We have a lot of customers that use Shopify to run their webshops, including in the EU. We regularly get questions about how to deal with the cookies Shopify sets in their stores. In this article we try to shed some light on the potential risks of using Shopify and how to mitigate them.
What is Shopify?
Shopify is one of the leading SaaS providers for ecommerce shops. It is very intuitive, (relatively) cheap and has a large number of features that make it easy for merchants to set up their ecommerce activities. The platform handles ecommerce transactions for over 700,000 shops worldwide.
Is the use of Shopify Schrems II compliant?
This is a bit of a grey area. The first thing you need to be aware of is that Shopify is a US provider. By using a US provider for your ecommerce activities you might be in violation of Schrems II, which in short concerns the transfer of personal data outside of the EU to countries that do not meet the required level of data protection. Why? Because Shopify deploys its platform on servers outside the EU and on US cloud providers, and all your customer data, created when people buy something in your store, will be saved on these servers. So to answer this question, we would urge you to consult a legal professional.
Does Shopify set cookies?
Yes, quite a few cookies are set when users browse a webshop on the platform. Most of them are necessary for the shop to function at all. A lot of these cookies have very long expiry times, which helps Shopify gather better analytics and statistical data about your visitors in the Shopify backend. So how can we make this as compliant as possible?
If you’re an EU merchant, you need to make sure you activate restrictions on your data collection before consent. This can be done by navigating to the Preferences > Customer privacy section and enabling the recommended option “Collected after consent”. What does it do? It limits data collection before consent: Shopify's non-necessary cookies are set as session cookies, which are destroyed once a visitor closes their browser. If visitors do consent, these cookies return to their persistent state and collect more visitor data.
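One way to check that the setting has taken effect is to capture the Set-Cookie headers of a first visit, before any consent is given, and flag every non-necessary cookie that would outlive the browser session. The following is an added example, not code from Shopify or CookieFirst; the cookie names, the allowlist of necessary cookies and the sample headers are constructed placeholders.

```javascript
// Allowlist of cookies treated as necessary (constructed placeholder names).
const NECESSARY = new Set(["example_cart", "example_session"]);

// Parse one Set-Cookie header value into { name, persistent, lifetimeSeconds }.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const pairEq = pair.indexOf("=");
  const name = pairEq === -1 ? pair : pair.slice(0, pairEq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = Math.round((t - now) / 1000);
    }
  }
  // Max-Age takes precedence over Expires (RFC 6265). Neither attribute
  // means a session cookie; a lifetime <= 0 means the cookie is deleted.
  const lifetimeSeconds = maxAge !== null ? maxAge : expires;
  const persistent = lifetimeSeconds !== null && lifetimeSeconds > 0;
  return { name, persistent, lifetimeSeconds };
}

// Return the names of non-necessary cookies that persist past the session.
function auditPreConsent(headers, now = Date.now()) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.persistent && !NECESSARY.has(c.name))
    .map((c) => c.name);
}

// Constructed sample: headers as they might be captured before consent.
const NOW = Date.parse("2024-01-01T00:00:00Z");
const SAMPLE_HEADERS = [
  "example_cart=abc; Path=/; Max-Age=1209600; Secure",
  "example_analytics_id=xyz; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
  "example_visit=1; Path=/; SameSite=Lax",
  "example_ad_pixel=1; Path=/; Max-Age=0",
];
console.log(auditPreConsent(SAMPLE_HEADERS, NOW));
```

An empty result on real pre-consent traffic means every non-necessary cookie is session-scoped; any name returned is a cookie to investigate.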
You are prompted to use the privacy banner app from Shopify, but that is very limited. We recommend giving users more granularity when it comes to their cookie management, as some users might still want to enjoy all the features of your shop but not agree to advertising pixels. The CookieFirst banner will allow you to do this. Our banner can also integrate with the Shopify API for consent to make sure you get the most out of your visitor data when they do give permission. Read more about that here.