GDPR/PECR, cookie consent, Shopify and Google Analytics - regulatory and important

I’m really looking for engagement with Shopify staff on this issue as it’s been ongoing and appears to have no resolution - though I’m happy to be disabused of this understanding.

tl;dr: Shopify stores are all in breach of GDPR/PECR privacy legislation and Shopify must act to correct this before Bad Things happen.

For cookies and analytics to be legally compliant in the UK & EU, users MUST opt-in for optional (analytics) cookies and tracking. Currently, this is impossible with Shopify as GA and Pixel codes are entered through store preferences and deployed on the site outwith the theme layout. This is problematic, not least because the UK ICO has stated an increased focus in businesses who are not complying with correct consent for tracking.

Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.

Sources:

1. https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-the-rules-on-cookies-and-similar-technologies/#rules5
2. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/

This topic has been raised in a few places on different boards, often for various reasons, and so I felt it appropriate to try and unify into one single topic which should be of critical importance to anyone: (i) in the EU and doing business in the EU, and (ii) outside the EU and doing business in the EU. So, pretty much everybody.

The blanket silence, wilful ignorance, and usual comment of ‘there’s an app for this’ from Shopify is, quite frankly, astonishing, given the seriousness of the position everyone is being exposed to by their negligence. This is not meant to be taken as a gibe but a statement of fact.

Whilst there is a clear interest in merchants being able to track analytics throughout the store, and through checkout to conversion, this must be balanced by the requirement to meet regulations and not be left open for legal action. The potential levels of fine for merchants would close businesses.

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Source: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/penalties/

Shopify should be acutely aware of this - the repercussions of a successful case against an EU merchant would be a flood of merchants leaving the platform. This would be terrible for merchants, Shopify, and bad for us - as Partners.

Simple cookie notice banners are insufficient and not compliant.

The requirements for a solution are thus:

• Customers must have the option to opt-in for analytics
• Merchants must be given the means to control analytics from theme level - this includes Shopify analytics

You can see from the ICO’s own website that they use a controller produced by a UK company called Civic (https://www.civicuk.com/cookie-control) [we are not affiliated with Civic in any way - we use their controller because they provide a free ‘community’ licence which is suitable for most use cases]. This controller allows cookies to be enabled and disabled, and call the GA revoke function to clear local cookies. If it’s good enough for the ICO then it will be good enough for everyone else. We would normally use the cookie controller as a wrapper to deliver GTM, itself then a wrapper for analytics and various other ‘optional’ scripts [heatmapping, page activity tracking, etc] - though we can’t do that in Shopify due to the lack of access to the Checkout template. Some implementation of this to control cookies and analytics would look to be the way to go. An even better way would be for Shopify to develop a native solution which mimics this functionality so that customers opt-in, and then analytics can be used right through checkout.

Shopify must acknowledge this issue and respond - preferably with a roadmap to GDPR/PECR compliance.

I’d welcome input from other merchants/partners - this is too big an issue for ignorance to lead everyone down the path to legal action.

After having spent the last couple of days trying to find a solution to this exact problem, I decided to reach out to Shopify support myself.

No need to share the frustration I experienced while trying to find a good solution, though I did get some great news from talking to support: Shopify has a feature in Beta that will allow users to control Cookies from the admin!
You can read about it here: https://help.shopify.com/en/manual/your-account/privacy/cookies

It of course won’t block third party cookies, but it does offer the possibility to limit non-essential tracking cookies which is the one thing that third-party apps are not able to fix.
Combine this with the decent ProCookie cookie banner from Onetrust (not affiliated in any way), and you should have a fully GDPR-compliant store.

Hope this helps others in the EU

Hi everyone,

Well, i have read this with interest but wonder now, if and how it is possible to apply a cookie policy that is 100% compliant with the GDPR rules right now, 24 July? It is nice to hear that Shopify is working on a solution and tests a Beta in May 2020, but we are at end of July right now and it still seems impossible to offer visitors an opt-in cookie bar! Which means precisely this:

No single Shop in the EU + UK is compliant with the GDPR rules which took effect on 1 October 2019!

None of the cookie bar add-ons (free or not) in the store are compliant, e. g. this one which many use and THINK it is enough: https://apps.shopify.com/eu-cookie-bar However this is NOT opt-in, but just the normal “got it” banner that is completely useless. Every semi-talented lawyer will have an easy working week sending written warnings to Shopify store owners since then. Honestly, it is 10 month since GDPR is in action and it is nothing short from being entirely unacceptable what Shopify does here.

ProCookie cookie banners or others must offer opt-in so that NO non-essential cookies are being set. However, Shopify sets non-essential cookies which will be delete then. However, setting them even for a short period of time is not compliant. And by the way: Advertising Shopify as GDPR-compliant on the one hand and then forcing shop owners to buy a rather expensive app to “more-or-less”-achieve something that might be compliant is… [you name it].

So will there be any serious option built-in to Shopify for free for every shop owner? If not, we very likely will have to leave this environment rather sooner that later, because Shopify will not pay the bill we might receive, correct?

This is correct. We await the revised permissions from Shopify to see where things will fall, and in the meantime make clients aware of the risks and ensure they accept them before starting a Shopify build. It’s an entirely unsatisfactory state of affairs, I’m afraid, but this is the world we inhabit.

Hi,

I’m a new Shopify user, about to launch my shop. I’m in Ireland so GDPR compliance is a must. I have spent the morning trying to find a suitable app for the opt-in cookie consent on Shopify and I can’t find anything. I have checked the box for “limit tracking for customers in Europe” Thanks thomasdec and I’ve signed up to One trust for the ProCookie banner. It’s going to take a day or two for the registration to go through.

I have to write my privacy policy, I use FB pixel and google analytics. I have zero tech background, I’m wondering is this enough to comply with GDPR.

Any input would be much appreciated,

thanks

The IT industry created lots of interesting functions around GDPR - much of it way over the top, but generated revenue.

Look at this site www.gov.uk - Question : where is the popup warning that there may be cookies - well it’s not there.

Just a ‘cookies’ link right down at the bottom of the page.

If someone says your site is not compliant … just refer them to www.gov.uk.

PS And it was like this in 2020 when UK was in the EU.

To correct the above, just in case anybody stumbles on this thread:

The gov.uk site has a very big, fully compliant cookie banner on first arrival to their site. Don’t for a second think that simply a link saying ‘Cookies’ in your footer is going to make your site compliant with the law.

A link or a simple bar that says “This site uses cookies” is not compliant, since the user must explicitly opt in to each cookie category.

When it comes to cookies though, Shopify has an option to limit tracking. I don’t know if it is on by default, but if Shopify does not track personal identifiable information with this option (and they say they don’t), then I don’t see how it isn’t compliant.

For third party apps like Google, Facebook etc., the person who installs and manages them is responsible.

Has anyone found a solution to this?

I understand you can enable Google Analytics in two ways in Shopify:

1. Specify Google Analytics ID in Online Store / Preferences / Google Analytics section in Shopify Admin.

2. Inject Google Analytics tracking code into your theme source code.

Both ways have their advantages and disadvantages, but it seems like none of them will solve the issue with GDPR in full.

If you decide to go for the first option, it is not clear how to disable Google Analytics AT CHECKOUT if a user didn’t opt-in for GA (you can still disable GA on all other pages by setting window[‘ga-disable-UA-XXXXX-Y’] = true as described here: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out).

If you go for the second option, then you’ll have to enable things like Google Enhanced Ecommerce manually in your javascript code, and in addition to that you won’t be able to track user’s behaviour at checkout even if user’s consent to do that has been received properly, as you don’t have an access to checkout source code on regular Shopify tariffs (you need to be on a Shopify Plus to be able to do that).

Hello all,

we provide the app GDPR Compliance Center which is providing multiple types of banners with opt-in / opt-out / opt-in-out options etc.

The most important part is that it provides integrations with:

1. Shopify’s consent tracking API
2. Google Consent Mode
3. Facebook - General Data Protection Regulation
4. Rakuten Ads - GDPR/CCPA

Especially with the Google Consent Mode integration, we provide a custom event to GTM so you can easily manage all your third-party scripts from GTM by reading the current consent of the visitor.

The same can be done inside the app with the Smart blocker & the advanced rules tool that we offer which can be used for any kind of script you have from external services or other apps.

Hi Pandectes,

This is interesting. Thanks for sharing. I took a look at the demo store. When rejecting all cookies I expected to see only essential cookies when checking in dev tools. However, when cross referencing the cookies present against the cookies list on the demo site I can see that a lot of the analytics cookies are still loaded and a lot of unlisted ones are too. I’d be happy to hear whether I’m getting something wrong here if you’re happy to take a look.

Here’s the full list of cookies after rejecting all.

Hey, it is surprising that this discussion started in 2020 and it is still ongoing on 2022.

I wanted to know if I am getting it right. According to this https://help.shopify.com/en/manual/your-account/privacy/cookies.

You can currently activate the “Limit tracking to EU” and “Limit tracking to California”. Both will automatically limit the tracking to only the necessary cookies and not add Google Analytics or Facebook, and it does not matter whether the user accepts or rejects the cookies, they are disabled (In EU and California).

If you do not limit anything, then Google and Facebook tracking will be enabled, unless user rejects the cookies.

Is this how the default shopify system works?

@Maxkoa that is indeed how the Shopify setup works. There is one major problem though: in the EU, the only cookies that are allowed (without a user’s consent) are those to ensure the proper functioning of your website. This excludes analytics cookies and that is exactly where Shopify’s problem lies.

Even with the “Limit tracking to EU” option enabled, the Shopify analytics cookies (i.e. _y, _shopify_y,..) are still enabled meaning your website is not compliant with EU regulations. The user needs to provide explicit approval for these cookies to be enabled and thus needs to be able to reject them. This is still not possible, even when fines starting to be handed out by the EU…

Example case here

At this stage it would be good to know if anyone has actually seen a Shopify store that is compliant with GDPR.

Many plugins sell compliance that is nothing of the sort - banners that tell users cookies are used; tools that don’t restrict the cookies used.

But are there actually any stores that are doing this properly?

Does anyone know of any examples?

At this stage the worry is that this problem is structural, and whilst accountability sits with merchants this puts Shopify users at risk, which they it seems we are unable to properly mitigate due to platform limitations.

@thomasdec , so there is currently no way to disable the shopify’s analytics cookies? Not even digging into the code?

I found this but I am not sure whether this would limit it. I have not tested it https://shopify.dev/api/consent-tracking?shpxid=d49ef849-4B41-4D74-6976-7D85D5203D5D

@jake_mitchell + @Maxkoa there are plenty of solutions out there that block 3rd party cookies, OneTrust being one of the best ones that don’t require some app to be installed.

There are also plenty of apps out there that sell their solution as “cookie consent compliant” but it is simply not possible today because Shopify doesn’t allow control over their internal Analytics cookies. If these cookies would in fact be blocked (as they need to be in order to be compliant), the whole Analytics suite on the Shopify admin would pretty much have to be disabled.

As you said Jake, this puts Shopify users at risk and subject to hefty fines. Unfortunately, it is still impossible to comply with EU cookie regulations while using the Shopify platform.

I have implemented the consent tracking API option on one of my stores so that I can use an external tool such as OneTrust rather than an app. In no way does it give you control over the internal Shopify analytics cookies. See the screenshot attached for the Shopify analytics cookies still being loaded, even though I’ve denied all cookies using the tracking consent api.

Screen Shot 2022-03-29 at 11.22.38 AM.png160×404 12.5 KB

@jake_mitchell @Maxkoa @thomasdec

The solutions that a store owner has are two:

1. Either follow what Shopify provides by using their Consent Tracking API, which is what we do as an app here on the store with our GDPR Compliance Center or

2. Block any script (including the ones that Shopify provides) before the visitor gives the positive consent to be used. This is another option that we also support with our script blocker feature.

We have clients that follow the first and others that follow the second solution. It all depends on how you want to apply your policy to your store.

Of course, there are many solutions out there for GDPR like the one you mentioned @thomasdec but in a specific environment/marketplace like Shopify, where it has specific requirements / APIs, etc, I think the best way is to have something tight to the Shopify technology which is an app from the Shopify store.

@Pandectes having looked at the demo store that’s listed for your app, I can tell you that it does not comply with GDPR guidelines. Even though I rejected all cookies, the internal Shopify analytics cookies were still there on pageload (see screenshot below):

Screenshot 2022-06-21 at 10.11.55.png803×626 111 KB

Shopify’s consent tracking API does not comply with GDPR either. It is simply impossible to disable Shopify’s analytics cookies so please don’t advertise your app like so many others out there saying you are GDPR compliant because you’re not. You’re providing store owners a false sense of compliance while they are in fact still liable.

@thomasdec I completely understand the situation you describe and thank you for your comment but our demo store is not configured to block something because we want to know the traffic it gets as it is not a functional store. We just have it as a demo to present the banner, the cookie details, and the DSR page. DSR page also is not providing any feedback as we don’t have products and orders so we don’t have customers.

Anyone can try our app for free (even the paid plans that offer a 7days free trial) and see its features and the way we block any script you like and that’s why large retail brands have selected our app between all the other options (including external services) and we have been audited by law/tech firms about the capabilities we provide.

If you are still not convinced by my sayings, please schedule a call with us here: https://calendly.com/pandectes/30min, and I ensure you that you will be able to see it in action.

To close with, there are apps and services that just clear cookies (1st party only). These are still not 100% compliant because technically these cookies, with their information, are stored on the browser - even for some milliseconds - and then the GDPR app removes them. So in the end, you see a store without these cookies. But in reality, the process of these cookies has run and the tracking has taken place.

@Pandectes I took the opportunity to install the app on my store and check out the trial. Digging into the code, it shows that you store all _shopify_y (Analytics related) cookies under category 1 which are according to your app “fuctionalityStorage” and “personalizationStorage” related.

If you were audited by law/tech firms, you will no doubt have received feedback about these cookies being analytics related. As per GDPR guidelines, no cookies are allowed but those that are essential to the functioning of your website such as language preferences or cart sessions. Analytics cookies clearly fall out of that bucket, meaning you are not GDPR compliant.

As I said multiple times before, Shopify does not allow you to disable these cookies because they are essential to the functioning of their Analytics suite. There simply is no way to not load them on pageload, period.