Customer Privacy Automation Needs Work

There’s a few issues I’m seeing with automating Customer Privacy options:

1. The generated Privacy Policy has a typo/grammatical error under the Children’s Data section:

If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we “share” or “sell” (as those terms are defined in applicable law) personal information of individuals under 16 years of age.

This should be a simple fix, but it requires turning off automation for now.

2. The generated Privacy Policy includes our Shopify owner’s address in the Contact section:

Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please call or email us at [store_owner_email] or contact us at [store_owner_address] For the purpose of applicable data protection laws, we are the data controller of your personal information.

The verbiage here says call or email us and only provides an email, and we should be able to hide the address or choose a different, public address, for this text.

3. The Data Sharing Opt-Out Page includes confusing text:

To opt out of the “sale” or “sharing” of your personal information collected using cookies and other device-based identifiers as described above, you must be browsing from one of the applicable US states referred to above.

There are no states listed in the text about this, so it’s misleading/confusing. This piece does not seem customizable at all - I can’t find it anywhere. When I visit this page from a private browser (FireFox or Chrome Incognito) we see this text. When I visit the page from a logged in Chrome account (Georgia, USA) we are not seeing the verbiage, and we can “opt-out” even though Georgia is not one of the states listed in the automated settings’ states.

4. The Data Sharing Opt-Out Page is not being included in our menus when automated:

We’ve tried setting this in the Customer privacy > Data sharing opt-out page to the Footer menu (recommended), we’ve tried adding it to the Footer menu via Content > Menus > Footer menu and it will not show up in either case. Other changes to the menu reflect when we reorder items or add links there, but the “Your privacy choices” page will not show up. We’ve added a direct link to the page URL for now but it should work when we select the page or add it via the Customer privacy settings.

5. Cookie Consent dialogue shows up for visitors outside visible regions:

This seems odd - when I visit the website from a private browser (FireFox or Chrome Incognito), I don’t see the consent dialogue. But when I visit from Chrome (logged in from Georgia, USA - doesn’t require consent) I do see it. According to the automated regions, the US is not included in places that should see the cookie consent banner.

Seems like these automations could use some work and small customizations shouldn’t preclude automation functionality.

Google AI warns of potential problems caused by Shopify’s automated customer privacy. It’s probably best to use a third party app. Pretty scary:

“Can Shopify’s automated customer privacy features cause problems?

While Shopify’s automated customer privacy features offer valuable assistance for compliance, solely relying on them can lead to several problems:

1. Compliance risks

• Generic policies: Automated generators might not capture the specifics of your business’s data collection and processing, potentially leading to non-compliant or inaccurate privacy policies.

• Outdated policies: Privacy laws are constantly evolving. Automated features may not update policies in real-time, leaving your store vulnerable to penalties and audits.

• Inadequate consent management: Especially for regions like the EU (GDPR), obtaining explicit user consent before deploying non-essential cookies and tracking is crucial. Shopify’s automated tools might not fully support these advanced consent requirements, according to Pandectes.

• Third-party app limitations: Many stores use third-party apps, each with its own data collection practices. Shopify’s features may not adequately address the complexities of ensuring these apps comply with privacy laws.

2. Potential legal and financial consequences

• Fines and lawsuits: Non-compliance with privacy laws can result in hefty penalties, including potential lawsuits.

• Data breaches and leaks: Over-reliance on automated systems without understanding their underlying mechanisms can create vulnerabilities, potentially leading to data breaches. For instance, a third-party app was blamed for a Shopify data leak affecting numerous users in July 2024, notes eSecurity Planet.

3. Loss of customer trust

• Lack of transparency: Generic or outdated policies can erode customer trust, as they may not feel fully informed about how their data is being used.

• Poor handling of data requests: If automated systems are insufficient for handling requests like data access or deletion, it can negatively impact customer relationships and potentially lead to further legal issues.

4. Operational inefficiencies

• Difficult data request handling: Shopify’s tools for data requests can be cumbersome for large volumes, hindering efficiency and potentially leading to compliance issues.

• Limited customization: The default cookie banner and privacy settings might lack the necessary customization options, hindering compliance efforts.

In conclusion

While Shopify’s automated features are a helpful starting point, they are not a substitute for a comprehensive and proactive approach to customer privacy. Merchants are ultimately responsible for understanding and fulfilling their legal obligations.”

I’m seeing the same issues with Shopify’s privacy automation — the glitches and lack of customization are frustrating. I’m working on finding solutions too and would love to team up or share ideas. Anyone else tackling this?