We have a Shopify ecommerce site which is attached to our larger organisation and we are currently reviewing how we will be required to gather consent for specific activities under the new GDPR legislation.
Is there any work in the pipeline for Shopify to allow our developers to insert our own consent fields / formatting / tooltips or other information into the checkout page so that we can properly comply with the legislation's requirements for informed consent? OR, are there workarounds that we have not thought of that will allow us to meet these requirements?
Thank you in advance for your help!
I have been dabbling with GDPR compliance and making opt-ins simpler and more user friendly for a while. At the outset, yes, what you are looking for is possible. Two ways of doing this -
Shopify is also expected to roll out an update on GDPR for merchants and app developers. Do keep an eye out for that as well. This might very well become a part of the standard product as well - given that GDPR compliance is the next baseline.
Also, from whatever I have understood so far, the efficacy of these tweaks will depend by and large on the user experience that you craft around this. We are planning to put together a list of templates on how to manage this efficiently and delightfully. Happy to share it once they are ready.
I am working on developing a GDPR app for Shopify, for instance helping shop owners respond to data subject requests (requests to view, edit, delete or port personal data) and obtaining consent. I would love to hear from shop owners who need this functionality or just want to learn more about how to be prepared for GDPR. You can reach me at firstname.lastname@example.org
This is far more complicated than simply updating your privacy policy and requires action in checkout which Shopify just doesn't seem to have prepared for.
At data entry each granular level of data needs either a consent box (if that is your legal basis for collection and processing) or a soft opt-in box which is not pre-ticked which allows people to opt out (if your legal basis is Legitimate Interest).
This means phone numbers, email addresses, SMS, postal addresses... all personal data, then a box for passing data to third parties which again cannot be pre-ticked but is ticked to opt out.
The DMA guidance for consent and legitimate interest was published last week, see https://dma.org.uk/article/dma-gdpr-guidance-consent-and-legitimate-interests
I am being told to find a developer... which is madness. Shopify Plus needs the tools.
If Shopify really wants to wash their hands of it, they should just let us edit the checkout. That's something many people have long wanted for other reasons anyway. I understand Shopify's case for not wanting to allow it, but they can't have it both ways - if we can't edit the checkout, then Shopify must do so. If they won't take responsibility for doing that, then they must allow us to.
@Qwirkle and @Matthew Skala
It's good to know that others have been having this issue. Since making this post, I've been in touch with Shopify personally about edits that will be required to the checkout page. They have refused to make any changes to it, citing that they cannot make changes for 'individual customers'.
Of course, we don't believe that the requirements for version-controlled tooltips (at the very least) and the ability to collect GDPR / PECR compliant consent for email marketing is a requirement that's specific to a single customer.
Have either of you contacted Shopify directly? You can contact their DPO directly on email@example.com. It might help to make some changes if we all inform them of our requirements under GDPR / PECR.
> Have either of you contacted Shopify directly? You can contact their DPO directly on firstname.lastname@example.org.
I did, and I got a useless form letter denying any real responsibility to deal with this. However, I've no need to pursue it further because it has suddenly become necessary for me to leave Shopify for other reasons - the admin page stopped working without warning, support on that issue could offer me nothing except telling me to use a different browser, and that's a dealbreaker. With luck, I'll be off of Shopify before the GDPR deadline, and in any case it makes more sense for me to put my compliance efforts into the replacement.
Best of luck to those who remain with Shopify!
I think their response is very convincing and it would be ridiculous to have privacy notices on every single page, because data these days is collected on every single page via cookies. That would not be user-friendly either. Does it make sense to you?
@everyone I have since spoken to the ICO about this issue and they can offer no specific guidance on how to deal with suppliers in these situations. However, they did say that it would be sufficient for us to place the summary privacy notice on the 'cart' page - or any page that the data subject MUST visit prior to entering their data.
So, we can get away with not placing privacy notices on the checkout page, so long as the privacy information is given to the customer in a location that they are certain to have visited prior to entering their details.
Some of you may find this information helpful. It may also be useful for you to contact the ICO about this issue (briefly) because they let me know that, if this is a problem for a lot of their organisations, they may be able to produce guidance on the topic. Please don't take up too much of their time, though; they're very busy.