Protecting access to customer data
Third-party developers use Shopify’s APIs to build apps for merchants. Prior to API version 2022-10, developers could access customer names, contact information, addresses, and other information, like order details and dates, that could be used to identify a unique individual. There was no way for developers to specify which customer data they needed. It was all or nothing. We needed to reduce the risks of third-party app developers accessing customer data, with minimal impact to the merchant experience of apps.
Project goals
Allow developers to limit their own access to customer data
Introduce oversight into data access
Limit impact to merchant experience
My role
Content design and product design
User research
Content modeling
Collaborating with legal on plain language requirements
Designed end-to-end experience
Driving alignment with a content model
After working with legal and security to understand the type of information we needed to gate, I led content modeling sessions with engineering to explore how we might group the data, and what precisely we wanted developers to request access to.
Since customer data is available across 15+ API scopes and 30+ API resources, it wasn’t sustainable for developers to request access to individual scopes or resources.
Together, the team landed on a role-and-type-of-data model, which means developers can request access to a customer’s name, for example, and then access it across the API. This decision changed the direction of our solution to be entirely UI-based: developers would manage their access requests in the Partner’s Dashboard, rather than through their API calls.
Final content model we landed on.
First round of research: I used personal data in our prototype to elicit feedback on language.
Reconciling regionalized terms
To better understand developers’ comfort level with privacy laws and terms, I conducted multiple rounds of user research during this project.
Though developers were familiar with both “personal data” and “personally identifiable information,” I discovered that the term they understood or preferred depended on where their business was located.
To avoid confusion, we needed a net new term. Protected customer data is intentionally privacy-law agnostic.
Designing for flow of information
To minimize merchant impact, we needed to make sure developers were well aware of their requirements in advance of the deadline. Mapping the end-to-end flow made sure I had accounted for all the surfaces and scenarios where developers might run into customer data. It also allowed us to tell a consistent communications story with our documentation and marketing teams. To drive developers toward meeting their compliance requirements, we leveraged:
In product: API error messages, banners, and reports
Developer documentation: Tutorials, API references, and developer changelog
Marketing materials: Editions, email blasts, and AMAs
Outcomes
Shopify has insight into any customer data access by third-party developers.
Repeatable privacy governance mechanism for any new customer data.
Privacy glossary for other teams to leverage as they build onto the feature.