Cookies and data collection

Countries and regions around the world have introduced regulations that dictate how businesses collect, handle, and share their customer’s data. Collecting customer data, especially cookie data and other data related to browsing activity, is essential to merchants looking for insights on their customer’s behaviour. This data also helps merchants advertise to customers on third-party marketing platforms.

To help merchants comply with these regulations and build trust with their customers, Shopify provides a variety of apps, features, and developers tools.

You can install the Customer Privacy Banner app created by Shopify, or browse the Shopify App Store for third-party privacy banners.

When making a decision about what your business needs to do to comply with various privacy regulations it’s important to consult with your lawyer.

Data sharing with ad networks

To improve your marketing campaigns, your customer data is used to optimize and personalize the ads targeting existing and prospective customers. Ad networks require personal information about your customers to match those same customers in their network.

This personal information might include email addresses, phone numbers, IP addresses, names, mailing addresses, and third-party data collection cookies. If any of this personal information matches users in the ad network's database, then ads can be targeted towards those users, or that information can be used for marketing attribution to determine when a campaign should take credit for a sale.

When you share your customer's personal information, make sure that you do so with a marketing partner that you trust. It's important to tell your customers how you share data, and to decide what type of data, or how much data, you want to collect and share. Make sure that your privacy policy is up to date to provide this information to your customers.

Some partners or channels, such as Facebook, let you to customize the type and amount of data you collect and share.

European customers and GDPR compliance

Under the European Union’s General Data Protection Regulation (GDPR), European customers visiting your online store must give consent before data can be collected. The most common way of collecting data from customers to your online store is using browser cookies. These browser cookies are referred to as non-essential cookies and must be limited in use until consent is given by the customer.

Limit data collection for visitors from Europe

To limit the data collection of European customers visiting your online store, as determined by their IP address, you can choose the level of restrictions for marketing and analytics data collection for customers from the EU, EEA, UK, and Switzerland.

Steps:

  1. In your Shopify admin, click Online Store and then click Preferences. Scroll down to the Customer privacy section.

  2. Choose the level of restrictions for European customers: Collected before consent, Partially collected before consent, or Collected after consent. Selecting partially collected before consent or collected after consent prompts you to install a privacy banner app. To learn more about customer privacy, cookies, and restriction levels, refer to the ePrivacy Directive documentation.

How Shopify limits data collection

Shopify limits data collection by downgrading its own non-essential cookies, outlined in our Cookie Policy, to session cookies. Session cookies are generally deleted when the customer closes their browser. If a customer consents to data collection, then the non-essential cookies are upgraded to persistent cookies, which are not deleted when the customer closes their browser.

How Shopify limits third-party data collection

Because Shopify can’t control if a third-party app or script collects data from a customer, we provide third parties with a consent collection API for them to integrate with. The consent collection API tells the third party if a customer has provided consent for data to be collected.

Review the terms of service and privacy policies of third-party apps and scripts that you’re working with to determine how they are respecting customer consent.

Gathering customer consent lets you collect data from customers in countries and regions that require consent before collecting data. The most common way of gathering this consent is through privacy banners or cookie banners. These banners often appear at the bottom of websites and prompt the user with the option to accept non-essential cookies for analytics and marketing.

If you're looking to implement your own privacy banner, or use a third-party cookie banner, then verify that the banner uses Shopify’s consent collection API for reading and collecting the customer’s consent. Without the consent collection API, Shopify non-essential cookies will continue to be limited, which affects your online store's analytics and marketing performance.

Third-party sale of California customer data and CCPA compliance

Under the California Consumer Privacy Act (CCPA), customers in California should be able to opt-out of the sale of their data. If you don't provide these customers with an option to opt-out, then they should be automatically exempt from the sale of their data. Before deciding if this is something you should be doing, you should review the CCPA thresholds and talk to your lawyer to determine if your business is affected by this regulation.

Limit the third-party sale of your California customers’ data

Under the California Consumer Privacy Act (CCPA), customers in California have the right to opt out of the sale of their data. You can limit data collection for customers in California through the Customer privacy section in your Shopify admin, which will prompt you to install the Customer Privacy app for CCPA compliance.

Steps:

  1. In your Shopify admin, click Online Store and then click Preferences. Scroll down to the Customer privacy section.
  2. Limit data collection for customers in California by clicking Activate.
  3. Click the Install app button to download and install Shopify's Customer Privacy app.

When deciding to share your customer’s data with third parties note that Shopify can't control how the data is used by third parties, and can only inform them how data should be handled. You should review the privacy policies of third-party apps and scripts that you’re working with and consult your lawyer.

Shopify never sells your data as the term is defined by the CCPA. For more information, refer to Shopify's position on sale of personal information.

Opting out of targeted ads

Anyone can opt-out of targeted ads served by specific third-party vendors by visiting the Digital Advertising Alliance’s Opt-Out page or the Network Advertising Initiative’s Opt-Out page.

Ready to start selling with Shopify?

Try it free