Most new Shopify store owners spend weeks perfecting their product photos and homepage design, then add a legal page in the last five minutes before launch — or skip it entirely. That's exactly backwards. Legal pages are among the first things Shopify checks before enabling payment processing, the first thing Facebook reviews before approving your ad account, and the first thing a regulator looks at if a customer files a complaint.
Shopify stores legally need at minimum: a Privacy Policy (required by Shopify's Terms and privacy law), a Refund Policy (EU 14-day withdrawal right, FTC regulations), and Terms of Service. A Shipping Policy, Cookie Policy, and GDPR-compliant consent banner are also required if you serve EU customers. Shopify does NOT auto-generate these pages for you — you must create and publish them yourself.
The good news is that getting your legal pages right doesn't require a lawyer or an expensive SaaS subscription. This guide covers every policy your Shopify store needs in 2026: which ones Shopify actually requires, which laws mandate which disclosures, and where to add each policy inside your Shopify admin. At the end, there's a complete checklist you can work through right now.
Let's start with what Shopify itself mandates.
What Shopify Actually Requires
Refund Policy — Required by Shopify
Shopify's Terms of Service require all merchants to publish a refund and return policy. This isn't optional: Shopify displays your refund policy at checkout, and it's a prerequisite for activating Shopify Payments. If you don't have one, customers see a blank policy field during checkout, which kills conversions and flags your account for review.
A functional refund policy needs to answer at least these questions:
- Return window: How many days does a customer have to request a return — 14, 30, or 60 days from delivery?
- Item condition: Must items be unused and in original packaging, or do you accept returns on opened products?
- Return shipping: Who pays — you or the customer? Do you provide a prepaid label?
- Refund method and timeline: Original payment method only? Store credit? How long until the refund processes?
- Non-returnable items: Perishables, digital goods, custom orders, intimate apparel, and similar categories are typically excluded — spell this out explicitly.
Shopify's built-in policy builder in Settings → Policies generates a basic template, but it's intentionally generic. It doesn't know whether you sell handmade ceramics, supplements, or digital downloads. A policy generated through FreeTOS's refund policy generator asks about your specific product types and customizes the language accordingly.
EU consumer law grants a mandatory 14-day right of withdrawal on all distance sales. If any of your customers are based in the EU — even if your business is in the US, UK, or Australia — your refund policy must explicitly offer at minimum 14 days. A 7-day policy or a "no returns" policy is illegal for EU purchases, regardless of what you prefer.
Privacy Policy — Required by Law and by Shopify
Shopify's Terms of Service explicitly require every store to have a privacy policy. Beyond Shopify's own rules, privacy policies are mandated by law in virtually every major market. Every Shopify store collects personal data by default: customer names, shipping addresses, email addresses, and payment information. The moment you install Google Analytics or Meta Pixel, you're also collecting behavioral data and passing it to third parties.
Your privacy policy must disclose:
- What data you collect — both data customers provide (name, address, email) and data collected automatically (IP address, browsing behavior, cookies)
- Why you collect it — order fulfillment, marketing, fraud prevention, analytics
- Who you share it with — this must include Shopify, your payment processor (Stripe, PayPal, etc.), shipping companies, and any marketing platforms
- How long you keep it — typical retention periods for order records, customer accounts, and marketing data
- How customers can exercise their rights — access, correction, deletion, and data portability requests
GDPR applies if you have any EU customers. CCPA applies if you have California customers. Several other US states — Virginia, Colorado, Connecticut, Texas, and more — have their own privacy laws with their own disclosure requirements. A well-drafted privacy policy from FreeTOS covers all of these in a single document.
Cookie Policy — Required If Selling to EU or UK
A privacy policy and a cookie policy are not the same thing. A cookie policy specifically discloses every cookie your store sets, categorized by type — strictly necessary, functional, analytical, and marketing — and explains what each one does and how long it persists.
If any of your visitors or customers are based in the EU or UK, the EU ePrivacy Directive and the GDPR both require explicit, prior, informed consent before setting non-essential cookies. The word "prior" is the important part: cookies must not load until the visitor actively clicks "Accept." Passive consent — continuing to browse, closing a banner, or pre-ticked checkboxes — does not meet the legal standard.
Shopify stores typically run multiple cookie-setting services: Google Analytics (GA4), Meta Pixel for Facebook/Instagram ads, Google Ads conversion tracking, Klaviyo or Mailchimp tracking pixels, and any number of third-party Shopify apps. Each one places cookies that require EU consent. Your Shopify theme's built-in cookie banner may not meet GDPR requirements — many don't block cookies before consent fires. Generate your cookie policy here and verify your consent banner actually blocks scripts on load.
Strongly Recommended (Not Always Required But Protect You)
Terms of Service
Terms of Service are not technically required by law in most jurisdictions, but no serious Shopify store should operate without them. Your ToS is the legal contract between you and every customer who makes a purchase. Without it, you have no contractual basis for the things you'll eventually need to enforce.
A Shopify ToS should cover:
- Acceptable use: What customers can and cannot do in relation to your store — prohibiting resellers, fake reviews, account sharing, or any misuse specific to your business
- Intellectual property: Your product photos, brand assets, and copy are your property. State it.
- Liability limitations: Cap your liability for issues beyond your control — shipping delays, product use errors, third-party platform outages
- Dispute resolution: Which jurisdiction's law governs, and how disputes are handled — arbitration, small claims, or court
- Account termination: Your right to cancel or refuse orders from abusive customers
The FreeTOS Terms of Service generator produces e-commerce-specific ToS language that covers all of these areas, customized to your store type.
Shipping Policy
A shipping policy is not legally required, but it's one of the highest-ROI legal pages you can publish. The single most common reason customers contact Shopify store support is to ask about shipping. Every customer who finds that answer in your shipping policy is a support ticket that doesn't get created, and a chargeback that doesn't get filed because the customer felt misled.
Your shipping policy should cover: order processing time (same day, 1–3 business days), which carriers you use, estimated delivery windows by region, international shipping availability and any customs/duty notes, free shipping thresholds if you offer them, and what happens if a package is lost or arrives damaged.
Generate a complete shipping policy with FreeTOS — it takes about 60 seconds.
GDPR Compliance — If You Sell to Europe
GDPR compliance goes beyond having a privacy policy. If you have any EU customers — even occasionally — these are the additional requirements that apply to your Shopify store:
Cookie consent banner. As described above, it must block non-essential cookies until consent is given. Not just a notice — an actual gate.
Data Processing Agreement (DPA) with Shopify. Under GDPR, if a third party processes your customers' personal data on your behalf, you need a DPA in place. Shopify provides its DPA automatically — you can find and accept it under Settings → Legal. But you should verify it's accepted, not just assume it is.
Data subject request process. EU customers have the right to request access to their data, request corrections, and request deletion. You must be able to respond within 30 days. Shopify has built-in tools for customer data exports and deletions under Settings → Customer Privacy.
Breach notification procedure. GDPR requires you to notify the relevant supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals. Your privacy policy should mention this. For a deeper breakdown of EU requirements, see the complete GDPR guide.
Generate a GDPR-specific privacy policy for your Shopify store with the FreeTOS GDPR privacy policy generator.
Complete Legal Pages Checklist for Shopify Stores
Required
Strongly Recommended
Industry-Specific
Where to Add Each Policy in Shopify
Generating your policies is only half the job. Here's exactly where each one goes inside your Shopify admin so they actually appear at checkout and in your footer.
1. Core policies (Refund, Privacy, ToS, Shipping) — Shopify Admin → Settings → Policies. This is the most important location. Policies added here are automatically linked in your checkout flow. Shopify pulls refund and privacy policy links directly from this panel and shows them on every checkout page. Paste your final policy text into the appropriate fields and save. You do not need to create separate pages for these unless you want them accessible from your nav — Shopify handles the checkout linking automatically.
2. Cookie consent banner — Online Store → Themes → Edit Code → theme.liquid → before </body>. If you're implementing a custom cookie consent solution (which you should, since Shopify's default banner often doesn't meet GDPR's prior-consent standard), you'll add the banner script before the closing body tag in theme.liquid. If you use a consent management app from the Shopify App Store, it handles this injection automatically.
3. Custom policy pages for footer navigation — Online Store → Pages → Add page. If you want your policies to be directly browsable — for example, a dedicated /privacy-policy page accessible from your footer — create them as standard Shopify pages here. Give each one a clear title, paste in your policy content, then add the page to your footer navigation via Online Store → Navigation → Footer menu.
4. GDPR tools — Settings → Customer Privacy. Shopify has built-in GDPR and CCPA functionality under this panel. Here you can manage your Data Processing Agreement with Shopify, configure what happens when customers request their data, and enable or disable certain data tracking features by region. This does not replace a cookie consent banner — it's a supplement to it.
5. Legal pages linked from checkout — Settings → Checkout → Additional scripts / checkout customization. If you want additional legal links or disclosures visible at checkout beyond what Shopify pulls from Settings → Policies, use the checkout customization options available on Shopify Plus, or the Additional Scripts field on lower plans.
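Step 2 above says the banner script in theme.liquid must actually gate tracking tags rather than just display a notice. The following is an added example of that prior-consent gate, not code from the page or from FreeTOS or Shopify: it assumes each tracking tag in theme.liquid is written as `<script type="text/plain" data-consent="analytics">` (or `marketing`) so the browser never executes it on its own, that the Accept button has the id `consent-accept`, and that the choice is stored under the localStorage key `cookie_consent`; all three names are assumptions.

```javascript
// Prior-consent gate (added example, not from the original page).
// Tags with type="text/plain" are inert until this code re-creates them,
// so GA4, Meta Pixel, etc. cannot fire before the visitor clicks Accept.
const CATEGORIES = ['analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent'; // assumed storage key name

// Parses the stored choice. Missing, garbled or non-boolean values all
// count as "no consent", so the safe default is always to keep blocking.
function parseConsent(raw) {
  try {
    const c = JSON.parse(raw || '{}');
    return Object.fromEntries(CATEGORIES.map(k => [k, c[k] === true]));
  } catch (e) {
    return Object.fromEntries(CATEGORIES.map(k => [k, false]));
  }
}

// A tag with an unknown or missing category is treated as non-essential
// and stays blocked; only an explicitly accepted category is released.
function shouldActivate(scriptCategory, consent) {
  return CATEGORIES.includes(scriptCategory) && consent[scriptCategory] === true;
}

// Replaces each gated tag whose category was accepted with a live <script>.
// Returns the number of tags released so the caller (or a test) can check it.
function activateGatedScripts(doc, consent) {
  let activated = 0;
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach(el => {
    if (!shouldActivate(el.dataset.consent, consent)) return;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  });
  return activated;
}

// Browser wiring: on load, release only what was consented to on an earlier
// visit; the Accept button (assumed id) records consent and releases the rest.
if (typeof document !== 'undefined') {
  const stored = parseConsent(window.localStorage.getItem(STORAGE_KEY));
  activateGatedScripts(document, stored);
  const btn = document.getElementById('consent-accept');
  if (btn) btn.addEventListener('click', () => {
    const granted = { analytics: true, marketing: true };
    window.localStorage.setItem(STORAGE_KEY, JSON.stringify(granted));
    activateGatedScripts(document, granted);
  });
}
```

A first visit with nothing stored releases zero tags, which is the behaviour to confirm in the browser's network panel before trusting any banner.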
Common Shopify Legal Page Mistakes
After reviewing hundreds of Shopify stores, these are the most common legal mistakes — and the ones most likely to cause real problems:
Using Shopify's auto-generated boilerplate without editing it. Shopify's policy generator outputs the same generic template for every store. It doesn't know you sell handmade soap, or that your products ship from Germany, or that you use five third-party apps that each set their own cookies. A boilerplate policy that doesn't match your actual practices can make you more legally exposed than no policy at all, because it creates a false record.
Having a 7-day or 30-day return policy without an EU carve-out. If you sell internationally and your return window is under 14 days, you're violating EU consumer law for every EU order you fulfill. Even US-based stores with US-focused marketing will have EU customers find their site through search. The fix is simple: add a clause that EU customers receive a minimum 14-day right of withdrawal regardless of your standard policy.
Relying on a cookie notice that doesn't actually block cookies. A banner that says "We use cookies" while simultaneously loading GA4 and Meta Pixel is not GDPR-compliant. The EU standard is explicit prior consent — cookies must not fire until the visitor actively accepts. Check your store using a browser privacy extension or a cookie audit tool to verify what actually loads on page arrival.
Not updating your privacy policy when you add new Shopify apps. Every app you install that touches customer data — email marketing, live chat, reviews, loyalty programs, wishlist tools — is a new data processor that must be disclosed in your privacy policy. Most store owners install apps continuously and never update their privacy policy to match.
No mention of Shopify as a data processor. GDPR requires your privacy policy to identify all parties who process your customers' data on your behalf. Shopify is your primary data processor — they store your customer records, process payments, and run your storefront. Failing to name them is a GDPR omission that regulators specifically look for.
How to Get All Your Shopify Legal Pages for Free
Every policy in this checklist can be generated free at FreeTOS — no account, no watermark, no trial that converts to a paid plan. Each generator asks the right questions for your specific store type and produces a complete, ready-to-paste document in about 60 seconds.
Generate Every Shopify Legal Page Free
Each one takes about 60 seconds. No account required. Download as HTML and paste directly into Shopify's Settings → Policies panel.
Frequently Asked Questions
Yes. Shopify's Terms of Service require merchants to have a refund policy. It is displayed during checkout and is a prerequisite for activating Shopify Payments. Without a refund policy in Settings → Policies, customers see a blank field during checkout, which harms conversions and may trigger account review. If you sell to EU customers, your policy must offer a minimum 14-day return window under EU consumer law.
Shopify has a basic policy generator in Settings → Policies, but the output is very generic and is not customized to your specific store, products, or jurisdiction. It does not account for your third-party apps, your specific product categories, or international compliance requirements like GDPR. A policy generated with a dedicated tool like FreeTOS is more comprehensive and better tailored to your actual business practices.
Yes, if you have any European or UK customers. Shopify stores using GA4, Meta Pixel, Google Ads, or any third-party app set cookies that require explicit GDPR consent before loading. A cookie policy discloses the cookies you use, but you also need a consent banner that actually blocks non-essential cookies from firing until the visitor accepts. Shopify's built-in banner often does not meet this standard — verify that your implementation blocks scripts on page load rather than just displaying a notice.
GDPR is the EU's General Data Protection Regulation. It applies to any online store that collects data from EU residents, regardless of where your business is based. If even a single customer visits your store from the EU, GDPR technically applies. Key requirements beyond a privacy policy include: a functioning cookie consent mechanism, the ability to fulfill data access and deletion requests within 30 days, and an accepted Data Processing Agreement with Shopify. For a full breakdown, read the complete GDPR guide.
Yes. FreeTOS generates Shopify-compatible, GDPR and CCPA-compliant privacy policies for free. The generator asks about your specific store type, the data you collect, the third-party services you use (including Shopify, payment processors, and analytics), and your customer rights process. Download the output as HTML and paste it directly into Shopify's policy settings under Settings → Policies. No signup or payment required.
Written by Abd Shanti, building FreeTOS.org. Writing about website compliance, legal documents, and making legal tools accessible to everyone.