It’s a fact that GDPR comes with many challenges, and it is not always easy to find answers to these questions:

  1. What does GDPR actually stand for?
  2. How can I make sure that my business is GDPR-compliant?
  3. How can I keep running my digital business successfully when it is mostly dependent on digital ads where tracking & targeting are the key elements?

We have prepared this guide to help you execute & improve your GDPR-compliant tracking and targeting. As Shopify experts, we are going to discuss the Shopify environment but the facts you can find here easily apply to all businesses. As a business, you need to:

The problem with most GDPR solutions is that they overdo this. It causes your tracking to be interrupted even when the user provides their consent due to a wrong implementation.

To exemplify this, most GDPR apps block the Google Tag Manager containers by default because the GTM’s cookie is not defined in their list. However, the GTM itself is not against GDPR and it has a consent mode. It has the feature to trigger the tags according to the user’s consent.

Chapter 1

Ideal GDPR Setup & Key Takeaways

Ideal GDPR Setup illustration

You can respect the user’s privacy and be GDPR compliant while keeping the tracking and marketing capabilities at the maximum level according to the user’s consent. So, the following takeaways will both protect the user and your business.

What should Shopify merchants do to be GDPR comliant?
  • All your cookies should be scanned and categorized (strictly necessary, marketing, statistics, reporting) and you should take the user’s consent based on the categories.
  • You need to make sure tag management solutions such as Google Tag Manager are classified as ‘strictly necessary’, but they should NOT trigger any tags before the user provides the consent. (Find details below)
  • All other cookies (that are not strictly necessary) and tracking scripts should be blocked before consent is given.
  • The tags/cookies should be enabled INSTANTLY once the consent is provided. The system shouldn’t wait for the next page as the visitor referral data will already be lost.
  • You can use privacy-friendly tracking solutions (Google Analytics alternatives) to be able to track all the data that is not against the GDPR.
This is a rough summary, make sure to take a look at our major guide on GDPR and also recommended GDPR solutions for Shopify merchants.
Chapter 2

Google Tag Manager & GDPR

Google Tag Manager & GDPR illustration

Oftentimes, GDPR solutions overlook or ignore Google Tag Manager (GTM). They either don't classify it correctly or they block it outright. Google Tag Manager can actually be a big help to make your Shopify store GDPR compliant.

In fact, GTM should be treated specifically from a GDPR standpoint as it might carry out a lot of TAGS that are super useful for tracking & targeting.

Ideally, GTM should be in the ‘strictly necessary’ cookies/scripts section. Yet, it should NOT TRIGGER any tag before the user provides consent.

The consent data should be passed to the GTM instantly (not on the next page) preferably using data layers.

GTM should trigger the related tags according to their categories and users’ consent using GTM’s Consent Mode or a manual setup based on triggers.

As the Analyzify team, we have asked our GDPR solution partners to adjust their setup accordingly. Thanks to our partners; Analyzify Google Tag Manager Integration works seamlessly for Shopify merchants.

Keep in mind that while your store is GDPR-compliant, you are also capturing all the data possible within the user’s consent.

Learn more about Analyzify GDPR solution through this page.

Chapter 3

Google Analytics & GDPR

Google Analytics & GDPR illustration

Google Analytics is definitely not a GDPR friendly tracking tool by default as it creates many cookies and stores the user’s data.

However, as it is the most popular tracking solution; almost all GDPR apps on Shopify (including Shopify’s Customer Privacy app) block the scripts and cookies by default and only trigger them when the user provides consent.

You can never be sure about it before you actually test it yourself because Google Analytics scripts might be integrated with your website in many different ways, and your GDPR solution might be blocking only the main integration.

Two common examples below might not be blocked with common Shopify GDPR solutions unless you have a completely proper GDPR integration:

  • You have hard-coded the Google Analytics 4 script and integrated Universal Analytics through the native integration. Your GDPR app will most likely ONLY block the native integration and the hardcoded script will keep running.
  • You have a third-party app to integrate into Google Analytics. You’ll get the same result if you don't use a professional & GDPR-friendly tracking solution.

You should be careful with your Google Analytics integration to be fully GDPR-compliant. Make sure to follow our step-by-step GDPR checklist for Shopify merchants.

We have requested our GDPR solution partners to make the necessary changes. Now, Analyzify Google Tag Manager Integration works effortlessly for Shopify merchants thanks to our partners.

Note that while your business is GDPR compliant, you're tracking all data you can with the user consent.

Chapter 4

Google Ads Conversion Tracking and GDPR

Google Ads Conversion Tracking & GDPR illustration

Google announced "consent mode" to minimize the harm caused by tracking. Here’s what Google tells us to do:

  • Ask user’s consent
  • Don’t block the tracking or scripts - provide the consent information to Google so that they can organize what information will be processed, kept, and used on their end.

As you can see on the related help center page by Google, if the user permits the ad_storage='granted' and analytics_storage='granted'; everything will work as it used to do in the Pre-GDPR era.

And if “ad_storage='denied':” by the user then

  • the cookies won’t be used,
  • existing first-party advertising cookies won’t be read,
  • Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
  • And there’ll be many other limitations.

If you trust Google and use the consent mode, you do so at your own risk. Don’t forget that it is your responsibility - not Google's - if your company is not GDPR-compliant.

Analyzify’s GDPR integration works with Google Consent Mode by default. However, you always have the option to remove this.

Chapter 5

Facebook Pixel & GDPR

FB Pixel & GDPR illustration

The information you are going to get here is taken from Facebook’s related guide.

Facebook simply tells you to fire Facebook Pixel on each page but also to attach the user’s consent preference within the pixel so that they’ll process the data accordingly.

Facebook GDPR
You should read this more in-depth through Facebook’s GDPR implementation guide.