The policy states that Shopify does not sell Personal Data as defined under the named US Privacy Laws, which include the CCPA, Colorado Privacy Act, Connecticut data privacy law, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act. The statement is qualified to the legal definitions of sale under those specific statutes rather than a broader general assertion.
This analysis describes what Shopify's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This commitment tracks a specific legal definition of "sell" under US Privacy Laws, meaning the scope of the protection is bounded by that definition rather than any broader ordinary meaning.
Interpretive note: The practical scope of this commitment depends on the legal definition of "sell" under US Privacy Laws, which is not elaborated in the excerpt. The claim is stated exactly as written without interpretation of that definition.
The updated policy changes the legal mechanism used to protect personal data when it crosses borders, but does not change where data is transferred or fundamentally alter protection levels. For EEA and Swiss users, data transfers between Shopify entities now rely on Shopify's Binding Corporate Rules (which have been approved by European data protection authorities), rather than adequacy decisions. For UK users, transfers use Standard Contractual Clauses and may rely on the adequacy decision for Canada. For transfers to third-party subprocessors, contractual commitments in the form of Standard Contractual Clauses now replace prior language referencing comparable protections. The policy states these mechanisms reflect Shopify's commitment to adequate protection, but the shift in legal instruments may have implications for how disputes or compliance issues would be evaluated under GDPR or UK data protection law.
View change record →Under these terms, Shopify states it does not sell Personal Data as defined under the CCPA and other named US state privacy laws. The policy separately discloses that Personal Data is shared with advertisers and marketing vendors, which some US state privacy laws treat differently from selling depending on whether the sharing constitutes cross-context behavioral advertising.
How other platforms handle this
we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.
Your personal information may be transferred to countries other than where you live, such as, for example, to our servers in the US.
The Gemini Apps Privacy Notice does not apply, and your Opal data, including feedback you provide, is processed per the Google Privacy Policy.
Monitoring
Shopify has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We do not "sell" your Personal Data as that term is defined under US Privacy Laws.— Excerpt from Shopify's Shopify Privacy Policy
(1) REGULATORY LANDSCAPE: The CCPA and its amendment (CPRA) distinguish between selling personal information and sharing it for cross-context behavioral advertising, with both activities requiring opt-out rights. The Colorado Privacy Act, Connecticut law, Virginia law, and Utah law have analogous but not identical definitions. Whether Shopify's data sharing with advertisers and marketing vendors constitutes a sale or share requiring opt-out rights under specific state law definitions requires analysis of the specific data flows and the compensation exchanged. State attorneys general in the named states have enforcement authority. (2) GOVERNANCE EXPOSURE: Medium. The policy's no-sale assertion addresses the statutory definition of sale but does not address whether data sharing with advertising and marketing vendors constitutes sharing for cross-context behavioral advertising, which triggers separate opt-out obligations under the CPRA and analogous state laws. Compliance teams should evaluate whether opt-out mechanisms are required for advertising-related data sharing even absent a sale designation. (3) JURISDICTION FLAGS: California's CPRA imposes opt-out obligations for both selling and sharing of personal information for cross-context behavioral advertising. Colorado, Connecticut, Virginia, and Utah impose similar opt-out rights for targeted advertising. The adequacy of Shopify's current opt-out mechanisms for these purposes should be evaluated jurisdiction by jurisdiction. (4) CONTRACT AND VENDOR IMPLICATIONS: Merchants using Shopify's advertising and analytics integrations should assess whether their own use of those integrations constitutes a sale or share of consumer Personal Data under applicable law, independent of Shopify's own no-sale assertion. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map the data flows between Shopify and its advertising and marketing vendor partners to confirm whether any of those flows meet the statutory definitions of sale or sharing for cross-context behavioral advertising under applicable US state laws, and ensure that opt-out mechanisms are implemented where required.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This commitment tracks a specific legal definition of "sell" under US Privacy Laws, meaning the scope of the protection is bounded by that definition rather than any broader ordinary meaning.
Under these terms, Shopify states it does not sell Personal Data as defined under the CCPA and other named US state privacy laws. The policy separately discloses that Personal Data is shared with advertisers and marketing vendors, which some US state privacy laws treat differently from selling depending on whether the sharing constitutes cross-context behavioral advertising.
ConductAtlas has identified this type of provision across 290 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Shopify.