Shop Pay is Shopify's one click accelerated checkout that lets returning shoppers complete a purchase with stored email, address and payment information.
Shop Pay is the accelerated checkout option that Shopify offers to merchants on its platform. Shoppers can enable Shop Pay on any participating store, which stores their email, shipping address, billing address and tokenised payment information at Shopify level. On the next visit to any Shop Pay enabled store, they can complete the purchase with a single click after a one time SMS code.
The Shop Pay button writes _shopify_y, _shopify_s, _shopify_country, _orig_referrer and a tracked_start_checkout cookie on the merchant domain, plus _shop_pay session and authentication cookies on shopify.com. Shopify receives the shopper email, phone, full address, payment token, IP, browser fingerprint, cart contents and the cross store purchase history.
Loading the Shop Pay button reads existing Shop Pay cookies to detect a returning shopper and may pre fill information. EU regulators (CNIL in particular) consider the remember me capability to go beyond strictly necessary checkout, so Article 5(3) ePrivacy consent is required for the proactive prompt. The actual transaction relies on contract performance. PSD2 strong customer authentication still applies.
Contract performance covers the actual purchase. The Shop Pay enrolment (one off across stores) and the cross store behavioural enrichment are based on the consent the shopper gives to Shopify directly. As the merchant you act as joint controller for the collection on your store, so disclose Shop Pay in your privacy policy with a link to Shopify's policy.
Shopify Inc. is based in Ottawa, Canada (GDPR adequacy under PIPEDA). Production runs on Google Cloud in multiple regions and Shopify also operates Shopify International Limited in Ireland for EU merchants. Transfers to the US (where Shopify has subsidiaries) rely on the EU US Data Privacy Framework and Standard Contractual Clauses.
Mention Shop Pay and Shopify Inc. in your privacy policy. Show the Shop Pay link explicitly so the shopper opts in. Confirm Shopify International Limited (Ireland) as your data controller when you set up your Shopify store. Sign the Shopify data processing addendum. Disable Shop Cash and Shop App promotions when not desired, since they rely on cross store profiling.
Websites using Shop Pay must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Shop Pay is combined with Shop Cash rewards, when shoppers are profiled across stores, when buy now pay later features (Shop Pay Installments) are offered, or when minors are part of the audience.
Sample consent text
Shop Pay enables one click checkout by remembering your email, address and payment information on Shopify infrastructure. By choosing Shop Pay you consent to Shopify Inc. (Canada and the United States) processing your data for payment, fraud prevention and remember me features.
Third-party domains contacted
shop.app
shopify.com
cdn.shopify.com
pay.shopify.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _shopify_y | first_party | 1 year | Persistent shopper identifier used by Shopify and Shop Pay |
| _shopify_s | first_party | session | Session cookie used by Shopify storefront and Shop Pay |
| tracked_start_checkout | first_party | session | Flags that the shopper initiated the Shop Pay accelerated checkout |
| _shop_pay | third_party | 1 year | Authentication token for Shop Pay across stores |
| _orig_referrer | first_party | session | Stores the original referer at the start of the checkout |
Shop Pay uses cookies for user preferences — inform visitors with a consent banner.
On the merchant domain Shop Pay writes _shopify_y, _shopify_s, _shopify_country, _orig_referrer and tracked_start_checkout. On shopify.com it adds _shop_pay session and authentication cookies, plus device fingerprinting data used to recognise returning shoppers.
The actual checkout runs on contract performance, so consent is not needed to complete the purchase. The remember me feature, the proactive Shop Pay prompt and cross store profiling require Article 5(3) ePrivacy consent and Art. 6(1)(a) GDPR consent for the related processing.
Contract performance for the payment and order delivery. Consent for the Shop Pay remember me feature and any marketing through Shop Cash. Legal obligation for tax and accounting retention. Legitimate interest for fraud prevention.
Yes, indirectly. Shopify Inc. is Canadian (GDPR adequate) but operates US subsidiaries and routes payment data through US infrastructure. Cover transfers with the EU US Data Privacy Framework and Standard Contractual Clauses; rely on Shopify International Limited (Ireland) as the EU controller of the merchant relationship.
Recommended for high volume merchants, for buy now pay later integration (Shop Pay Installments), when minors are part of the audience, when fraud scores are reused for marketing, or when Shop Cash rewards are activated.
Disclose Shop Pay in your privacy policy with a link to Shopify, configure Shopify with EU as the data residency where supported, sign the Shopify DPA, disable Shop App promotions and Shop Cash if not needed, and honour deletion requests by routing them through Shopify.
Other accelerated checkouts: Apple Pay, Google Pay, Klarna, PayPal Express, Amazon Pay. For EU specifically: Bancontact, iDEAL, Giropay, SEPA Instant via Mollie or Adyen. Shopify also supports them natively.
List _shopify_y, _shopify_s, _shopify_country, _orig_referrer, tracked_start_checkout and the _shop_pay cookies set on shopify.com with purpose and duration. Disclose Shopify Inc. as joint controller with you for the collection step and mention the EU US Data Privacy Framework basis.
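One way to check that a cookie policy matches what a storefront sets, as an added example (not Shopify's code or this page's): it compares observed Set-Cookie headers with the "Cookies placed" table above. The function names, the one-day slack and the sample headers are assumptions made for illustration; _shopify_country is reported as undisclosed because the text names it but the table has no row for it.

```javascript
// Cookie inventory transcribed from the "Cookies placed" table on this page.
// Value is the disclosed lifetime in seconds; null means "session".
const YEAR = 365 * 24 * 60 * 60;
const DISCLOSED = new Map([
  ["_shopify_y", YEAR],
  ["_shopify_s", null],
  ["tracked_start_checkout", null],
  ["_shop_pay", YEAR],
  ["_orig_referrer", null],
]);
// Constructed sample headers for illustration, not captured from a real store.
const SAMPLE = [
  "_shopify_y=a1; Max-Age=31536000; Path=/; SameSite=Lax",
  "_shopify_s=b2; Path=/; Secure",
  "_shopify_country=FR; Path=/",
  "_orig_referrer=; Max-Age=1209600; Path=/",
  "_shop_pay=c3; Max-Age=63072000; Secure; HttpOnly",
];
// Parse one Set-Cookie value into { name, maxAge } (seconds, null = session).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure, HttpOnly
    const key = attr.slice(0, eq).toLowerCase();
    const val = attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val)))
      expires = Math.round((Date.parse(val) - now) / 1000);
  }
  return { name, maxAge: maxAge !== null ? maxAge : expires }; // Max-Age wins
}
// Compare observed headers with the disclosed inventory and list mismatches.
function auditCookies(headers, now = Date.now(), slack = 86400) {
  const findings = [];
  for (const header of headers) {
    const { name, maxAge } = parseSetCookie(header, now);
    const persistent = maxAge !== null && maxAge > 0; // <= 0 is a deletion
    if (!DISCLOSED.has(name)) findings.push({ name, issue: "undisclosed" });
    else if (DISCLOSED.get(name) === null && persistent)
      findings.push({ name, issue: "persistent, disclosed as session" });
    else if (persistent && maxAge > DISCLOSED.get(name) + slack)
      findings.push({ name, issue: "outlives disclosed duration" });
  }
  return findings;
}
```

Feed it the Set-Cookie values captured from a consent-free page load and from a Shop Pay checkout to see which entries the policy still needs.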