Collecting GDPR-Compliant Consent at Checkout

New Member

We have a Shopify ecommerce site which is attached to our larger organisation and we are currently reviewing how we will be required to gather consent for specific activities under the new GDPR legislation.

As far as we are able to discover, it is not possible for us to edit how consent is gathered at checkout in a way that is sufficient for this purpose. The editable area (which is below the email field) is simply a plain-text field which allows us to insert no formatting, tooltips or links to our privacy policy. It is attached to a simple opt-in checkbox.

Is there any work in the pipeline for Shopify to allow our developers to insert our own consent fields / formatting / tooltips or other information into the checkout page so that we can properly comply with the legislation's requirements for informed consent? Or, are there workarounds that we have not thought of that will allow us to meet these requirements?

As you will probably know, we are required to inform customers of our privacy policy, what we will do with their data if they sign up. The privacy policy information needs to also be digestible easily - so a link to a long privacy policy will not be sufficient on its own. We will need to be able to inform them of the key points on the checkout page itself.

Thank you in advance for your help!

Shopify Partner

I have been dabbling with GDPR compliance and making opt-ins simpler and more user friendly for a while. At the outset, yes: what you are looking for is possible. There are two ways of doing this:

  1. Getting consent during checkout: Customizing the checkout flow is only feasible if you are on Shopify Plus. You can definitely add another box explaining the reason for collecting the data and how you plan to use it. This could also be made mandatory for the checkout process. You will need to run this through your developers / partner managing this.
  2. Getting consent before checkout: This is something that you can do even with a normal Shopify subscription.

Shopify is also expected to roll out an update on GDPR for merchants and app developers. Do keep an eye out for that as well. This might very well become a part of the standard product as well - given that GDPR compliance is the next baseline.

Also, from whatever I have understood so far, the efficacy of these tweaks will depend by and large on the user experience that you craft around this. We are planning to put together a list of templates on how to manage this efficiently and delightfully. Happy to share it once they are ready.

Cheers

iZooto.com - Web Push Notifications for E-Commerce, Bloggers and More
Shopify Partner

I am working on developing a GDPR app for Shopify, for instance helping shop owners respond to data subject requests (requests to view, edit, delete or port personal data) and obtaining consent. I would love to hear from shop owners who need this functionality or just want to learn more about how to be prepared for GDPR. You can reach me at gdpr@handyjs.org

Tourist

This is far more complicated than simply updating your privacy policy and requires action in checkout which Shopify just doesn't seem to have prepared for.

At data entry each granular level of data needs either a consent box (if that is your legal basis for collection and processing) or a soft opt-in box which is not pre-ticked and which allows people to opt out (if your legal basis is Legitimate Interest).

This means phone numbers, email addresses, SMS, postal addresses... all personal data, then a box for passing data to third parties which again cannot be pre-ticked but is ticked to opt out.

The DMA guidance for consent and legitimate interest was published last week, see https://dma.org.uk/article/dma-gdpr-guidance-consent-and-legitimate-interests

I am being told to find a developer... which is madness. Shopify Plus needs the tools.

Excursionist

If Shopify really wants to wash their hands of it, they should just let us edit the checkout. That's something many people have long wanted for other reasons anyway. I understand Shopify's case for not wanting to allow it, but they can't have it both ways: if we can't edit the checkout, then Shopify must do so. If they won't take responsibility for doing that, then they must allow us to.

New Member

@Qwirkle and @Matthew Skala

It's good to know that others have been having this issue. Since making this post, I've been in touch with Shopify personally about edits that will be required to the checkout page. They have refused to make any changes to it, citing that they cannot make changes for 'individual customers'.

Of course, we don't believe that the requirements for version-controlled tooltips (at the very least) and the ability to collect GDPR / PECR compliant consent for email marketing is a requirement that's specific to a single customer.

Have either of you contacted shopify directly? You can contact their DPO directly on privacy@shopify.com. It might help to make some changes if we all inform them of our requirements under GDPR / PECR.

 

Excursionist

> Have either of you contacted shopify directly? You can contact their DPO directly on privacy@shopify.com.

I did, and I got a useless form letter denying any real responsibility to deal with this. However, I've no need to pursue it further because it has suddenly become necessary for me to leave Shopify for other reasons: the admin page stopped working without warning, support on that issue could offer me nothing except telling me to use a different browser, and that's a dealbreaker. With luck, I'll be off of Shopify before the GDPR deadline, and in any case it makes more sense for me to put my compliance efforts into the replacement.

Best of luck to those who remain with Shopify!

New Member

Same problem here. I am considering leaving Shopify because of GDPR.

New Member

Just had a conversation with Shopify support. They say that checkout does not need a privacy notice (a digest version of the privacy policy explaining the reason for the collection of data, with whom it is shared and so on) because the law does not specify that you need this notice for each individual page the buyer visits. Actually, once the buyer enters the page, data starts to be collected via hidden cookies. Therefore a privacy notice at the start of the whole browsing session should be enough. Of course this privacy notice must be according to the new GDPR and more detailed than before. Shopify support assured me they have studied the law closely and consulted with external legal counsel.

I think their response is very convincing and it would be ridiculous to have privacy notices on every single page, because data these days is collected on every single page via cookies. That would not be user-friendly either. Does it make sense to you?

Anyway, the checkout page has a privacy policy link. What do you think?

Best Regards

New Member

@Juan, there's no suggestion that we would need to have the 'digest' version (as you call it) of the privacy policy on every page and no requirement for it. The PECR law covers the cookie policy notice and it is sufficient to inform people of how their data are collected at the beginning of their session on your site (and, of course, to save that they're aware of that for future sessions). The other requirement is to have the privacy notice 'digest' at the point of other data collection: i.e. on the checkout page, where the customer enters their details. The rest of the pages can simply have a link to the privacy policy, as has been standard practice for many years.

@everyone I have since spoken to the ICO about this issue and they can offer no specific guidance on how to deal with suppliers in these situations. However, they did say that it would be sufficient for us to place the summary privacy notice on the 'cart' page - or any page that the data subject MUST visit prior to entering their data.

So, we can get away with not placing privacy notices on the checkout page, so long as the privacy information is given to the customer in a location that they are certain to have visited prior to entering their details.

Some of you may find this information helpful. It may also be useful for you to contact the ICO about this issue (briefly) because they let me know that, if this is a problem for a lot of their organisations, they may be able to produce guidance on the topic. Please don't take up too much of their time, though; they're very busy.

 

 
