Best Shopify Apps – Pandectes

How Shopify API for GDPR & CCPA compliance works

Introduction

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the California Consumer Privacy Act of 2018 (CCPA, as amended by SB-1121 at the time of this publication) both aim to guarantee strong protection for individuals' personal data. Both apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.

GDPR went into effect on 25 May 2018 and is one of the most comprehensive data protection laws in the world to date. In the absence of a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country.

Similar to the GDPR, the CCPA's impact is expected to be global, given California's status as the fifth largest economy in the world. The CCPA went into effect on 1 January 2020, but certain of its provisions require organizations to provide consumers with information covering the preceding 12-month period, so the work needed to comply with the CCPA may well have had to start before the effective date.

The two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.

GDPR vs CCPA

The General Data Protection Regulation is an EU law that is uniformly binding in all 27 member states.

GDPR controls how websites, companies and organizations, including your Shopify store, are allowed to handle personal data, which covers anything from names, e-mail addresses, IP addresses and browser history to many other identifiers.

If your website has visitors from the EU and you, or embedded third-party services such as Google or Facebook, process any kind of personal data for tracking purposes, the GDPR requires that you first obtain the user's consent.

GDPR Compliance

Tracking European customers and visitors

European customers and visitors of your online store must give consent before they can be tracked. By "tracked" we mean not only tracking by the Shopify platform but also by any third-party service that tracks users: Google, Facebook, ad networks, and even Shopify apps or third-party scripts you run on your store. The most common way of tracking customers on an online store is through browser cookies. Cookies used for this purpose are referred to as non-essential cookies, and their use must be limited until the customer gives consent.

Limit tracking for visitors from Europe

To limit the tracking of European customers visiting your online store, as determined by their IP address, you can enable Limit tracking for customers in Europe in your Shopify store settings. This option, relatively new from Shopify at the time of writing, addresses the most common GDPR issues. When enabled, it limits Shopify's own tracking of online store customers and notifies any third-party apps you have installed in your store to limit their tracking as well.

Steps to enable this option:

  1. In your Shopify admin, click Online Store in the left menu.
  2. Click Preferences and scroll to the Customer privacy section.
  3. Select the Limit tracking for customers in Europe checkbox.

Tracking limitation by Shopify

Shopify limits customer and visitors tracking by downgrading its own non-essential cookies, outlined in their Cookie Policy, to session cookies. Session cookies are generally deleted when the customer closes their browser. If a customer consents to tracking, then the non-essential cookies are upgraded to persistent cookies, which are not deleted when the customer closes their browser.

Third-party tracking limitation by Shopify

Because Shopify can't control whether a third-party app or script tracks a customer, it provides third parties with a consent tracking API to integrate with. This API is essential for any GDPR/CCPA application. Shopify has selected a set of GDPR/CCPA applications from those available on the app store.

Shopify apps integrated with consent tracking API

GDPR Cookie Bar + ePrivacy Page is one of them and is very popular across the globe, with thousands of happy merchants. The app integrated the Shopify consent API from the moment it was released and has many other third-party integrations.

The app gives store visitors the appropriate information about the regulations through a cookie consent banner. It has a free plan as well as paid plans with a monthly charge. It is compatible with Google Analytics and Facebook, as well as other marketing platforms and ad networks such as Rakuten.

The consent tracking API tells the third party whether a customer has consented to being tracked. If Limit tracking for customers in Europe is not enabled, third parties using the consent tracking API are told that a European customer can be tracked unless consent has been explicitly revoked. In other words, the store setting changes the default the API reports before the customer interacts with the banner.

Review the terms of service and privacy policies of the third-party apps and scripts you work with to determine how they respect customer consent. This is very important in order to avoid penalties.

Customer tracking consent

It is important to gather your customers' and visitors' consent because some countries and regions require consent before tracking. Your business does not have to be located in those countries or regions: if you merely have visitors from there, you need to comply with their law.

The most common way of gathering this consent is through an application that provides a privacy banner or cookie banner. These banners usually appear at the bottom of the website and prompt the user to accept non-essential cookies for analytics and marketing. The banner is only the front-end part; the hard work happens in the background, so your app needs to cover all aspects of GDPR.

CCPA Compliance

Third-party sale of California customer data and CCPA compliance

Under the California Consumer Privacy Act (CCPA), customers in California must be able to opt out of the sale of their data. If you don't provide these customers with an opt-out option, then they should be automatically exempt from the sale of their data.

You can make such a statement on your privacy policy page. Before deciding whether this is something you should do, review the CCPA thresholds and talk to your lawyer to determine whether your business is affected by this regulation.

Third-party limitation of sale of your California customers’ data

To limit the third-party sale of California customers' data, you can enable Limit the third-party sale of your California customers' data in your Shopify store settings. When enabled, this feature informs third parties that use the consent tracking API not to sell your California customers' data.

Steps to enable this option:

  1. In your Shopify admin, click Online Store in the left menu.
  2. Click Preferences and scroll to the Customer privacy section.
  3. Select the Limit the third-party sale of your California customers' data checkbox.

When deciding to share your customers' data with third parties, note that Shopify can't control how third parties use the data; it can only inform them how the data should be handled. Review the privacy policies of the third-party apps and scripts you work with and consult your lawyer.

Customer Privacy API

The customer privacy API is a browser-based JavaScript API that lets developers read and write the cookies that record a buyer's consent to being tracked. The API is implemented as a property on the global window.Shopify object (window.Shopify.customerPrivacy) and is accessible on all Shopify online stores.

The GDPR/CCPA application you use needs to integrate with this API for all of the above options to work properly.

Visitor tracking

A GDPR/CCPA application should use the Customer Privacy API to check whether customers have consented to being tracked and whether the merchant has decided to disallow the sale of visitor data. The implementation must include a loading pattern to ensure that the API is available before it is called. For visitor tracking consent, the app should also provide a mechanism for listening to consent collection events, which can fire asynchronously on the page, so that the app doesn't miss any tracking opportunities once consent is given.
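The following is an added example, not code from Pandectes, from the GDPR Cookie Bar app, or from Shopify, showing how a third-party script would use the loading pattern, the consent check and the consent event described above, and how the store settings from the earlier sections change what the API reports. It assumes the method names of Shopify's consent-tracking-api 0.1 (window.Shopify.loadFeatures, window.Shopify.customerPrivacy.userCanBeTracked(), userDataCanBeSold(), getTrackingConsent(), setTrackingConsent(), setCCPAConsent(), and the trackingConsentAccepted event on document), which this page does not list. Because a real store is not available offline, the fakeCustomerPrivacy object is a constructed stand-in whose behaviour is a simplified model of the settings described on this page, not Shopify's implementation.

```javascript
'use strict';

// Added example (not Pandectes' or Shopify's code). Assumes the
// consent-tracking-api 0.1 method names noted in the lead-in above.

// Loading pattern: the API may not be present yet when an app script runs,
// so request it from window.Shopify and hand the object to the callback.
function loadCustomerPrivacy(shopify, done) {
  if (shopify.customerPrivacy) return done(null, shopify.customerPrivacy);
  shopify.loadFeatures([{ name: 'consent-tracking-api', version: '0.1' }], function (err) {
    if (err) return done(err);
    done(null, shopify.customerPrivacy);
  });
}

// Snapshot of what a third-party script is allowed to do right now.
function trackingDecision(api) {
  return {
    track: api.userCanBeTracked(),     // non-essential (analytics/marketing) tracking allowed
    sell: api.userDataCanBeSold(),     // CCPA: data may be sold to third parties
    consent: api.getTrackingConsent(), // 'yes' | 'no' | 'no_interaction'
  };
}

// Gate third-party tags on consent. If tracking is not allowed yet, hold the
// tags and release them once the banner records consent, which the API signals
// asynchronously with a trackingConsentAccepted event on the document.
function gateThirdPartyTracking(api, doc, fireTags) {
  const now = trackingDecision(api);
  if (now.track) {
    fireTags(now);
    return 'fired';
  }
  doc.addEventListener('trackingConsentAccepted', function onAccept() {
    doc.removeEventListener('trackingConsentAccepted', onAccept);
    fireTags(trackingDecision(api));
  });
  return 'deferred';
}

// Constructed stand-in for window.Shopify.customerPrivacy (simplified model,
// not Shopify's code). With "Limit tracking for customers in Europe" on, an EU
// visitor is not trackable until consent is 'yes'; with it off, the visitor is
// trackable unless consent is explicitly 'no'. With the California sale limit
// on, or after a CCPA opt-out, data may not be sold.
function fakeCustomerPrivacy(settings, doc) {
  let consent = 'no_interaction';
  let ccpaOptedOut = false;
  return {
    userCanBeTracked() {
      if (settings.limitTrackingEu && settings.visitorInEu) return consent === 'yes';
      return consent !== 'no';
    },
    userDataCanBeSold() {
      if (ccpaOptedOut) return false;
      return !(settings.limitSaleCa && settings.visitorInCa);
    },
    getTrackingConsent() { return consent; },
    setTrackingConsent(granted, cb) {
      consent = granted ? 'yes' : 'no';
      if (granted) doc.dispatchEvent(new Event('trackingConsentAccepted'));
      if (cb) cb();
    },
    setCCPAConsent(optOut, cb) {
      ccpaOptedOut = !!optOut;
      if (cb) cb();
    },
  };
}

// Run the scenarios described in the text and report what each one did.
function runScenarios() {
  const results = {};

  // EU visitor, limit-tracking enabled: tags wait until the banner is accepted.
  const docA = new EventTarget();
  const apiA = fakeCustomerPrivacy({ limitTrackingEu: true, visitorInEu: true }, docA);
  const firedA = [];
  results.euLimitedInitial = gateThirdPartyTracking(apiA, docA, (d) => firedA.push(d));
  results.euLimitedBeforeConsent = firedA.length;
  apiA.setTrackingConsent(true); // visitor clicks Accept on the banner
  results.euLimitedAfterConsent = firedA.length;
  results.euLimitedDecision = firedA[0];

  // EU visitor, limit-tracking off: tracked immediately, consent not revoked.
  const docB = new EventTarget();
  const apiB = fakeCustomerPrivacy({ limitTrackingEu: false, visitorInEu: true }, docB);
  results.euUnlimited = gateThirdPartyTracking(apiB, docB, () => {});

  // California visitor: sale limit on blocks selling; otherwise a CCPA opt-out does.
  const docC = new EventTarget();
  results.caSaleLimited = fakeCustomerPrivacy({ limitSaleCa: true, visitorInCa: true }, docC).userDataCanBeSold();
  const apiC = fakeCustomerPrivacy({ limitSaleCa: false, visitorInCa: true }, docC);
  results.caSaleDefault = apiC.userDataCanBeSold();
  apiC.setCCPAConsent(true); // visitor opts out of sale
  results.caSaleAfterOptOut = apiC.userDataCanBeSold();

  // Loading pattern against a fake window.Shopify that attaches the API lazily.
  const docD = new EventTarget();
  const shopify = { loadFeatures(features, cb) { this.customerPrivacy = fakeCustomerPrivacy({}, docD); cb(null); } };
  loadCustomerPrivacy(shopify, (err, api) => {
    results.loaded = !err && typeof api.userCanBeTracked === 'function';
  });

  return results;
}
```

In a real theme or app script, loadCustomerPrivacy would be passed window.Shopify and gateThirdPartyTracking would be passed document, with fireTags being the function that injects the analytics or ad pixels; the point to keep is that nothing non-essential runs before userCanBeTracked() returns true, and that the event listener is registered before the banner is shown so a late consent is never missed.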
