Since day one, Shopify has been on a mission to make commerce better for everyone. We believe that building a business should be easy, that the tools for running that business should be simple, and that everyone who contributes to the commerce ecosystem should always put customers first.
With data breaches and other types of fraud on the rise, we are also keenly aware that security is critical to building and operating an ecommerce business for merchants and developers alike. We are committed to building the safest commerce platform in the world, and as part of that effort, we are implementing updated requirements for apps that use customer personal data. With these updates, developers will have easier access to the data they need, quickly and at scale. Here’s a detailed breakdown of what’s changing.
New Requirements for Apps that Use Customer Personal Data
At Shopify, we require data minimization practices as part of our privacy by design approach to commerce, meaning developers should only request the minimum amount of data needed to make their apps function properly.
To reinforce this approach, in the 2022-10 release, APIs will redact customer personal data by default and allow you to apply for necessary access to customer personal data as needed to provide intended app functionality to merchants. These changes will enable your app to better support a business’s path towards compliance with privacy and data protection rules.
We’re publishing our protected customer data requirements before the release of API version 2022-10 to help developers prepare. In line with our regular API versioning and depreciation timelines, existing apps will have until July 1st, 2023, to migrate to API version 2022-10.
Our approach to data protection
In the coming release, Shopify will limit an app’s data access to only the required resources and fields.
Protected customer data includes any data that relates directly to a customer or prospective customer, as represented in the API resources. This includes information like total order value, line items in an order, and order shipping events. Apps that require this level of data must implement our data protection requirements, including informing merchants of your app’s data use and purpose, applying customer consent decisions, opt-out requests, and more.
Protected customer fields require individual configuration and approval, in addition to approval for protected customer data. This includes information like name, address, email, and phone number. Apps that require this layer of data will need to abide by additional requirements, including encrypting your data back ups, keeping test and production data separate, and more.
A new way to access protected data
We will be sharing details in advance of the new process for apps to request protected data in the partner dashboard. If your app does not use protected data, you can simply update to the latest API version. If your app does use this data, Shopify will approve your use of the minimum amount needed to provide the merchant with the app functionality. If you’re approved for all the data that you requested, then no code updates are required. If you’re not approved for the data you requested, then you might need to update your app to handle errors or redacted data.
In August 2022, we will publish reference documentation for unstable APIs that contain protected customer data. Over the next year, there are a few dates developers should make note and prepare for:
October 1, 2022 – Shopify will release the 2022-10 API version. Apps using this version must meet the protected customer data requirements. We will also be updating our Partner Dashboard to enable app configuration and requests for protected customer data.
April 2, 2023 – New apps must use API version 2022-10 or later and meet the protected customer data requirements.
July 1, 2023 – All apps must use API version 2022-10 or later and meet the protected customer data requirements. Admin API version 2022-10 is the minimum supported version.
With these changes, developers don’t have to compromise on the user experience to build apps while supporting a merchant’s path towards compliance with privacy and data protection rules.
Here are more ways to help you prepare for these the changes: