So this happened yesterday: https://techcrunch.com/2019/10/01/europes-top-court-says-active-consent-is-needed-for-tracking-cooki...
It would seem that Shopify stores are currently not able to comply with this ruling. Even if you removed Google Analytics and the FB pixel, Shopify dumps its own analytics and reporting cookies on every visitor's computer without prior consent. As these cookies are (by Shopify's own declaration: https://www.shopify.com/legal/cookies) not necessary for the functioning of the store, these would only be allowed with prior and informed consent by the visitor.
"Solutions" like CookieBot come to mind, but from my own tests, CookieBot does not prevent the cookie dump on the first page load, i. e. prior to the user having the chance to consent to them. And even if the user disables all non-essential cookies through CookieBot after that initial page-load, they're just deleted temporarily, once you reload the page, they're back.
I don't think CookieBot can even do anything about that, as these cookies are set by Shopify's analytics scripts that get injected into the store automatically. CookieBot apparently relies on you adding an attribute to each cookie-setting script tag in the theme's HTML that identifies that script as belonging to one of the available categories (necessary, preferences, statistics or marketing), which users can then block. Since Shopify's analytics scripts get injected automatically, there's no way to add that attribute.
I'd appreciate some feedback directly from Shopify on this. Is there currently any way to operate a Shopify store in compliance with this ruling, and if not, what is being done to fix this?
Good to know @Gabe. Please get published a comprehensive documentation on the topic when possible to help merchants truly become compliant.
Yes, and Händlerbund and IT-Rechtskanzlei are also working on a solution. Händlerbund is not expecting any fines though.
Once Shopify brings out a solution all merchants will be notified.
@GabeSeems you pasted the wrong link there ;)
Besides that, I'm pretty sure apps still aren't able to permanently block Shopify's own tracking cookies, correct?
Oops, no idea how that Harvey Keitel meme snuck itself in there haha! :)
Meant this app here of course. It's not perfect but if it says it is compliant with the new cookie law, I guess we can hold the app dev to it that it does what it says on the tin :)
But more developments are on the way too.
Lots of these app devs claim to be GDPR-compliant or that their app makes your store GDPR-compliant, which is an incredibly bold claim, assuming these devs aren't lawyers or have had their app certified or even just thoroughly reviewed by a lawyer And lots of apps make promises that they can't keep, so just because it says it on the tin doesn't mean that's what it'll do.
My advice would be to proceed with caution, no single app is going to make your store GDPR-compliant or (at this point) even compliant with the pending law changes as per the EU high court ruling regarding cookies.