What is GDPR in more detail?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is a European regulation designed to harmonize data privacy laws across Europe, strengthen and unify the data protection of EU citizens, and reshape the way organizations across the region approach data privacy. More information is available at https://www.eugdpr.org/
Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organization that uses them to track users’ browsing activity.
Recital 30 of the GDPR states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers, or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short: when cookies can identify an individual via their device, they are considered personal data.
This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.
Not all cookies are used in a way that could identify users, but the majority are, and those will be subject to the GDPR. This includes cookies for analytics, advertising, and functional services, such as survey and chat tools.
- Users who do not give consent should have the same experience of your website as those who give consent, which means you have to provide the same level of service and experience to those who do not accept the cookies.
- Consent will need to be specific to the different cookie purposes with the ability to enable and disable cookies at a granular level for each cookie.
- It also means that you should not be tracking users on your website with tools such as Google Analytics until they give you specific permission to do so.
Soft opt-in consent is probably the best consent model, according to Cookie Law: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
Take care of your customers’ privacy
GDPR Compliance Center is the most popular GDPR application in the store. Shopify is proposing it as the #1 GDPR alternative to the apps it removed. It provides an EU GDPR/CCPA/LGPD banner, including a preferences popup and cookie compliance, and works as a complete CMP. Its flexible settings panel lets you fit it to your needs and brand.
For GDPR, merchants need to select one of the strict mode banners, in which all non-strictly required cookies and scripts are blocked until the user gives consent. They also need to enable the options for limiting tracking for visitors from Europe through their store preferences menu option. More information is available from Shopify.
Finally, they will need to create an e-privacy page in order to support Data Subject Requests from their customers or visitors.