Running a store means more than just listing products and processing payments. It means operating within a growing web of legal requirements covering data privacy, consumer rights, accessibility, and more. Miss one, and you could be facing fines, enforcement action, or loss of customer trust.
This checklist covers the ten most important compliance areas every Shopify merchant should address, updated for the regulatory landscape today.
#1: Business Information Disclosure
If you sell online, you are legally required to display certain information about your business clearly on your website. This applies whether you're selling to customers in the EU, the UK, the US, or beyond.
Make sure your store includes:
- Your company's full legal name (and any trading names)
- Your registered business address
- A contact email address
- Your company registration number
- VAT or tax ID number (if applicable)
- Membership of any relevant trade or professional body
The footer of your Shopify store is the standard place for this. You can also include it on a dedicated Contact or About page.
#2: Terms and Conditions
A solid Terms and Conditions (T&Cs) page is one of the most important layers of legal protection for your store. It sets out the rules of engagement between you and your customers, covering everything from payment terms to dispute resolution.
Your T&Cs should be tailored to your business model. A B2C store selling physical goods has different obligations than a B2B software company. Shopify's built-in policy generator is a helpful starting point, but it is worth having a legal professional review your terms, especially if you sell internationally.
#3: Consumer Selling Rules
Selling to consumers online comes with specific statutory obligations that cannot be waived or overridden by your own policies.
Before a customer places an order, your store must clearly communicate:
- That payment is required to complete the order
- Full pricing, including taxes and delivery costs
- An accurate description of what is being sold
- The customer's right to cancel (typically 14 days from delivery for goods, or from the date of contract for services)
- Any exceptions to the cancellation right (custom-made items, perishables, digital downloads once accessed, etc.)
After the sale:
- Send a written order confirmation that restates the key contract terms, including cancellation rights
- Deliver within 30 days unless an alternative arrangement has been agreed in writing
Shopify's checkout settings make it straightforward to surface this information at the right points in the purchase flow, but it is your responsibility to make sure it is there.
#4: Website Accessibility
Accessibility is both a legal requirement and a business opportunity. Legislation such as the Americans with Disabilities Act (ADA) in the US and the European Accessibility Act (EAA), which has applied since June 2025, sets the obligation; the Web Content Accessibility Guidelines (WCAG) are not a law but the technical standard that courts and regulators point to when judging whether a site actually meets it.
For merchants, this means:
- Ensuring your store theme supports keyboard navigation and screen readers
- Using sufficient colour contrast and readable font sizes
- Adding descriptive alt text to every informative product image (and an empty alt attribute to purely decorative images, so screen readers skip them instead of reading a file name)
- Making sure interactive elements (buttons, forms, menus) are clearly labelled
Accessibility is not a one-time fix. It requires ongoing attention as your store evolves and new content is added.
#5: Data Privacy (GDPR, CCPA, and Beyond)
If your store collects any personal data from visitors or customers, whether through account registration, checkout, email sign-ups, or tracking pixels, you are subject to data privacy laws. Which laws apply to you depends on where your customers are located, not just where your business is based.
Key frameworks to be aware of:
- GDPR (EU) and the UK GDPR: require a lawful basis for processing personal data and clear privacy disclosures; the consent requirement for non-essential cookies itself comes from the ePrivacy rules (PECR in the UK), but GDPR defines what valid consent looks like (freely given, specific, informed, unambiguous, and as easy to withdraw as to give)
- CCPA / CPRA (California): gives consumers the right to know what data is collected, to opt out of its sale or sharing, and to request deletion or correction
- LGPD (Brazil), PIPEDA (Canada), and 40+ other national and regional frameworks with their own requirements
For Shopify merchants, the practical challenge is managing cookie consent, tracker control, and privacy disclosures in a way that adapts to each visitor's jurisdiction automatically.
How Consentmo Handles This for Shopify Merchants
Consentmo is the compliance app built specifically for Shopify, trusted by more than 90,000 merchants worldwide. It takes the complexity of global privacy law and turns it into a manageable, automated system that runs in the background while you focus on growing your store.
Here is what Consentmo covers:
Cookie Consent Banner
A fully customizable cookie banner that matches your store's branding. Consentmo automatically adapts the banner's behavior to the visitor's location, showing GDPR-compliant opt-in prompts to EU users, CCPA-compliant opt-out notices to California users, and the appropriate experience everywhere else.

Tracker Manager and AI Cookie Scanner
Consentmo scans your store for all active cookies, scripts, and trackers, including third-party tools added through Shopify apps. Its built-in AI categorises any unclassified cookies automatically and blocks non-essential scripts from firing until consent is given. Re-scan after installing or updating apps: a new app can add trackers that the previous scan never saw, and an unclassified tracker is one that nothing is gating.

Google Consent Mode v2
As a certified Google CMP partner, Consentmo integrates directly with Google tags to maintain ad measurement and remarketing accuracy even when users decline cookies. Google requires these consent signals from stores that use Google Ads personalisation, remarketing or audience features for visitors in the EEA and UK, so a GA4 or Google Ads setup serving those markets cannot skip this step.

Consent Records and Audit Reports
Every consent interaction is logged and stored, giving you the documented proof of consent you need in the event of a regulatory audit or data subject complaint. A useful record captures what the visitor chose, when, and which banner and policy version they saw, because the burden of demonstrating that valid consent was obtained sits with you, not with the visitor.

Accessibility Widget and Alt Text Scanner
Consentmo also includes an accessibility widget and alt text scanner, helping your store meet ADA, WCAG, and EAA standards alongside its privacy features.

Multi-Language and Multi-Regulation Support
With support for 40+ languages and compliance coverage for GDPR, CCPA, LGPD, and more, Consentmo is built for merchants who sell across borders.

Get started with Consentmo free on the Shopify App Store →
#6: Privacy and Electronic Communications Regulations (PECR)
GDPR is not the only law governing how you communicate with customers. The Privacy and Electronic Communications Regulations (PECR) in the UK, and equivalent ePrivacy rules in the EU, govern email marketing, SMS, and the use of cookies.
For email marketing, this means:
- You must have consent to send marketing emails to individuals. The PECR "soft opt-in" is the one exception: you may email existing customers about your own similar products if their details were collected during a sale or negotiation and they were given a chance to opt out both at that point and in every message since. Corporate subscribers (emails to a company address) fall outside the consent rule, but the other rules below still apply
- Every marketing email must include an easy unsubscribe option
- You must honor opt-out requests promptly
For cookies, PECR requires that non-essential cookies (analytics, advertising, personalization) only fire after the user has given their consent.
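The mechanics behind the "block until consent" rule above, the Tracker Manager and the Consent Mode v2 and consent-record features described under #5, come down to a small piece of client-side logic. The following is an added illustration written for this page, not Consentmo's or Shopify's code: it picks opt-in or opt-out defaults by region, refuses to load any non-essential script until the visitor has explicitly consented, maps the decision onto Google's four Consent Mode v2 parameters, and appends a frozen audit record. The region codes, the script registry, the placeholder URLs and the loader callback are constructed for the example.

```javascript
// Added example, not Consentmo's or Shopify's code. Region codes, the script
// registry, the URLs and the loader callback are constructed for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed registry of the tags a storefront might embed, each with a category.
const SCRIPT_REGISTRY = [
  { id: "cart-session", src: "/assets/cart.js", category: "necessary" },
  { id: "analytics", src: "https://analytics.example/collect.js", category: "analytics" },
  { id: "ad-pixel", src: "https://ads.example/pixel.js", category: "marketing" },
];

// Assumption for this example: EU and UK visitors get opt-in treatment
// (GDPR / UK GDPR with the ePrivacy / PECR cookie rules); everyone else gets opt-out.
const OPT_IN_REGIONS = new Set(["EU", "UK"]);

// Consent state before the visitor touches the banner.
// Opt-in regions: only strictly necessary scripts may run.
// Opt-out regions (e.g. California): scripts run until the visitor opts out.
function defaultConsent(region) {
  const optIn = OPT_IN_REGIONS.has(region);
  return { necessary: true, analytics: !optIn, marketing: !optIn };
}

// Normalise a banner submission. Only an explicit `true` counts as consent
// (no pre-ticked boxes, no "consent by scrolling"), unknown keys are dropped,
// and the necessary category can never be switched off.
function normalizeConsent(input) {
  const out = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") out[c] = input[c] === true;
  }
  return out;
}

// Load every registered script whose category is allowed and not yet loaded.
// `loaded` is a Set carried across calls, so a later consent update only loads
// what is newly permitted. `loadScript` is the injection callback; in a browser
// it would create a <script src=...> element and append it to the document.
function applyConsent(consent, loaded, loadScript, registry = SCRIPT_REGISTRY) {
  const newlyLoaded = [];
  for (const s of registry) {
    if (consent[s.category] === true && !loaded.has(s.id)) {
      loadScript(s);
      loaded.add(s.id);
      newlyLoaded.push(s.id);
    }
  }
  return newlyLoaded;
}

// Map the category decision onto the four Google Consent Mode v2 parameters.
// The parameter names are Google's; the mapping from our categories is ours.
function consentModeSignals(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// Append a frozen audit entry: what was decided, when, in which region, and under
// which banner and policy version. This is what you produce when asked to show
// that consent was validly obtained.
function recordConsent(log, consent, meta) {
  const entry = Object.freeze({
    recordedAt: meta.now,
    region: meta.region,
    bannerVersion: meta.bannerVersion,
    policyVersion: meta.policyVersion,
    decision: Object.freeze({ ...consent }),
  });
  log.push(entry);
  return entry;
}

// Walk-through with a constructed EU visitor who accepts analytics only.
function demo() {
  const loaded = new Set();
  const log = [];
  const fired = [];
  const loader = (s) => fired.push(s.id);

  applyConsent(defaultConsent("EU"), loaded, loader); // page load: necessary only

  // "yes" is not an explicit true, and necessary:false is ignored.
  const decision = normalizeConsent({ analytics: true, marketing: "yes", necessary: false });
  recordConsent(log, decision, {
    now: "2025-01-15T10:00:00Z", region: "EU", bannerVersion: "v3", policyVersion: "2025-01",
  });
  applyConsent(decision, loaded, loader); // now loads the analytics tag, still not the pixel

  return { fired, signals: consentModeSignals(decision), log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two details that matter in practice are that `applyConsent` is the only path by which a registered script reaches the page, so a tag the scanner never registered is simply never gated, and that withdrawal is handled by a fresh `normalizeConsent` call rather than by unloading anything: a script that has already run cannot be un-run, so after a withdrawal you also need to delete the cookies it set.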
#7: Terms of Use
Your Terms of Use (sometimes called Terms of Service) govern how visitors interact with your website as a whole, separate from the transaction-specific T&Cs. They cover acceptable use, intellectual property, limitations on liability, and how disputes are handled.
Shopify includes a default Terms of Service template, but again, this should be reviewed and customized for your specific business. A blanket template may not cover all the edge cases relevant to your products, markets, or customer relationships.
#8: Privacy Policy
A Privacy Policy is not optional. Under GDPR, CCPA, and most other major data privacy frameworks, any business that collects personal data must publish a clear, accurate, and up-to-date Privacy Policy.
Your Privacy Policy should explain:
- What personal data you collect and why
- The legal basis for processing that data
- Who you share data with (third-party apps, analytics platforms, ad networks)
- How long you retain data
- How customers can exercise their rights (access, deletion, portability, objection)
In Shopify, you can add your Privacy Policy directly to your store's legal pages and link to it from the footer. Make sure it is updated whenever you add new apps or change how you handle customer data.
#9: Cookie Policy
If you use cookies on your store (and virtually every Shopify store does, through analytics, ad pixels, and app integrations), you need a Cookie Policy. This can sit within your Privacy Policy or as a standalone page.
It should cover:
- What cookies are in use on your store
- What each category of cookie does (strictly necessary, analytics, marketing, etc.)
- Which third parties set cookies through your store
- How users can manage or withdraw their consent
Failing to have a cookie policy, or using cookies without valid consent, puts you at risk of fines from regulators such as the ICO (UK), CNIL (France), and others that have been actively enforcing cookie rules in recent years.
#10: Returns and Refund Policy
A clear, fair Returns and Refund Policy protects both your business and your customers. Under consumer protection law in most markets, customers have statutory rights to return goods that are faulty, not as described, or (in many cases) simply unwanted. Your policy cannot override those statutory rights.
Beyond legal compliance, a transparent refund policy also builds trust and reduces disputes. Shopify lets you create and display your Refund Policy in your store's legal pages and at checkout.
Key things to include:
- The timeframe in which returns are accepted
- The condition goods must be in to qualify
- Who pays for return shipping
- How and when refunds are processed
- Any product categories that are excluded
Final Thoughts
Compliance is not a one-time task you cross off before launch. Regulations evolve, enforcement ramps up, and your store changes over time as you add apps, expand into new markets, and collect new types of data. The merchants who stay ahead are those who build compliance into the foundation of their operations rather than retrofitting it under pressure.
For Shopify merchants looking for the most efficient path to full compliance, Consentmo covers the privacy and accessibility piece comprehensively, freeing you up to focus on what you do best.