GDPR/PECR, cookie consent, Shopify and Google Analytics - regulatory and important

Highlighted

I'm really looking for engagement with Shopify staff on this issue as it's been ongoing and appears to have no resolution - though I'm happy to be disabused of this understanding.

 

tl;dr: Shopify stores are all in breach of GDPR/PECR privacy legislation and Shopify must act to correct this before Bad Things happen.

 

For cookies and analytics to be legally compliant in the UK & EU, users MUST opt-in for optional (analytics) cookies and tracking. Currently, this is impossible with Shopify as GA and Pixel codes are entered through store preferences and deployed on the site outwith the theme layout. This is problematic, not least because the UK ICO has stated an increased focus in businesses who are not complying with correct consent for tracking.

 

Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.

Sources:

  1. https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-techno...
  2. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-...

This topic has been raised in a few places on different boards, often for various reasons, and so I felt it appropriate to try and unify into one single topic which should be of critical importance to anyone: (i) in the EU and doing business in the EU, and (ii) outside the EU and doing business in the EU. So, pretty much everybody.

 

The blanket silence, wilful ignorance, and usual comment of 'there's an app for this' from Shopify is, quite frankly, astonishing, given the seriousness of the position everyone is being exposed to by their negligence. This is not meant to be taken as a gibe but a statement of fact.

 

Whilst there is a clear interest in merchants being able to track analytics throughout the store, and through checkout to conversion, this must be balanced by the requirement to meet regulations and not be left open for legal action. The potential levels of fine for merchants would close businesses.

 

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Source: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/pe...

 

Shopify should be acutely aware of this - the repercussions of a successful case against an EU merchant would be a flood of merchants leaving the platform. This would be terrible for merchants, Shopify, and bad for us - as Partners.

 

Simple cookie notice banners are insufficient and not compliant.

 

The requirements for a solution are thus:

 

  • Customers must have the option to opt-in for analytics
  • Merchants must be given the means to control analytics from theme level - this includes Shopify analytics

 

You can see from the ICO's own website that they use a controller produced by a UK company called Civic (https://www.civicuk.com/cookie-control) [we are not affiliated with Civic in any way - we use their controller because they provide a free 'community' licence which is suitable for most use cases]. This controller allows cookies to be enabled and disabled, and call the GA revoke function to clear local cookies. If it's good enough for the ICO then it will be good enough for everyone else. We would normally use the cookie controller as a wrapper to deliver GTM, itself then a wrapper for analytics and various other 'optional' scripts [heatmapping, page activity tracking, etc] - though we can't do that in Shopify due to the lack of access to the Checkout template. Some implementation of this to control cookies and analytics would look to be the way to go. An even better way would be for Shopify to develop a native solution which mimics this functionality so that customers opt-in, and then analytics can be used right through checkout.

 

Shopify must acknowledge this issue and respond - preferably with a roadmap to GDPR/PECR compliance.

 

I'd welcome input from other merchants/partners - this is too big an issue for ignorance to lead everyone down the path to legal action.

Highlighted
New Member
1 0 1

After having spent the last couple of days trying to find a solution to this exact problem, I decided to reach out to Shopify support myself.

No need to share the frustration I experienced while trying to find a good solution, though I did get some great news from talking to support: Shopify has a feature in Beta that will allow users to control Cookies from the admin!
You can read about it here: https://help.shopify.com/en/manual/your-account/privacy/cookies

It of course won't block third party cookies, but it does offer the possibility to limit non-essential tracking cookies which is the one thing that third-party apps are not able to fix.
Combine this with the decent ProCookie cookie banner from Onetrust (not affiliated in any way), and you should have a fully GDPR-compliant store.

Hope this helps others in the EU :)

Highlighted
Tourist
11 0 4

Hi everyone,

Well, i have read this with interest but wonder now, if and how it is possible to apply a cookie policy that is 100% compliant with the GDPR rules right now, 24 July? It is nice to hear that Shopify is working on a solution and tests a Beta in May 2020, but we are at end of July right now and it still seems impossible to offer visitors an opt-in cookie bar! Which means precisely this:

No single Shop in the EU + UK is compliant with the GDPR rules which took effect on 1 October 2019!

None of the cookie bar add-ons (free or not) in the store are compliant, e. g. this one which many use and THINK it is enough: https://apps.shopify.com/eu-cookie-bar However this is NOT opt-in, but just the normal "got it" banner that is completely useless. Every semi-talented lawyer will have an easy working week sending written warnings to Shopify store owners since then. Honestly, it is 10 month since GDPR is in action and it is nothing short from being entirely unacceptable what Shopify does here.

ProCookie cookie banners or others must offer opt-in so that NO non-essential cookies are being set. However, Shopify sets non-essential cookies which will be delete then. However, setting them even for a short period of time is not compliant. And by the way: Advertising Shopify as GDPR-compliant on the one hand and then forcing shop owners to buy a rather expensive app to "more-or-less"-achieve something that might be compliant is... [you name it].

So will there be any serious option built-in to Shopify for free for every shop owner? If not, we very likely will have to leave this environment rather sooner that later, because Shopify will not pay the bill we might receive, correct?

Highlighted

This is correct. We await the revised permissions from Shopify to see where things will fall, and in the meantime make clients aware of the risks and ensure they accept them before starting a Shopify build. It's an entirely unsatisfactory state of affairs, I'm afraid, but this is the world we inhabit.

Highlighted
Tourist
7 0 0

Hi,

I'm a new Shopify user, about to launch my shop. I'm in Ireland so GDPR compliance is a must. I have spent the morning trying to find a suitable app for the opt-in cookie consent on Shopify and I can't find anything. I have checked the box for "limit tracking for customers in Europe" Thanks thomasdec and I've signed up to One trust for the ProCookie banner. It's going to take a day or two for the registration to go through. 

I have to write my privacy policy, I use FB pixel and google analytics. I have zero tech background, I'm wondering is this enough to comply with GDPR. 

Any input would be much appreciated, 

thanks

0 Likes