All things Shopify and commerce
We're using a third party cookie compliance management service called OneTrust on some of our Shopify stores - they're supplying us with a Cookie Banner & Preference Centre, as well as a cookie categorisation facility. Most importantly they offer an 'auto-blocking' feature intended to block the source of all NOT strictly-necessary cookies until user permission is provided.
However...
We've found that this technology is not successfully blocking a range of Shopify cookies - _shopify_y, _shopify_s, _y, _s, _shopify_evids etc - which are, to quote ThomasBorowski on this thread https://community.shopify.com/c/shopify-discussions/eu-high-court-decision-regarding-cookies-and-sho... : "set by Shopify's analytics scripts [and] injected into the store automatically".
Tech support at OneTrust had this to say:
"Unfortunately overall, it seems we are unable to block Shopify Cookies. We have no control over cookies that might be set by an external resource on a different domain. These (third party) cookies are set on the "external domain", not the domain of your site."
Concerned about what this might mean for the compliance status of our sites, I went to Shopify Plus Support to asked if it was possible and/or desirable to block these cookies on page load, and was told:
"It could be possible however it is not something that we would support as it could greatly effect the merchants analytics, it could effect store front loading, it could also effect the admin as well."
Since I was fully into web detective mode now, I went and inspected a number of prominent Shopify sites and saw the same cookies appearing in the browser, regardless of what kind Compliance Banner was implemented and before any interaction with a banner.
The questions all this raises are:
What is the correct categorisation for the cookies listed above?
If a cookie is integral to "store front loading" and the functioning of the store admin, in addition to store analytics, can it be correctly categorised as strictly necessary?
If these cookies cannot be designated strictly necessary, and leading compliance services can't block them, what recourse do store owners have to ensure that they're GDPR compliant?
Would really appreciate the thoughts of both other store owners and Shopify staff.
Andy.
Hi Andy,
Thank you for sharing your question here. Cookies and data compliance are a very important topic for merchants and partners and having a clear understanding of that is definitely important.
Our legal and policy page has a detailed document on this topic I would like to share with you. Our Cookie Policy and the definition for all our cookies, including the ones you shared below, can be found here: Shopify Cookie Policy. Our policy page details the cookies that are needed and what areas of the storefront or admin they would affect if not available any longer.
Alongside cookies required for the storefront to load and work properly, there are a range of services that Shopify utilizes that can also create cookies. These are all detailed in our Cookie Policy link shared above. Each of these entities have their own policies and may allow you to opt your business out of their tracking services, which would also minimize the cookies they create for tracking.
Hopefully this resource answers most of your questions. I am not a technical expert myself, but I want to make sure you get answers to all your questions regarding this. Please review the cookie policy and let me know if you have additional questions remaining and I will do my best to get you an answer. If your question is directly related to legal requirements for your business, you will need to consult with a legal professional for additional help as our support is not able to speak to that.
Shay | Social Care @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Hi Andy,
I know your post was from several years ago. However, we have recently been tasked with using OneTrust with a Shopify site (https://virtekvision.com) and we have run into the exact problem which you described back in 2021. Were you able to find a solution to ensure that the Shopify cookies did not fire before the user gave consent on the OneTrust cookie banner?
Many thanks, Don
Hey Community! As we jump into 2025, we want to give a big shout-out to all of you wh...
By JasonH Jan 7, 2025Hey Community! As the holiday season unfolds, we want to extend heartfelt thanks to a...
By JasonH Dec 6, 2024Dropshipping, a high-growth, $226 billion-dollar industry, remains a highly dynamic bus...
By JasonH Nov 27, 2024