EFF's guide to privacy on Shopify

 

EFF's Shop (https://shopeff.org) is an instance of Shopify. As a result, this site is subject to Shopify's privacy policy and data practices. In the writeup below, "we" stands for EFF.

Sometimes what Shopify implements on this site diverges from what we consider privacy best practices, so we want to offer guidance about how best to manage your privacy and data while shopping with us.

Summary

When you visit this site, Shopify places cookies in your browser — including analytics and marketing cookies — before you click anything. When you check out, you leave our store and enter Shopify-hosted infrastructure, where Shopify (not EFF) is the primary handler of your name, address, email, and payment information. To protect yourself: clear your browser data when you're done if you share a computer, and consider installing Privacy Badger to block third-party trackers. Details on each of these are below.

Managing your session

When you visit our shop, Shopify places several cookies in your browser. Some are necessary for the store to function — remembering your cart, currency, and region. Others are used by Shopify for analytics and marketing. We have enabled Shopify's cookie consent banner for all visitors, regardless of region, so you can accept, reject, or customize non-essential cookies before any are set. We've made this choice because we believe everyone — not just visitors from regions where consent is legally required — should have the opportunity to make an informed decision about the cookies on our store.

As you browse, your cart contents and browsing activity are also stored in your browser session. This means that if someone else uses the same browser after you, they may be able to see what you were shopping for and what's in your cart. If you share a computer or browser with others, we recommend clearing your cookies and browser storage for shopeff.org when you're done — you can do this through your browser's privacy settings.

Managing your data

When you click "Check out" on our store, you are redirected to Shopify-hosted infrastructure (checkout.shopify.com and checkout.pci.shopifyinc.com). Any information you enter during checkout — name, shipping and billing addresses, email, phone, and payment details — is held by Shopify and subject to their privacy policy and data retention practices, not EFF's.

If you would like Shopify to delete the data they hold about you, you can submit a request through their data erasure portal at https://privacy.shopify.com/en. Because Shopify's policies may change, we recommend reviewing their current privacy policy before submitting a request.

Separately, EFF retains order records — for example, to fulfill orders, handle returns, and meet tax and accounting requirements. If you would like us to delete the information we hold about your order with us, please contact membership@eff.org.

If you signed up for EFF's email lists during checkout and wish to unsubscribe, you can do so at https://join.eff.org/Subscription/.

Managing third-party tracking and data sharing

Where possible, we have configured our Shopify instance to minimize tracking. We have not installed third-party analytics or advertising tools such as Google Analytics, the Meta Pixel, TikTok Pixel, or email-marketing pixels, and we do not offer Shop Pay, so your checkout information is not linked into Shopify's cross-merchant account system.

However, Shopify itself sets analytics and marketing cookies by default, and payment processors load their own code on browsing pages. Note that the payment-method scripts described below load on product and cart pages regardless of your cookie banner choices, because they are part of how the store offers those payment options:

  • PayPal loads its SDK on product pages when PayPal is offered as a payment method, which causes your browser to contact paypal.com and receive PayPal cookies — even if you never click the PayPal button.
  • Google Pay behaves the same way on the cart page, contacting pay.google.com — even if you never use Google Pay to check out.

These third parties operate under their own privacy policies, not EFF's or Shopify's.
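One way to check this for yourself is to export a HAR file from your browser's network panel after loading a product or cart page without clicking anything, then list the hosts that were contacted. The script below is an added example, not EFF's or Shopify's code; the store/platform domain lists, the sample paths and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: summarise which hosts a page load contacted, from a HAR export.

// Assumption: which domains count as the store and as the hosting platform.
const STORE = ["shopeff.org"];
const PLATFORM = ["shopify.com", "shopifyinc.com"];

// Match on a label boundary so "shopeff.org.example.net" is not treated as the store.
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function classify(host) {
  if (STORE.some((d) => inDomain(host, d))) return "store";
  if (PLATFORM.some((d) => inDomain(host, d))) return "platform";
  return "third-party";
}

// One row per host: party, request count, and whether any response set a cookie.
function auditHar(har) {
  const rows = new Map();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname.toLowerCase();
    const row = rows.get(host) ||
      { host, party: classify(host), requests: 0, setsCookie: false };
    row.requests += 1;
    const headers = (entry.response && entry.response.headers) || [];
    if (headers.some((h) => h.name.toLowerCase() === "set-cookie")) row.setsCookie = true;
    rows.set(host, row);
  }
  return [...rows.values()].sort((a, b) => (a.host < b.host ? -1 : a.host > b.host ? 1 : 0));
}

// Constructed sample HAR: hosts come from the text above, paths and headers are made up.
const sampleHar = { log: { entries: [
  { request: { url: "https://shopeff.org/products/constructed-item" },
    response: { headers: [{ name: "Set-Cookie", value: "cart=constructed" }] } },
  { request: { url: "https://www.paypal.com/constructed-sdk.js" },
    response: { headers: [{ name: "set-cookie", value: "id=constructed" }] } },
  { request: { url: "https://pay.google.com/constructed-pay.js" },
    response: { headers: [] } },
  { request: { url: "https://shopeff.org.example.net/constructed.gif" },
    response: { headers: [] } },
] } };

const thirdParties = auditHar(sampleHar).filter((r) => r.party === "third-party");
console.log(thirdParties);
```

If your browser exports a sanitized HAR that strips cookie headers, `setsCookie` will read false for every host; the list of contacted hosts is still accurate.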

Shopify also offers a feature called "Shopify Network Intelligence" that allows merchants to contribute their visitors' activity to a cross-merchant data pool used for fraud detection, advertising personalization, and other services Shopify sells back to merchants. We have disabled Shopify Network Intelligence on our store. This means that your activity on our shop is not contributed to Shopify's cross-merchant data product, regardless of any individual opt-out choice you make.

Shopify offers a separate "Data sharing opt-out" page that lets visitors opt out of cross-merchant data sharing on stores where Network Intelligence is enabled. Because we have disabled it at the store level, this opt-out is somewhat redundant for our store, but you can still find it linked in our footer if you want to use it. If you have Global Privacy Control enabled in your browser — Firefox has this built in, and other browsers support it via extensions — Shopify honors it automatically as an opt-out signal across the platform, which is a useful privacy feature on other Shopify stores you may visit.

Because individual site configurations don't always translate into full protection in practice, the most reliable way to protect yourself is to block trackers directly in your browser. We recommend installing Privacy Badger, EFF's free open-source browser extension, which automatically blocks third-party trackers across the web — not just on this site. For more detail on the cookies Shopify uses, see Shopify's cookie policy.

Some useful links