A collection of guidelines for data protection and privacy in the European Union is known as the ePrivacy Directive (EU). The regulation sets extra criteria for European privacy protection and is distinct from the General Data Protection Regulation (GDPR). It controls how data is stored and accessed on devices, including cookies, email marketing, and other privacy-related issues.
Shopify recently updated the customer privacy section of the store preferences page. This section now provides three options that determine how a store's customers control their data.
The figure below presents the new options:
The table below explains these options:
| Option | Description | Impact on analytics and marketing data |
|---|---|---|
| Collected before consent | Data is collected before a customer gives consent. This may not meet applicable data protection and privacy laws, but has no impact on analytics and ad campaigns. | No impacts on analytics or marketing data collection. |
| Partially collected before consent | Analytics data collection is limited to the duration of a user session, and marketing data collection is blocked prior to customer consent. | This option may impact analytics and marketing data, and analytics data collection can be reduced. |
| Collected after consent (Recommended) | Data is not collected until a customer gives consent. This may be required by applicable data protection and privacy protection laws but may impact analytics and ad campaigns. | Due to the potential of users declining to give permission for data collection, this option may impact analytics and marketing data. There can be a drop in the number of overall sessions. Other metrics that depend on accurate session counts for their calculation can also be affected, for example, conversion rate. |
So now any store that wants to be compliant with GDPR and similar laws needs to select the third option, which is the recommended one, and then install a GDPR application.
What’s new with these new features on customer privacy
Shopify Tracking settings have been designed to comply with the Court of Justice of the European Union’s decision on cookies, which prohibits cookies – or other tracking technologies – from storing information on a user’s device. Since session cookies are removed after a user’s visit, and cannot be used to track the user over time, this solution abides by the requirements of the decision while retaining most functionality of the website, which means these Shopify Analytics cookies are not a part of opt-outs.
The downgrade from a persistent cookie to a session cookie makes those cookies compliant with GDPR/CJEU. This is Shopify’s internal solution to remain compliant (does not store any of the data) while still servicing the merchant’s analytics, and any additional measures would have to be discussed with a legal expert.
When the clients decline non-essential cookies, Shopify is still permitted to fire the downgraded versions of their analytics cookies. They are limited in use until consent is given, in which case they are properly activated.
The downgraded cookies Shopify utilizes are compliant with GDPR and can still be fired even after the user revokes consent for non-essential cookies. We handle the downgrades from our end after receiving their consent option.
The above Shopify statements about their cookies have been a common source of confusion for merchants, but with these new options things are clearer.
Pandectes GDPR Compliance
Pandectes GDPR Compliance is compatible with the Shopify Customer Privacy API, which means that the app notifies Shopify about the visitor's consent type so that Shopify can allow or block scripts and cookies accordingly.
Pandectes GDPR Compliance provides an EU GDPR/CCPA banner, including a preferences popup and cookie compliance, and works as a complete CMP. Its flexible settings panel lets you make it fit your needs and brand.
It provides a free plan as well as paid plans that offer more features and capabilities. Thousands of Shopify stores are currently covering their GDPR needs with Pandectes GDPR Compliance.