How Shopify Merchants Can Be GDPR Compliant
Validation - Is your store really GDPR - compliant?
GDPR Solutions for
Analyzify & GDPR
GDPR Enforcements - Fines
Technical Details & Definitions
Dear merchants, we have some bad news for you: Showing a cookie notice banner doesn’t make your Shopify store GDPR-compliant. What’s worse, even enabling the Customer Privacy setting in Shopify or using a GDPR app may not be enough at all.
We know how important GDPR is to you as a Shopify merchant – and how many EU companies have been fined as a result of being non-compliant with these regulations.
Let’s make it clear first: This is not a scare story. We have just prepared this guideline with a bunch of reliable information so that you can:
According to GDPR, if a user does not give their consent, cookies, data collection and tracking must not run. However, this is not the case for many websites. Most of the time, tracking begins before consent is even given, or some pixels continue to function even if the user does not provide their consent.
So, we’ll take a closer look at the matter and see if your Shopify store is GDPR-compliant. We’ll most likely discover that it is not – but don’t worry, we’ll also provide you with a road map so that you can fix this. Let’s jump right in!
Important: As this is a rather complicated and significant subject, the essential takeaways may not be obvious from a quick read. This is only a synopsis, so please read through each section thoroughly to make sure your Shopify store is GDPR-compliant.
You are going to discover a completely straightforward & actionable set of information in this guide. If you are interested in technical details and theoretical knowledge, don’t hesitate to scroll down to the last section of the page.
You will also see bookmarks for the table of contents mentioned in this guide. You can click on them to jump to the related section.
Here are the assets and functions you need to have to make your Shopify store GDPR-compliant. To prepare this list, we got help from the official GDPR guidelines: Regulation 2016/679.
This is the #1 point on our list because it is where the majority of Shopify merchants fail. As a business owner, you are responsible for ALL data collection, tracking, and cookies that occur through your store – whether first-party or third-party. Let’s go into details with an example:
Let’s say you have Google Analytics, TikTok Pixel, and a survey software on your website. Each of these tools has its own tracking, data collection activities, and cookies, and each collects user information into its own database. In this case, you need to:
Following the same example, if the user doesn’t provide their consent, some cookie/consent notice banners block Google Analytics but leave the TikTok Pixel running regardless.
So, it’s extremely important for you to know the toolset that you use to collect, process, and store data.
Here are some important notes about the issue though:
Another important point: You should also remember to include Terms & Conditions, and add some extra paragraphs about GDPR to them. Luckily, Shopify also helps you with this: Terms and conditions generator.
We have arrived at the most complex part of the topic. Here, we will go through the most important requirements and common mistakes, but you can check out our more extensive version which covers a complete setup guide where we discuss all of these settings in greater detail.
“Personal data” includes information such as a person’s name, address(es), email, IP address, cookie ID, credit card number, order number, and social media account.
Your visitors from the EU must be able to view, modify, and/or rectify their data. So, as a store owner, you must allow them to access, modify, or delete their data.
Some GDPR apps also offer this feature as you’ll see down below.
We have prepared this step-by-step and in-depth guide to help you make sure that your Shopify store is GDPR-compliant and clarify the problems in case you have any.
All you need to do is just read this through and take the needed steps and actions carefully.
Are Google Analytics, Facebook, and other targeting and tracking platforms mentioned, and do you provide an option for your user to opt-out? Shopify's policy generator includes Google Analytics, Google Ads, Facebook Pixel, and Bing by default. You should also add other tracking tools (such as Pinterest, Snapchat, TikTok, Twitter, LinkedIn, Klaviyo, etc.) if you are using any.
Have you added all the vendors with whom you share customer/order/visitor information (such as payment providers, sales channels, fulfillment centers, customer service support, etc.)?
You should block all the cookies and requests until the user’s consent is given. This is a technical step and most merchants fail at this. That’s why we have included a step-by-step technical tutorial for you here. You don’t need to be a developer or have any technical knowledge to perform this check. A Chrome browser is all you need!
Open your website in an incognito window. You need a clean window so that you can make sure you don’t already have any cookies from your website. If you are not located in the EU, use a VPN, as most consent solutions only activate for visitors located in the EU.
You should now see the consent banner that meets the conditions explained above. DO NOT provide any consent and move to step 3.
Open Google Chrome Developer Tools (Windows: Ctrl + Shift + J / Mac: Option + ⌘ + J).
If you don’t see an “Application” tab at first, it is hidden under the arrows as seen below.
In the Cookies section of the Application tab, you SHOULD NOT see any cookie group other than your own website. If you see a group related to Facebook, TikTok, or Google here, that’s a GDPR violation: the user hasn’t provided their consent, and yet a Facebook third-party cookie has been set.
It doesn’t always have to be facebook.com. Any other third-party cookie group that is not strictly necessary shouldn’t be here either.
If this is the case for your store, your cookie consent solution is NOT working properly. Next, in Chrome Developer Tools, click "Network". It is not only about cookies – network requests can also leak data. Tick the "3rd-party requests" checkbox and the list will be filtered down to requests made to other domains.
Let’s make one thing clear: not all 3rd party requests are prohibited – they could be strictly necessary as well. As an example, if you are playing a YouTube video on your website, there will be a request to YouTube; or if you have a Google font, there will be a request to fonts.google.com – these are innocent requests.
However, that’s not the case with Google Tag Manager, Facebook, Klaviyo, Google Analytics, etc. You will understand when you see it. You can also filter by keywords like “collect”, “facebook”, or “analytics” to find them quickly.
These requests should NOT be made before the user has given their consent.
You should keep a record of every consent that users have provided. Most consent tools already do this, so you don’t have to do anything else. Just make sure it is there and accessible for you.
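The manual DevTools check above can be automated once you have copied the request URLs and cookies observed before consent. This is an added example, not code from the Analyzify guide or from Shopify: the store host, the allowed and tracker keyword lists, and all sample requests and cookies are constructed assumptions.

```javascript
// Added example, not code from the Analyzify guide: automates the DevTools check above.
// Feed it the request URLs and cookies seen BEFORE consent; a "tracker" request or a
// third-party cookie means the consent tool is not blocking. All hosts/data are constructed.
const STORE_HOST = "example-store.com";
// Innocent third-party hosts of the kind the guide mentions (embedded video, web fonts).
const ALLOWED_THIRD_PARTY = ["www.youtube.com", "fonts.googleapis.com", "fonts.gstatic.com"];
// Keywords the guide suggests filtering the Network tab by, plus a few named vendors.
const TRACKER_KEYWORDS = ["collect", "facebook", "analytics", "googletagmanager", "klaviyo", "tiktok"];

function isFirstParty(host) {
  const h = host.replace(/^\./, ""); // cookie domains may carry a leading dot
  return h === STORE_HOST || h.endsWith("." + STORE_HOST);
}

// Returns first-party | allowed | tracker | review (unknown third party: inspect manually).
function classifyRequest(url) {
  const host = new URL(url).hostname;
  if (isFirstParty(host)) return "first-party";
  if (ALLOWED_THIRD_PARTY.includes(host)) return "allowed";
  const lower = url.toLowerCase();
  if (TRACKER_KEYWORDS.some((k) => lower.includes(k))) return "tracker";
  return "review";
}

function auditPreConsent(requestUrls, cookies) {
  const trackers = requestUrls.filter((u) => classifyRequest(u) === "tracker");
  const review = requestUrls.filter((u) => classifyRequest(u) === "review");
  const thirdPartyCookies = cookies.filter((c) => !isFirstParty(c.domain));
  const pass = trackers.length === 0 && thirdPartyCookies.length === 0;
  return { trackers, review, thirdPartyCookies, pass };
}

// Constructed sample of what the Network and Application tabs might show before consent.
const SAMPLE_REQUESTS = [
  "https://example-store.com/products.json",
  "https://cdn.example-store.com/theme.js",
  "https://fonts.googleapis.com/css?family=Inter",
  "https://www.google-analytics.com/g/collect?v=2",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://cdn.vendor-example.com/widget.js",
];
const SAMPLE_COOKIES = [
  { name: "cart", domain: "example-store.com" },
  { name: "fr", domain: ".facebook.com" },
  { name: "ttwid", domain: ".tiktok.com" },
];

const result = auditPreConsent(SAMPLE_REQUESTS, SAMPLE_COOKIES);
console.log(result.pass ? "PASS: nothing tracked before consent" : "FAIL", result);
```

Anything in the "review" bucket is an unknown third party that still needs the manual judgement the guide describes.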
What if you failed?
There are many GDPR solutions for merchants that can be found in the Shopify App store. Some of them are external solutions that can be integrated with your store.
We came up with this list considering the best choices for Shopify merchants.
Here are our priorities when choosing data analytics tools for GDPR compliance:
GDPR Compatible Tracking:
Some GDPR tools block the tracking completely or partially even after the user provides consent. You wouldn’t want this scenario either, because you have the right to use tracking & cookies if the user provides their consent.
Important: This is a rough summary. You can check out our page for the most detailed and up-to-date information: Shopify GDPR Solutions to be 100% GDPR Compliant
Shopify has built the Customer Privacy Banner app to provide you with an easy GDPR consent solution to implement. It works together with customer privacy settings within the Preferences section. Unfortunately, we do not recommend this as it is not fully GDPR-compliant. You can learn more about this solution and read PROs and CONs on this page.
This is another great option from the Shopify ecosystem that delivers everything you need for GDPR compliance. Make sure to read our in-depth review on this app and compare it with others before you make up your mind, or check our detailed guide to learn how to set the app with Analyzify. For more information on integration between Pandectes GDPR Compliance & Analyzify, check out here
Cookiebot is an external solution and it is not a Shopify app. It provides you with all the features to be GDPR-compliant, and it also gives you the tools to have GDPR-friendly tracking on your website. This is one of our top recommended solutions. You can learn more about this solution, read PROs and CONs, and compare it with others in our detailed guide on this page. You can also check out our setup guide to see how you can set the app up with Analyzify.
Axeptio is another great option which works through Google Consent Mode, and creates a quick and compliant cookie banner by connecting to your store. You can learn more about how to set up Axeptio with Analyzify through here.
Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You can refer to this page for more information, but in short, there are 2 options you can choose in our app to have GDPR-compliant tracking:
This is our self-service option – Analyzify mainly works as a self-service tool with comprehensive guides at each step to empower its users. It is a detailed, video-guided, and risk-free process that comes with a GDPR-enabled GTM container. Since setting up GDPR is a relatively complex process which requires a few technical steps, we recommend this option for merchants who are experienced with code blocks and GTM containers in general.
We provide all the guidance possible in our Knowledge Base including detailed documentation, but again, if you don’t have any experience with editing your theme and adjusting the app settings, please note that this might be hard for you.
GDPR compliant setup – done by Analyzify specialists at no extra cost. Recommended for merchants who want a professional setup and may not be experienced with the related technical concepts or simply not have the time.
Here is a list of what’s included:
Yes, many companies actually do get fined. Depending on the violation type, GDPR fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
As you can see from the image, there are fines ranging from €2,000 to €130,000 for January 2022. And the record fines go to:
- Amazon: €746M
- Whatsapp: €225M
- Google: €90M + €60M + €60M
- H&M: €35M
Analyzify experts can take care of your GDPR setup completely at no extra cost! Simply install the app and choose the “Done-For-You GDPR” option as your setup method, and our team will provide you with a GDPR audit, consent management tool adjustments, and validation & tests.
Please note that showing a cookie notice banner doesn’t make your Shopify store GDPR-compliant. (Learn more)
Analyzify offers a Google Tag Manager setup that is completely GDPR compliant and uses the Google Consent Mode. You will have the GDPR section at the end of your regular setup.
Depends on the store. Merchants are responsible for their stores to be GDPR compliant themselves, as Shopify doesn’t own the stores and doesn’t carry a responsibility to make the stores GDPR compliant.
This is how Shopify explains it on their related page:
As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.
Shopify provides merchants with a platform that can be configured to be GDPR compliant, but it is up to merchants on how they would like to run their businesses.
Here’s the short answer: Yes and no.
It does help your site to be GDPR compliant, but it also treats each user’s data differently based on their consent status, processing some users anonymously and others normally. Because of this, it is not enough to only use Consent Mode to be GDPR compliant.
No, it is unfortunately not enough.
Although those settings limit the data transfers, they are still not sufficient, as GDPR regulations are much more complex and you need to have many other features to be GDPR compliant as a Shopify merchant.
No. A cookie consent banner is only one of the requirements of GDPR, not to mention most cookie consent banners on Shopify fail the requirements of the banner functions and visuals.
Follow our detailed guideline and checklist to make sure your store is GDPR compliant.
As of May 2021, Google Tag Manager has been updated with an integrated consent feature that allows each tag you create to have built-in consent checks. So, each GTM tag can now be configured to fire only after the required consent has been given on your website.
At its default state, the answer is no.
As a Shopify merchant, it is your legal responsibility to be GDPR compliant if you are serving customers in the European Union (EU).
We have prepared a detailed guidance and a checklist for Shopify merchants on the GDPR topic, so please follow it carefully to ensure your store passes as compliant.
What is GDPR?
The General Data Protection Regulation (or GDPR in short) is an EU regulation that covers data protection and privacy. You can discover more about it by visiting: “What is GDPR? by EU.”
What is consumer privacy?
Consumer privacy refers to information privacy related to product and service users.
What is ‘Terms & Conditions’?
It covers the legal agreements between a service provider and a person that wants to benefit from it.
What is the importance of cookies with GDPR?
Cookies are little text files that websites save on your computer or mobile device while you are surfing the web. They are generally harmless and can usually be viewed and removed with ease. However, they can also store a lot of information about you. Because of the amount of data they might hold, they may be considered personal data under certain situations and thus be subject to GDPR. Find out more.
What is consent?
It’s a voluntary agreement to another’s proposition.
What is a consent management platform (CMP)?
It’s a platform that publishers can use to request, receive, and store user consent, which can then be saved as a list of preferred vendors that explain why they have been collecting the users’ information.
What is PII?
Personally Identifiable Information (or PII in short) is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, etc. You can learn more about it here.