Shopify & GDPR: How to Make Sure Your Site is Compliant
If your store is accepting payments online and collecting, processing or storing visitor information (which all Shopify websites are), then you need to make sure that your website is compliant with the privacy regulations of your customers’ countries. The most stringent of these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA).
GDPR and CCPA are regulations that give customers access, transparency, and control over their personal data. They apply to any business, regardless of where it is located, that processes the data of residents of the regulated country or state. Failing to comply can result in large fines depending on the severity and type of violation, so it is in a business’s best interest to comply in order to build customer trust and protect the brand.
The below is not legal advice and we do recommend seeking the advice of a legal expert who specializes in GDPR and data protection.
To meet compliance of these regulations, you’ll need to make sure you’re doing a few things:
Show a cookie consent bar on your website, which blocks tracking technologies until users manage their privacy preferences.
Provide a privacy policy page & cookie policy pages.
Provide a way to collect and manage customer data and data requests.
To get started on this, there are some necessary elements to implement in a store:
You must get explicit consent from customers before using cookies to collect their data. You cannot assume that they have consented because they have not objected. A cookie bar or pop-up provides visitors with information about which cookies you use and what they’re used for. This appears on the customer’s first visit, and they usually have to accept all cookies, or manage their preferences to select which types of data the website can collect (as some cookies are necessary for the site to function).
You’ll need to install a cookie consent app which will quickly and easily add a cookie banner to your site. Our personal favorite is Consentmo GDPR which is very robust, offering compliance tools for various privacy regulations as seen below:
It also offers a lot of customization options within the app to style it and configure content to your needs. There is a free plan to start with, and depending on usage, you may need to upgrade to a paid tier.
Shopify has its own cookie bar app, Shopify Privacy & Compliance. This app integrates well with any Shopify store, but like most apps made by Shopify, its customization options are more basic. Once you’ve set it up, you’re ready to test it.
You’ll only be able to see the cookie bar in the locations where you’ve set it to show. For example, if you’re in Toronto, you won’t be able to see the notice that is set up for customers in California. Visibility depends on your IP address, so in order to see how it looks on your site, you’ll need to use a VPN and select the location you’d like to test.
Once your VPN is set to the correct location, open your store in an Incognito browser window. Without clicking on the cookie banner, open the browser dev tools: right click > Inspect > select the Application tab at the top > under the Storage section, select Cookies > select your store’s URL. This opens a list of the site’s active cookies. You should only see the cookies that are strictly required. See here for a list of Shopify’s cookies that are necessary for the functioning of the site. If you are seeing other cookies, such as ones from Google Analytics or Facebook, then cookies are not being correctly blocked and you need to do some troubleshooting. Click “Decline” on the cookie bar and confirm that no new cookies are added. Then repeat the process, but this time click “Preferences” on the cookie bar, grant some cookie categories, and confirm that the corresponding cookies become active on the site.
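The dev-tools check above can also be run as a script: paste it into the browser console and call `auditCookies(document.cookie, allowlist)`, or run it in Node against the constructed snapshots. This is an added example, not code from the original post, from Shopify or from Consentmo; the allowlist names are placeholders to be replaced with Shopify’s own list of strictly necessary cookies, while the `_ga`/`_gid`/`_gat` and `_fbp`/`_fbc` prefixes are the real cookie names used by Google Analytics and the Meta Pixel.

```javascript
// Added example, not code from the original post or from Shopify/Consentmo.
// Audits a document.cookie string against an allowlist of strictly necessary
// cookies and flags well-known analytics/advertising cookies that should not
// exist before consent is given.

// Real cookie-name prefixes set by Google Analytics and the Meta (Facebook) Pixel.
const KNOWN_TRACKER_PREFIXES = {
  _ga: "Google Analytics", _gid: "Google Analytics", _gat: "Google Analytics",
  _fbp: "Meta Pixel", _fbc: "Meta Pixel",
};

// Parse "a=1; b=2" into cookie names (document.cookie exposes no attributes).
function parseCookieNames(cookieString) {
  return cookieString.split(";").map((c) => c.trim()).filter(Boolean)
    .map((c) => c.split("=")[0].trim());
}

// Map a cookie name to a known tracker vendor, handling GA4's "_ga_<ID>" form.
function trackerFor(name) {
  for (const [prefix, vendor] of Object.entries(KNOWN_TRACKER_PREFIXES)) {
    if (name === prefix || name.startsWith(prefix + "_")) return vendor;
  }
  return null;
}

// Before consent: every cookie present must be on the strictly-necessary allowlist.
function auditCookies(cookieString, allowlist) {
  const names = parseCookieNames(cookieString);
  const unexpected = names.filter((n) => !allowlist.includes(n));
  const trackers = unexpected.map((n) => ({ name: n, vendor: trackerFor(n) }))
    .filter((t) => t.vendor !== null);
  return { total: names.length, unexpected, trackers, blocked: unexpected.length === 0 };
}

// After clicking "Decline": names present in `after` but not `before` (should be empty).
function newCookiesSince(before, after) {
  const seen = new Set(parseCookieNames(before));
  return parseCookieNames(after).filter((n) => !seen.has(n));
}

// Constructed sample snapshots; the allowlist is a placeholder, not Shopify's real list.
const ALLOWLIST_PLACEHOLDER = ["_session_example", "cart_example"];
const BEFORE_CONSENT = "_session_example=abc; cart_example=xyz; _ga=GA1.2.1; _fbp=fb.1.2";
const AFTER_DECLINE = BEFORE_CONSENT + "; _gid=GA1.2.3";

if (typeof document === "undefined") { // Node: report on the constructed snapshots
  console.log(auditCookies(BEFORE_CONSENT, ALLOWLIST_PLACEHOLDER));
  console.log(newCookiesSince(BEFORE_CONSENT, AFTER_DECLINE));
}
```

In the browser, take `document.cookie` once before touching the banner and once after clicking Decline, and pass both to `newCookiesSince`; any name it returns is a cookie that escaped the consent block.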
Although the cookie bar shows only on the first visit, if you change how you collect or store data, then you need to request consent again, which these apps make easy to do.
From the Shopify Admin, go to Online Store > Preferences > Customer Privacy. Here you can adjust how data is collected from customers in different locations. Be sure to select that data should be “collected after consent” to block cookies from functioning before the user gives consent.
In the same section, you’re also able to make adjustments that refer specifically to US laws. Activating this does require the Shopify Privacy & Compliance app.
Every store should have a privacy policy. This privacy policy should be linked in the cookie banner, as well as in your website footer.
Make sure that it includes:
We recommend this Terms & Conditions + Privacy Policy, which was created specifically for e-commerce stores and is GDPR and CCPA compliant. It even comes with a GDPR checklist written by a lawyer to help you make sure you’ve covered all your bases. Alternatively, you can use Shopify’s template, which is added from your store’s Policies section.
Some regulations may also require you to have cookie policy pages. The Consentmo GDPR app also has a feature to automatically add these pages to your store:
You must provide customers with a way to make requests about their personal data. They have the right to know what data you have collected from them, why you collected it and how you are using it. At a minimum, your privacy policy should explain how customers can contact you to make a request and what the process is. However, some US state laws require a specific data collection opt-out page, otherwise called a “do not sell or share my personal information” page.
Visitors have the right to have their data deleted, and when requested you are required to delete it from your store and from any third-party applications that you use. Third-party applications include anything that receives customer data from Shopify, such as an email marketing app, CRM or accounting software.
For example, when deleting a profile from Klaviyo, it will ask you if you’d like to “Delete profile in compliance with data privacy request”. Make sure to select the checkbox if this is the case.
You must respond to customer requests in a timely manner. GDPR requires you to respond to a customer request within 30 days.
Hopefully this has given you a good start on making your website GDPR & CCPA compliant. Please note that we’re not experts on this matter. Privacy laws can be complex and we recommend consulting a lawyer who is familiar with data protection laws if you have specific questions.