From the beginning, Shopify has been dedicated to improving commerce for all.
Starting a business should be simple, the tools for managing it should be straightforward, and everyone involved in the commerce system should always prioritize the customer.
With data breaches and other types of fraud on the rise, we are also keenly aware that security is critical to building and operating an ecommerce business for merchants and developers alike. We are committed to building the safest commerce platform in the world, and as part of that effort, we are implementing updated requirements for apps that use customer personal data. With these updates, developers will have easier access to the data they need, quickly and at scale. Here’s a detailed breakdown of what’s changing.
New Requirements for Apps that Use Customer Personal Data
At Shopify, we require data minimization practices as part of our privacy by design approach to commerce. This means developers should only request the minimum amount of data needed to make their apps function properly.
To reinforce this approach, in the 2022-10 release, APIs will redact customer personal data by default and allow you to apply for necessary access to customer personal data as needed to provide merchants with the intended app functionality. These changes will enable your app to better support a business’s path towards compliance with privacy and data protection rules.
We’re publishing our protected customer data requirements before the release of API version 2022-10 to help developers prepare. In line with our regular API versioning and deprecation timelines, existing apps will have until July 1st, 2023, to migrate to API version 2022-10.
Our approach to data protection
In the coming release, Shopify will limit an app’s data access to only the required resources and fields.
Protected customer data includes any data related directly to a customer or prospective customer, as represented in the API resources. This includes information like total order value, line items in an order, and order shipping events. Apps requiring this data level must implement our data protection requirements, including informing merchants of your app’s data use and purpose, applying customer consent decisions, opt-out requests, and more.
Protected customer fields require individual configuration and approval, in addition to approval for protected customer data. This includes information like name, address, email, and phone number. Apps that require this layer of data will need to abide by additional requirements, including encrypting data backups, keeping test and production data separate, and more.
A new way to access protected data
We will share details ahead of the new process for apps to request protected data in the Partner Dashboard. You can update to the latest API version if your app does not use protected data. If your app does use this data, Shopify will approve your use of the minimum amount needed to provide the merchant with the app functionality. If you’re approved for all the requested data, no code updates are required. If you’re not approved for the requested data, you might need to update your app to handle errors or redacted data.

Looking ahead
In August 2022, we will publish reference documentation for unstable APIs that contain protected customer data. Over the next year, there are a few dates developers should make note of and prepare for:
- October 1, 2022 – Shopify will release the 2022-10 API version. Apps using this version must meet the protected customer data requirements. We will also update our Partner Dashboard to enable app configuration and requests for protected customer data.
- April 2, 2023 – New apps must use API version 2022-10 or later and meet the protected customer data requirements.
- July 1, 2023 – All apps must use API version 2022-10 or later and meet the protected customer data requirements. Admin API version 2022-10 is the minimum supported version.
With these changes, developers don’t have to compromise on the user experience to build apps while supporting a merchant’s path toward compliance with privacy and data protection rules.
Here are more ways to help you prepare for these changes:
- Read our requirements for protecting customer data at Shopify
- Subscribe to the developer changelog to stay updated on recent Shopify API changes.
- Check out Editions Dev Mode to learn about all of our latest features for developers
- Register for the next Partner Town Hall—Find out the latest from our product teams, submit your questions live, and discover other updates from Editions
Summary
Shopify, a popular e-commerce platform, has introduced new rules for apps that handle customer personal information. These changes are designed to protect user data and improve security. Here’s what you need to know:
1. Data Access Limits: Apps can now only access customer data they absolutely need. This means they can’t collect extra information just because they want to.
2. Consent Requirements: Before an app can use customer data, it must get clear permission from the store owner. This helps ensure that personal information is only shared when necessary.
3. Data Deletion: If a store owner decides to remove an app, all customer data associated with that app must be deleted within 30 days. This protects customer privacy even after an app is no longer in use.
4. Security Measures: Apps must now have strong security features to keep customer data safe. This includes using encryption and other protective methods.
5. Privacy Policy Updates: All apps need to have an up-to-date privacy policy that clearly explains how they handle customer information.
6. Regular Checks: Shopify will perform routine reviews to make sure apps are following these new rules.
Now, let’s address the question: What is privilege escalation?
Privilege escalation is a security concern where a user or program gains more access or permissions than they’re supposed to have. It’s like if a student somehow got the principal’s computer password and could change everyone’s grades. This can be dangerous because it allows unauthorized actions that could harm the system or steal sensitive information.
In the context of Shopify’s new requirements, preventing privilege escalation is crucial. By limiting what data apps can access and ensuring proper security measures are in place, Shopify is working to reduce the risk of unauthorized access to customer information.
These new rules help protect both store owners and their customers from potential data breaches or misuse of personal information. By following these guidelines, app developers can create safer, more trustworthy tools for Shopify users.