Why is cookie consent (per GDPR) not core Shopify functionality?

aj007
Excursionist
31 0 65

Shopify, this question is for you...

 

If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).

  

Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.

 

So why does Shopify fob-off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.

 

I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zendesk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either. 

 

Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.

 

When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Replies 40 (40)
MarieV
Tourist
8 0 2

Thanks a lot for your answer @aj007 ! Let's hope Shopify actually is working on it and will release it soon...

 

All the best

earth9
Explorer
108 3 10
Hi, Shopify is an eCommerce platform worldwide. So it doesn't only focus on the EU market. So it's not their core function. But a lot of app companies have developed GDPR cookie bars for Shopify. So did we; Shopify already approved our GDPR cookie bar. Here it is: https://apps.shopify.com/gdpr-bar?utm_source=shopifyforum&utm_medium=forum&utm_campaign=songfei

It has 3 main functions:

  • Notify User of Cookies on Site: Show your customers that the site uses cookies by banner, users will feel that they are respected. Increase their favorability of your site.
  • Avoid Paying Penalty Charges: The EU GDPR Cookie Bar informs the customers that you are using cookies, so you don't have to worry about paying high penalty charges.
  • Cookie Consent Banner: Present customers a banner asking for their consent for the cookies used on the store. Full customization of the bar types.

And you can find more in the instructions.

Reincarnated
Pathfinder
102 8 28

I have also created a fully customizable one that uses code in the themes section. It can be viewed here if you're interested: demo.ecomdev.ca

finnhartwich
New Member
2 0 6

@earth9 wrote:
Hi, Shopify is an eCommerce platform worldwide. So it doesn't only focus on the EU market. So it's not their core function. But a lot of app companies have developed GDPR cookie bars for Shopify. So did we; Shopify already approved our GDPR cookie bar. Here it is: https://apps.shopify.com/gdpr-bar?utm_source=shopifyforum&utm_medium=forum&utm_campaign=songfei

It has 3 main functions:

  • Notify User of Cookies on Site: Show your customers that the site uses cookies by banner, users will feel that they are respected. Increase their favorability of your site.
  • Avoid Paying Penalty Charges: The EU GDPR Cookie Bar informs the customers that you are using cookies, so you don't have to worry about paying high penalty charges.
  • Cookie Consent Banner: Present customers a banner asking for their consent for the cookies used on the store. Full customization of the bar types.

And you can find more in the instructions.

You clearly haven't read any post in this thread. Your app doesn't solve any of the problems mentioned and as said before by the OP, does more harm than good for Vendors who focus on the European market.


Reincarnated
Pathfinder
102 8 28

For Shopify to track the acceptance they would need to attach that information somewhere. If the Customer is not logged into an account, then it's anonymous Information. Also (and I'm not sure why) not everyone uses Google Analytics. In Addition to this, since Cookie bars are not default, it's hard to force the information.

 

https://support.google.com/tagmanager/answer/6106716?hl=en#AllClicks

 

The Above link shows how to add Custom Collection of Information, and could be attached to your "Accept" Button. You could make it a popup as well (like Age Verification) saying if they do not accept, they can not enter and have it Redirect to another site if they say no. But Again this would need to be set up on a per use basis since it could change from Theme to theme, or app to app, not to mention the custom settings in Google Analytics.

I will see if I can get the Basis of it set up in my cookie bar. Right now I use Facebook Tracking in it (optional, and experimental) but I will see if I can get mine set up accordingly. It's a very fair point seeing that they can call for proof. Being in Canada, and serving Canada and the USA with my stores, it's not something I had to dig into much myself. But I will try to get my Code updated.

 

Best Regards.

aj007
Excursionist
31 0 65

Thanks @finnhartwich - agreed it sounds like another 'more harm than good' app :)

 

Note you don't have to 'focus' on the European market for GDPR to be relevant. You just need to have at least a few customers in the EU... and Ecommerce News claims 'Ecommerce sales in Europe grew to 621 billion euros in 2019' - so chances are very good that you do have some!

zole
New Member
6 0 0

Hi @aj007, does this smart EU cookie banner really work?

Because a lot of apps like this claim to, but they are not prior to consent.

Please advise.

zole
New Member
6 0 0

Hello, have you found any solution?

Please advise.

Petar

ui-gab
Shopify Partner
210 13 55

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf

 

Background Info:

Who tracks data:

Shopify

Google Analytics (if installed)

Others (facebook pixel, ...etc)

 

In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you to run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.

 

Theoretically, if an app can modify the theme template then it could insert javascript that blocks the tracking code from firing. But that still makes it impossible to stop users from being tracked on the checkout page. 

On Shopify plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.

 

Summary:

A possible solution would be to modify your theme and custom checkout page (on Shopify plus) to verify if the user has consented to your data collection.

Whether anyone has actually done that yet, I'm guessing probably not on a large scale.

 

Let me know if I can help in any other way.

ui-gab
https://www.uiavenue.ca
We specialize in data analytics. If I've helped you today, please give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.
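
Added example, not code from this thread, from Shopify or from any app mentioned here: a sketch of the theme-level approach described in the post above, where tracking tags register with a gate that runs them only after an explicit accept, together with the consent record the original post says a merchant must be able to produce. `createConsentGate`, `memoryStorage`, `POLICY_VERSION`, the `"consent"` storage key and the category names are hypothetical, and `sendRecord` is assumed to post the record to the merchant's own server-side log.

```javascript
// Consent gate meant to run inline in the theme <head>, before any tracking tag (all names hypothetical).
const POLICY_VERSION = "constructed-policy-v1"; // constructed sample value

function createConsentGate(storage, sendRecord, now = () => new Date()) {
  const pending = new Map(); // category -> queued loader callbacks
  let granted = new Set();
  try {
    // Restore an earlier decision only if it was given for the current policy text.
    const rec = JSON.parse(storage.getItem("consent"));
    if (rec && rec.policyVersion === POLICY_VERSION) granted = new Set(rec.categories);
  } catch (_) { /* corrupt value: treat as no consent */ }
  return {
    // Tracking tags register a loader instead of injecting their script directly.
    register(category, loader) {
      if (granted.has(category)) return loader();
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(loader);
    },
    // Call only from the banner's explicit "accept" action.
    grant(categories) {
      const record = {
        policyVersion: POLICY_VERSION,
        categories: [...categories].sort(),
        timestamp: now().toISOString(),
      };
      storage.setItem("consent", JSON.stringify(record));
      sendRecord(record); // the server-side copy is what proves consent later
      for (const c of categories) {
        granted.add(c);
        for (const loader of pending.get(c) || []) loader();
        pending.delete(c);
      }
      return record;
    },
    // Refusal or withdrawal: queued loaders are dropped and never run.
    deny() {
      granted.clear();
      pending.clear();
      storage.removeItem("consent");
    },
    isGranted: (category) => granted.has(category),
  };
}

// In-memory stand-in for localStorage so the example also runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => void m.set(k, String(v)), removeItem: (k) => void m.delete(k) };
}
```

A gate like this only controls tags that the theme itself loads through `register`; as the post above notes, it cannot reach the platform's own tracking or the checkout pages.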
aj007
Excursionist
31 0 65

@ui-gab wrote:  [bolding is mine]

...In technical terms.

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your google analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you to run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.


 

Thanks @ui-gab - I think that perfectly sums up why proper cookie consent can only be provided by Shopify, and why this can't be relegated to an App. 

 

Shopify tends to forget Europe's half-billion+ citizens, and the 600+ billion euros of Ecommerce sales there in 2019 alone. Cookie consent is one example... they also have no workable tax-compliant gift card solution for European merchants either.