Hacker News

nozzlegear 04/23/2025

> If this is true, I find this case troubling and weak, and hope it is overturned. It is squarely on the shop operator to be compliant - Shopify is just a platform vendor and shoppers are not Shopify customers; rather, they are customers of the shop. This seems to be akin to suing Google because a website uses Google Analytics but didn't disclose it in their privacy statement - silly...

Most of my work is in the Shopify app dev ecosystem, and while I haven't been following this case very closely, I do think it's ironic how Shopify is behaving here given the privacy standards they enforce on their app developers.

Some context: all Shopify app developers are required to follow the EU's GDPR rules for customer data, full stop. Your app must implement Shopify's mandatory GDPR webhooks. You must delete customer data when a shop's customer is deleted; you must produce all data you store on a shop's customer within 7 days upon receipt of a certain GDPR webhook; and you must delete all the data you store on the shop itself after the shop uninstalls your app.

Additionally, if your app requires access to any customer data (whether it's via the Customer API, or via other APIs e.g. to get the name of a customer who placed an order), you need to apply for access to that data on an app-by-app basis – replete with an explanation for why your app needs the data. Shopify's app store staff has to manually review and approve that data access application before you can publish your app on their app store.

To be clear, I think these restrictions are a good thing†, as apps used to have access to a veritable firehose of private customer data. But it's ironic to see Shopify enforce such standards on their app developers, while at the same time arguing that they should be able to track their own potential customers anywhere and everywhere across the internet regardless of privacy laws.

† Though I think it's a little odd that a Canadian company is making me, an American app developer, think about/adhere to the EU's GDPR rules. Not to mention other privacy laws like the one in California. Why not just call it "Shopify's Privacy Standards?"
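The comment above describes three obligations that arrive as webhooks: hand over everything stored on a customer on request, delete a customer's data when asked, and delete everything about the shop after uninstall. As an added example (not part of nozzlegear's comment and not Shopify's own code), here is a minimal Python handler for that flow. The topic names (`customers/data_request`, `customers/redact`, `shop/redact`) and the base64 HMAC-SHA256 signature over the raw body follow Shopify's published webhook conventions, which the comment does not spell out; the payload field names (`shop_domain`, `customer.id`), the client secret, the in-memory store and its contents are constructed for illustration only. The security-relevant point is that the signature is checked over the raw bytes, in constant time, before the body is parsed or any data is touched.

```python
import base64
import hashlib
import hmac
import json


def make_store():
    """Constructed stand-in for an app's database: shop domain -> customer id -> stored data."""
    return {
        "example.myshopify.com": {
            1001: {"name": "Alice", "orders": [5001]},
            1002: {"name": "Bob", "orders": []},
        }
    }


def sign(raw_body: bytes, client_secret: str) -> str:
    """Produce the signature a sender would put in X-Shopify-Hmac-Sha256:
    base64(HMAC-SHA256(client_secret, raw_body)). Used here to build test payloads."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_hmac(raw_body: bytes, header_value: str, client_secret: str) -> bool:
    """Recompute the signature over the exact bytes received and compare in constant time.
    Any framework-level re-encoding of the body before this step will break verification
    and is the classic mistake, so verify first and parse JSON afterwards."""
    expected = sign(raw_body, client_secret).encode()
    return hmac.compare_digest(expected, header_value.encode())


def handle_webhook(topic: str, raw_body: bytes, hmac_header: str,
                   client_secret: str, store: dict) -> dict:
    """Dispatch one mandatory privacy webhook. Returns a dict shaped like an HTTP response.
    Anything unsigned is rejected before the body is even parsed (401); signed requests for
    a topic this handler does not serve get 400 rather than being silently accepted."""
    if not verify_hmac(raw_body, hmac_header, client_secret):
        return {"status": 401, "body": None}

    payload = json.loads(raw_body)
    shop = payload["shop_domain"]  # assumed field name, see lead-in

    if topic == "customers/data_request":
        # Produce everything held on this customer; None if nothing is stored.
        cid = payload["customer"]["id"]
        data = store.get(shop, {}).get(cid)
        return {"status": 200, "body": {"customer": cid, "data": data}}

    if topic == "customers/redact":
        # Delete the customer's data; report whether anything actually existed.
        cid = payload["customer"]["id"]
        removed = store.get(shop, {}).pop(cid, None) is not None
        return {"status": 200, "body": {"deleted": removed}}

    if topic == "shop/redact":
        # After uninstall, drop every record tied to the shop, not just customers.
        removed = store.pop(shop, None) is not None
        return {"status": 200, "body": {"deleted": removed}}

    return {"status": 400, "body": None}


if __name__ == "__main__":
    # Constructed walk-through: request Alice's data, then redact her, then redact the shop.
    secret = "shpss_example_secret"  # placeholder, not a real credential
    store = make_store()
    body = json.dumps({"shop_domain": "example.myshopify.com",
                       "customer": {"id": 1001}}).encode()
    for topic in ("customers/data_request", "customers/redact", "shop/redact"):
        print(topic, handle_webhook(topic, body, sign(body, secret), secret, store))
    # A tampered body fails verification and never reaches the parser.
    print("tampered", handle_webhook("customers/redact", body + b" ",
                                     sign(body, secret), secret, store))
```

The redact handlers deliberately return whether anything was removed: an idempotent "deleted: false" on a repeat delivery is correct behaviour, since Shopify-style webhooks are retried, and it also gives you an audit trail showing that the request was honoured rather than dropped.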


Replies

decimalenough 04/23/2025

Shopify is not enforcing those rules out of the goodness of its heart. It is in Shopify's best interest that retailers have as little information about their customers as possible and that it's as difficult as possible to export the data they do have out of Shopify, because that ties retailers to the Shopify ecosystem.