Cookies and data collection
Countries and regions around the world have introduced regulations that dictate how businesses collect, handle, and share their customers' data. Collecting customer data, especially cookie data and other data related to browsing activity, is essential to merchants looking for insights on their customers' behaviour. This data also helps merchants advertise to customers on third-party marketing platforms.
To help merchants comply with these regulations and build trust with their customers, Shopify provides a variety of apps, features, and developer tools.
When making a decision about what your business needs to do to comply with various privacy regulations, it's important to consult with your lawyer.
Data sharing with ad networks
To improve your marketing campaigns, your customer data is used to optimize and personalize the ads targeting existing and prospective customers. Ad networks require personal information about your customers to match those same customers in their network.
This personal information might include email addresses, phone numbers, IP addresses, names, mailing addresses, and third-party data collection cookies. If any of this personal information matches users in the ad network's database, then ads can be targeted towards those users, or that information can be used for marketing attribution to determine when a campaign should take credit for a sale.
Some partners or channels, such as Facebook, let you customize the type and amount of data you collect and share.
European customers and GDPR compliance
Under the European Union’s General Data Protection Regulation (GDPR), European customers visiting your online store must give consent before data can be collected. The most common way of collecting data from customers to your online store is using browser cookies. These browser cookies are referred to as non-essential cookies and must be limited in use until consent is given by the customer.
Limit data collection for visitors from Europe
To limit the data collection of European customers visiting your online store, as determined by their IP address, you can choose the level of restrictions for marketing and analytics data collection for customers from the EU, EEA, UK, and Switzerland.
- In your Shopify admin, click Online Store and then click Preferences. Scroll down to the Customer privacy section.
- Choose the level of restrictions for European customers: Collected before consent, Partially collected before consent, or Collected after consent.
Selecting Partially collected before consent or Collected after consent prompts you to install a privacy banner app. To learn more about customer privacy, cookies, and restriction levels, refer to the ePrivacy Directive documentation.
How Shopify limits data collection
How Shopify limits third-party data collection
Because Shopify can’t control if a third-party app or script collects data from a customer, we provide third parties with a consent collection API for them to integrate with. The consent collection API tells the third party if a customer has provided consent for data to be collected.
Review the terms of service and privacy policies of third-party apps and scripts that you’re working with to determine how they are respecting customer consent.
Getting data collection consent
Gathering customer consent lets you collect data from customers in countries and regions that require consent before collecting data. The most common way of gathering this consent is through privacy banners or cookie banners. These banners often appear at the bottom of websites and prompt the user with the option to accept non-essential cookies for analytics and marketing.
If you're looking to implement your own privacy banner, or use a third-party cookie banner, then verify that the banner uses Shopify’s consent collection API for reading and collecting the customer’s consent. Without the consent collection API, Shopify non-essential cookies will continue to be limited, which affects your online store's analytics and marketing performance.
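The gating behaviour described in this section and in "How Shopify limits third-party data collection", sketched as an added example that is not Shopify's code or part of the original page: a third-party script defers its non-essential tags until the consent API reports consent, and treats a missing or failing API as no consent. The method names `userCanBeTracked` and `setTrackingConsent` do not appear on this page and are modelled by a constructed stub as assumptions, so check the current consent collection API reference before relying on them.

```javascript
// Added example: a consent gate a third-party script could place in front of
// its non-essential tags. The API shape is an assumption, injected for testing.

// Constructed stand-in for the storefront consent object (not Shopify code).
function makeStubPrivacyApi(initialConsent) {
  let consent = initialConsent; // undefined means no decision yet
  return {
    userCanBeTracked: () => consent === true,
    setTrackingConsent: (accepted, done) => { consent = accepted; done(); },
  };
}

function createConsentGate(privacyApi) {
  const waiting = []; // loader functions only, never visitor data

  // Fail closed: a missing or throwing API counts as "no consent".
  const allowed = () => {
    try {
      return Boolean(privacyApi && privacyApi.userCanBeTracked());
    } catch (err) {
      return false;
    }
  };

  return {
    // Run `load` now if consent exists, otherwise hold it until consent is given.
    whenAllowed(load) {
      if (allowed()) { load(); return true; }
      waiting.push(load);
      return false;
    },
    // Called by the banner; `done` receives the number of loaders released.
    recordChoice(accepted, done) {
      if (!privacyApi) { done(0); return; }
      privacyApi.setTrackingConsent(accepted, () => {
        const released = accepted && allowed() ? waiting.splice(0) : [];
        if (!accepted) waiting.length = 0; // declined: forget deferred tags
        released.forEach((load) => load());
        done(released.length);
      });
    },
  };
}
```

In a storefront, the banner would pass the real consent object in place of the stub and call `recordChoice` from its accept and decline buttons.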
Third-party sale of California customer data and CCPA compliance
Under the California Consumer Privacy Act (CCPA), customers in California should be able to opt out of the sale of their data. If you don't provide these customers with an option to opt out, then they should be automatically exempt from the sale of their data. Before deciding if this is something you should be doing, you should review the CCPA thresholds and talk to your lawyer to determine if your business is affected by this regulation.
Limit the third-party sale of your California customers’ data
Under the California Consumer Privacy Act (CCPA), customers in California have the right to opt out of the sale of their data. You can limit data collection for customers in California through the Customer privacy section in your Shopify admin, which will prompt you to install the Customer Privacy app for CCPA compliance.
- In your Shopify admin, click Online Store and then click Preferences. Scroll down to the Customer privacy section.
- Limit data collection for customers in California by clicking Activate.
- Click the Install app button to download and install Shopify's Customer Privacy app.
When deciding to share your customers' data with third parties, note that Shopify can't control how the data is used by third parties, and can only inform them how data should be handled. You should review the privacy policies of third-party apps and scripts that you're working with and consult your lawyer.
Shopify never sells your data as the term is defined by the CCPA. For more information, refer to Shopify's position on sale of personal information.