CookieFirst’s team gets tons of questions about international data privacy laws, especially the GDPR. It’s one of the biggest regulations of its kind in the world and has far-reaching implications for anyone who does business online. Practically every website falls under the GDPR’s rules in some way – whether it processes citizens’ data within Europe or from another country.

The question of compliance is a major issue for businesses that operate on an international level and with multiple digital tools. Any wrong actions by site owners themselves – or simply the servers their stores run on – can result in hefty fines and charges.

Most people aren’t aware that Shopify can actually put you at risk of violation with its default settings.

This article will discuss the potential risks of using Shopify with EU consumers and how to mitigate them using the Shopify Cookie Consent from the CookieFirst CMP.

What is Shopify?

Shopify is a leading ecommerce platform that enables entrepreneurs around the world to create and manage their own online stores. Shopify allows businesses to easily set up, customize and manage their stores across multiple sales channels, including web, mobile and social media. Shopify also offers a variety of tools and services to help businesses grow their online presence, such as payment processing, inventory management, marketing and customer service. With its easy-to-use platform and wide range of features, Shopify makes it easy for ecommerce businesses to get up and running with little upfront time or investment. It currently supports over 700,000 stores around the world.

Is the use of Shopify Schrems II compliant?

On July 16, 2020, the EU’s Court of Justice published a decision in the case Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems. It declared that the EU-US Privacy Shield, one of the core mechanisms used to transfer data between the European Union and United States, is invalid.

Shopify itself, as a platform provider, does not currently provide any guarantees for Schrems II compliance. This is because Shopify is based in Canada and stores its customer data in the United States, the latter of which has had trouble meeting standards for ‘adequacy status’ under the GDPR. Theoretically, all Shopify stores are, therefore, at risk of violating Schrems II if their data is transferred outside of the US, regardless of their location.

Of course, this is an extremely gray area. We highly recommend consulting with a legal expert familiar with international data law to understand the specifics of your situation.

Does Shopify set cookies?

Yes, like many ecommerce platforms, Shopify relies on cookies both to keep essential store functions running and to enhance users’ experiences. This means that under the GDPR, Shopify store owners must obtain consent from customers before placing any of these cookies.

Shopify does provide some basic cookie management tools; however, these are not enough to meet the GDPR’s standards for website privacy. Most Shopify store owners will need to take additional steps in order to be compliant.

What can you do to ensure your Shopify store is GDPR and ePrivacy compliant?

EU merchants that use Shopify must take additional steps to ensure their website remains compliant with regional data laws.

The first and most important step is changing your online store’s settings. Open the ‘Preferences’ page and scroll down to the ‘Customer Privacy’ section to enable the recommended ‘Collected after consent’ cookie option. This will prevent Shopify from using any unnecessary cookies until visitors give their consent.

From there, it’s a matter of having a good cookie banner that fully informs users of their data privacy rights under the GDPR. Shopify has a built-in feature for this, although it’s very rigid and not suitable for all businesses.

Our recommended solution is CookieFirst’s Cookie Consent tool. It integrates with the Shopify API to display a GDPR-compliant consent banner that helps you stay Schrems II compliant. It’s easy to set up and customize, so you can create a cookie notice tailored to your needs.

The CookieFirst consent management platform has a Shopify Cookie Banner in the Shopify App Store.

Shopify is a powerful platform, but like any other, it needs to be properly configured in order to comply with GDPR and other data law standards. Taking the extra steps to ensure Schrems II compliance will not only help protect your customers, but also safeguard you from potential regulatory fines.

