How Shopify API for GDPR & CCPA & LGPD compliance works
The General Data Protection Regulation (Regulation (EU) 2016/679) GDPR and the California Consumer Privacy Act of 2018, CCPA (SB-1121 as amended at the time of this publication) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
GDPR went into effect on 25 May 2018 and is one of the most comprehensive data protection laws in the world to date. In the absence of a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country.
Similar to the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy. The CCPA went into effect on 1 January 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.
Brazil’s new privacy law, Lei Geral de Proteção de Dados (LGPD), and the EU’s General Data Protection Regulation (GDPR) look pretty similar. In fact, they are practically identical in many places.
The three laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.
GDPR vs CCPA
The General Data Protection Regulation is an EU law that is uniformly binding in all 27 member states.
GDPR controls how websites, companies and organizations, including your Shopify stores, are allowed to handle personal data, which is anything from names, e-mail addresses, ip address, browser history and many other things.
If your website has visitors from the EU and you – or embedded third party services like Google or Facebook – process any kind of personal data, the GDPR says that you must first obtain prior consent from the user.
GDPR vs LGPD
GDPR’s definition of “personal data,” is mentioned as “…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…”
The LGPD defines “personal data” as “information regarding an identified or identifiable natural person.”
These definitions are practically identical, and the small difference is probably down to translation. However, whereas the GDPR provides examples of personal data, the LGPD does not. This means that there might be more room for interpretation of the LGPD.
The list of “sensitive personal data” in the LGPD is identical, except that it includes one additional category: information regarding an individual’s membership of religious, philosophical, or political groups.
The terms “controller” and “processor” are present in both the GDPR and the LGPD, but they are defined differently in the two laws.
Despite the different wording, the GDPR’s definitions have retained the same core meanings in the LGPD.
The LGPD’s definition omits the phrase “alone or jointly with others.” Accordingly, unlike the GDPR, the LGPD does not include the concept of “joint controllers.”
Tracking European customers and visitors
European customers and visitors of your online store must give consent before they can be tracked. When we say tracked we refer not only to the Shopify platform but also to any third party service you may use that tracks users. This includes google, facebook, ad networks and even Shopify applications or third party scripts you may use on your store. The most common way of tracking customers to your online store is using browser cookies. These browser cookies are referred to as non-essential cookies and must be limited in use until consent is given by the customer.
Limit tracking for visitors from Europe
To limit the tracking of European customers visiting your online store, as determined by their IP address, you can enable Limit tracking for customers in Europe in your Shopify store settings. This is a pretty new option from Shopify that solved the most common issues around GDPR. When enabled, this feature limits Shopify’s tracking of online store customers and notifies any third-party apps that you have installed in your store to limit their own tracking.
Steps to enable this option:
- In your Shopify admin, click Online Store option from the left menu.
- Click Preferences > Customer privacy section.
- Click Limit tracking for customers in Europe checkbox to enable it.
Tracking limitation by Shopify
Third-party tracking limitation by Shopify
Because Shopify can’t control if a third-party app or script tracks a customer, they provided to third parties with a consent tracking API to integrate with. This API is essential for any GPDR/CCPA application. Among all available GDPR & CCPA applications on the store, Shopify has selected the best Cookie Banner applications.
Shopify apps integrated with consent tracking API
GDPR Compliance Center is one of them and is very popular across the globe with thousands of happy merchants. The app has integrated the Shopify Consent API from the first moment that was released and has many other integrations with third parties.
The app is providing the appropriate information to the store visitors about regulations through a cookie consent banner. It has a free plan but also it is available to paid plans with monthly charge. It is compatible with Google Analytics and Facebook as long as other marketing platforms and Ads networks such as Rakuten.
The consent tracking API tells the third party if a customer has provided consent to be tracked. If Limit tracking for customers in Europe is not enabled, then third parties using the consent tracking API are told that a European customer can be tracked unless consent is explicitly revoked.
Review the terms of service and privacy policies of third-party apps and scripts that you’re working with to determine how they are respecting customer consent. This is very important to avoid any penalties.
Customer tracking consent
It is important to gather your customers and visitors consent because there are countries and regions that require consent before tracking. This means that you don’t have to have your business in these countries or regions but if you just have visitors from there you need to comply with the law.
The most common way of gathering this consent is through an application that provides a privacy banners or cookie banners. These banners often appear at the bottom of websites and prompt the user with the option to accept non-essential cookies for analytics and marketing. Of course this is the frontend part because the hard job happens in the background so your app needs to cover all aspects of GDPR.
Third-party sale of California customer data and CCPA compliance
Under the California Consumer Privacy Act (CCPA), customers in California should be able to opt-out of the sale of their data. If you don’t provide these customers with an option to opt-out, then they should be automatically exempt from the sale of their data.
Third-party limitation of sale of your California customers’ data
To limit the third-party sale of California customers’ data, you can enable Limit the third-party sale of your California customers’ data in your Shopify store settings. When enabled, this feature informs third parties that use the consent tracking API to not sell your California customers’ data if they are doing so.
Steps to enable this option:
- In your Shopify admin, click Online Store from the left menu.
- Click Preferences > Customer privacy section.
- Click Limit the third-party sale of your California customers’ data checkbox.
When deciding to share your customer’s data with third parties note that Shopify can’t control how the data is used by third parties, and can only inform them how data should be handled. You should review the privacy policies of third-party apps and scripts that you’re working with and consult your lawyer.
Customer Privacy API
The GDPR/CCPA/LGPD application you will use needs to be connected with this API in order all the above options to work properly.
A GDPR/CCPA/LGPD application should use the Customer Privacy API to check if customers have consented to be tracked and if merchants have decided to disallow the sale of visitor data. Their implementation must include a loading pattern to ensure that the API is available. For visitor tracking consent, the app should provide a mechanism for listening to consent collection events that can fire asynchronously on the page, to ensure that the app doesn’t miss any tracking opportunities.