2020 Report

Compelled Disclosure

In 2020, Shopify received a total of 543 requests. We objected to 326 (60% of these requests). We could notify data subjects in 40% of the cases where we produced.

This report includes data from January 1, 2020 to December 31, 2020.

Our Guiding Principles

Shopify is committed to protecting the privacy of our merchants, customers, partners, and everyone who entrusts us with their personal information. We believe that merchants own their personal information and the personal information of their customers. We are publishing this Transparency Report to:

  • Make commerce better for everyone by building consumer confidence through transparency, as recommended by the Office of the Privacy Commissioner of Canada.
  • Support an informed public debate on privacy rights by joining other members of our industry in reporting on government and other legal requests for access to data.
  • Comply with the spirit of and the principles underlying PIPEDA (the Canadian federal private sector privacy law), the GDPR (the European Union’s data protection regulation), and the CCPA (the California Consumer Privacy Act).

Our Process

To protect the privacy of our merchants, customers, and partners, we follow the below process upon receipt of a request to produce information about a merchant, a merchant’s customer, or a partner:

  • We will refuse to disclose personal information without a subpoena or court order issued by a body that has jurisdiction over Shopify.
  • Legal requests must be addressed to the correct Shopify entity (such as Shopify Inc. or Shopify International Limited).
  • We will always notify affected individuals before we disclose information, unless prohibited by law, and minimize the amount of personal information that we disclose.

We review the following factors to ensure that each order is legally and procedurally valid, broken down by heading below:

  • Jurisdiction and authority of requester
  • Type of legal request
  • Shopify entity and type of information requested

Information requests by country

Information requests by country

In 2020, we received legal requests for information from twenty countries.

As outlined in our Guidelines on Legal Requests for Information, we will only respond to enforceable subpoenas or court orders issued by: (a) bodies that have jurisdiction over the specific Shopify entity from which information is being requested; and (b) the authority to compel the production of information.

If the requesting body does not have jurisdiction over the relevant Shopify entity, we require that they follow the Mutual Legal Assistance Treaty or Hague Evidence Convention (“Letters Rogatory”) processes.

2020 received requests by country
Information Requests by Country Requests Received
Australia 5
Austria 1
Belgium 1
Brazil 2
Canada 17
Denmark 2
England 3
France 228
Germany 45
Hong Kong SAR 3
India 3
Ireland 1
Italy 9
Mexico 1
Singapore 6
South Korea 1
Spain 46
Switzerland 4
UK 8
USA 158

Types of information requests

Types of information requests

In 2020, we received different types of legal requests for information, including Grand Jury Subpoenas, Summons, Preservation Orders, Information Subpoenas, and Certifications of Trustee in Bankruptcy. We did not receive any national security letters, FISA orders, or other classified requests in 2020.

2020 received requests types
Type of Data Request Number received
Civil Investigative Demand 5
Consent Order 1
Demand to Furnish Information 1
Grand Jury Subpoena 53
Informal Request 2
Information Subpoena 4
Judicial Request 5
Law Enforcement 303
Preservation Order 32
Request For Information 1
Search Warrant 6
Summons 6
Temporary Restraining Order (TRO) 2
Other 1

Individual Rights

Individual Rights

Shopify strongly believes that individuals should have control over their personal information. In this spirit, and in accordance with our Privacy Policy, we respond directly to requests from our merchants, partners, and app users to access or delete their personal information. That said, when it comes to personal information about our merchants’ customers, we do not control that information - we only process that information as a “data processor” or a “service provider” for our merchants.

As a result, we are not permitted to respond to requests from a merchant’s customer directly. Instead, we relay these requests to the relevant merchant, and have built tools for our merchants to enable them to act on them in our platform.

In 2020, we fulfilled these data subject requests:

Individual access

2020 Individual Access Rights
Merchant access 24
Partners access 0
Shop access 4
Employee access 3
Customer access 68,398

Deletion

2020 Individual Deletion Rights
Merchant deletion 830
Partner deletion 78
Shop opt-out 102,866
Employee deletion 0
Customer redaction 10,469,711