Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) GDPR and the California Consumer Privacy Act of 2018, CCPA (SB-1121 as amended at the time of this publication) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use or share consumer data, whether the information was obtained online or offline.
GDPR went into effect on 25 May 2018 and is one of the most comprehensive data protection laws in the world to date. In the absence of a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country.
Similar to the GDPR, the CCPAβs impact is expected to be global, given Californiaβs status as the fifth-largest global economy. The CCPA went into effect on 1 January 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date. Brazilβs new privacy law, Lei Geral de Proteção de Dados (LGPD), and the EUβs General Data Protection Regulation (GDPR) look pretty similar. In fact, they are practically identical in many places.
The three laws bear similarities in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.
GDPR vs CCPA
The General Data Protection Regulation is an EU law that is uniformly binding in all 27 member states.
GDPR controls how websites, companies, and organizations, including your Shopify stores, are allowed to handle personal data, which is anything from names, e-mail addresses, IP addresses, browser history, and many other things.
If your website has visitors from the EU and you β or embedded third-party services like Google or Facebook β process any kind of personal data, the GDPR says that you must first obtain prior consent from the user.
GDPR vs LGPD
GDPRβs definition of βpersonal data,β is mentioned as ββ¦any information relating to an identified or identifiable natural person (βdata subjectβ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifierβ¦β The LGPD defines βpersonal dataβ as βinformation regarding an identified or identifiable natural person.β These definitions are practically identical, and the small difference is probably down to translation. However, whereas the GDPR provides examples of personal data, the LGPD does not. This means that there might be more room for interpretation of the LGPD. The list of βsensitive personal dataβ in the LGPD is identical, except that it includes one additional category: information regarding an individualβs membership in religious, philosophical, or political groups. The terms βcontrollerβ and βprocessorβ are present in both the GDPR and the LGPD, but they are defined differently in the two laws. Despite the different wording, the GDPRβs definitions have retained the same core meanings in the LGPD. The LGPDβs definition omits the phrase βalone or jointly with others.β Accordingly, unlike the GDPR, the LGPD does not include the concept of βjoint controllers.β
GDPR Compliance
Tracking European customers and visitors
European customers and visitors of your online store must give consent before they can be tracked. When we say tracked we refer not only to the Shopify platform but also to any third-party service you may use that tracks users. This includes Google, Facebook, ad networks, and even Shopify applications or third-party scripts you may use on your store. The most common way of tracking customers to your online store is using browser cookies. These browser cookies are referred to as non-essential cookies and must be limited in use until consent is given by the customer.
Limit tracking for visitors from Europe
To limit the tracking of European customers visiting your online store, as determined by their IP address, you can enable Limit tracking for customers in Europe in your Shopify store settings. This is a pretty new option from Shopify that solved the most common issues around GDPR. When enabled, this feature limits Shopifyβs tracking of online store customers and notifies any third-party apps that you have installed in your store to limit their own tracking.
Steps to enable this option:
- In your Shopify admin, click the Online Store option from the left menu.
- Click Preferences > Customer privacy section.
- Click the Collected after consent checkbox to enable it.
Tracking limitation by Shopify
Shopify limits customer and visitor tracking by downgrading its own non-essential cookies, outlined in its Cookie Policy, to session cookies. Session cookies are generally deleted when the customer closes their browser. If a customer consents to track, then the non-essential cookies are upgraded to persistent cookies, which are not deleted when the customer closes their browser.
Third-party tracking limitation by Shopify
Because Shopify canβt control if a third-party app or script tracks a customer, they provided third parties with a consent tracking API to integrate with. This API is essential for any GPDR/CCPA application. Among all available GDPR & CCPA applications on theΒ store, Shopify has selected the best Cookie BannerΒ applications.
Shopify apps integrated with consent tracking API
Pandectes GDPR Compliance is one of them and is very popular across the globe with thousands of happy merchants. The app has integrated the Shopify Consent API from the first moment that was released and has many other integrations with third parties.
The app is providing the appropriate information to the store visitors about regulations through a cookie consent banner. It has a free plan but also it is available to paid plans with a monthly charge. It is compatible with Google Analytics and Facebook as long as other marketing platforms and Ads networks such as Rakuten.
The consent tracking API tells the third party if a customer has provided consent to be tracked. If Limit tracking for customers in Europe is not enabled, then third parties using the consent tracking API are told that a European customer can be tracked unless consent is explicitly revoked.
Review the terms of service and privacy policies of third-party apps and scripts that youβre working with to determine how they are respecting customer consent. This is very important to avoid any penalties.
Customer tracking consent
It is important to gather your customerβs and visitorsβ consent because there are countries and regions that require consent before tracking. This means that you donβt have to have your business in these countries or regions but if you just have visitors from there you need to comply with the law.
The most common way of gathering this consent is through an application that provides privacy banners or cookie banners. These banners often appear at the bottom of websites and prompt the user with the option to accept non-essential cookies for analytics and marketing. Of course, this is the frontend part because the hard job happens in the background so your app needs to cover all aspects of GDPR.
CCPA Compliance
Third-party sale of California customer data and CCPA compliance
Under the California Consumer Privacy Act (CCPA), customers in California should be able to opt out of the sale of their data. If you donβt provide these customers with an option to opt-out, then they should be automatically exempt from the sale of their data.
You can make such a statement on your privacy policy page. Before deciding if this is something you should be doing, you should review the CCPA thresholds and talk to your lawyer to determine if your business is affected by this regulation.
Third-party limitation of sale of your California customersβ data
To limit the third-party sale of California customersβ data, you can enable Limit data collection for customers residing in California in your Shopify store settings which in fact forse you to install Shopify’s application. An alternative is to use another app for CCPA, such as the Pandectes GDPR Compliance, which supports CCPA as well.
If you follow the Shopify CCPA app, then when enabled, this feature informs third parties that use the consent tracking API not to sell your California customersβ data if they are doing so.
Steps to enable this option:
- In your Shopify admin, click Online Store from the left menu.
- Click Preferences > Customer privacy section.
- Check the Limit data collection for customers residing in California
When deciding to share your customerβs data with third parties note that Shopify canβt control how the data is used by third parties, and can only inform them how data should be handled. You should review the privacy policies of third-party apps and scripts that youβre working with and consult your lawyer.
At this step you have also the option to select another app for CCPA. Again the Pandectes GDPR Compliance can do the job for you.
Customer Privacy API
TheΒ customer privacy APIΒ is a browser-based, Javascript API that enables developers to read and write cookies related to a buyerβs consent to be tracked. The API is implemented as a property on the globalΒ window. ShopifyΒ object and is accessible to all Shopify online stores.
The GDPR/CCPA/LGPD application you will use needs to be connected with this API in order for all the above options to work properly.
Visitor tracking
A GDPR/CCPA/LGPD application should use the Customer Privacy API to check if customers have consented to be tracked and if merchants have decided to disallow the sale of visitor data. Their implementation must include aΒ loading patternΒ to ensure that the API is available. For visitor tracking consent, the app should provide a mechanism forΒ listening to consent collection eventsΒ that can fire asynchronously on the page, to ensure that the app doesnβt miss any tracking opportunities.Post navigation