Shopify updated its privacy policy on July 10, 2026 to revise how it describes cross-border data transfers for users in the EEA, UK, and Switzerland. The prior policy stated that Personal Data sent to Canada was protected under Canadian law, which the European Commission had found adequate. The updated policy replaces this with a framework based on Shopify's Binding Corporate Rules (BCRs) for transfers between Shopify entities, and Standard Contractual Clauses (SCCs) for transfers to third-party subprocessors. The practical effect is that data protection assurances now rest on different legal instruments (BCRs and SCCs) rather than adequacy decisions.
The updated policy changes the legal mechanism used to protect personal data when it crosses borders, but does not change where data is transferred or fundamentally alter protection levels. For EEA and Swiss users, data transfers between Shopify entities now rely on Shopify's Binding Corporate Rules (which have been approved by European data protection authorities), rather than adequacy decisions. For UK users, transfers use Standard Contractual Clauses and may rely on the adequacy decision for Canada. For transfers to third-party subprocessors, contractual commitments in the form of Standard Contractual Clauses now replace prior language referencing comparable protections. The policy states these mechanisms reflect Shopify's commitment to adequate protection, but the shift in legal instruments may have implications for how disputes or compliance issues would be evaluated under GDPR or UK data protection law.
The updated policy establishes a new legal framework for protecting personal data when it moves across borders. Rather than relying on European Commission decisions that data protection in certain countries is adequate, Shopify now uses Binding Corporate Rules (internal company commitments approved by regulators) and Standard Contractual Clauses (contractual commitments with third parties). This shift reflects ongoing changes in international data transfer law, particularly EU court scrutiny of transfer mechanisms. The change does not materially alter the data flows themselves, but it affects how Shopify documents compliance with GDPR and UK data protection requirements.
Now protected under Shopify's Binding Corporate Rules (approved by European data protection authorities) rather than adequacy decisions.
Now use Standard Contractual Clauses between Shopify entities, with potential reliance on adequacy decision for Canada transfers.
Now explicitly protected by Standard Contractual Clauses rather than prior language referencing 'comparable' contractual commitments.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Shopify replaced its reliance on European Commission adequacy decisions with Binding Corporate Rules for intra-Shopify transfers and Standard Contractual Clauses for third-party transfers. This shift has compliance implications under GDPR Article 44-50 (international transfers) and UK data protection law. BCRs require ongoing approval by data protection authorities; SCCs have faced recent legal uncertainty in EU courts. Organizations using Shopify should confirm that their data processing agreements and vendor documentation reflect these updated transfer mechanisms, and may wish to monitor regulatory guidance on BCR and SCC enforceability. No immediate action is required, but the change warrants inclusion in data protection impact assessments and vendor due diligence reviews.
GDPR (Articles 44-50, international transfers), UK Data Protection Act 2018 (Chapter 5), Swiss Federal Data Protection Law (Articles 6-7). Recent EU case law has questioned the adequacy of certain transfer mechanisms; BCRs and SCCs are the alternatives provided by GDPR but remain subject to ongoing regulatory scrutiny and court challenge.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003584.
Shopify updated its Terms of Service on May 11, 2026 to add new provisions regarding communications through additional channels like …
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the …
TikTok's data collection extends to device sensors, clipboard content, geolocation, and cross-site tracking. Here is what their Privacy Pol…
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 352+ platforms every Sunday.