Why is cookie consent (per GDPR) not core Shopify functionality?

Excursionist

Shopify, this question is for you...

 

If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).

  

Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.

 

So why does Shopify fob off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.

 

I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zendesk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either.

 

Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.

 

When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

7 Likes
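The two properties the post above says most banner apps lack, blocking non-essential cookies until consent is granted and keeping a record of that consent, look roughly like this. This is an added example, not part of the original post and not Shopify or app code; `ConsentGate`, the category names, and the in-memory cookie jar standing in for `document.cookie` are all hypothetical.

```javascript
// Added example; ConsentGate and every name below are hypothetical.
const CATEGORIES = ["essential", "analytics", "marketing"];

class ConsentGate {
  constructor(bannerVersion, now = () => new Date().toISOString()) {
    this.bannerVersion = bannerVersion;    // which banner text the visitor saw
    this.now = now;                        // injectable clock
    this.granted = new Set(["essential"]); // default: everything else denied
    this.jar = new Map();                  // stands in for document.cookie
    this.queue = [];                       // cookies held back until consent
    this.log = [];                         // append-only proof-of-consent records
  }

  // Only an explicit user action counts. A pre-checked box or "kept browsing"
  // (userInitiated false) grants nothing and is not logged as consent.
  recordDecision(visitorId, choices, { userInitiated }) {
    if (!userInitiated) return false;
    this.granted = new Set(["essential"]);
    for (const c of CATEGORIES) if (choices[c] === true) this.granted.add(c);
    this.log.push({
      visitorId,
      at: this.now(),
      bannerVersion: this.bannerVersion,
      granted: [...this.granted].sort(),
    });
    // Withdrawal: delete cookies whose category is no longer granted.
    for (const [name, c] of this.jar) {
      if (!this.granted.has(c.category)) this.jar.delete(name);
    }
    // Release held-back cookies that the new decision allows.
    this.queue = this.queue.filter((c) => !this.trySet(c));
    return true;
  }

  trySet(cookie) {
    if (!this.granted.has(cookie.category)) return false;
    this.jar.set(cookie.name, cookie);
    return true;
  }

  // Entry point for scripts: set the cookie if allowed, otherwise hold it.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const cookie = { name, value, category };
    if (this.trySet(cookie)) return "set";
    this.queue.push(cookie);
    return "blocked";
  }
}
```

In a real storefront the log would be written server-side, so that the record survives the visitor clearing their browser.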

Good Question. Actually, there is no App for it to "really" get a consent or to block cookies, as it has to be done by the core system.

--
Made for men - https://www.soberberlin.com
1 Like
Excursionist

I emailed this topic to Shopify's Privacy team on June 20th (ticket number 13317172), and also asked a Shopify Help rep to escalate it...

 

2+ weeks later and zero reply from anybody at Shopify... pretty pathetic for something that is critical and not optional for all your merchants selling to hundreds of millions of EU citizens.

 

An epic fail for you, Shopify.

3 Likes
New Member

Hi, I'm in the process of looking at the same scenario as part of upgrading our site. Can I ask, did you ever get a reply or work out a suitable solution?

0 Likes
Excursionist

Hi - I asked their Privacy Team to reply as well, which they finally did more than 3 months later with the following:


Our team is aware of the issue and we are working on a technical fix!

What that means, and when we might expect a proper, robust, Shopify-supplied solution is anybody's guess.

 

I'm currently paying for one of the cookie banner Apps on the Shopify store, but only as a "best of the worst" solution. I've also noticed using Google PageSpeed and other test tools that the App slows down my site (as you'd expect, making more 3rd-party calls) which is bad.

0 Likes
New Member

Hi, yeah, I totally agree. I signed up for a cookie app too, but I would much prefer a definitive out-of-the-box solution rather than a search-and-hope solution, as it is at the moment.
0 Likes
New Member

Hi all,

 

I emailed Shopify's privacy team about issues with Shopify consent options in relation to ICO guidance and the recent German court ruling.

 

I received this reply on the 3rd of October 2019, which you may find encouraging:

 

We understand the importance of this ruling and the impact it has on our merchants. This work is a top priority and we are currently working hard on a solution.

In the near future we will show how cookie banners can be implemented so that merchants may tie placing cookies with user consent. Also, feel free to check out cookie banner options in the Shopify App Store or contact a Shopify Expert to customize one for your needs.

Best,
Privacy Team

0 Likes
Excursionist

I assume by "the recent German court ruling" you mean this:

https://techcrunch.com/2019/10/01/europes-top-court-says-active-consent-is-needed-for-tracking-cooki...

"...So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law."

(warning: TechCrunch and all other Verizon/Oath/Yahoo sites have a most offensive labyrinth of privacy settings, likely designed to make you give up and just offer them your soul)

 

As I note in my original post above, Shopify's suggestion to "check out cookie banner options in the Shopify App Store" is more harm than good, as you'll mostly find said "cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’".

 

Let's see if Shopify comes up with anything useful and compliant...

0 Likes
Tourist

Thanks for raising the topic! My store has been up for 2 weeks and I'm looking for the same thing, a proper GDPR app that will help me be fully compliant.

 

Did you hear anything back from Shopify...? Alternatively, what app are you using today - if any? 

 

Thanks a lot! 

0 Likes
Excursionist

Hi @MarieV  - sorry, I've seen nothing useful back from Shopify on this yet. Just the vague "we're working on it" replies that I got last September, and @SimonM got above in October.

 

I currently use https://apps.shopify.com/smart-eu-cookie-banner, which costs $3.00 USD / month and claims to do the following to respect European GDPR...

 

[Image: Screenshot 2020-01-04 at 08.42.42.png]

0 Likes