Why is cookie consent (per GDPR) not core Shopify functionality?

aj007
Excursionist

Shopify, this question is for you...

 

If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).

  

Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.

 

So why does Shopify fob-off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.

 

I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zendesk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either. 

 

Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.

 

When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Simon_Schier
Tourist

Good Question. Actually, there is no App for it to "really" get a consent or to block cookies, as it has to be done by the core system.

--
Vegan, Unisex cosmetics & perfume - https://www.soberberlin.com
aj007
Excursionist

I emailed this topic to Shopify's Privacy team on June 20th (ticket number 13317172), and also asked a Shopify Help rep to escalate it...

 

2+ weeks later and zero reply from anybody at Shopify... pretty pathetic for something that is critical and not optional for all your merchants selling to hundreds of millions of EU citizens.

 

An epic fail for you, Shopify.

DarrenW123
Tourist

Hi, I'm in the process of looking at the same scenario as part of upgrading our site. Can I ask, did you ever get a reply or work out a suitable solution?

aj007
Excursionist

Hi - I asked their Privacy Team to reply as well, which they finally did more than 3 months later with the following:


Our team is aware of the issue and we are working on a technical fix!

What that means, and when we might expect a proper, robust, Shopify-supplied solution is anybody's guess.

 

I'm currently paying for one of the cookie banner Apps on the Shopify store, but only as a "best of the worst" solution. I've also noticed, using Google PageSpeed and other test tools, that the App slows down my site (as you'd expect, making more 3rd-party calls), which is bad. 

DarrenW123
Tourist

Hi, yeah, I totally agree. I signed up for a cookie app too, but I would much prefer a definitive out-of-the-box solution rather than a search-and-hope solution, as it is at the moment.

SimonM
Shopify Partner

Hi all,

 

I emailed Shopify's privacy team about issues with Shopify consent options in relation to ICO guidance and the recent German court ruling.

 

I received this reply on the 3rd of October 2019, which you may find encouraging:

 

We understand the importance of this ruling and the impact it has on our merchants. This work is a top priority and we are currently working hard on a solution.

In the near future we will show how cookie banners can be implemented so that merchants may tie placing cookies with user consent. Also, feel free to check out cookie banner options in the Shopify App Store or contact a Shopify Expert to customize one for your needs.

Best,
Privacy Team

aj007
Excursionist

I assume by "the recent German court ruling" you mean this:

https://techcrunch.com/2019/10/01/europes-top-court-says-active-consent-is-needed-for-tracking-cooki...

"...So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law."

(warning: TechCrunch and all other Verizon/Oath/Yahoo sites have a most offensive labyrinth of privacy settings, likely designed to make you give up and just offer them your soul)

 

As I note in my original post above, Shopify's suggestion to "check out cookie banner options in the Shopify App Store" is more harm than good, as you'll mostly find said "cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’".

 

Let's see if Shopify comes up with anything useful and compliant...

MarieV
Tourist

Thanks for raising the topic! My store has been up for 2 weeks and I'm looking for the same thing, a proper GDPR app that will help me be fully compliant. 

 

Did you hear anything back from Shopify...? Alternatively, what app are you using today - if any? 

 

Thanks a lot! 

aj007
Excursionist

Hi @MarieV  - sorry, I've seen nothing useful back from Shopify on this yet. Just the vague "we're working on it" replies that I got last September, and @SimonM got above in October.

 

I currently use https://apps.shopify.com/smart-eu-cookie-banner, which costs $3.00 USD / month and claims to do the following to respect European GDPR...

 

[Image: Screenshot 2020-01-04 at 08.42.42.png]

MarieV
Tourist

Thanks a lot for your answer @aj007 ! Let's hope Shopify actually is working on it and will release it soon...

 

All the best

zole
New Member

Hi @aj007, does this smart eu cookie banner really work?

Because a lot of apps like this claim to, but they are not prior to consent.

Please advise.

zole
New Member

Hello, have you found any solution?

Please advise.

Petar

ui-gab
Shopify Partner

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf

 

Background Info:

Who tracks data:

Shopify

Google Analytics (if installed)

Others (facebook pixel, ...etc)

 

In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.

 

Theoretically, if an app can modify the theme template then it could insert JavaScript that blocks the tracking code from firing. But that still makes it impossible to keep users from being tracked on the checkout page. 

On Shopify plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.

 

Summary:

A possible solution would be to modify your theme and custom checkout page (on Shopify plus) to verify if user has consented to your data collection.

Whether anyone has actually done that yet. I'm guessing probably not on a large scale.

 

Let me know if I can help in any other way.

ui-gab
https://www.uiavenue.ca
We specialize in data analytics. If I've helped you today, please give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.
aj007
Excursionist

@ui-gab wrote:  [bolding is mine]

...In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.


 

Thanks @ui-gab - I think that perfectly sums up why proper cookie consent can only be provided by Shopify, and why this can't be relegated to an App. 

 

Shopify tends to forget Europe's half-billion+ citizens, and the 600+ billion euros of Ecommerce sales there in 2019 alone. Cookie consent is one example... they also have no workable tax-compliant gift card solution for European merchants either.

sober
Excursionist

I had to laugh so hard as I read "users will feel that they are respected" 

 

Wow. Just wow. There are laws, and App-Developers talk about that at least someone "feels respected"

When the court asks us if we set those cookies, I will say "Yes, but we told them so they felt respected"

😄

Made my day! 

It can only be solved by Shopify and is indeed a core functionality, which has to be there for EU-Users (even for US Stores!) 

 

Care for skin & hair - natural and effective.
zole
New Member

@ui-gab wrote:

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf

 

Background Info:

Who tracks data:

Shopify

Google Analytics (if installed)

Others (facebook pixel, ...etc)

 

In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.

 

Theoretically, if an app can modify the theme template then it could insert JavaScript that blocks the tracking code from firing. But that still makes it impossible to keep users from being tracked on the checkout page. 

On Shopify plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.

 

Summary:

A possible solution would be to modify your theme and custom checkout page (on Shopify plus) to verify if user has consented to your data collection.

Whether anyone has actually done that yet. I'm guessing probably not on a large scale.

 

Let me know if I can help in any other way.


@aj007  @ui-gab So there is no way that I can set at least prior to consent google analytics code that I manually entered?

How do people in Europe handle cookies? Are they all set to necessary?

aj007
Excursionist

RE: "How do people in Europe handle cookies? Are they all set to necessary?"

 

Not sure I've seen any Shopify cookie consent Apps that offer 'levels' or 'categories' of tracking - e.g. like OneTrust/etc. offer 'Necessary, Functional, Marketing, Social Media, etc.' There may well be some such Apps, and if they're honest then they'd have a rather broad 'Necessary' category, that actually translates into 'Unavoidable because only Shopify has the power to not fire these tracking codes.'

 

I fear most Shopify merchants 'handle cookies' by installing Apps that claim to be GDPR compliant, and even get good reviews... but actually are just useless decorations offering a false sense of security.

zole
New Member

Yes I understand. 

But professional firms that are working with software for dropping cookies in every possible website claim that you can at least set prior to consent 3rd party scripts like Google Analytics and Facebook pixel that you manually insert.

You basically need to edit a code in Shopify "edit code" section.

Any information about that?

ui-gab
Shopify Partner

Not necessarily. After a bit more research, I believe a lot more app developers embed code onto the website than intended. Meaning that they have installed the code via a blocking JavaScript. So there could be potentially some cookie GDPR compliant apps, if they are done properly.

 

If you want to determine if an app built by one of these app developers is actually GDPR compliant, you will A. have to believe them, or B. do some investigative digging on a technical level to see which one actually does everything that is compliant with GDPR. You will probably need some sort of web developer to dig into the small details of the app to see if it actually does what it is advertising.

 

Technical digging will probably involve: installing the app(s) until you find one that does as advertised.

Check that it:

  • during load, it blocks and prevents other cookie tracking from firing until the user has accepted the right cookie selection
  • tracks each user that has explicitly accepted the cookie vs those that have rejected it
  • and a bunch of other GDPR and now CCPA related requirements

Cheers,

Gab

ui-gab
https://www.uiavenue.ca
We specialize in data analytics. If I've helped you today, please give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.
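
The two checks listed in the post above (trackers held back until the visitor accepts, and a record of who accepted and who rejected), sketched as an added example that is not part of any post in this thread and not code from Shopify or any App. `createConsentGate`, the category names and the `store` interface are hypothetical; the gate only governs scripts a theme registers through it, so the platform's own tracking and the checkout pages discussed earlier in the thread stay out of its reach.

```javascript
// Added example (hypothetical names): default-deny consent gate for theme-loaded trackers.
const CATEGORIES = ["functional", "analytics", "marketing"];
function createConsentGate({ store, now = () => new Date().toISOString() }) {
  const queued = []; // { category, load } held back until consent
  const log = [];    // append-only decisions, kept as proof of consent
  let granted = new Set(); // default deny
  try {
    const saved = JSON.parse(store.get("consent") || "null");
    if (saved && Array.isArray(saved.granted)) {
      granted = new Set(saved.granted.filter((c) => CATEGORIES.includes(c)));
    }
  } catch (_) { /* corrupt stored value: treat as no consent */ }
  function flush() {
    // Fire, in registration order, only the loaders whose category is granted.
    for (const t of queued.filter((q) => granted.has(q.category))) {
      queued.splice(queued.indexOf(t), 1);
      t.load();
    }
  }
  return {
    register(category, load) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      queued.push({ category, load });
      flush();
    },
    decide(visitorId, choices) {
      // Only an explicit `true` counts; anything else is recorded as a refusal.
      granted = new Set(CATEGORIES.filter((c) => choices[c] === true));
      const rejected = CATEGORIES.filter((c) => !granted.has(c));
      const record = { visitorId, at: now(), granted: [...granted], rejected };
      log.push(record);
      store.set("consent", JSON.stringify(record));
      flush();
      return record;
    },
    pending: () => queued.map((q) => q.category),
    log: () => log.slice(),
  };
}
// Constructed demo: an in-memory store stands in for the first-party consent cookie.
function demo() {
  const m = new Map(), fired = [];
  const store = { get: (k) => m.get(k), set: (k, v) => m.set(k, v) };
  const gate = createConsentGate({ store, now: () => "2020-01-04T08:42:42Z" });
  gate.register("analytics", () => fired.push("analytics"));
  gate.register("marketing", () => fired.push("marketing"));
  const before = fired.slice();
  const record = gate.decide("visitor-1", { analytics: true, marketing: "yes" });
  return { before, after: fired.slice(), pending: gate.pending(), record, store };
}
```

When auditing an App against the same checks, the equivalent observation is that no non-essential cookie or tracker request appears before the visitor's choice, and that a rejection leaves the trackers unloaded on later page views.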