
Shopify Review Compliance Checklist: FTC, GDPR, and Shopify Policy (2026)

By Marius Møller-Hansen · 2026-06-29 · 9 min read


Shopify review compliance is the set of rules that govern how a store collects, displays, and stores customer reviews so that the social proof on your product pages is legal, honest, and consistent with platform policy. It spans three overlapping rulebooks: the FTC's consumer-protection rules in the United States, GDPR (and the UK GDPR) for any shopper in the EU or UK, and Shopify's own merchant and app policies that sit on top of both.

Most Shopify merchants treat reviews as a marketing asset and never think about them as a regulated one. That is a mistake that has gotten more expensive: the FTC's rule on fake and deceptive reviews carries civil penalties per violation, and EU data regulators treat review text as personal data the moment a name or email is attached.

This checklist breaks compliance into four practical areas: collection, display, privacy, and platform policy. Work through each section, check the boxes that apply to your store, and fix the gaps. None of it requires a lawyer to start, though a few items at the end are worth a professional review.

What does review compliance actually cover?

At a high level, you are responsible for four things at once:

  1. Collection is honest and consensual: you gather reviews from real customers, without buying or fabricating them, and without bribing people for positive ratings.
  2. Display is truthful: you show genuine reviews including critical ones, your star averages reflect the real data, and any "verified" labels mean what they say.
  3. Privacy is respected: reviewer names, emails, photos, and IP addresses are personal data, and you have a lawful basis to process them plus a way to delete them on request.
  4. Platform policy is met: your review app, your theme, and your store conduct all comply with Shopify's terms and the app's data handling rules.

A store can be excellent at marketing and still fail two or three of these. The good news is that the fixes are mostly process and configuration, not a rebuild.

Collection checklist: how you gather reviews

The collection stage is where most legal risk is created, because this is where incentives, gating, and fabrication happen.

  • [ ] Only solicit reviews from verified customers. Send review requests to people who actually purchased, ideally tied to a fulfilled order. This is the foundation of an honest review base and makes a "verified buyer" label defensible later.
  • [ ] Never write, buy, or commission fake reviews. This includes reviews written by employees, founders, agencies, family, or paid networks posing as customers. Under the FTC's rule this is the single clearest violation, and it applies to AI-generated reviews too.
  • [ ] Disclose any incentive clearly. Offering a discount, loyalty points, free product, or entry into a giveaway in exchange for a review is allowed, but the incentive must be disclosed and must not be conditional on the review being positive. "Leave a review for 10% off" is fine; "leave a 5-star review for 10% off" is not.
  • [ ] Do not condition incentives on sentiment. Rewards can depend on someone leaving a review. They cannot depend on the review being favorable. Make that explicit in your request copy.
  • [ ] Stop review gating. Gating means routing happy customers to a public review form while diverting unhappy customers to a private feedback channel so negatives never get published. Regulators now treat this as review suppression. Ask every customer the same question through the same door.
  • [ ] Keep proof of consent for testimonials. If you lift a review into an ad, email, or homepage testimonial with a name or photo, keep a record that the customer agreed to that use.
  • [ ] Be honest about employee or insider connections. If a reviewer has a material connection to your business, that connection must be disclosed next to the review.
  • [ ] Do not suppress reviews selectively. Removing reviews because they are negative (while keeping comparable positives) can itself be deceptive. You can remove reviews that are spam, abusive, off-topic, or violate clear published guidelines, applied evenly.

The principle behind every item above: a review program is honest when the same rules apply to a one-star and a five-star review.

Display checklist: how reviews appear on the page

Truthful collection can still be undone by misleading display. This is the stage Shopify shoppers actually see, so accuracy here is both a legal and a trust issue.

  • [ ] Show genuine reviews, including negative ones. A product page with only glowing reviews and a suspiciously perfect average reads as fake to shoppers and to regulators. Negative and mixed reviews increase credibility and conversion. Suppressing them is the risk, not showing them.
  • [ ] Make star averages mathematically accurate. The aggregate rating you display (and the rating in your structured data) must reflect the real distribution of real reviews. Do not seed averages, weight them silently, or hide low scores from the calculation.
  • [ ] Keep "verified purchase" labels truthful. Only mark a review verified if you can actually tie it to a purchase. If some reviews are verified and some are not, make the distinction clear rather than implying all are verified.
  • [ ] Match your structured data to what is on the page. If you output AggregateRating schema for Google rich results, the rating, review count, and individual reviews in the markup must match what a visitor sees. Mismatched or invented review schema violates both Google's policies and consumer-protection principles.
  • [ ] Do not display reviews for the wrong product. Syndicating or borrowing reviews from a different product, a different variant that materially differs, or a competitor without clear disclosure is misleading. Grouping reviews across genuinely identical variants is generally fine; importing unrelated reviews is not.
  • [ ] Date your reviews and keep them current. Showing only old, cherry-picked reviews while hiding recent critical ones can mislead. Let the recent picture show.
  • [ ] Be clear about how reviews are ordered or filtered. Sorting by "most helpful" is fine. Defaulting to a filter that hides all negatives by design is the gating problem in a new costume.

Optimizing which genuine reviews you feature is allowed and smart; inventing or distorting them is not. This is the line that matters most. You can absolutely test which real, collected reviews convert best per product, surface stronger social proof, and rotate UGC video, as long as every item shown is real and your averages stay honest. This is the lane Eevy operates in: it continuously optimizes the on-page mix of your genuine collected reviews, UGC, and social-proof sections per product, lifting conversion rate by an average of around 18% without ever fabricating or altering a review. Because it only ever surfaces reviews customers actually left, optimizing display stays on the compliant side of the line. It installs from the Shopify App Store in about five minutes and is free up to 25,000 monthly visitors, then $99 a month. The compliance point: tools that test and surface should only ever reorder and select genuine content, never generate it.

Privacy checklist: GDPR and personal data

A review is personal data the moment it carries a name, an email, a photo, an order reference, or an IP address. That pulls EU and UK shoppers' reviews under GDPR, regardless of where your store is based.

  • [ ] Identify your lawful basis. For publishing a review with a customer's name, the usual basis is consent or legitimate interest. Whichever you choose, be consistent and document it.
  • [ ] Get clear consent for public display. When someone submits a review, make it obvious that their name (or chosen display name) and content will be published. Avoid pre-ticked boxes; consent should be a deliberate action.
  • [ ] Offer a display-name or initials option. Letting reviewers publish under a first name, initials, or a handle is a simple way to reduce the personal-data footprint while keeping reviews credible.
  • [ ] Cover reviews in your privacy policy. State what review data you collect, why, how long you keep it, who processes it (your review app is a processor), and the rights shoppers have.
  • [ ] Honor erasure requests. A reviewer can ask you to delete their review and associated data (the right to erasure). You need a practical process to remove or anonymize it across your store and your review app.
  • [ ] Honor access and rectification. Shoppers can ask what review data you hold and ask you to correct it. Build a simple path to respond within the legal window (one month under GDPR, extendable).
  • [ ] Confirm a data processing agreement with your review app. Any app storing review data on your behalf is a processor under GDPR. You should have a DPA in place and know where the data is hosted.
  • [ ] Mind cross-border transfers. If your review app stores EU shopper data outside the EU, confirm an appropriate transfer mechanism is in place.
  • [ ] Minimize what you collect. Do not capture more than you need. Storing raw IP addresses or full email addresses publicly is rarely necessary and increases exposure.

Privacy is the area most merchants overlook because it is invisible on the page. It is also the area where a single ignored erasure request can become a complaint to a regulator.

Platform policy checklist: Shopify's own rules

On top of the law, Shopify imposes its own requirements through the Shopify Terms of Service, the merchant Acceptable Use Policy, and the app review and data policies your review app must follow.

  • [ ] Use a reputable review app. Apps in the Shopify App Store must pass review and data-handling requirements. A compliant app handles GDPR data subject requests through Shopify's mandatory webhooks (customer data request, customer redact, shop redact).
  • [ ] Confirm your app honors Shopify's GDPR webhooks. When a customer requests data or deletion through Shopify, your review app should respond to the corresponding webhook. This is a hard requirement for App Store apps and a useful signal of a trustworthy vendor.
  • [ ] Do not misrepresent your store. Shopify's Acceptable Use Policy prohibits deceptive and misleading conduct. Fake reviews and dishonest social proof fall squarely inside that prohibition and can put your store at risk, separate from any legal action.
  • [ ] Keep review widgets from breaking Core Web Vitals and accessibility. Not strictly a legal item, but Shopify and Google both reward fast, accessible pages. Heavy review scripts that block rendering hurt both conversion and standing.
  • [ ] Respect Google's review and structured-data policies. If you want review stars in search results, the Review and AggregateRating markup must follow Google's structured data guidelines, which forbid self-serving and fabricated reviews in markup.

Platform policy is the layer people forget because it is not "the law," but a store can be perfectly legal and still get an app delisted or a warning for breaking these terms.

A quick self-audit you can run today

If you only have an hour, run these five checks:

  1. Pull up a top product and look for negative reviews. If there are none and the average is a flat 5.0, investigate whether something is filtering or gating them.
  2. Check your review request email. Does it promise a reward for a positive review specifically? Fix the wording so the reward is for any honest review.
  3. Compare your schema to the page. View source on a product page and confirm the AggregateRating count and value match the visible reviews.
  4. Find your erasure process. If a customer emailed asking you to delete their review right now, do you know the steps? If not, write them down.
  5. Confirm your app's data handling. Check that your review app is App Store listed and documents GDPR webhook support and a DPA.

Most stores pass three of these and fail two. The two you fail are your roadmap.
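Steps 1 and 3 of the self-audit as code, added here and not part of the original guide: the function pulls the AggregateRating out of a product page's JSON-LD and compares it with the ratings a visitor actually sees, then flags a flat 5.0 with no critical reviews. The sample HTML, the visible-ratings list and the function names are constructed for this example.

```javascript
// Added example (not Eevy's code): audit the AggregateRating markup against the
// visible reviews. Sample HTML and ratings are constructed; in a real check the
// ratings would be read from the rendered review widget.
function extractJsonLd(html) {
  const re = /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
  const blocks = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try { blocks.push(JSON.parse(m[1])); } catch (e) { /* skip malformed block */ }
  }
  return blocks;
}

// Walk any JSON-LD graph and return the first AggregateRating, whether top-level,
// nested under Product.aggregateRating, or inside an @graph array.
function findAggregateRating(node) {
  if (Array.isArray(node)) { for (const n of node) { const r = findAggregateRating(n); if (r) return r; } return null; }
  if (!node || typeof node !== "object") return null;
  if (node["@type"] === "AggregateRating") return node;
  for (const key of Object.keys(node)) { const r = findAggregateRating(node[key]); if (r) return r; }
  return null;
}

// Compare markup with the page. `visibleRatings` holds the star values (1..5) a
// shopper can actually read; the schema must match their count and mean.
function auditAggregateRating(html, visibleRatings) {
  const count = visibleRatings.length;
  const avg = count ? visibleRatings.reduce((a, b) => a + b, 0) / count : 0;
  const schema = findAggregateRating(extractJsonLd(html));
  if (!schema) return { issues: ["no AggregateRating in JSON-LD"], visibleAvg: avg, visibleCount: count };
  const schemaCount = Number(schema.reviewCount ?? schema.ratingCount);
  const schemaValue = Number(schema.ratingValue);
  const issues = [];
  if (schemaCount !== count) issues.push(`reviewCount ${schemaCount} != visible ${count}`);
  if (Math.abs(schemaValue - avg) > 0.05) issues.push(`ratingValue ${schemaValue} != visible avg ${avg.toFixed(2)}`);
  // Self-audit step 1: a flat 5.0 with nothing under 4 stars is worth investigating for gating.
  if (count >= 10 && avg === 5 && !visibleRatings.some(r => r < 4)) issues.push("flat 5.0 with no critical reviews: check for gating");
  return { issues, visibleAvg: avg, visibleCount: count, schemaValue, schemaCount };
}

// Constructed sample: markup claims 4.9 from 120 reviews; the page shows 8 reviews averaging 4.25.
const SAMPLE_HTML = `<html><head>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Product","name":"Wool Runner",
"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.9","reviewCount":"120"}}</script>
</head><body><p>reviews rendered here</p></body></html>`;
const SAMPLE_VISIBLE = [5, 5, 4, 3, 5, 4, 4, 4];
```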

The through-line: honest content, honestly shown

Every rule in this checklist reduces to one idea. Collect reviews from real customers, show them truthfully including the unflattering ones, treat reviewer data as personal data, and stay inside your platform's terms. Optimization, presentation, and conversion work are all fully compatible with compliance, as long as what you are optimizing is genuine content you actually collected.

The stores that get into trouble are the ones that try to manufacture trust: fake reviews, gated negatives, inflated averages, invented schema. The stores that win build real trust and present it well.

This article is general information, not legal advice. Compliance obligations depend on where your business and customers are located and can change. For decisions specific to your store, consult a qualified attorney or your data protection advisor.


Frequently Asked Questions

Is it legal to offer a discount in exchange for a review on Shopify?


Yes, as long as the incentive is disclosed and is not conditional on the review being positive. "Leave a review for 10% off" is fine; "leave a 5-star review for 10% off" is not, because rewarding favorable sentiment specifically is treated as deceptive under the FTC rules.

Do GDPR rules apply to product reviews on my store?


Yes, for any EU or UK shopper. A review becomes personal data once it carries a name, email, photo, order reference, or IP address, so you need a lawful basis to publish it, a privacy policy that covers reviews, and a working process to honor erasure and access requests.

Can I hide or delete negative reviews on Shopify?


You can remove reviews that are spam, abusive, off-topic, or break clearly published guidelines, applied evenly to all reviews. Selectively suppressing genuine negative reviews, or gating unhappy customers into a private channel, is treated as review suppression and is a compliance risk.

About the Author

Marius Møller-Hansen

Founder & CEO, Eevy AI

Founder of Eevy AI. Writes about Shopify conversion rate optimization, review systems, and the genetic-algorithm approach to e-commerce display testing.
