Why is cookie consent (per GDPR) not core Shopify functionality?

Baldur_Helgason
Shopify Partner
29 0 18

I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.

GDPR/CCPA + Cookie Management 

But according to Cookiebot, we are still not compliant.

What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.

I also just discovered the Customer Privacy options under Online Store > Preferences.

I’ve set up the one provided by Shopify and it seems to be working correctly. There is a problem with not being able to change the title of the Privacy Policy link.

The app mentioned above: GDPR/CCPA + Cookie Management does not prevent Google Analytics and Facebook JavaScript code from being downloaded before the consent is given so that’s not gonna fly for me.

Now there’s another app that claims to be using the Customer Privacy API

GDPR+

But their example store does not have google analytics or facebook pixel set up at all so I cannot confirm it is working as expected.

0 Likes
FC1
Excursionist
10 0 9

Hello

 

Do you have more info on this? I´m considering trying the GDPR/CCPA+Cookie Management and they say they do block google and facebook. Did you have managed to try it? Regarding other aspects they seen to be quite compliant (granular consent, ability to change consent, consent log etc).

 

Any feedback would be appreciated,

 

Cheers

 

Francisco

0 Likes
Robin101
New Member
1 0 0

Hi There,

 

I am currently using teh "GDPR/CCPA + Cookie Management" app but it is really the best worst solution I could find on the market. So I am always scanning for new, better apps. 

 

I think I have found quite a good one called "GDPR Cookie Bar +ePrivacy Page". This seems to include all relevant legal aspects and is for free too so I am going to switch to this one.

 

Cheers

0 Likes
Santa_Sangria
New Member
1 0 2

Just posting to say "argh"

This cannot be optional and must be solved for EU vendors. 

I've just inherited a store as part of a job. But there's no way any EU vendor should use Shopify if it is not watertight with GDPR.

Should be right at the top of the roadmap!

Milan146
Excursionist
22 1 2

You can reach out to our support team we could work on that, try our free application 

https://apps.shopify.com/responsive-cookie-consent-by-appifycommerce

but we can provide you satisfying solution though 

0 Likes
Baldur_Helgason
Shopify Partner
29 0 18

@Milan146 wrote:

You can reach out to our support team we could work on that, try our free application 

https://apps.shopify.com/responsive-cookie-consent-by-appifycommerce

but we can provide you satisfying solution though 


Like many have pointed out in this thread most of the available apps (including yours) DO NOT make you GDPR compliant. Merely notifying the customer the page uses cookies (implied consent) is meaningless when it comes to being compliant. The customer needs to be able to give CLEAR consent by clicking a button before you start tracking them and that means NO tracking cookies are set and tracking scripts DO NOT run before they have consented. Apart from that, the user should be able to able to change their cookie settings after the initial consent.

thegospelorian
Tourist
6 0 2

Hi everyone,

I am starting a new shopify store in Feb 2021 and was also concerned about GDPR (for EU) and CCPA (for California).

Isn't having a privacy policy (the default one provided by shopify) sufficient to satisfy GDPR and CCPA regulations?  I'm in California myself and when I go to Banana Republic's website (for example), there is no CCPA or cookies banner popping up at the bottom of the page.  They only have a privacy policy link at the bottom of the page like everyone else.  And when I checked out some GDPR banner apps on shopify, it doesn't look like a lot of shopify stores downloaded them.  So I'm wondering if having a privacy policy page is enough.  Aren't customers giving their consent by using the website?  

Also, there are instructions for store owners (GDPR white pages) to contact shopify if a customer requests information about themselves or want to erase their data.  I believe we go to the shopify admin, click customers, and click "request blah blah" which starts a process with shopify.  I believe the instructions also mentioned that shopify sends this request to all the connected apps in our store (not sure about this one). 

Any advice from shopify owners would be helpful.  Thanks and take care.      

    

0 Likes
pault70
Tourist
6 0 1

I really hope @Shopify is looking into this, if only for their own bottom line. Merchants will be scared off if there is the slightest risk of getting one of these huge business ruining fines if they are not compliant.

It should be possible for Shopify to adjust the way app developers create apps and force them to add new steps where consent can (perhaps optionally) be obtained (or not) and cookies or other scripts can be then used (or not) depending on the user's answer. Of course, this will add work for the developers but there really is no other option if eCommerce on Shopify is to continue.

0 Likes
kevin114
New Member
1 0 0

Hi everyone,

Same issue here: setting up the shop end of 2021 and cannot get fully GDPR compliant as Shopify is triggering cookies prior to consent (their script is read before mine so Cookiebot is too late to block them) and they send some data to a "not adequate" country (US).

I reached out to customer service but they are not really tackling the issue as they suggested that I install their customer banner app (which only shows a banner without taking any actions on the background to block cookies). Therefore, I insisted until they suggested that I talk to a "Shopify Expert" which costs between $50 to $1k just as a starting fee.

Honestly, I do not get why this is so complicated - I spent hours going on forums, trying different Cookie blockers apps, understanding GDPR regulations, etc. - and this should be a native functionality (at least for all the core functions - not the third party which are usually easy to block).

Please let me know if you have any information or found a solution.

Thank you,
Kevin

0 Likes