GDPR Compliance Center by Pandectes

Why you need to care about cookie consent under the GDPR on your Shopify store

What is GDPR in more detail?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. In other words, the GDPR is a European regulation to strengthen and unify the data protection of EU citizens. You can find more information here: https://www.eugdpr.org/

How the GDPR affects Cookie Policy

Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.

Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short: when cookies can identify an individual via their device, they are considered personal data.

This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.

So briefly:

  1. GDPR states that as a website owner, you cannot assume a user has opted into the cookies being used on your website. The user must give a positive opt-in or “affirmative action” to signal their consent to the use of cookies, and you cannot force users to opt into the use of cookies.
  2. Users who do not give consent should have the same experience of your website as those who give consent, which means you have to provide the same level of service and experience to those who do not accept the cookies.
  3. Consent will need to be specific to the different cookie purposes with the ability to enable and disable cookies at a granular level for each cookie.
  4. It also means that you should not be tracking users on your website with tools such as Google Analytics until they give you specific permission to do so.

Achieving compliance

Soft opt-in consent is probably the best consent model, according to Cookie Law: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”

Take care of your customer privacy

GDPR Compliance Center is the most popular GDPR application in the store. Shopify is proposing it as the #1 GDPR alternative to the apps they removed. It provides an EU GDPR/CCPA/LGPD banner including a preferences popup and cookie compliance, and works as a complete CMP. Its flexible settings panel lets you make it fit your needs and brand.

Among its features are compatibility with Shopify’s Consent Tracking API, integration with Google Consent Mode and the Facebook Data Processing Options for California (CCPA).

In the case of GDPR, merchants need to select one of the strict-mode banners, where all non-strictly required cookies/scripts are blocked until the user gives consent. They also need to enable the options for limiting tracking for visitors from Europe through their store preferences menu option. More information is available from Shopify.

Finally, they will need to create an e-privacy page in order to support Data Subject Requests for their customers or visitors.
