Why is cookie consent (per GDPR) not core Shopify functionality?

aj007
Excursionist
33 0 71

Shopify, this question is for you...

 

If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).

  

Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.

 

So why does Shopify fob-off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.

 

I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zen Desk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either. 

 

Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.

 

When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Replies 40 (40)

Simon_Schier
Tourist
10 1 10

Good Question. Actually, there is no App for it to "really" get a consent or to block cookies, as it has to be done by the core system.

--
Vegan, Unisex cosmetics & perfume - https://www.soberberlin.com

aj007
Excursionist
33 0 71

I emailed this topic to Shopify's Privacy team on June 20th (ticket number 13317172), and also asked a Shopify Help rep to escalate it...

 

2+ weeks later and zero reply from anybody at Shopify... pretty pathetic for something that is critical and not optional for all your merchants selling to hundreds of millions of EU citizens.

 

An epic fail for you, Shopify.

DarrenW123
Tourist
3 0 0

Hi, Im in the process of looking at the same scenario as part of upgrading our site. Can I ask did you ever get a reply or work out a suitable solution?

aj007
Excursionist
33 0 71

Hi - I asked their Privacy Team to reply as well, which they finally did more than 3 months later with the following:


Our team is aware of the issue and we are working on a technical fix!

What that means, and when we might expect a proper, robust, Shopify-supplied solution is anybody's guess.

 

I'm currently paying for one of the cookie banner Apps on the Shopify store, but only as a "best of the worst" solution. I've also noticed using Google PageSpeed and other test tools that App slows down my site (as you'd expect, making more 3rd-party calls) which is bad. 

DarrenW123
Tourist
3 0 0
Hi, yeah I totally agree I signed up for a cookie app too but I would much prefer a definitive out of the box solution rather than a search and hope solution as it is at the moment

SimonM
Shopify Partner
1 0 0

Hi all,

 

I emailed Shopify's privacy team about issues with Shopify consent options in relation to ICO guidance and the recent German court ruling.

 

I received this reply on the 3rd of October 2019, which you may find encouraging:

 

We understand the importance of this ruling and the impact it has on our merchants. This work is a top priority and we are currently working hard on a solution.

In the near future we will show how cookie banners can be implemented so that merchants may tie placing cookies with user consent. Also, feel free to check out cookie banner options in the Shopify App Store or contact a Shopify Expert to customize one for your needs.

Best,
Privacy Team

aj007
Excursionist
33 0 71

I assume by "the recent German court ruling" you mean this:

https://techcrunch.com/2019/10/01/europes-top-court-says-active-consent-is-needed-for-tracking-cooki...

"...So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law."

(warning: TechCrunch and all other Verizon/Oath/Yahoo sites have a most offensive labyrinth of privacy settings, likely designed to make you give up and just offer them your soul)

 

As I note in my original post above, Shopify's suggestion to "check out cookie banner options in the Shopify App Store" is more harm than good, as you'll mostly find said "cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’)".

 

Let's see if Shopify comes up with anything useful and compliant...

MarieV
Tourist
8 0 2

Thanks for raising up the topic! My store is up since 2 weeks and I'm looking for the same thing, a proper GDPR app that will help me be fully compliant. 

 

Did you hear anything back from Shopify...? Alternatively, what app are you using today - if any? 

 

Thanks a lot! 

aj007
Excursionist
33 0 71

Hi @MarieV  - sorry, I've seen nothing useful back from Shopify on this yet. Just the vague "we're working on it" replies that I got last September, and @SimonM got above in October.

 

I currently use https://apps.shopify.com/smart-eu-cookie-banner, which costs $3.00 USD / month and claims to do the following to respect European GDPR...

 

Screenshot 2020-01-04 at 08.42.42.png

MarieV
Tourist
8 0 2

Thanks a lot for your answer @aj007 ! Let's hope Shopify actually is working on it and will release it soon...

 

All the best

zole
New Member
6 0 0

Hi @aj007 does this smart eu cookie banner really works?

Because a lot of apps like this claims but they are not prior to consent.

Please advise.

leoI
Tourist
6 1 2

You can create one for free using google optimize.

Mila_Lansdowne1
Tourist
3 0 2

Thank you for posting the link to the app you are using. I hope Shopify will have a solution. it must be part of the out of the box store setup. i wish you much success with your Store.👍

 

markdc
Shopify Partner
23 0 22

I'm chiming in here to keep the attention of the Shopify staff on this point. It definitely needs to be a core feature!

Baldur_Helgason
Shopify Partner
37 2 31

Has anyone found an app that truly integrates with the Shopify Consent Tracking API? (https://shopify.dev/docs/themes/consent-tracking-api)

I’ve not been able to find any.

EDIT: Shopify seems to have their own app https://apps.shopify.com/customer-privacy-banner and from the description it seems they do integrate with the Consent Tracking API. Gonna give this a try

The Customer Privacy Banner works with Shopify’s Customer Privacy settings, allowing you to prevent customer tracking if a customer in the EU does not agree to it.

 

markdc
Shopify Partner
23 0 22

I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.

GDPR/CCPA + Cookie Management 

But according to Cookiebot, we are still not compliant.

What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.

I also just discovered the Customer Privacy options under Online Store > Preferences.

Baldur_Helgason
Shopify Partner
37 2 31

I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.

GDPR/CCPA + Cookie Management 

But according to Cookiebot, we are still not compliant.

What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.

I also just discovered the Customer Privacy options under Online Store > Preferences.

I’ve set up the one provided by Shopify and it seems to be working correctly. There is a problem with not being able to change the title of the Privacy Policy link.

The app mentioned above: GDPR/CCPA + Cookie Management does not prevent Google Analytics and Facebook JavaScript code from being downloaded before the consent is given so that’s not gonna fly for me.

Now there’s another app that claims to be using the Customer Privacy API

GDPR+

But their example store does not have google analytics or facebook pixel set up at all so I cannot confirm it is working as expected.

FC1
Excursionist
10 0 9

Hello

 

Do you have more info on this? I´m considering trying the GDPR/CCPA+Cookie Management and they say they do block google and facebook. Did you have managed to try it? Regarding other aspects they seen to be quite compliant (granular consent, ability to change consent, consent log etc).

 

Any feedback would be appreciated,

 

Cheers

 

Francisco

Robin101
Visitor
1 0 0

Hi There,

 

I am currently using teh "GDPR/CCPA + Cookie Management" app but it is really the best worst solution I could find on the market. So I am always scanning for new, better apps. 

 

I think I have found quite a good one called "GDPR Cookie Bar +ePrivacy Page". This seems to include all relevant legal aspects and is for free too so I am going to switch to this one.

 

Cheers

Santa_Sangria
Visitor
1 0 3

Just posting to say "argh"

This cannot be optional and must be solved for EU vendors. 

I've just inherited a store as part of a job. But there's no way any EU vendor should use Shopify if it is not watertight with GDPR.

Should be right at the top of the roadmap!

Appify_Commerce
Shopify Partner
31 1 3

You can reach out to our support team we could work on that, try our free application 

https://apps.shopify.com/responsive-cookie-consent-by-appifycommerce

but we can provide you satisfying solution though 

Baldur_Helgason
Shopify Partner
37 2 31

@Appify_Commerce wrote:

You can reach out to our support team we could work on that, try our free application 

https://apps.shopify.com/responsive-cookie-consent-by-appifycommerce

but we can provide you satisfying solution though 


Like many have pointed out in this thread most of the available apps (including yours) DO NOT make you GDPR compliant. Merely notifying the customer the page uses cookies (implied consent) is meaningless when it comes to being compliant. The customer needs to be able to give CLEAR consent by clicking a button before you start tracking them and that means NO tracking cookies are set and tracking scripts DO NOT run before they have consented. Apart from that, the user should be able to able to change their cookie settings after the initial consent.

zole
New Member
6 0 0

Hello, have you found any solution?

Please advise.

Petar

ui-gab
Shopify Partner
211 13 55

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf

 

Background Info:

Who tracks data:

Shopify

Google Analytics (if installed)

Others (facebook pixel, ...etc)

 

In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.

 

Theoretically, if an app can modify the theme template then it could insert javascript that blocks the tracking code from firing. But that still makes it impossible to users from being tracked on the checkout page. 

On Shopify plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.

 

Summary:

A possible solution would be to modify your theme and custom checkout page (on Shopify plus) to verify if user has consented to your data collection.

Whether anyone has actually done that yet. I'm guessing probably not on a large scale.

 

Let me know if I can help in any other way.

ui-gab
https://www.uiavenue.ca
We specialize in data analytics. If I've helped you today, please give our give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.
aj007
Excursionist
33 0 71

@ui-gab wrote:  [bolding is mine]

...In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.


 

Thanks @ui-gab - I think that perfectly sums up why proper cookie consent can only be provided by Shopify, and why this can't be relegated to an App. 

 

Shopify tends to forget Europe's half-billion+ citizens, and the 600+ billion euros of Ecommerce sales there in 2019 alone. Cookie consent is one example... they also have no workable tax-compliant gift card solution for European merchants either.

sober
Excursionist
27 0 12

I had to laugh so hard as i read "users will feel that they are respected" 

 

Wow. Just wow. There are laws, and App-Developers talk about that at leas someone "feels respected"

When the court asks us if we set those cookies, I will say "Yes, but we told them so they felt resprected"

😄

Made my day! 

It can only be solved by shopify and is indeed a core functionality, which has to be there for EU-Users (even for US Stores!) 

 

Pflege für Haut & Haar - Natürlich und wirkungsvoll.
zole
New Member
6 0 0

@ui-gab wrote:

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf

 

Background Info:

Who tracks data:

Shopify

Google Analytics (if installed)

Others (facebook pixel, ...etc)

 

In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.

 

Theoretically, if an app can modify the theme template then it could insert javascript that blocks the tracking code from firing. But that still makes it impossible to users from being tracked on the checkout page. 

On Shopify plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.

 

Summary:

A possible solution would be to modify your theme and custom checkout page (on Shopify plus) to verify if user has consented to your data collection.

Whether anyone has actually done that yet. I'm guessing probably not on a large scale.

 

Let me know if I can help in any other way.


@aj007  @ui-gab So there is no way that I can set at least prior to consent google analytics code that I manually entered?

How do people in Europe handle cookies? Are they all set to necessary?

aj007
Excursionist
33 0 71

RE: "How do people in Europe handle cookies? Are they all set to necessary?"

 

Not sure I've seen any Shopify cookie consent Apps that offer 'levels' or 'categories' of tracking - e.g. like OneTrust/etc. offer 'Necessary, Functional, Marketing, Social Media, etc.' There may well be some such Apps, and if they're honest then they'd have a rather broad 'Necessary' category, that actually translates into 'Unavoidable because only Shopify has the power to not fire these tracking codes.'

 

I fear most Shopify merchants 'handle cookies' by installing Apps that claim to be GDPR compliant, and even get good reviews... but actually are just useless decorations offering a false sense of security.

zole
New Member
6 0 0

Yes I understand. 

But professional firms that are working with Softwares for dropping cookies in every possible website claim that you can at last set prior to consent 3rd party scripts like Google analytics and Facebook pixel that you manually insert.

You basically need to edit a code in Shopify "edit code" section.

Any information about that?

ui-gab
Shopify Partner
211 13 55

Not necessarily, after a bit more research, I believe alot more app developers embed code onto the website than intended. Meaning that they have installed the code via a blocking javascript. So there could be potentially some cookie GDPR compliant apps, if they are done properly.

 

If you want to to determine if app built by one of these app developers is actually GDPR compliant, you will A. have to believe them, or B. do some investigative digging on a technical level to see which one actually does everything that is compliant with GDPR. You will probably need some sort of web developer to dig into the small details of the app to see if it actually does what it is advertising.

 

Technical digging will probably involve: installing the app(s, until you find one that does as advertised).

Check that it:

  • during load, it blocks and prevents other cookie tracking from firing until the user has accepted the right cookie selection
  • tracks each user that has explicitly accepted the cookie vs those that have rejected it
  • and a bunch of other GDPR and now CCPA related requirements

Cheers,

Gab

ui-gab
https://www.uiavenue.ca
We specialize in data analytics. If I've helped you today, please give our give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.

thegospelorian
Tourist
7 0 8

Hi everyone,

I am starting a new shopify store in Feb 2021 and was also concerned about GDPR (for EU) and CCPA (for California).

Isn't having a privacy policy (the default one provided by shopify) sufficient to satisfy GDPR and CCPA regulations?  I'm in California myself and when I go to Banana Republic's website (for example), there is no CCPA or cookies banner popping up at the bottom of the page.  They only have a privacy policy link at the bottom of the page like everyone else.  And when I checked out some GDPR banner apps on shopify, it doesn't look like a lot of shopify stores downloaded them.  So I'm wondering if having a privacy policy page is enough.  Aren't customers giving their consent by using the website?  

Also, there are instructions for store owners (GDPR white pages) to contact shopify if a customer requests information about themselves or want to erase their data.  I believe we go to the shopify admin, click customers, and click "request blah blah" which starts a process with shopify.  I believe the instructions also mentioned that shopify sends this request to all the connected apps in our store (not sure about this one). 

Any advice from shopify owners would be helpful.  Thanks and take care.      

    

pault70
Tourist
7 0 4

I really hope @Shopify is looking into this, if only for their own bottom line. Merchants will be scared off if there is the slightest risk of getting one of these huge business ruining fines if they are not compliant.

It should be possible for Shopify to adjust the way app developers create apps and force them to add new steps where consent can (perhaps optionally) be obtained (or not) and cookies or other scripts can be then used (or not) depending on the user's answer. Of course, this will add work for the developers but there really is no other option if eCommerce on Shopify is to continue.

kevin114
Visitor
1 0 0

Hi everyone,

Same issue here: setting up the shop end of 2021 and cannot get fully GDPR compliant as Shopify is triggering cookies prior to consent (their script is read before mine so Cookiebot is too late to block them) and they send some data to a "not adequate" country (US).

I reached out to customer service but they are not really tackling the issue as they suggested that I install their customer banner app (which only shows a banner without taking any actions on the background to block cookies). Therefore, I insisted until they suggested that I talk to a "Shopify Expert" which costs between $50 to $1k just as a starting fee.

Honestly, I do not get why this is so complicated - I spent hours going on forums, trying different Cookie blockers apps, understanding GDPR regulations, etc. - and this should be a native functionality (at least for all the core functions - not the third party which are usually easy to block).

Please let me know if you have any information or found a solution.

Thank you,
Kevin

mmarcus15
Shopify Partner
12 0 1

Hi Kevin,

 

Have you made any progress in this area? I have tried the GDPR/CCPA + Cookie Management app mentioned, but the issue is how they go about blocking cookies which ends up offsetting shopify analytics by a lot (since they delete cookies on every page load).

 

Curious if you have made any further progress in this area?

 

Thank you in advance!

King-Kang
Trailblazer
148 8 76

Hi everyone,

I've already tried inumerous apps, November 2, 2021, and no signal of a perfect solution.

Does anyone knows if this this code works for shopify?

It's not full compliant, but at least we can inform and have full control of the css, and we can also add "if" for languages.

Thank you

 

thegospelorian
Tourist
7 0 8
I used one of the gdpr + ccpa (california) apps on the shopify app store
and it works fine. I asked a shopify customer service rep and he said it
looked fine.
Pandectes
Shopify Partner
51 1 14

Hello all,


I've been following this thread with great interest, and I understand the concerns regarding GDPR-compliant cookie consent on Shopify. As the team behind Pandectes GDPR Compliance, we've worked closely with Shopify's privacy team over the last 5 years to develop a solution that addresses these challenges.

Briefly, I want to make some comments about the above replies:

@Simon_Schier our solution has been tested and audited by several third-party auditors and passed all tests. Technically the proper solution is not to block cookies but the services that generate these cookies - if you block cookies means that you let them fire first and then you remove them - this is not a compliant method because the tracking happens before consent.
@aj007 Shopify is providing the proper documentation to instruct third-party apps to be compliant with GDPR. Shopify also provides a GDPR way on their end to protect visitors against their cookies and this is done with the Customer Privacy API. GDPR apps like our app need to be integrated with this API in order to notify Shopify about consent. Also using an app from the app store that says something does not mean that technically does the proper activities to cover you against these regulations. In other words, having a banner that has some buttons does not mean that you are compliant.
@leoI providing a compliant solution for a Shopify Store is not an easy task and this is not only my opinion but also the opinion of the Shopify Privacy team. A GDPR application needs to have many background services and features in order to make your store compliant. In my opinion, these apps are among the most complex applications.
@markdc it's too complex to be a core feature - I think the way that Shopify porvides their Customer Privacy API is an open way to let GDPR apps communicate directly with Shopify and the GDPR webhooks that the other apps need to serve is the best model at the moment to make all together work properly. Please check our solution as well and let me know what's your feedback. FYI cookie bot is not designed for Shopify needs and doesn't cover all aspects 😉
@Baldur_Helgason our solution is one of them 🙂

Our app is designed to be 100% compliant with GDPR and other privacy regulations. Unlike many solutions that offer a false sense of compliance, Pandectes GDPR Compliance ensures that all consents are properly logged and cookies are managed in accordance with the user's preferences. It's built to handle even the most complex store setups and has been a reliable solution for thousands of stores.

 

We understand the importance of robust cookie consent mechanisms that don't just 'tick the box.' Our app integrates seamlessly with Shopify, providing a comprehensive solution for your GDPR needs without impacting site speed or user experience.

 

For those seeking a reliable, fully compliant GDPR solution for their Shopify store, we invite you to explore what Pandectes GDPR Compliance can offer.

 

Best regards,

 

Nikos

Please let me know if it works by giving it a like or marking it as a solution!
Pandectes GDPR Compliance - #1 GDPR app for Shopify merchants.
Pandectes - 100% Free Cookie Scanner.
Free plan available. Live Chat Support is available 24/7.
BarreCode
New Member
10 0 1

Hey Nikos, 

 

I prefer apps that are "built for shopify," but truthfully, I don't even know the differentiator there. Any thoughts you can share on your app in this regard since it doesn't have this badge?


Can you speak to the effects on the speed of shopify stores for your app?

Thanks!

Pandectes
Shopify Partner
51 1 14

Thank you for your message and for bringing up the "Built for Shopify" badge. I wanted to clarify that obtaining this badge involves meeting a comprehensive set of requirements outlined by Shopify, which you can find here: https://shopify.dev/docs/apps/store/built-for-shopify/criteria. While our app already adheres to the majority of these criteria, we are in the process of fulfilling all the necessary requirements to earn this distinction.

 

We understand the importance of maintaining your Shopify store's speed and performance, which is why our app strictly follows Shopify's recommended guidelines for storefront implementation (our application loads as app embed but also supports the old way of script tag). This ensures that our app does not negatively impact your store's loading times or user experience. You can easily verify this on your end using development tools to check the performance impact.

 

We're committed to providing a high-quality, compliant solution for GDPR cookie consent, and we're continuously working to meet Shopify's standards fully. If you have any further questions or need assistance, please feel free to reach out.

 

Best regards,

 

Nikos

Please let me know if it works by giving it a like or marking it as a solution!
Pandectes GDPR Compliance - #1 GDPR app for Shopify merchants.
Pandectes - 100% Free Cookie Scanner.
Free plan available. Live Chat Support is available 24/7.
BarreCode
New Member
10 0 1

Thanks, Nikos! Honestly, I already went with your app strictly because of this comment and am happy with it!