installed apps and confirm you have DPAs in place with any that handle customer personal data. Check each app's terms of service or contact them directly if a DPA is not readily available.
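The audit in the first action above can be done by eye in the network inspector, but it is easy to miss a single pixel call among hundreds of requests. As an added example (not a Shopify or ICO tool), here is a script that takes a list of captured requests with timestamps, plus the moment the visitor clicked the banner, and flags tracker calls that happened before that click. The request log is constructed to resemble a simplified HAR export (Chrome's "Save all as HAR" gives you `entries[].request.url` and `entries[].startedDateTime`, which you would map onto the `url` and `t` fields used here); the host list covers the tools this page names and is an assumption you should extend for your own stack.

```javascript
// Added example (not Shopify's or the ICO's code): flag tracker requests
// that fired before the visitor interacted with the cookie banner.
// The log below is constructed; timestamps are milliseconds since page load.

const TRACKER_HOSTS = [
  { pattern: /(^|\.)google-analytics\.com$/, tool: 'GA4' },
  { pattern: /(^|\.)googletagmanager\.com$/,  tool: 'gtag/GTM loader' },
  { pattern: /(^|\.)facebook\.(com|net)$/,    tool: 'Meta Pixel' },
  { pattern: /(^|\.)tiktok\.com$/,            tool: 'TikTok Pixel' },
  { pattern: /(^|\.)doubleclick\.net$/,       tool: 'Google Ads' },
];

// Identify the tracker behind a URL, or null if it is not a known tracker.
function classify(url) {
  const { hostname } = new URL(url);
  const hit = TRACKER_HOSTS.find((h) => h.pattern.test(hostname));
  return hit ? hit.tool : null;
}

// A GA4 hit carrying gcs=G100 is a Consent Mode "denied" cookieless ping.
// Whether that is acceptable pre-consent is a judgement call, so it is
// reported for review rather than as a straight violation.
function isConsentModeDeniedPing(url) {
  return new URL(url).searchParams.get('gcs') === 'G100';
}

// Return every tracker request sent before consentAt, with a severity.
function auditPreConsent(log, consentAt) {
  const findings = [];
  for (const entry of log) {
    if (entry.t >= consentAt) continue;          // after the click: allowed
    const tool = classify(entry.url);
    if (!tool) continue;                         // first-party or unknown host
    const severity = tool === 'GA4' && isConsentModeDeniedPing(entry.url) ? 'review' : 'violation';
    findings.push({ t: entry.t, tool, severity, url: entry.url });
  }
  return findings;
}

// Constructed capture: the visitor clicked the banner at t = 4000.
const SAMPLE_LOG = [
  { t: 1000, url: 'https://shop.example/collections/all' },
  { t: 1050, url: 'https://cdn.shopify.com/s/files/theme.js' },
  { t: 1120, url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { t: 1200, url: 'https://www.facebook.com/tr/?id=000000&ev=PageView' },
  { t: 1300, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G100&en=page_view' },
  { t: 4500, url: 'https://analytics.tiktok.com/api/v2/pixel?sdkid=XXXX' },
  { t: 4600, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G111&en=page_view' },
];
const CONSENT_AT = 4000;

for (const f of auditPreConsent(SAMPLE_LOG, CONSENT_AT)) {
  console.log(`${f.severity.toUpperCase()} t=${f.t} ${f.tool}: ${f.url}`);
}
```

In the constructed capture the Meta Pixel script and its PageView call both fire at around one second, long before the click, which is the classic "banner appears after the scripts have already run" failure. The GA4 hit at 1300 carries `gcs=G100`, meaning Consent Mode reported both storage types as denied, so it is surfaced for review rather than as a violation; if you see `gcs=G111` (both granted) before consent, that is a violation. The TikTok call after the click is not flagged, but the audit should be repeated with "Reject" clicked to confirm it does not fire then either.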
Frequently Asked Questions
Is the ICO actively fining small Shopify merchants?
The ICO's enforcement focus has been primarily on larger organisations and systemic failures rather than small merchants. However, ICO action on consent is no longer theoretical: it has publicly written to and reprimanded website operators over non-compliant cookie banners, and it regularly fines companies for unlawful direct marketing under PECR. The more common risk for small merchants is a customer complaint leading to an ICO investigation, which requires time to respond to even if no fine results. Compliance is also increasingly an expectation of customers, not just a legal requirement.
Do I need to register with the ICO?
Most UK businesses that process personal data are required to pay the ICO's annual data protection fee, which is tiered by organisation size (historically £40 to £2,900 per year; the fee schedule was increased in 2025, so check the ICO's current figures). There are limited exemptions. A Shopify merchant processing customer data for order fulfilment and marketing is almost certainly required to register. Use the ICO's online self-assessment tool to confirm whether you need to register and which tier applies.
Do I need a separate privacy policy for EU customers?
If you sell to EU customers, you need to comply with EU GDPR as well as UK GDPR. For most practical purposes, a single privacy policy written to cover both frameworks is sufficient, provided it includes the required content under both regimes (they are very similar) and names both the ICO and the relevant EU supervisory authority as places to complain. EU GDPR requires you to appoint an EU representative if you have no establishment in the EU and offer goods to people there, unless your processing of EU personal data is only occasional and low-risk.
What happens if a customer requests that I delete their data?
Under the right to erasure, you must delete or anonymise the customer's personal data unless there is a lawful reason to retain it. The most common legitimate reason to retain data is a legal obligation: you are required to keep VAT records and accounting records for 6 years under UK tax law, which includes order totals and customer billing information. Shopify's anonymisation feature removes identifying personal data (name, email, address) from customer and order records while retaining the financial data needed for accounting purposes. This satisfies the erasure request without creating accounting compliance problems.