Here are the assets and functions you need to have in place to make your Shopify store GDPR-compliant. To prepare this list, we consulted the official GDPR text, Regulation (EU) 2016/679.
Beware of Your Toolset
This is the #1 point on our list because it is where the majority of Shopify merchants fail.
As a business owner, you are responsible for ALL data collection, tracking, and cookies that occur through your store, whether they are first-party or third-party. Let’s go into details with an example:
Let’s say you have Google Analytics, TikTok Pixel, and a survey tool on your website. Each of these tools has its own tracking, data collection activities, and cookies, and each stores the user information it collects in its own database.
In this case, you need to:
- Explain all of these in your Privacy Policy (how, why, which data is collected),
- Get your visitor’s consent for all of these tracking types & cookies,
- Allow your visitor/user to download & delete their data.
In most Shopify stores, we just see the classic Google Analytics and Shopify permissions on the Privacy Policy, but the other third-party tools aren’t mentioned.
In the same example, if the user does not give consent, some cookie/consent banners block Google Analytics but leave the TikTok Pixel running regardless.
So, it’s extremely important for you to know the toolset that you use to collect, process, and store data.
Privacy Policy
This is an easy one to start with. Shopify already provides a Privacy Policy generator, and it works just great. Besides this tool, you can also find plenty of privacy policy solutions on the market which perform really well.
Here are some important notes about the issue though:
- Your Privacy Policy has to reflect how you collect, use, share, and secure your customer’s personal information.
- You should state, in writing, how long you intend to keep your customer’s data.
- Your privacy policy must describe your customer’s preferences regarding use, access, and correction of their personal information.
- You need to make sure your customers can find your Privacy Policy easily.
- You have to update your Privacy Policy if you feel that it does not contain the information mentioned.
You can check out Shopify’s Privacy Policy generator through: Free privacy policy generator
Another important point: You should also remember to include Terms & Conditions, and add some extra paragraphs about GDPR in it. Luckily, Shopify also helps you with this: Terms and conditions generator.
Cookie Consent Bar
We have arrived at the most complex part of the topic. Here, we will go through the most important requirements and common mistakes, but you can check out our more extensive version which covers a complete setup guide where we discuss all of these settings in greater detail.
Requirements:
- You should ask users what type of cookies they allow, and also give them the option to decline any of them.
- You should not try to assume what the users will choose, and “tick” the options in advance for them.
- You have to make sure that cookies & tracking don’t start before consent is provided. As in the example above, some pixels do stop, but others keep working even before the user has given their consent.
- You need to have a cookie banner on which the ‘Accept’ and ‘Reject’ buttons are equally visible & noticeable.
- Do not utilize cookie popups that prevent users from visiting your website (cookie walls). Cookie walls do not comply with the GDPR. Even if the user does not consent to the usage of cookies, they should be able to use your website.
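The requirements above come down to one rule in code: no non-essential tag may execute until the visitor has made an explicit choice, and the default choice is “denied”. The consent gate below is an added example, not Shopify’s code or any consent app’s code. The category names, the tag registry and its placeholder `src` URLs are assumptions made for the demonstration.

```javascript
// Added example (not Shopify's code or any app's code): a consent gate that
// keeps every non-essential tag from loading until the visitor has decided.

// Non-essential categories a banner typically offers. Category names are assumed.
const CATEGORIES = ["analytics", "marketing", "preferences"];

// Default state: nothing decided, every non-essential category denied.
// No option is pre-ticked for the visitor.
function defaultConsent() {
  const consent = { essential: true, decided: false };
  for (const c of CATEGORIES) consent[c] = false;
  return consent;
}

// Record the visitor's explicit choice. Categories not in `granted` stay denied.
function applyChoice(consent, granted) {
  const next = { ...consent, decided: true };
  for (const c of CATEGORIES) next[c] = granted.includes(c);
  return next;
}

// "Reject all" must be as easy to act on as "Accept all": one call each.
function acceptAll(consent) { return applyChoice(consent, CATEGORIES); }
function rejectAll(consent) { return applyChoice(consent, []); }

// A tag may load only if it is essential, or if the visitor has decided and
// granted its category. An undecided visitor gets essential tags only.
function mayLoad(tag, consent) {
  if (tag.category === "essential") return true;
  return consent.decided === true && consent[tag.category] === true;
}

// Constructed registry standing in for the tools named in the article.
// The src URLs are placeholders, not the tools' real loader endpoints.
const TAGS = [
  { name: "session-cookie",   category: "essential", src: null },
  { name: "google-analytics", category: "analytics", src: "https://example.invalid/ga.js" },
  { name: "tiktok-pixel",     category: "marketing", src: "https://example.invalid/tt.js" },
];

// Names of the tags that would be activated under a given consent state.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => mayLoad(t, consent)).map((t) => t.name);
}

// Browser part: tags are written into the page as
//   <script type="text/plain" data-category="marketing" src="..."></script>
// so the browser does not execute them. After a decision, each permitted one is
// swapped for a real script element. Guarded so the file also runs under Node.
function activateQueuedScripts(consent, doc) {
  if (doc === undefined) doc = typeof document === "undefined" ? null : document;
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!mayLoad({ category: el.dataset.category }, consent)) continue;
    const real = doc.createElement("script");
    if (el.getAttribute("src")) real.src = el.getAttribute("src");
    else real.textContent = el.textContent;
    el.replaceWith(real);
    activated += 1;
  }
  return activated;
}

// Walk-through: undecided -> essential only; analytics granted -> GA but not TikTok.
console.log(tagsToLoad(defaultConsent()));
console.log(tagsToLoad(applyChoice(defaultConsent(), ["analytics"])));
console.log(tagsToLoad(rejectAll(defaultConsent())));
```

The point of the `type="text/plain"` trick is that the tag markup can stay in the theme while the browser treats it as inert text; the only code path that turns it into a running script is `activateQueuedScripts`, which runs after the banner has recorded a decision. A tag that is injected some other way (an app embed that writes its own `<script>`, for example) bypasses this gate entirely, which is exactly the “keeps working no matter what” case described earlier.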
Solutions:
- You can find many cookie consent solutions on the Shopify app store such as GDPR apps, and many other external tools.
- Shopify also has its own app called “Customer Privacy Banner”. You can find more details about it in the section called “GDPR Solutions for Shopify Merchants”.
Make Personal Data Manageable & Accessible
“Personal data” includes information such as a person’s name, address(es), email, IP address, cookie ID, credit card number, order number, and social media account.
Your visitors from the EU must be able to view, modify, and/or rectify their data. So, as the store owner, you must allow them to access, modify, or delete their data.
Some GDPR apps also offer this feature as you’ll see down below.
Other Points:
Don’t collect the data you don’t need. For example, don’t ask your clients about their company name if you don’t need that information. More data means more responsibility – and it’s not a good idea for you.
As mentioned in the beginning of the chapter, you need to be aware of any 3rd party apps/solutions you are using to deal with your user’s data. Make sure to check this out for each app you are using. Shopify Partners are quite careful with this topic and do their best to be GDPR-compliant.
You are responsible for the security of your customers’ data and for any breaches of it, so you need to be diligent when a breach happens. You need to protect your customers from:
- Illegal or unauthorized processing,
- Unintentional loss,
- Destruction or damage.
It’s good to know that Shopify uses the HTTPS protocol to encrypt data that is received and delivered from merchants and buyers.
You can set up some other security features – such as setting up role-based permissions for staff accounts – through your Shopify Admin page.
Validation - Is your store really GDPR-compliant?
We have prepared this step-by-step and in-depth guide to help you make sure that your Shopify store is GDPR-compliant and clarify the problems in case you have any.
All you need to do is just read this through and take the needed steps and actions carefully.
1- Privacy Policy Check
2- Consent Banner Visual & Content Check
- Do your visitors have full control to accept, decline, or change cookie settings on the banner?
- Is your banner accessible and visible from all devices (mobile, desktop, tablet, all browsers etc.)?
- Is the cookie table (with name, type, purpose, and duration) present in the privacy policy or another section of the consent banner?
- Do you have an option (callback widget) for the users to revoke their consent at any time?
3- Auto-block Third-Party Cookies & Requests
You should block all the cookies and requests until the user’s consent is given. This is a technical step and most merchants fail at this.
That’s why we have included a step-by-step technical tutorial for you here. You don’t need to be a developer or have any technical knowledge to perform this check. A Chrome browser is all you need!
Let’s make one thing clear: not all 3rd party requests are prohibited; they can be strictly necessary as well. As an example, if you are playing a YouTube video on your website, there will be a request to YouTube; or if you have a Google font, there will be a request to fonts.google.com. These are innocent requests.
However, that’s not the case with Google Tag Manager, Facebook, Klaviyo, Google Analytics, etc. You will recognize them when you see them. You can also search and filter the request list for keywords like “collect”, “facebook”, and “analytics” to find them.
These requests should NOT appear before the user has given their consent.
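A way to make this check repeatable rather than eyeballing the request list each time, as an added example and not something the article or Shopify provides: export the page load from Chrome DevTools as a HAR file, then run the script below over it with the timestamp at which you clicked the banner. The tracking host list, the allowed host list, the first-party hostname and the HAR entries here are constructed for the demonstration; the keyword list is the one suggested above.

```javascript
// Added example (not the article's or Shopify's code): audit a DevTools HAR
// export for tracking requests that fired before the visitor consented.
// A HAR is JSON; each request is at log.entries[i].request.url with its
// start time at log.entries[i].startedDateTime.

// Hostnames treated as tracking endpoints. Illustrative; extend it for your toolset.
const TRACKING_HOSTS = [
  "google-analytics.com", "analytics.google.com", "googletagmanager.com",
  "facebook.net", "facebook.com", "analytics.tiktok.com", "klaviyo.com",
];
// URL fragments the article suggests searching for. Weaker signal than a host match.
const TRACKING_KEYWORDS = ["collect", "facebook", "analytics"];
// Strictly necessary hosts from the article's examples; never flagged.
const ALLOWED_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com", "fonts.google.com", "youtube.com"];

// True if hostname equals h or is a subdomain of h, for some h in list.
function hostMatches(hostname, list) {
  return list.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Why a URL counts as tracking, or null if it does not.
function trackingReason(url) {
  const u = new URL(url);
  if (hostMatches(u.hostname, ALLOWED_HOSTS)) return null;
  if (hostMatches(u.hostname, TRACKING_HOSTS)) return "known tracking host";
  const lower = (u.hostname + u.pathname).toLowerCase();
  const hit = TRACKING_KEYWORDS.find((k) => lower.includes(k));
  return hit ? `keyword "${hit}"` : null;
}

// Returns the tracking requests that started before consentAt (ISO timestamp).
// consentAt = null means the visitor never consented, so every tracking request counts.
function auditHar(har, consentAt, firstPartyHost) {
  const consentTime = consentAt ? Date.parse(consentAt) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const host = new URL(url).hostname;
    if (hostMatches(host, [firstPartyHost])) continue; // own store requests are out of scope here
    const reason = trackingReason(url);
    if (!reason) continue;
    if (Date.parse(entry.startedDateTime) < consentTime) {
      findings.push({ url, startedDateTime: entry.startedDateTime, reason });
    }
  }
  return findings;
}

// Constructed HAR fragment standing in for a real export (ids and hosts are placeholders).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z", request: { url: "https://example-store.invalid/" } },
  { startedDateTime: "2024-01-01T10:00:00.200Z", request: { url: "https://fonts.googleapis.com/css2?family=Inter" } },
  { startedDateTime: "2024-01-01T10:00:00.300Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER" } },
  { startedDateTime: "2024-01-01T10:00:00.400Z", request: { url: "https://analytics.tiktok.com/i18n/pixel/events.js" } },
  { startedDateTime: "2024-01-01T10:00:05.000Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
] } };
const CONSENT_AT = "2024-01-01T10:00:03.000Z"; // constructed: when the banner was accepted

// Two of the three tracking requests fired before the click; the Facebook one did not.
console.log(auditHar(SAMPLE_HAR, CONSENT_AT, "example-store.invalid"));
```

Run the audit twice: once with the click time, to find tags that start early, and once with `consentAt` set to `null` after a page load where you rejected everything, to find tags that ignore the rejection. Treat a “keyword” finding as something to review by hand (a first-party path like `/collections/` would match “collect” if it were not excluded), while a host match is a reliable hit.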
4- Record All User Consent for Proof of Compliance
You should keep a record of all consent that users have given. Most consent tools already do this, so you don’t have to do anything else; just make sure the record exists and is accessible to you.
What if you failed?
Check out the next section called “GDPR Solutions for Shopify Merchants” and make sure you benefit from one of our recommended solutions.
If you do, contact your apps or service providers to make your store GDPR-compliant. Don’t hesitate to send them this checklist as well.