The store system provider Shopify is being targeted by data protection experts. Only recently, the Rhineland-Palatinate state data protection authority declared a function integrated into Shopify to be unlawful.
The e-commerce software Shopify is more popular than ever. In June 2022, there were around 26,000 domains from around 17,500 different merchants on the portal. But that could soon change. An interesting case is now making waves. A retailer from Rhineland-Palatinate received a letter from the Rhineland-Palatinate data protection authority. The allegation: the retailer is said to have transmitted usage data to US service providers without authorization.
What exactly is Shopify?
Shopify is a cloud-based e-commerce software from a Canadian software company of the same name. The system provides retailers with ready-to-use online stores and is popular due to its user-friendliness. With around 17,500 retailers in 175 countries - including well-known brands such as Red Bull and Tesla - Shopify is the world's leading cloud-based store system. For some functions, the software relies on third-party services that are natively integrated into the system. It is precisely this fact that has now proved fatal for a German retailer.
This is what happened
Christian Häfner has been running an online coffee shop for over 7 years. To generate his now seven-figure turnover, Häfner also used Shopify software until June 2022. According to the entrepreneur, the system was the most innovative store system with the best user experience. But that has now come to an end. Häfner received a complaint from the Rhineland-Palatinate state data protection authority. He is alleged to have transmitted his users' data to US service providers via his website. The use of the required content delivery networks (CDNs) Fastly and Cloudflare is said to be illegal.
Other services also affected
Häfner fixed the problem, which had to do with a content banner, and used other networks from then on, without success. Once again, the company received a letter from the data protection authority. This time, the use of the browser's localStorage and various third-party requests were criticized. Häfner then received another letter threatening a fine.
No support from Shopify
In its distress, the company contacted Shopify's support team. However, they were unable or unwilling to solve the problem. "At no point did Shopify make any effort to contact the authorities," says Häfner. Even the company's own external data protection officer was unable to solve the problem. In the end, the retailer was forced to use a new store system.
Shopify's reaction is surprising
Shopify itself only reacted to the incident when it was discussed internationally in various merchant forums. It should have been communicated more clearly that Shopify is completely legal in Germany, wrote CEO Tobi Lütke on Twitter. However, Lütke criticized the retailer for causing a disproportionate amount of uncertainty by publishing the incident. It is an accusation that Häfner does not accept: "I feel let down by Shopify."
Uncertainty remains for other retailers
The incident is relevant for other online retailers. Even though data protection experts from the EU and the US are working at a higher political level to resolve the matter, many entrepreneurs do not know how to deal with US service providers in a GDPR-compliant manner. However, no other cases are known to date in which Shopify customers have received a complaint similar to that of Christian Häfner.




