Customers/redact webhook clarity

We’re updating our handling of the customers/redact GDPR webhook, and it’s brought up some questions. Our app does not have the read_customers scope because we don’t need it; all the info we need to ship orders comes to us in the order.shippingAddress. However, lately we’ve been getting a lot of customers/redact with a payload like this:

{
    "shop_id": 123456789,
    "shop_domain": "some-shop.myshopify.com",
    "customer": {
        "id": 987654321,
        "email": null,
        "phone": null
    },
    "orders_to_redact": null
}

Because we don’t have read_customers permissions we can’t use that customer.id to query the Customer API and figure out whose data we need to redact, and by the time we receive that webhook the customer’s orders have already been redacted, it seems, because querying the Orders API for customer_id:<customer_id> comes back with nothing. So what exactly are we expected to do with this webhook payload?

Hi @ktbishop

This is a good point - if orders_to_redact is null, then it does sound like there is no order data needed to redact (since order data is already inaccessible). I’ve also asked internally what the best practice is for removing customer data when an app does not have the read_customers scope and the only info you have is the customerID.

Thanks @Liam-Shopify, I look forward to hearing back!

Hi again @ktbishop

If the orders have already been redacted, what customer data would you still have?

One option could be to separately and securely store customer IDs when you capture shipping data - this gives you a reliable lookup method without needing to query the Customer API.

@Liam-Shopify Well, that’s sort of our question: since we never got a webhook with any specific orders listed in it, and we don’t currently have read_customers access, we don’t actually know what to redact in this scenario where we get nothing except a customer.id. We tossed around that very idea of starting to save these customer.id values from the order, we were just hoping to avoid having to do that if possible. It sounds like we’ll just have to go that route I suppose. Thanks for your help!

@Liam-Shopify Actually, one bit of clarification: we’ve been under the impression that those customers/redact webhooks were an “all or nothing” thing, i.e. if we receive that webhook we need to find every trace of that customer in our system and redact their info.

Reading your previous question about orders_to_redact being null actually brings up a new question: when we receive a customers/redact webhook with no orders_to_redact, do we actually need to do anything at all? Are we only supposed to redact info when there are orders listed in that field? Maybe we’ve been redacting way more info than we actually needed to…
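The following is an added example, not code from this thread or from Shopify. It shows the approach suggested above (storing the customer id alongside each captured shipping address) together with a handler for the payload shape quoted at the top of the thread: orders_to_redact may be null, and customer.email and customer.phone arrive as null, so the locally stored customer id is the only usable key. Whether a null orders_to_redact obliges the app to redact anything is the open question in the thread; this handler takes the conservative route and redacts every locally stored order linked to that customer id, plus any order ids explicitly listed. The OrderRecord schema, the in-memory store and the sample orders are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample webhook body with the same shape as the payload quoted in the thread.
REDACT_PAYLOAD = json.dumps({
    "shop_id": 123456789,
    "shop_domain": "some-shop.myshopify.com",
    "customer": {"id": 987654321, "email": None, "phone": None},
    "orders_to_redact": None,
})


@dataclass
class OrderRecord:
    """One shipped order as the app stores it (hypothetical schema)."""
    order_id: int
    shop_domain: str
    customer_id: Optional[int]        # captured from the order at ingest time
    shipping_address: Optional[dict]  # the personal data that must be redacted


def record_order(store: dict, order_id: int, shop_domain: str,
                 customer_id: Optional[int], shipping_address: dict) -> None:
    """Store the shipping address together with the order's customer id, so a later
    customers/redact webhook can be matched without the read_customers scope."""
    store[order_id] = OrderRecord(order_id, shop_domain, customer_id, dict(shipping_address))


def build_sample_store() -> dict:
    """Constructed sample data: three orders, two of them for customer 987654321."""
    store: dict = {}
    record_order(store, 1001, "some-shop.myshopify.com", 987654321, {"name": "A. Person", "zip": "00000"})
    record_order(store, 1002, "some-shop.myshopify.com", 111111111, {"name": "B. Other", "zip": "11111"})
    record_order(store, 1003, "some-shop.myshopify.com", 987654321, {"name": "A. Person", "zip": "00000"})
    return store


def redact_order(rec: OrderRecord) -> None:
    """Drop the personal fields but keep the order id so the shipment record stays intact."""
    rec.shipping_address = None
    rec.customer_id = None


def handle_customers_redact(store: dict, raw_body: str) -> dict:
    """Apply a customers/redact payload to the local store.

    Orders are selected by the ids in orders_to_redact (when present) and, in addition,
    by the locally stored customer id. customer.email / customer.phone are not used,
    since the thread's payload carries them as null. Returns a summary for the audit log."""
    payload = json.loads(raw_body)
    customer_id = payload["customer"]["id"]
    shop_domain = payload["shop_domain"]
    listed = payload.get("orders_to_redact") or []  # null -> empty list

    # Only touch records belonging to the shop that sent the webhook.
    targets = {oid for oid in listed
               if oid in store and store[oid].shop_domain == shop_domain}
    targets |= {oid for oid, rec in store.items()
                if rec.shop_domain == shop_domain and rec.customer_id == customer_id}
    for oid in targets:
        redact_order(store[oid])

    return {
        "shop_domain": shop_domain,
        "customer_id": customer_id,
        "listed_order_ids": list(listed),
        "redacted_order_ids": sorted(targets),
    }


def payload_with_orders(raw_body: str, order_ids: list) -> str:
    """Helper for experiments: the same payload with orders_to_redact filled in."""
    body = json.loads(raw_body)
    body["orders_to_redact"] = list(order_ids)
    return json.dumps(body)


if __name__ == "__main__":
    store = build_sample_store()
    print(handle_customers_redact(store, REDACT_PAYLOAD))
    # A redelivered webhook finds nothing left to redact.
    print(handle_customers_redact(store, REDACT_PAYLOAD))
```

Because redact_order clears the stored customer id, a redelivered webhook for the same customer is a no-op, and the returned summary records which order ids were actually touched, which is what you want to keep for evidence that the request was honoured.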