// DATA_HANDLING

Shopify themes handle sensitive customer data at every touchpoint. Mishandling this data can result in GDPR fines, chargebacks, and loss of merchant trust.

[ 01 ] SENSITIVE DATA IN SHOPIFY THEMES

Shopify themes have access to a wide range of sensitive data — much of which should never be exposed to JavaScript or third-party scripts.

  Object               Risk       Why it matters
  customer.email       HIGH       PII leaks as soon as an analytics or other third-party script can read it
  customer.phone       HIGH       GDPR-sensitive; never log it to analytics
  customer.addresses   HIGH       Never expose a full address in JavaScript scope
  cart.token           CRITICAL   Cart/session hijacking if exposed to external scripts
  customer.orders      HIGH       Order history; render only on authenticated account pages
  customer.tags        MEDIUM     Internal segmentation; keep out of client-side code

The customer object is nil for a visitor who is not logged in, so these fields only exist on authenticated pages. The exposure happens when a template renders them into a <script> block, a data-* attribute, inline JSON or a URL, where every script on the page, first- or third-party, can read them.

[ 02 ] CART.TOKEN SECURITY

cart.token is the unique identifier of the current shopper's cart and behaves like a bearer credential for it: whoever holds the token can reference that cart. Exposing it to analytics scripts or placing it in URL parameters therefore allows session reuse and cart hijacking.

// NEVER DO THIS

  • {{ cart.token }} in any JavaScript variable, data-* attribute or inline JSON
  • {{ cart | json }}, which serializes the whole cart object including the token
  • cart.token in URL query parameters
  • Sending cart.token to third-party analytics
  • Logging cart.token in the browser console

[ 03 ] GDPR COMPLIANCE FOR THEME DEVELOPERS

As a theme developer you write code that processes customer personal data on the merchant's behalf (the merchant is the data controller), so GDPR obligations apply to whatever the theme does with that data. Key obligations:

  • Consent before tracking: never fire analytics or pixel scripts before the visitor has given explicit cookie consent.
  • Data minimization: collect only the data the feature needs; keep customer PII out of the dataLayer.
  • Right to erasure: Shopify's built-in erasure tools cover data stored in Shopify, so theme code must not copy customer data to places those tools cannot reach (localStorage, third-party scripts, external endpoints).
  • Transparency: the privacy policy must list every third-party script that receives customer data.
  • Data residency: transferring EU customer data outside the EU requires a lawful transfer mechanism (an adequacy decision or standard contractual clauses in the DPA); check this before wiring in a non-EU analytics provider.
  • DPA with vendors: sign a Data Processing Agreement with every third-party script provider that receives customer data.

[ 04 ] DATA MINIMIZATION PATTERNS

Only expose data to JavaScript that is strictly necessary for the feature being built.

  • dataLayer push
      Avoid:  pushing the full customer object with email and phone
      Prefer: pushing only a hashed customer.id and a coarse segment

  • Cart tracking
      Avoid:  tracking the cart with full product details and customer PII
      Prefer: tracking cart events with product IDs and quantity only

  • Wishlist features
      Avoid:  storing the wishlist with the customer email in localStorage
      Prefer: storing it under an anonymous ID and linking it to the account server-side
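The consent gate from [ 03 ] and the minimization patterns from [ 04 ], as one added example that is not code from the original page: a small wrapper for a theme's own analytics snippet that strips the Shopify cart down to IDs and quantities, refuses any payload carrying PII-like keys or values (including cart.token), and holds events until consent is known. The `send` callback, the `setConsent()` entry point, the `customer_hash` field and the sample cart are assumptions for this example; in a live theme the hash is computed in Liquid with the `sha256` filter so the raw id never reaches the client, and consent should come from Shopify's Customer Privacy API (window.Shopify.customerPrivacy) rather than a direct call.

```javascript
// Added example (not code from the original page): a consent-gated dataLayer
// wrapper. `send` is whatever hands the event to the tag manager; setConsent()
// stands in for the merchant's banner (wire it to Shopify's Customer Privacy
// API in a real theme). Runs as-is in Node for testing.

// Keys that must never leave the browser in an analytics payload.
const FORBIDDEN_KEY = /(^|[_.-])(email|phone|address\d?|zip|province|token|first_name|last_name)($|[_.-])/i;
// Catches PII that slips in under an innocent key (cart note, line-item properties).
const EMAIL_VALUE = /[^\s@]+@[^\s@]+\.[a-z]{2,}/i;

// Recursively collect every path in `value` that violates the rules above.
function findViolations(value, path = 'payload', out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findViolations(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      if (FORBIDDEN_KEY.test(key)) out.push(`${path}.${key}: forbidden key`);
      else findViolations(v, `${path}.${key}`, out);
    }
  } else if (typeof value === 'string' && EMAIL_VALUE.test(value)) {
    out.push(`${path}: email-like value`);
  }
  return out;
}

// Data minimization for cart events: product and variant IDs plus quantity.
// The /cart.js response also carries token, note, attributes and line-item
// properties; none of those are copied.
function minimizeCart(cart) {
  return {
    currency: cart.currency,
    item_count: cart.item_count,
    items: cart.items.map(({ product_id, variant_id, quantity }) =>
      ({ product_id, variant_id, quantity })),
  };
}

// Consent gate: null = not yet answered (queue), true = send, false = drop.
function createTracker(send) {
  let consent = null;
  const queue = [];
  return {
    track(event, data) {
      const violations = findViolations(data);
      if (violations.length) return { status: 'rejected', violations };
      const payload = { event, ...data };
      if (consent === true) { send(payload); return { status: 'sent', violations }; }
      if (consent === false) return { status: 'dropped', violations };
      queue.push(payload);
      return { status: 'queued', violations };
    },
    setConsent(granted) {
      consent = Boolean(granted);
      const pending = queue.splice(0);
      if (consent) pending.forEach(send);
      return pending.length; // queued events flushed (granted) or discarded (denied)
    },
  };
}

// Constructed sample shaped like Shopify's /cart.js output; the token and the
// e-mail addresses are made up for this example.
const SAMPLE_CART = {
  token: 'example-cart-token-not-real', note: 'ring me on bob@example.com',
  currency: 'EUR', item_count: 2, total_price: 5980,
  items: [
    { product_id: 7001, variant_id: 41001, quantity: 1, title: 'Tee',
      properties: { _gift_email: 'ann@example.com' } },
    { product_id: 7002, variant_id: 41002, quantity: 1, title: 'Mug', properties: {} },
  ],
};

// Walk the three paths: rejected, queued-then-flushed, sent directly.
function demo() {
  const sent = [];
  const tracker = createTracker((p) => sent.push(p));
  const raw = tracker.track('view_cart', { cart: SAMPLE_CART });
  const safe = tracker.track('view_cart', { cart: minimizeCart(SAMPLE_CART) });
  const flushed = tracker.setConsent(true);
  const later = tracker.track('identify',
    { customer_hash: '<sha256 computed in Liquid>', segment: 'returning' });
  return { raw, safe, flushed, later, sent };
}

console.log(JSON.stringify(demo(), null, 2));
```

Pushing the raw cart is rejected with three violations (the token key, the e-mail in the note, and the `_gift_email` line-item property); the minimized cart is accepted but queued until consent arrives. A denied banner leaves `consent` false, so queued events are discarded and later ones dropped. The key list is a denylist for the obvious fields; the allowlisting in `minimizeCart` is what actually keeps the payload small, so add a minimizer per event type rather than relying on the regex alone.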

[ 05 ] AUDIT CHECKLIST

  • cart.token never appears in JavaScript code, including inline <script> blocks in Liquid templates
  • customer.email is not sent to third-party analytics without consent
  • The cookie consent wall fires before any tracking script loads
  • All third-party scripts are listed in the Privacy Policy
  • No PII in URL parameters or query strings
  • localStorage/sessionStorage holds no sensitive customer data
  • All form submissions use Shopify's {% form %} Liquid tag, which sets the action and hidden fields Shopify expects, rather than hand-written <form> markup
  • No customer data is logged to the browser console
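Part of this checklist can be run mechanically. The following is an added example, not the page's or Shopify's own tooling: a regex-based pass over theme source that flags sensitive Liquid objects inside JavaScript, full-object `| json` dumps, cart.token in query strings, console logging and web-storage writes of customer data, and hand-written forms posting to Shopify endpoints. The rule names, the file map input and the sample theme are constructed for this example.

```javascript
// Added example (not from the original page): a static pass over theme source
// covering the checklist above. Regex-based, so treat it as a first sweep, not
// a parser. Input is a map of theme path -> file contents; replace the
// constructed SAMPLE_THEME with fs.readFileSync output to audit a real theme.

// Liquid objects that must not appear inside <script> blocks or .js assets.
const SENSITIVE_IN_JS = ['cart.token', 'customer.email', 'customer.phone',
  'customer.addresses', 'customer.default_address', 'customer.orders', 'customer.tags'];

function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

// Return each <script> body in a .liquid file with its offset into the file.
function scriptBlocks(src) {
  const blocks = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(src)) !== null;) {
    blocks.push({ body: m[1], offset: m.index + m[0].length - m[1].length - '</script>'.length });
  }
  return blocks;
}

// Rules for JavaScript context (script bodies and .js files).
function scanJs(file, src, body, offset, findings) {
  const add = (i, rule, detail) => findings.push({ file, line: lineOf(src, offset + i), rule, detail });
  for (const name of SENSITIVE_IN_JS) {
    for (let i = body.indexOf(name); i !== -1; i = body.indexOf(name, i + 1)) {
      add(i, 'sensitive-object-in-script', name);
    }
  }
  const consoleRe = /console\.(?:log|debug|info|warn|error)\s*\(([^)]*)\)/g;
  for (let m; (m = consoleRe.exec(body)) !== null;) {
    if (/customer|cart|email|phone|token/i.test(m[1])) add(m.index, 'console-logs-customer-data', m[0]);
  }
  const storageRe = /(?:localStorage|sessionStorage)\.setItem\s*\(([^)]*)\)/g;
  for (let m; (m = storageRe.exec(body)) !== null;) {
    if (/customer|email|phone|address/i.test(m[1])) add(m.index, 'pii-in-web-storage', m[0]);
  }
}

// Rules for Liquid/HTML context (the whole .liquid file).
function scanLiquid(file, src, findings) {
  const add = (i, rule, detail) => findings.push({ file, line: lineOf(src, i), rule, detail });
  // {{ customer | json }} / {{ cart | json }} serialize every field, token and e-mail included.
  const jsonDump = /\{\{-?\s*(?:customer|cart)\s*\|\s*json\s*-?\}\}/g;
  for (let m; (m = jsonDump.exec(src)) !== null;) add(m.index, 'full-object-json-dump', m[0]);
  // cart.token interpolated into a query-string parameter.
  const tokenInUrl = /[?&][\w-]+=\{\{-?\s*cart\.token\b/g;
  for (let m; (m = tokenInUrl.exec(src)) !== null;) add(m.index, 'cart-token-in-url', m[0]);
  // Hand-written <form> posting to a Shopify endpoint instead of {% form %}.
  const rawForm = /<form\b[^>]*\baction\s*=\s*["']\/(?:cart|account|contact|checkout)/gi;
  for (let m; (m = rawForm.exec(src)) !== null;) add(m.index, 'raw-html-form', m[0]);
}

function auditTheme(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    if (file.endsWith('.js')) {
      scanJs(file, src, src, 0, findings);
    } else if (file.endsWith('.liquid')) {
      scanLiquid(file, src, findings);
      for (const { body, offset } of scriptBlocks(src)) scanJs(file, src, body, offset, findings);
    }
  }
  return findings;
}

// Constructed sample theme: three files with problems, one clean.
const SAMPLE_THEME = {
  'layout/theme.liquid': [
    '<script>',
    '  window.customerData = {{ customer | json }};',
    '  var cartToken = "{{ cart.token }}";',
    '  console.log("cart", cartToken);',
    '</script>',
  ].join('\n'),
  'sections/header.liquid': [
    '<a href="/pages/recover?cart={{ cart.token }}">Recover cart</a>',
    '<form action="/cart/add" method="post">',
    '  <input type="hidden" name="id" value="{{ product.selected_or_first_available_variant.id }}">',
    '</form>',
  ].join('\n'),
  'assets/wishlist.js': [
    'function saveWishlist(customer, items) {',
    "  localStorage.setItem('wishlist', JSON.stringify({ email: customer.email, items: items }));",
    '}',
  ].join('\n'),
  'snippets/analytics.liquid': [
    '<script>',
    '  window.shopContext = { customerHash: {{ customer.id | sha256 | json }},',
    '                         itemCount: {{ cart.item_count }} };',
    '</script>',
    "{% form 'contact' %}<input type=\"email\" name=\"contact[email]\">{% endform %}",
  ].join('\n'),
};

for (const f of auditTheme(SAMPLE_THEME)) console.log(`${f.file}:${f.line} ${f.rule} -> ${f.detail}`);
```

On the sample theme this reports seven findings across the three bad files and nothing for `snippets/analytics.liquid`, which only renders a server-side hash and an item count and uses `{% form %}`. A regex pass cannot follow `{% render %}` or data flow through JavaScript, so a clean report means the obvious patterns are absent, not that the theme is compliant; the runtime guard and a manual review of third-party tags still apply.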
