Why is cookie consent (per GDPR) not core Shopify functionality?

aj007
Excursionist

Shopify, this question is for you...

 

If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).

  

Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.

 

So why does Shopify fob off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.

 

I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zendesk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either.

 

Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.

 

When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Replies (35)
leoI
Tourist

You can create one for free using Google Optimize.

Mila_Lansdowne1
Tourist

Thank you for posting the link to the app you are using. I hope Shopify will have a solution. It must be part of the out-of-the-box store setup. I wish you much success with your store.

 

markdc
Excursionist

I'm chiming in here to keep the attention of the Shopify staff on this point. It definitely needs to be a core feature!

Baldur_Helgason
Shopify Partner

Has anyone found an app that truly integrates with the Shopify Consent Tracking API? (https://shopify.dev/docs/themes/consent-tracking-api)

I’ve not been able to find any.

EDIT: Shopify seems to have their own app https://apps.shopify.com/customer-privacy-banner and from the description it seems they do integrate with the Consent Tracking API. Gonna give this a try.

The Customer Privacy Banner works with Shopify’s Customer Privacy settings, allowing you to prevent customer tracking if a customer in the EU does not agree to it.

 

markdc
Excursionist

I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.

GDPR/CCPA + Cookie Management 

But according to Cookiebot, we are still not compliant.

What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.

I also just discovered the Customer Privacy options under Online Store > Preferences.

Baldur_Helgason
Shopify Partner

> I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.
>
> GDPR/CCPA + Cookie Management
>
> But according to Cookiebot, we are still not compliant.
>
> What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.
>
> I also just discovered the Customer Privacy options under Online Store > Preferences.

I’ve set up the one provided by Shopify and it seems to be working correctly. There is a problem with not being able to change the title of the Privacy Policy link.

The app mentioned above, GDPR/CCPA + Cookie Management, does not prevent Google Analytics and Facebook JavaScript code from being downloaded before the consent is given, so that’s not gonna fly for me.

Now there’s another app that claims to be using the Customer Privacy API:

GDPR+

But their example store does not have Google Analytics or Facebook Pixel set up at all, so I cannot confirm it is working as expected.

FC1
Excursionist

Hello

 

Do you have more info on this? I'm considering trying the GDPR/CCPA + Cookie Management app and they say they do block Google and Facebook. Did you manage to try it? Regarding other aspects, they seem to be quite compliant (granular consent, ability to change consent, consent log, etc.).

 

Any feedback would be appreciated,

 

Cheers

 

Francisco

Robin101
New Member

Hi There,

 

I am currently using the "GDPR/CCPA + Cookie Management" app but it is really the best worst solution I could find on the market. So I am always scanning for new, better apps.

 

I think I have found quite a good one called "GDPR Cookie Bar +ePrivacy Page". This seems to include all relevant legal aspects and is for free too so I am going to switch to this one.

 

Cheers

Santa_Sangria
New Member

Just posting to say "argh"

This cannot be optional and must be solved for EU vendors. 

I've just inherited a store as part of a job. But there's no way any EU vendor should use Shopify if it is not watertight with GDPR.

Should be right at the top of the roadmap!

Milan146
Excursionist

You can reach out to our support team and we could work on that. Try our free application:

https://apps.shopify.com/responsive-cookie-consent-by-appifycommerce

But we can provide you a satisfying solution though.