At DPOaaS, we get countless questions from site owners and digital entrepreneurs about global data regulations like the GDPR. And rightfully so; these international laws affect practically everyone on the internet and come with hefty fines for those who don’t comply. You don’t even have to be located within the EU to fall within the GDPR’s purview – just process its citizens’ data in some way.
In the context of ecommerce, this can become particularly problematic. Most online stores operate on an international level or use platforms that do so. Shopify is a great example – while it’s a leader in ecommerce, few who use it are aware of its potential implications on GDPR compliance.
In this article, we’ll discuss Shopify’s ecommerce solutions and how using them with their default settings may be putting you at risk for privacy law violations.
We suggest that you use a Shopify Cookie Consent solution like the CookieFirst App in the Shopify App store.
What is Shopify?
Shopify is a cloud-based, multi-channel ecommerce platform designed to help people and businesses create an online store. With Shopify, entrepreneurs and store owners have an easy-to-use interface to set up their online shop, manage inventory, accept payments, fulfill orders, and track analytics. Shopify stores are also fully customizable, allowing entrepreneurs to choose the look and feel of their store as well as add features like product reviews, blogs, and product filters. The platform is very popular for its user-friendly interface and easy-to-set-up solutions, which allow people of all technological backgrounds to create an aesthetically pleasing and functional ecommerce space. Shopify currently hosts over 700,000 online stores around the world and is the backbone of many entrepreneurs’ success.
Is Shopify Schrems II compliant?
The Court of Justice of the European Union (CJEU) made major waves in the world of data privacy on July 16, 2020, when it published a judgment in the Schrems II case. The ruling effectively called the EU-US Privacy Shield – one of the main frameworks used to move data between the United States and European Union – invalid and created tons of ambiguity around what can and can’t be done with data.
Shopify is just one of many platforms that do not guarantee compliance with Schrems II. The company is based in North America, and most of its servers operate outside of the EU, in regions without GDPR ‘adequacy status’. This means that anyone using Shopify, whether they’re in Europe or not, inadvertently processes data outside of the GDPR’s jurisdiction.
While it’s all a gray area, in most cases, even European ecommerce businesses that only deal directly with EU customers on Shopify are at risk of violating Schrems II. Our best advice is to speak with a legal professional to better understand your unique situation.
Does the Shopify system set cookies?
Also keep in mind that you might use other third-party technologies in combination with Shopify, such as Google Analytics for conversion tracking or advertising services like Google Ads. If you are using these kinds of third-party services in your Shopify store, you will need to obtain consent from your visitors before activating them.
What you can do to make sure that your Shopify webshop is GDPR and ePrivacy compliant
If you’re an ecommerce merchant who works with EU customers, it’s important to take the necessary steps to ensure your store is compliant with the GDPR. This starts with adapting its settings in Shopify – open the ‘Preferences’ tab and enable the recommended ‘Collected after consent’ cookie option in the ‘Customer Privacy’ section. It will stop Shopify from placing cookies until a customer has given their explicit consent.
You should also implement a cookie banner. While Shopify offers a built-in solution, it’s important to note that a cookie banner is more than just an ‘I agree’ checkbox. It should include text explaining what types of cookies the site uses and why, as well as how customers can revoke their consent.
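The consent-before-activation rule for third-party tags, and the revocation the banner must support, can be enforced in the storefront itself. The following is an added example written for this article, not Shopify’s or CookieFirst’s code; the tag URLs and cookie names are illustrative, and the browser hooks are injected so the gating logic can be exercised outside a browser.

```javascript
// Added example (not Shopify's or CookieFirst's code): third-party tags stay
// unloaded until the banner grants their category; withdrawal deletes their cookies.
class ConsentGate {
  constructor(hooks) {
    this.loadScript = hooks.loadScript;     // injected so the logic also runs in Node
    this.deleteCookie = hooks.deleteCookie;
    this.consent = { analytics: false, marketing: false }; // nothing granted by default
    this.pending = []; // registered tags waiting for consent
    this.active = [];  // tags whose script has been loaded
  }
  // tag: { name, category, src, cookies }; registering never loads anything
  register(tag) {
    if (!(tag.category in this.consent)) throw new Error("unknown category: " + tag.category);
    this.pending.push(tag);
    this.apply();
  }
  // choices come from the banner, e.g. { analytics: true, marketing: false }
  update(choices) {
    for (const category of Object.keys(this.consent)) {
      if (category in choices) this.consent[category] = Boolean(choices[category]);
    }
    this.apply();
  }
  apply() {
    const waiting = [];
    for (const tag of this.pending) { // load what is now permitted
      if (this.consent[tag.category]) {
        if (!tag.loaded) { this.loadScript(tag.src); tag.loaded = true; } // never inject twice
        this.active.push(tag);
      } else waiting.push(tag);
    }
    const stillActive = [];
    for (const tag of this.active) { // a loaded script cannot be unloaded: drop its cookies, re-queue it
      if (this.consent[tag.category]) { stillActive.push(tag); continue; }
      for (const name of tag.cookies) this.deleteCookie(name);
      waiting.push(tag);
    }
    this.pending = waiting;
    this.active = stillActive;
  }
  status() {
    return { loaded: this.active.map((t) => t.name), waiting: this.pending.map((t) => t.name) };
  }
}
// Hooks for a real storefront; cookie deletion only works when the path/domain
// attributes match the ones the tag used when it set the cookie.
const browserHooks = {
  loadScript: (src) => { const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s); },
  deleteCookie: (name) => { document.cookie = name + "=; Max-Age=0; path=/"; },
};
```

In a storefront, `new ConsentGate(browserHooks)` is created before any tag is registered, and the banner's accept, reject and change-settings actions all call `update()`; the gate then guarantees that no third-party script runs without a matching consent category.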
We recommend using CookieFirst’s Shopify Cookie Consent Banner, which integrates with the Shopify API to display a GDPR-compliant consent banner. It’s incredibly easy to set up and can be customized to fit your unique needs and brand style.
Although Shopify remains a leader in its domain, data privacy is a complex arena and it’s important to make sure that your store adheres to all necessary laws. We hope this article has helped clarify the Schrems II situation and given you a starting point for improving the privacy of your Shopify store. Good luck!