Dear merchants, we have some bad news for you: Showing a cookie notice banner doesn't make your Shopify store GDPR-compliant. What’s worse, even enabling the Customer Privacy setting in Shopify or using a GDPR app may not be enough at all.
We know how important GDPR is to you as a Shopify merchant - and how many EU companies have been fined as a result of being non-compliant to these regulations.
Let’s make it clear first: This is not a scare story. We have just prepared this guideline with a bunch of reliable information to so that you can:
- Have an idea about what GDPR is and what your responsibilities are,
- Check if your store is GDPR compliant (most probably not),
- Find the problems & missing points with your GDPR-compliance,
- Be guided through all the assets on Shopify to finally be GDPR-compliant.
According to GDPR, if a user does not give their consent , data cookies and tracking shouldn’t be allowed. However, this is not the case for many websites. Most of the time, tracking begins before consent is even given, or some pixels continue to function even if the user does not provide their consent.
So, we'll take a closer look at the matter and see if your Shopify store is GDPR-compliant. We'll most likely discover that it is not - but don't worry, we'll also provide you with a road map so that you can fix this. Let's jump right in!
Important: As this is a rather complicated and significant subject, you may not be able to completely comprehend the essential takeaways. This is only a synopsis, so please read through each section thoroughly to make sure your Shopify store is GDPR-compliant.
- GDPR fines increased over 40% between January 2020 and January 2021. Hundreds of companies are fined every month - so this makes it a serious, serious topic to learn about.
- Even if you are not located in the EU, your Shopify store needs to be GDPR-compliant if you are serving customers in European countries.
- The tracking (and related cookies) on your website should not start before the user provides consent, and the users should always have the option to opt out.
- The users should have the option to delete all of their personal information from your databases.
You are going to discover a completely straightforward & actionable set of information in this guide. If you are interested in technical details and theoretical knowledge, don’t hesitate to scroll down to the last section of the page.
You will also see a bookmark for the table of contents mentioned in this guide. You can click on them to jump into the related section of information.
How Shopify Merchants Can Be GDPR-Compliant
Here are the assets and functions you need to have to make your Shopify store GDPR-compliant. To prepare this list, we got help from the official GDPR guidelines: Regulation 2016/679.
Beware of Your Toolset
This is the #1 point on our list because it is where the majority of Shopify merchants fail. As a business owner, you are responsible for ALL data collection, tracking, and cookies that occur through your store - no matter if they are first-party or third party. Let’s go into details with an example:
Let's say you have Google Analytics, TikTok Pixel, and a survey software on your website. Each of these tools has their own tracking, data collection activities, and cookies, and they collect user information on their own databases. In this case, you need to:
- Get your visitor’s consent for all of these tracking types & cookies,
- Allow your visitor/user to download & delete their data.
Following the same example, if the user doesn’t provide their consent, even though some cookie/consent notice banners block Google Analytics, TikTok Pixel keeps working no matter what.
So, it’s extremely important for you to know the toolset that you use to collect, process, and store data.
Here are some important notes about the issue though:
- You should state how long you intend to keep your customer’s data in a document.
Another important point: You should also remember to include Terms & Conditions, and add some extra paragraphs about GDPR in it. Luckily, Shopify also helps you with this: Terms and conditions generator.
Make Personal Data Manageable & Accessible
"Personal data" includes information such as a person's name, address(es), email, IP address, cookie ID, credit card number, order number, and social media account.
Your visitors from the EU must be able to view, modify, and/or rectify their data. So, you must allow them to delete, modify, or access their data as a store owner.
Some GDPR apps also offer this feature as you’ll see down below.
- Don’t collect the data you don’t need. For example, don’t ask your clients about their company name if you don’t need that information. More data means more responsibility - and it’s not a good idea for you.
- As mentioned in the beginning of the chapter, you need to be aware of any 3rd party apps/solutions you are using to deal with your user’s data. Make sure to check this out for each app you are using. Shopify Partners are quite careful with this topic and do their best to be GDPR-compliant.
- You’re responsible for any data breaches and security. Therefore, you need to be diligent when they happen.
- You need to protect your customers from:
- Illegal or unauthorized processing,
- Unintentional loss,
- Destruction or damage.
- It’s good to know that Shopify uses the HTTPS protocol to encrypt data that is received and delivered from merchants and buyers.
- You can set up some other security features - such as setting up role-based permissions for staff accounts - through your Shopify Admin page.
Validation - Is your really store GDPR-compliant?
We have prepared this step-by-step and in-depth guide to help you make sure that your Shopify store is GDPR-compliant and clarify the problems in case you have any.
All you need to do is just read this through and take the needed steps and actions carefully.
Is it clearly visible and clickable through your Cookie Consent Banner?
Are Google Analytics, Facebook, and other targeting and tracking platforms mentioned, and do you provide an option for your user to opt-out?
Shopify's policy generator includes Google Analytics, Google Ads, Facebook Pixel, and Bing by default. You should also add other tracking tools (such as Pinterest, Snapchat, TikTok, Twitter, LinkedIn, Klaviyo, etc.) if you are using any.
Shopify's policy generator already lists the classic ones, but you should add the others if you are using more.
2 Consent Banner Visual & Content Check
- Do your visitors have full control to accept, decline, or change cookie settings on the banner?
- Is your banner accessible and visible from all devices (mobile, desktop, tablet, all browsers etc.)?
- Do you have an option (callback widget) for the users to revoke their consent at any time?
4 Record All User Consent for Proof of Compliance
You should save all the consent that have been provided by users. Most consent tools already do this, so you don’t have to do anything else. Just make sure it is there and accessible for you.
What if you failed?
- Check out the next section called “GDPR Solutions for Shopify Merchants” and make sure you benefit from one of our recommended solutions.
- If you do, contact your apps or service providers to make your store GDPR-compliant. Don’t hesitate to send them this checklist as well.
GDPR Solutions for Shopify Merchants
There are many GDPR solutions for merchants that can be found in the Shopify App store. Some of them are external solutions that can be integrated with your store.
We came up with this list considering the best choices for Shopify merchants.
Here is our priorities when choosing data analytics tools for GDPR-compliance:
- To be GDPR-compliant and fit all requirements of GDPR.
- To provide proper tracking (Analytics, FB Pixel, and others) as long as users provide their consent.
GDPR Compatible Tracking:Some GDPR tools block the tracking completely or partially even after the user provides consent. You wouldn’t want this scenario either, because you have the right to use tracking & cookies if the user provides their consent.
Important: This is a rough summary. You can check out our page for the most detailed and up-to-date information: Shopify GDPR Solutions to be 100% GDPR Compliant
2. GDPR Compliance Center (by Pandectes)
This is another great option from the Shopify ecosystem that delivers everything you need for GDPR compliance.
Make sure to read our in-depth review on this app and compare it with others before you make up your mind, or check our detailed guide to learn how to set the app with Analyzify. For more information on integration between GDPR Compliance Center & Analyzify, check out here.
4. Axeptio (by Tranzistor)
Axeptio is another great option which works through Google Consent Mode, and creates a quick and compliant cookie banner by connecting to your store.
You can learn more about how to set up Axeptio with Analyzify through here.
Analyzify's GDPR Solutions
Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You can refer to this page for more information, but to cut-it-short, there are 2 options you can choose in our app to have GDPR-compliant tracking:
This is our self-service option - Analyzify mainly works as a self-service tool with comprehensive guides at each step to empower its users. It is a detailed, video-guided, and risk-free process that comes with a GDPR-enabled GTM container. Since setting up GDPR is a relatively complex process which requires a few technical steps, we recommend this option for merchants who are experienced with code blocks and GTM containers in general.
We provide all the guidance possible in our Knowledge Base including detailed documentation, but again, if you don't have any experience with editing your theme and adjusting the app settings, please note that this might be hard for you.
GDPR compliant setup - done by Analyzify specialists at no extra cost. Recommended for merchants who want a professional setup and may not be experienced with the related technical concepts or simply not have the time.
Here is a list of what's included:
- GDPR setup & audit
- Consent management tool adjustments
- Validation & tests
GDPR Enforcements - Fines
Yes, many companies actually do get fined. Depending on the violation type, GDPR fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Analyzify experts can take care of your GDPR setup completely at no extra cost! Simply install the app and choose the “Done-For-You GDPR” option as your setup method, and our team will provide you with a GDPR audit, consent management tool adjustments, and validation & tests.
Please note that showing a cookie notice banner doesn't make your Shopify store GDPR-compliant. (Learn more)
Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You will have the GDPR section at the end of your regular setup.
Depends on the store. Merchants are responsible for their stores to be GDPR compliant themselves, as Shopify doesn't own the stores and doesn't carry a responsibility to make the stores GDPR compliant.
This is how Shopify explains it on their related page:
As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.
Shopify provides merchants with a platform that can be configured to be GDPR compliant, but it is up to merchants on how they would like to run their businesses.
Here's the short answer: Yes and no.
It does help your site to be GDPR compliant, but it can also enable every users' data to be treated in a different way based on their consent status, processing some of them as anonymous and some of them as normal. Because of this, it is not enough to only use Consent Mode to be GDPR compliant.
No, it is unfortunately not enough.
Although those settings limit the data transfers, they are still not sufficient, as GDPR regulations are much more complex and you need to have many other features to be GDPR compliant as a Shopify merchant.
No. A cookie consent banner is only one of the requirements of GDPR, not to mention most cookie consent banners on Shopify fail the requirements of the banner functions and visuals.
Follow our detailed guideline and checklist to make sure your store is GDPR compliant.
As of May 2021, Google Tag Manager has been updated with an integrated consent feature that allows for each tag you create to have built-in consent checks. So, GTM now asks for a cookie consent to be able to function in accordance with your website.
At its default state, the answer is no.
As a Shopify merchant, it is your legal responsibilty to be GDPR compliant if you are serving to the clients in the European Union (EU).
We have prepared a detailed guidance and a checklist for Shopify merchants on the GDPR topic, so please follow it carefully to ensure your store passes as compliant.
Technical Details & Definitions
- What is GDPR?
- The General Data Protection Regulation (or GDPR in short) is a EU regulation law that covers data protection and privacy. You can discover more about it by visiting: "What is GDPR? by EU."
- What is consumer privacy?
Consumer privacy refers to information privacy related to product and service users.
- What is ‘Terms & Conditions’?
It covers the legal agreements between a service provider and a person that wants to benefit from it.
- What is the importance of cookies with GDPR?
Cookies are little text files that websites save on your computer or mobile device while you are surfing the web. They are generally harmless and can usually be viewed and removed with ease. However, they can also store a lot of information about you. Because of the amount of data they might hold, they may be considered personal data under certain situations and thus be subject to GDPR. Find out more:
- What is consent?
It’s a voluntary agreement to another's proposition.
- What is a consent management platform (CMP)?
It’s a platform that publishers can use to request, receive, and store user consent, which then can be saved as list of preferred vendors that explain why they've been collecting the users' information.
- What is PII?
Personally Identifiable Information (or PII in short) is any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, etc. You can learn more about it here: