Dear merchants, we have some bad news for you: showing a cookie notice banner doesn't make your Shopify store GDPR-compliant. What’s worse, even enabling the Customer Privacy setting in Shopify or installing a GDPR app may not be enough on its own.

We know how important GDPR is to you as a Shopify merchant, and how many companies have already been fined under it.

Let’s make it clear first, though: this is not a scare story. We have prepared this guide to give you reliable information that will:

  • Give you an idea of what GDPR is and what your responsibilities are
  • Check if your store is GDPR compliant (most probably not!)
  • Find the problems & missing points with your GDPR compliance
  • Guide you through how you can properly have all the assets on Shopify to finally be GDPR compliant.

Under the GDPR, if a user does not give consent, non-essential cookies and tracking must not run. However, this is not the case on many websites: most of the time, tracking begins before consent is given, or some pixels keep working even when the user declines.

So, we'll take a closer look at the matter and see if your Shopify store is GDPR-compliant. We'll most likely discover that it is not - but don't worry, we'll also provide you with a road map so that you can fix this. Let's jump right in!

Key Takeaways

Important: This is a complicated and significant subject, and the key takeaways alone won't give you the full picture. They are only a synopsis, so please read each section below thoroughly to make sure your Shopify store is GDPR-compliant.

  • GDPR fines increased over 40% between January 2020 and January 2021. Hundreds of companies are fined every month, which makes this a serious topic to learn about.
  • Even if you are not located in the EU, your Shopify store needs to be GDPR-compliant if you serve customers in European countries.
  • Most probably, your website is not GDPR-compliant at the moment. Check it by following this article!
  • Showing a cookie banner or having a privacy policy doesn’t make things alright for GDPR. The requirements go much deeper than that.
  • This post lists all the tools and actions you need.
  • Tracking (and the related cookies) on your website must not start before the user gives consent, and users must always be able to withdraw that consent as easily as they gave it.
  • Users must be able to have their personal information deleted from your databases, except where you are legally required to keep it (invoices and tax records, for example).

You are going to discover a completely straightforward & actionable set of information in this guide. If you are interested in technical details and theoretical knowledge, don’t hesitate to navigate to the last section of the page.


Chapter 1

How Shopify Merchants can be GDPR compliant

Shopify & GDPR Guide - Chapter 1

Here are the assets and functions you need in order to make your Shopify store GDPR compliant. To prepare this list we worked from the text of the regulation itself: Regulation (EU) 2016/679.

Know Your Toolset

This is the #1 point on our list because it is where the majority of Shopify merchants fail. As the business owner you are the data controller, responsible for ALL data collection, tracking and cookies that happen through your store, whether first-party or third-party. Let’s go into detail with an example:

You have Google Analytics, the TikTok Pixel and a survey tool on your website. Each of these tools has its own tracking, data collection and cookies, and each sends the user's information to its own databases. In this case, you need to:

  • Explain all of them in your Privacy Policy (which data is collected, how, and why).
  • Get your visitor’s consent for all of this tracking and these cookies, before any of it starts.
  • Allow your visitors/users to download or delete their data from each of them.

In most Shopify stores we only see the standard Google Analytics and Shopify clauses in the Privacy Policy, while the other third-party tools aren’t mentioned at all.

Following the same example: when the user declines, some cookie consent banners block Google Analytics but leave the TikTok Pixel running regardless.

So, it’s extremely important for you to know the toolset that you use to collect, process, and store data.

Privacy Policy

This is an easy one to start with. Shopify has a Privacy Policy generator and it works well. Besides that tool, there are dozens of privacy policy solutions on the market that perform just as well. Whichever you use, the generated text is a template: it only becomes your privacy policy once it lists the tools and vendors you actually run.

You can find some important notes about the issue below:

  1. Your Privacy Policy has to reflect how you collect, use, share and secure your customers’ personal information.
  2. It should state how long you intend to keep your customers’ data (your retention period).
  3. It must describe the options customers have to access, correct and restrict the use of their personal information, and how to exercise them.
  4. Your customers must be able to find your Privacy Policy easily.
  5. Update your Privacy Policy whenever your tools or processing change, so that it always contains the information above; a generated template only describes the tools it knows about, not the apps you added later.

You can check out Shopify’s Privacy Policy generator here: Free privacy policy generator

Another important point: You should also include Terms And Conditions, and add some extra paragraphs about GDPR within your terms and conditions. Shopify also helps you with this: Terms and conditions generator.

Make Personal Data Manageable/Accessible

"Personal data" includes information such as a person's name, address(es), email, IP address, cookie ID, credit card number, order number and social media account.

Your visitors from the EU have the right to access, rectify and erase their personal data. As the store owner you must give them a way to view, correct and delete it.

Some GDPR apps also offer this feature as you’ll see down below.

Other Points:

  • Don’t collect data you don’t need. For example, don’t ask customers for their company name if you don’t use it. More data means more responsibility (data minimisation is an explicit GDPR principle), and it is not in your interest.
  • As mentioned in #1, you need to be aware of the third-party apps and solutions you use that handle your users’ data, and check each one. Shopify requires apps in its App Store to respond to its customer data request and erasure webhooks, but it is still your job to know what each app collects and where it sends it.
  • You’re responsible for security and for data breaches. You need to be able to detect a breach, and under GDPR a personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it.
  • You need to protect your customers’ data from:
    • Illegal or unauthorised processing.
    • Accidental loss.
    • Destruction or damage.
  • It’s good to know that Shopify serves stores over HTTPS, which encrypts data in transit between buyers, your store and Shopify. It does not protect data you hand over to third-party apps.
  • You can set up other security features from the Shopify admin, such as role-based permissions for staff accounts, so that each employee sees only the customer data they need (least privilege).

Chapter 2

Validation - Is your store GDPR-compliant?


We have prepared this step-by-step and in-depth guide to help you make sure that your Shopify store is GDPR-compliant and to clarify the problems in case you have any.

All you need to do is just read this through and take the needed steps and actions carefully.

1 Privacy Policy Check

Is your Privacy Policy easily accessible?

Is it linked from every page of your website (the footer is the usual place), and clearly visible and clickable from your Cookie Consent Banner?

Google Analytics, Facebook and other targeting

Are Google Analytics, Facebook and the other targeting and tracking platforms you use mentioned, and is there an option to opt out of each?

Shopify's policy generator includes Google Analytics, Google Ads, Facebook and Bing by default. You have to add the others yourself (Pinterest, Snapchat, TikTok, Twitter, LinkedIn, Klaviyo, etc.) if you use them.

Are cookies listed and classified?

Are the cookies you set listed and classified (necessary, analytics, marketing) in your Privacy Policy?

Shopify's policy generator already lists the standard Shopify cookies; add the others if you use more.

Have you added all the vendors?

Have you added all the vendors with whom you share customer, order or visitor information, such as payment providers, sales channels, fulfillment centers and customer service tools?

2 Consent Banner Visual & Content Check

  • Do visitors have full control to accept, decline or change cookie settings from the banner, with declining as easy as accepting?
  • Is the banner accessible and visible on all devices (mobile, desktop, tablet) and in all browsers?
  • Is a cookie table (name, type, purpose and duration) present in the privacy policy or in a section of the consent banner?
  • Do users have a way (for example a persistent link or widget) to revoke their consent at any time?

3 Auto-block third-party cookies & requests

You should block all non-essential cookies and third-party requests until the user’s consent has been given. This is a technical step and it is where most merchants fail, which is why we have included a step-by-step technical tutorial here. You don’t need to be a developer or have any technical knowledge to perform this check; a Chrome browser is all you need.

Step 1: Visit website

Visit your website in an incognito window. You need a clean session so that no cookies from earlier visits are present. If you are not located in the EU, use a VPN with an EU exit point: most consent tools geo-target and only show the banner (and block tracking) for EU visitors.

Step 2: Check consent banner

You should be seeing the consent banner that suits the conditions that are explained above. DO NOT provide any consent and move to step 3.

Step 3: Chrome dev tools

Open Google Chrome Developer Tools (Windows: Ctrl + Shift + J, Mac: Option + ⌘ + J).

Step 4: Cookies Check

In Developer Tools, open the Application tab and expand Cookies under the Storage section.

Step 4.1

If you can’t see an Application tab, it is hidden behind the » overflow arrows at the right of the tab bar.

Step 4.2

Under Cookies you SHOULD NOT see any host other than your own store. If you see a Facebook, TikTok or Google host listed here, that is a GDPR VIOLATION: the user has not given consent, yet a third-party cookie has already been set.

Step 4.3

It doesn’t always have to be facebook.com; any other host counts. Unless the cookies are strictly necessary, they shouldn’t be here. Check the cookie names under your own host as well: pixels also write first-party cookies such as _ga and _gid (Google Analytics), _fbp and _fbc (Meta) and _ttp (TikTok) under your store’s domain, and those are just as much a pre-consent violation as a third-party cookie.

If this is the case for your store, your cookie consent solution is NOT working properly.

Step 5: Network requests

It is not only about cookies; network requests matter too. In Developer Tools, open the Network tab, reload the page so the full load is captured, and tick the ‘3rd-party requests’ checkbox. It lists every request to a host other than your own.

To be clear, not all third-party requests are prohibited; some are strictly necessary. If you embed a YouTube video there will be a request to YouTube, and if you use a Google font there will be requests to fonts.googleapis.com and fonts.gstatic.com. This guide treats those as innocent, although even Google Fonts has been found unlawful without consent by a German court (LG München I, January 2022) because it sends the visitor’s IP address to Google, so self-hosting fonts is the safer choice.

That is not the case with Google Tag Manager, Facebook, Klaviyo, Google Analytics and similar: those are trackers. Filter the request list for keywords like “collect”, “facebook” or “analytics” to find them quickly.

These requests should NOT be there before the user provides consent.
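The same pre-consent check, automated, as an added example that is not code from this guide or from any of the vendors mentioned. classifyRequests() sorts the resource URLs a page has loaded into first-party, known trackers, allowed third parties and unknown third parties, and trackerCookieNames() spots the first-party cookies that pixels write under your own domain. The vendor hostnames and cookie names are the vendors' well-known ones; the sample page host, the survey-vendor host and the GTM-XXXX / G-XXXX ids are constructed for the demo. In a real check, paste the block into the DevTools console before touching the banner and call auditPreConsent().

```javascript
// Added example: automated version of the Chapter 2 cookie + network check.

// Known tracker script/collect endpoints (regex is tested against the full URL).
const TRACKER_PATTERNS = [
  { vendor: 'Google Tag Manager', re: /googletagmanager\.com/ },
  { vendor: 'Google Analytics', re: /google-analytics\.com|\/g\/collect/ },
  { vendor: 'Meta Pixel', re: /connect\.facebook\.net|facebook\.com\/tr/ },
  { vendor: 'TikTok Pixel', re: /analytics\.tiktok\.com/ },
  { vendor: 'Klaviyo', re: /klaviyo\.com/ },
];

// Hosts the guide treats as strictly necessary (Shopify's CDN, fonts, embedded video).
const ALLOWED_THIRD_PARTY_HOSTS = [
  /(^|\.)shopify\.com$/,
  /^fonts\.(googleapis|gstatic)\.com$/,
  /(^|\.)(youtube\.com|ytimg\.com)$/,
];

// First-party cookie names written by the pixels above under the store's own domain.
const TRACKER_COOKIE_NAMES = new Set(['_ga', '_gid', '_gat', '_fbp', '_fbc', '_ttp']);

// Naive registrable domain: last two labels. Fine for .com stores; two-level TLDs
// (.co.uk) and the shared myshopify.com domain would need a public-suffix list.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function classifyRequests(urls, pageHost) {
  const own = registrableDomain(pageHost);
  const report = { firstParty: [], allowed: [], trackers: [], unknownThirdParty: [] };
  for (const url of urls) {
    let parsed;
    try { parsed = new URL(url); } catch { continue; }
    if (!/^https?:$/.test(parsed.protocol)) continue; // data:, blob: carry no request
    if (registrableDomain(parsed.hostname) === own) { report.firstParty.push(url); continue; }
    const hit = TRACKER_PATTERNS.find((t) => t.re.test(url));
    if (hit) { report.trackers.push({ vendor: hit.vendor, url }); continue; }
    if (ALLOWED_THIRD_PARTY_HOSTS.some((re) => re.test(parsed.hostname))) report.allowed.push(url);
    else report.unknownThirdParty.push(url); // needs manual review against your vendor list
  }
  return report;
}

// document.cookie string -> names of known tracker cookies, in order of appearance.
function trackerCookieNames(cookieString) {
  return cookieString.split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => TRACKER_COOKIE_NAMES.has(name));
}

// True when something a consent banner should have blocked was loaded or set.
function hasPreConsentTracking(report, cookieString = '') {
  return report.trackers.length > 0 || trackerCookieNames(cookieString).length > 0;
}

// Browser entry point. Run it in the DevTools console before interacting with the banner.
function auditPreConsent() {
  if (typeof location === 'undefined' || typeof document === 'undefined') {
    throw new Error('auditPreConsent() must run in a browser DevTools console');
  }
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  const report = classifyRequests(urls, location.hostname);
  // HttpOnly and third-party cookies are invisible to document.cookie: still check the Application tab.
  report.trackerCookies = trackerCookieNames(document.cookie);
  report.fail = hasPreConsentTracking(report, document.cookie);
  return report;
}

// Constructed sample standing in for performance.getEntriesByType('resource') on a failing store.
const SAMPLE_PAGE_HOST = 'example-store.myshopify.com';
const SAMPLE_REQUESTS = [
  'https://example-store.myshopify.com/products/tee',
  'https://cdn.shopify.com/s/files/1/0000/theme.js',
  'https://fonts.gstatic.com/s/inter/v12/inter.woff2',
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://analytics.tiktok.com/i18n/pixel/events.js',
  'https://static.klaviyo.com/onsite/js/klaviyo.js',
  'https://cdn.survey-vendor.example/widget.js', // hypothetical unknown vendor
  'data:image/png;base64,iVBORw0KGgo=',
];
```

On the constructed sample the report lists five tracker requests and one unknown third party, so hasPreConsentTracking() returns true: that store's banner is not blocking anything. An empty trackers list is not a pass by itself; anything under unknownThirdParty still has to be matched against your Privacy Policy's vendor list by hand.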

4 Record all user consents for proof of compliance

You should store every consent decision that users make. A record should at least contain the time, the choices made (per category), and the version of the banner and policy the user saw, so that you can prove what the user agreed to. Most consent tools already do this, so you don’t have to do anything else; just make sure the record exists and you can access it.

What if you failed?

  • Check out the next section, “Shopify GDPR Solutions”, and make sure you use one of our recommended solutions.
  • If you already use one, contact your app or service provider to make your store GDPR-compliant. Don’t hesitate to send them this checklist.

Chapter 3

GDPR Solutions for Shopify Merchants


There are many GDPR solutions for you as a Shopify merchant. You can find them in the Shopify App store, and some of them are external solutions that can be integrated with your store.

We came up with this list considering the best choices for Shopify merchants.

Our priorities, from a data analytics point of view, when evaluating a GDPR solution:

  • It must be GDPR-compliant and meet all the requirements of GDPR.
  • It must allow proper tracking (Analytics, FB Pixel and others) as soon as, and only when, users give consent.

GDPR Compatible Tracking: Some GDPR tools block tracking completely or partially even after the user provides consent. You wouldn’t want that either, because you are entitled to run your tracking and cookies once the user has consented.

Important: This is a rough summary. You can check out our page for the most detailed and up-to-date information: Shopify GDPR Solutions to be 100% GDPR Compliant

1. Customer Privacy Banner by Shopify

Shopify has built the Customer Privacy Banner app to provide you with an easy GDPR consent solution to implement. It works together with customer privacy settings within the Preferences section.

Unfortunately, we do not recommend that as it is not fully GDPR-compliant.

Learn more about this solution and read PROs and CONs on this page.

2. Cookiebot

Cookiebot is an external solution; there is no dedicated Shopify app, so you integrate it into your theme yourself. It provides all the features needed to be GDPR-compliant, and it also gives you the tools to run GDPR-friendly tracking on your website.

This is one of our top recommended solutions.

Learn more about this solution, read PROs and CONs, and compare with others on this page.

4. GDPR Compliance Center by Pandectes

Another solid system from the Shopify ecosystem that delivers everything you need for GDPR compliance.

Make sure to read our in-depth review of this app and compare it with the others before you make up your mind.

Chapter 4

GDPR Enforcements - Fines


Yes, many companies are actually fined. Depending on the type of violation, GDPR fines can reach €20 million or 4% of the firm’s worldwide annual turnover from the preceding financial year, whichever amount is higher.

GDPR Fines January 2022 (figure)

In January 2022 alone, fines ranged from €2,000 to €130,000. And the record fines go to:

  • Amazon €746M
  • Whatsapp €225M
  • Google €90M + €60M + €60M
  • H&M €35M

Chapter 5

FAQ

Is showing a cookie consent banner enough to be GDPR compliant?

No. A cookie consent banner is only one of the requirements of GDPR, and most cookie consent banners on Shopify stores fail even the requirements for the banner’s own functions and visuals.

Follow our detailed guideline and checklist to make sure your store is GDPR compliant.

Is Shopify GDPR compliant?

It depends on the store. Merchants are responsible for making their own stores GDPR compliant, because Shopify doesn’t own the stores and doesn’t carry the responsibility for making them compliant.

This is how Shopify explains it on their related page:

As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.

Shopify provides merchants with a platform that can be configured to be GDPR compliant, but it is up to merchants on how they would like to run their businesses.

As a Shopify merchant, it is your legal responsibility to be GDPR compliant if you serve customers in the European Union (EU).

We have prepared a detailed guidance and a checklist for Shopify merchants on the GDPR topic, so please follow it carefully to ensure your store passes as compliant.

Is enabling the Customer Privacy settings in Shopify enough?

No, it is unfortunately not enough.

Although those settings limit some data transfers, they are not sufficient on their own: GDPR requirements are much broader, and you need many other features in place to be GDPR compliant as a Shopify merchant.

Does Google Tag Manager ask for consent?

Not by itself. Since May 2021, Google Tag Manager has included built-in consent settings, so each tag you create can require specific consent types before it fires. GTM does not show a banner or collect consent, though: your consent tool has to tell GTM the visitor’s choice (typically through Google’s consent mode signals), and the container itself still loads before consent, so check that no tag fires until consent has been signalled.

Is Google Analytics GDPR compliant?

In its default state, the answer is no.

For your Google Analytics setup to be GDPR compliant, your website needs a privacy policy that explains how it processes data, and your visitors must be able to give or deny consent before any Google Analytics cookies are set or hits are sent.

Does Google Consent Mode make your store GDPR compliant?

Here’s the short answer: yes and no.

It helps: with consent mode, Google’s tags adjust their behaviour to each user’s consent status, so users who decline are processed without cookies (as anonymous, cookieless pings) while users who accept are tracked normally. But consent mode only governs Google’s own tags, it may still send those cookieless pings for users who declined depending on how it is implemented, and it does nothing about your other vendors. So it is not enough on its own to be GDPR compliant.
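The consent gating that the Google Tag Manager and Consent Mode answers above describe, together with the consent record that Chapter 2's step 4 asks you to keep, as an added example; this is not code from this guide, from Google or from Shopify. The gtag('consent', 'default' | 'update', ...) calls are Google's documented Consent Mode API; the gate itself, the two category names and the receipt fields are this example's own design, and the tag names and banner version in the walk-through are constructed. In a browser you would pass gtag: window.gtag after the standard dataLayer stub, and call update() from the banner's buttons.

```javascript
// Added example: a consent gate that blocks tags until consent and records each decision.

const CATEGORIES = ['analytics', 'marketing'];

// Maps the two example categories onto the Consent Mode v2 storage flags.
function consentModePayload(state) {
  return {
    analytics_storage: state.analytics,
    ad_storage: state.marketing,
    ad_user_data: state.marketing,
    ad_personalization: state.marketing,
  };
}

function createConsentGate({ gtag = null, now = () => new Date().toISOString(), bannerVersion = 'unversioned' } = {}) {
  const state = { analytics: 'denied', marketing: 'denied' }; // nothing granted until the user decides
  const pending = { analytics: [], marketing: [] };
  const loaded = [];
  const receipts = [];

  // Defaults must be pushed before any Google tag runs, otherwise GA4/Ads assume consent.
  if (gtag) gtag('consent', 'default', consentModePayload(state));

  // Register a tag's loader; it runs immediately only if its category is already granted.
  function register(name, category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (state[category] === 'granted') { loader(); loaded.push(name); }
    else pending[category].push({ name, loader });
  }

  // Apply the visitor's banner choice: { analytics: bool, marketing: bool }.
  // Returns the receipt that should be persisted as proof of consent.
  function update(choices) {
    const receipt = { timestamp: now(), bannerVersion };
    for (const c of CATEGORIES) {
      state[c] = choices[c] ? 'granted' : 'denied';
      receipt[c] = state[c];
      if (state[c] === 'granted') {
        for (const tag of pending[c].splice(0)) { tag.loader(); loaded.push(tag.name); }
      }
    }
    receipts.push(receipt);
    if (gtag) gtag('consent', 'update', consentModePayload(state));
    return receipt;
  }

  // Withdrawal: nothing new loads and Google tags drop back to denied. Scripts that
  // already executed cannot be unloaded, so a real banner should also expire the
  // tracker cookies and reload the page after a withdrawal.
  function withdraw() { return update({ analytics: false, marketing: false }); }

  return {
    register, update, withdraw,
    getState: () => ({ ...state }),
    getLoaded: () => loaded.slice(),
    getReceipts: () => receipts.map((r) => ({ ...r })),
  };
}

// Constructed walk-through: two tags, a partial accept, a full accept, then withdrawal.
function demo() {
  const gtagCalls = [];
  const gate = createConsentGate({
    gtag: (...args) => gtagCalls.push(args),
    now: () => '2024-05-01T10:00:00Z',
    bannerVersion: 'banner-v3',
  });
  const fired = [];
  gate.register('ga4', 'analytics', () => fired.push('ga4'));
  gate.register('tiktok-pixel', 'marketing', () => fired.push('tiktok-pixel'));
  gate.update({ analytics: true, marketing: false }); // GA4 loads, TikTok stays blocked
  gate.update({ analytics: true, marketing: true });  // TikTok loads now
  gate.withdraw();                                    // everything denied again
  return { fired, gtagCalls, receipts: gate.getReceipts(), state: gate.getState() };
}
```

The design point is that the loader for every non-essential tag lives behind register(), so a tag that was never registered through the gate cannot fire early. This is also the check to run against a GDPR app that "blocks tracking even after consent": after update({ analytics: true, marketing: true }) the registered loaders must have run.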

Chapter 6

Technical Details & Definitions

What is GDPR?

The General Data Protection Regulation is an EU regulation that covers data protection and privacy. You can discover more about it by visiting: "What is GDPR? by EU."

What is consumer privacy?

Consumer privacy refers to information privacy related to product and service users.

What is a privacy policy?

A privacy policy is a declaration or legal document that explains how a party collects, uses, discloses, and manages a customer's or client's data in one or more ways.

What is ‘Terms & Conditions’?

It covers the legal agreement between a service provider and a person who wants to use that service.

What is the importance of ‘Cookies and the GDPR’?

Cookies are little text files that websites save on your computer or mobile device while you browse. They are generally harmless and can usually be viewed and removed with ease. However, they can store a lot of information about you, and because of that a cookie (or the identifier it holds) may be considered personal data in many situations, so it falls under the GDPR.

What is consent?

It’s a voluntary agreement to another's proposition

What is a consent management platform (CMP)?

It’s a platform that publishers can use to request, receive and store user consent, and to keep a list of the vendors that receive the data and the purposes for which they collect it.

What is PII?

Personally Identifiable Information is any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, etc. Note that the GDPR uses the broader term "personal data", which also covers online identifiers such as IP addresses and cookie IDs: something that is not PII under US definitions may still be personal data under the GDPR.