
Not from my point of view: Last year I paid for a product from a shop that was using Shopify. You would think that, given that this was a one-time transaction, once the payment has been processed they wouldn't keep storing your PII forever, but guess what? A couple of months ago I was going to buy a product from a totally unrelated shop also using Shopify, and as soon as I typed my email address they sent an OTP to my phone to autocomplete all my personal details. So paying for a product equals creating an account with Shopify.

This is incredibly shady and I wonder if it's even legal here in Europe.



You may have thought you were saving your details with that shop (or not realised at all of course) but yes this is a recentish feature I think, at least I haven't noticed it for long, branded 'Shop pay' iirc.

As for legality in the EU/UK, it's just like everything else, on some level they technically asked for consent and you gave it, but yes, dark patterns abound.


It may have been stated somewhere in their T&C, but just to be clear: I did not explicitly consent to this.


Right, but the enforcement on this stuff is terrible, you probably also started receiving mailing list spam that you didn't knowingly opt in to, and nothing's going to change or come of it even if you do report it to the ICO.


I think it's shady to use cross-shop information unless the customer explicitly opts into it.

But Shopify isn't just a payment processing service. It's a full-blown ecommerce suite. Do you think there's an online store out there that gets rid of all PII once an order is paid for, or even after it's fulfilled?

We've had people try to return/replace things (or even credit card disputes) years after they bought it. How exactly would that work if we got rid of all information about their order shortly after they made it?


Shopify store owner here. Credit to them, they make deleting customer data trivial. One obvious button.

This is interesting though: is that data deleted everywhere? It makes no sense just to delete from ‘my store’. But I can delete any customer data at any time.

Perhaps this is a nice example of complexity. From the outside it’s easy for us to say “why don’t they just…”, but as soon as you scratch the surface…


You could do a GDPR request for the data they have on you. I would be curious what they save. Keep us updated if you want to.



