How Shopify Merchants Can Be GDPR Compliant

Validation - Is your store really GDPR - compliant?

GDPR Solutions for
Shopify Merchants


Analyzify & GDPR

GDPR Enforcements - Fines

FAQ

Technical Details & Definitions

Dear merchants, we have some bad news for you: Showing a cookie notice banner doesn’t make your Shopify store GDPR-compliant. What’s worse, even enabling the Customer Privacy setting in Shopify or using a GDPR app may not be enough at all.

We know how important GDPR is to you as a Shopify merchant – and how many EU companies have been fined as a result of being non-compliant to these regulations.

Let’s make it clear first: This is not a scare story. We have just prepared this guideline with a bunch of reliable information to so that you can:

  • Have an idea about what GDPR is and what your responsibilities are,
  • Check if your store is GDPR compliant (most probably not),
  • Find the problems & missing points with your GDPR-compliance,
  • Be guided through all the assets on Shopify to finally be GDPR-compliant.

According to GDPR, if a user does not give their consent , data cookies and tracking shouldn’t be allowed. However, this is not the case for many websites. Most of the time, tracking begins before consent is even given, or some pixels continue to function even if the user does not provide their consent.

So, we’ll take a closer look at the matter and see if your Shopify store is GDPR-compliant. We’ll most likely discover that it is not – but don’t worry, we’ll also provide you with a road map so that you can fix this. Let’s jump right in!

Achieve Data Confidence and Get the Help You Need When It Matters.
Key Takeaways

Important: As this is a rather complicated and significant subject, you may not be able to completely comprehend the essential takeaways. This is only a synopsis, so please read through each section thoroughly to make sure your Shopify store is GDPR-compliant.


You are going to discover a completely straightforward & actionable set of information in this guide. If you are interested in technical details and theoretical knowledge, don’t hesitate to scroll down to the last section of the page.

You will also see a bookmark for the table of contents mentioned in this guide. You can click on them to jump into the related section of information.

Chapter 1

How Shopify Merchants Can Be GDPR - Compliant



Here are the assets and functions you need to have to make your Shopify store GDPR-compliant. To prepare this list, we got help from the official GDPR guidelines: Regulation 2016/679.
 

Beware of Your Toolset

This is the #1 point on our list because it is where the majority of Shopify merchants fail. As a business owner, you are responsible for ALL data collection, tracking, and cookies that occur through your store – no matter if they are first-party or third party. Let’s go into details with an example:

Let’s say you have Google Analytics, TikTok Pixel, and a survey software on your website. Each of these tools has their own tracking, data collection activities, and cookies, and they collect user information on their own databases. In this case, you need to:

  • Explain all of these in your Privacy Policy (how, why, which data is collected),
  • Get your visitor’s consent for all of these tracking types & cookies,
  • Allow your visitor/user to download & delete their data.

In most Shopify stores, we just see the classic Google Analytics and Shopify permissions on the Privacy Policy, but the other third-party tools aren’t mentioned.

Following the same example, if the user doesn’t provide their consent, even though some cookie/consent notice banners block Google Analytics, TikTok Pixel keeps working no matter what.

So, it’s extremely important for you to know the toolset that you use to collect, process, and store data.

Privacy Policy

This is an easy one to start with. Shopify alreadys provides a Privacy Policy generator and it works just great. Other than this tool, you can also find tons of privacy policy solutions in the market which perform really well.

Here are some important notes about the issue though:

  • Your Privacy Policy has to reflect how you collect, use, share, and secure your customer’s personal information.
  • You should state how long you intend to keep your customer’s data in a document.
  • Your privacy policy must describe your customer’s preferences regarding use, access, and correction of their personal information.
  • You need to make sure your customers can find your Privacy Policy easily.
  • You have to update your Privacy Policy if you feel that it does not contain the information mentioned.

 

 

Another important point: You should also remember to include Terms & Conditions, and add some extra paragraphs about GDPR in it. Luckily, Shopify also helps you with this: Terms and conditions generator. 

 

Cookie Consent Bar

We have arrived at the most complex part of the topic. Here, we will go through the most important requirements and common mistakes, but you can check out our more extensive version which covers a complete setup guide where we discuss all of these settings in greater detail.

Requirements:

  1. You should ask users what type of cookies they allow, and also give them the option to decline any of them.
  2. You should not try to assume what the users will choose, and “tick” the options in advance for them.
  3. You have to make sure that cookies & tracking don’t start before the consent is provided. In most cases (as we mentioned with an example above), some pixels do stop, but some of them keep on working even before the user has provided their consent.
  4. You need to have a cookie banner which the ‘Accept’ and ‘Reject’ buttons are equally visible & noticeable.
  5. Do not utilize cookie popups that prevent users from visiting your website (cookie walls). Cookie walls do not comply with the GDPR. Even if the user does not consent to the usage of cookies, they should be able to use your website.

Solutions:

You can find many cookie consent solutions on the Shopify app store such as GDPR apps, and many other external tools.

Shopify also has its own app called "Customer Privacy Banner". You can find more details about it in the section called "GDPR Solutions for Shopify Merchants".


Make Personal Data Manageable & Accessible


“Personal data” includes information such as a person’s name, address(es), email, IP address, cookie ID, credit card number, order number, and social media account.

Your visitors from the EU must be able to view, modify, and/or rectify their data. So, you must allow them to delete, modify, or access their data as a store owner.

Some GDPR apps also offer this feature as you’ll see down below.

 

Other Points:

 

  • Don’t collect the data you don’t need. For example, don’t ask your clients about their company name if you don’t need that information. More data means more responsibility – and it’s not a good idea for you.

     

  • As mentioned in the beginning of the chapter, you need to be aware of any 3rd party apps/solutions you are using to deal with your user’s data. Make sure to check this out for each app you are using. Shopify Partners are quite careful with this topic and do their best to be GDPR-compliant.

     

  • You’re responsible for any data breaches and security. Therefore, you need to be diligent when they happen.

     

  • You need to protect your customers from:
    • Illegal or unauthorized processing,
    • Unintentional loss,
    • Destruction or damage.

       

  • It’s good to know that Shopify uses the HTTPS protocol to encrypt data that is received and delivered from merchants and buyers.

     

  • You can set up some other security features – such as setting up role-based permissions for staff accounts – through your Shopify Admin page.
Chapter 2

Validation - Is your really store GDPR - compliant?

 

We have prepared this step-by-step and in-depth guide to help you make sure that your Shopify store is GDPR-compliant and clarify the problems in case you have any.

All you need to do is just read this through and take the needed steps and actions carefully.

1- Privacy Policy Check

Is your Privacy Policy easily accessible from every page of your website? Is it clearly visible and clickable through your Cookie Consent Banner?

Are Google Analytics, Facebook, and other targeting and tracking platforms mentioned, and do you provide an option for your user to opt-out? Shopify's policy generator includes Google Analytics, Google Ads, Facebook Pixel, and Bing by default. You should also add other tracking tools (such as Pinterest, Snapchat, TikTok, Twitter, LinkedIn, Klaviyo, etc.) if you are using any.

Are cookies listed and classified on your Privacy Policy? Shopify's policy generator already lists the classic ones, but you should add the others if you are using more.

Have you added all the vendors with whom you share customer/order/visitor information with (such as payment types, sales channels, fulfillment centers, customer service support, etc.)?

2- Consent Banner Visual & Content Check

  • Do your visitors have full control to accept, decline, or change cookie settings on the banner?

  • Is your banner accessible and visible from all devices (mobile, desktop, tablet, all browsers etc.)?

  • Is the cookie table (with name, type, purpose, and duration) present in the privacy policy or another section of the consent banner?

  • Do you have an option (callback widget) for the users to revoke their consent at any time?

3- Auto-block Third-Party Cookies & Requests

You should block all the cookies and requests until the user’s consent is given. This is a technical step and most merchants fail at this. That’s why we have included a step-by-step technical tutorial for you here. You don’t need to be a developer or have any technical knowledge to perform this check. A Chrome browser is all you need!

Step 1: Visit your website

Open your website in an incognito window. You need a clear window so that you can make sure you don’t have any cookies on your website. If you are not located in the EU, use a VPN, as the GDPR solutions mostly work in the EU.

Step 2: Check your consent banner

You should be seeing the consent banner that checks the conditions explained above. DO NOT provide any consent and move to step 3.

Open Google Chrome Developer tools (Windows: Ctrl +Shift + J / Mac: Option + ⌘ + J).

On the Chrome Developer Console, click "Application" > "Cookies".

If you haven’t seen “Application” in the first place; it should be hidden under the arrows as seen below.

Here under the cookies section, you SHOULD NOT be seeing any other cookie group other than your own website. If you see anything related with Facebook, TikTok, or the Google group here, that’s a GDPR violation because the user hasn’t provided their consent and yet there is a Facebook 3rd Party cookie.

It doesn’t always need to be Facebook.com. There could be other examples as well unless the cookies are strictly necessary - they shouldn’t be here.

Your cookie consent solution is NOT working properly if this is the case for your store. On your Chrome Developer Console, click "Network". It is not only about cookies - network requests can also be dangerous. Check the "3rd-party requests" tickbox and it will list down all the requests.

Let’s make one thing clear: not all 3rd party requests are prohibited – they could be strictly necessary as well. As an example, if you are playing a Youtube video on your website, there will be a request to YouTube; or if you have a Google font, there will be a request to fonts.google.com – these are innocent requests.

However, that’s not the case with Google Tag Manager, Facebook, Klaviyo, Google Analytics, etc. You will understand when you see it. You can also search and filter keywords like “collect”, “facebook”, “analytics” to go ahead and see.

These requests should NOT be here before the user provides or doesn’t give their consent.

4- Record All User Consent for Proof of Compliance

You should save all the consent that have been provided by users. Most consent tools already do this, so you don’t have to do anything else. Just make sure it is there and accessible for you.

What if you failed?

  • Check out the next section called “GDPR Solutions for Shopify Merchants” and make sure you benefit from one of our recommended solutions.

  • If you do, contact your apps or service providers to make your store GDPR-compliant. Don’t hesitate to send them this checklist as well.
Chapter 3

GDPR Solutions for Shopify Merchants


There are many GDPR solutions for merchants that can be found in the Shopify App store. Some of them are external solutions that can be integrated with your store.

We came up with this list considering the best choices for Shopify merchants.

Here is our priorities when choosing data analytics tools for GDPR-compliance:

To be GDPR-compliant and fit all requirements of GDPR.

To provide proper tracking (Analytics, FB Pixel, and others) as long as users provide their consent.

GDPR Compatible Tracking:

Some GDPR tools block the tracking completely or partially even after the user provides consent. You wouldn’t want this scenario either, because you have the right to use tracking & cookies if the user provides their consent.


Important:
  This is a rough summary. You can check out our page for the most detailed and up-to-date information: Shopify GDPR Solutions to be 100% GDPR Compliant

1. Customer Privacy Banner (by Shopify)

Shopify has built the Customer Privacy Banner app to provide you with an easy GDPR consent solution to implement. It works together with customer privacy settings within the Preferences section. Unfortunately, we do not recommend this as it is not fully GDPR-compliant. You can learn more about this solution and read PROs and CONs on this page.

2. Pandectes GDPR Compliance (by Pandectes)

This is another great option from the Shopify ecosystem that delivers everything you need for GDPR compliance. Make sure to read our in-depth review on this app and compare it with others before you make up your mind, or check  our detailed guide to learn how to set the app with Analyzify. For more information on integration between Pandectes GDPR Compliance & Analyzify, check out  here 

3. Cookiebot (by Usercentrics)

Cookiebot is an external solution and it is not a Shopify app. It provides you with all the features to be GDPR-compliant, and it also gives you the tools to have GDPR-friendly tracking on your website. This is one of our top recommended solutions. You can learn more about this solution, read PROs and CONs, and compare with others our detailed guide on this page. You can also check out our setup guide on to see how you can set the app with Analyzify.

4. Axeptio (by Tranzistor)

Axeptio is another great option which works through Google Consent Mode, and creates a quick and compliant cookie banner by connecting to your store. You can learn more about how to set up Axeptio with Analyzify through here.

Chapter 4

Analyzify's GDPR Solutions


Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You can refer to this page for more information, but to cut-it-short, there are 2 options you can choose in our app to have GDPR-compliant tracking:

Do-It-Yourself GDPR

This is our self-service option – Analyzify mainly works as a self-service tool with comprehensive guides at each step to empower its users. It is a detailed, video-guided, and risk-free process that comes with a GDPR-enabled GTM container. Since setting up GDPR is a relatively complex process which requires a few technical steps, we recommend this option for merchants who are experienced with code blocks and GTM containers in general.

We provide all the guidance possible in our Knowledge Base including detailed documentation, but again, if you don’t have any experience with editing your theme and adjusting the app settings, please note that this might be hard for you.

Done-For-You GDPR

GDPR compliant setup – done by Analyzify specialists at no extra cost. Recommended for merchants who want a professional setup and may not be experienced with the related technical concepts or simply not have the time.

Here is a list of what’s included:

  • GDPR setup & audit

  • Consent management tool adjustments;

  • Validation & tests
Chapter 5

GDPR Enforcements - Fines


Yes, many companies actually do get fined. Depending on the violation type, GDPR fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

As you can see from the image, there are fines ranging from €2000 to €130.000 for January 2022. And the record fines go to:

- Amazon: €746M
- Whatsapp: €225M
- Google: €90M + €60M + €60M
- H&M: €35M

Chapter 6

FAQ

Shopify Conversion Tracking Chapter FAQ

Analyzify experts can take care of your GDPR setup completely at no extra cost! Simply install the app and choose the “Done-For-You GDPR” option as your setup method, and our team will provide you with a GDPR audit, consent management tool adjustments, and validation & tests.

Please note that showing a cookie notice banner doesn’t make your Shopify store GDPR-compliant. (Learn more)

Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You will have the GDPR section at the end of your regular setup.

Depends on the store. Merchants are responsible for their stores to be GDPR compliant themselves, as Shopify doesn’t own the stores and doesn’t carry a responsibility to make the stores GDPR compliant.

This is how Shopify explains it on their related page:

As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.

Shopify provides merchants with a platform that can be configured to be GDPR compliant, but it is up to merchants on how they would like to run their businesses.

Here’s the short answer: Yes and no.

It does help your site to be GDPR compliant, but it can also enable every users’ data to be treated in a different way based on their consent status, processing some of them as anonymous and some of them as normal. Because of this, it is not enough to only use Consent Mode to be GDPR compliant.

No, it is unfortunately not enough.

Although those settings limit the data transfers, they are still not sufficient, as GDPR regulations are much more complex and you need to have many other features to be GDPR compliant as a Shopify merchant.

No. A cookie consent banner is only one of the requirements of GDPR, not to mention most cookie consent banners on Shopify fail the requirements of the banner functions and visuals.

Follow our detailed guideline and checklist to make sure your store is GDPR compliant.

As of May 2021, Google Tag Manager has been updated with an integrated consent feature that allows for each tag you create to have built-in consent checks. So, GTM now asks for a cookie consent to be able to function in accordance with your website.

At its default state, the answer is no.

For your Google Analytics to be GDPR compliant, your website should have a privacy policy that explains how it processes data, to which your visitors can give or deny their consent for your cookies to track their behavior.

As a Shopify merchant, it is your legal responsibilty to be GDPR compliant if you are serving to the clients in the European Union (EU).

We have prepared a detailed guidance and a checklist for Shopify merchants on the GDPR topic, so please follow it carefully to ensure your store passes as compliant.

Chapter 7

Technical Details & Definitions

What is GDPR?

The General Data Protection Regulation (or GDPR in short) is a EU regulation law that covers data protection and privacy. You can discover more about it by visiting: “What is GDPR? by EU.” 

What is consumer privacy?

Consumer privacy refers to information privacy related to product and service users.

What is a privacy policy?

A privacy policy is a declaration or legal document that explains how a party collects, uses, discloses, and manages a customer’s or client’s data in one or more ways.

What is ‘Terms & Conditions’?

It covers the legal agreements between a service provider and a person that wants to benefit from it.

What is the importance of cookies with GDPR?

Cookies are little text files that websites save on your computer or mobile device while you are surfing the web. They are generally harmless and can usually be viewed and removed with ease. However, they can also store a lot of information about you. Because of the amount of data they might hold, they may be considered personal data under certain situations and thus be subject to GDPR. Find out more.

What is consent?

It’s a voluntary agreement to another’s proposition.

What is a consent management platform (CMP)?

It’s a platform that publishers can use to request, receive, and store user consent, which then can be saved as list of preferred vendors that explain why they’ve been collecting the users’ information.

What is PII?

Personally Identifiable Information (or PII in short) is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, etc. You can learn more about it here.