Published July 16, 2021.
There are no two ways about it: cookies are the past, the present and the future of online data privacy. The first thing we are faced with when visiting a website is the cookie banner, telling us that cookies are in use. Some people hardly notice it any longer, and some might find themselves wondering why we need to accept cookies all the time. The reason is actually quite simple.
In this blogpost, we break down Shopify cookies, why consent management matters on your web shop, how you can become compliant and what you should look out for. We use the EU’s GDPR requirements as the foundation of the blogpost, but it is important to note that cookie consent management is a requirement in a lot of other data privacy laws.
We focus on Shopify cookies; however, consent is important whether you use Shopify or other templates for your online web shop.
By looking at this from both the shop-owners’ and an overall perspective, the blogpost aims to provide you with knowledge about how your online shop can become more compliant with the regulations in force, while enabling you to understand both the advantages and pitfalls of cookies.
What is Shopify?
Shopify is subscription-based software that allows anyone to set up an online store and sell their products. Shopify is not a singular product like a store builder or a tool, but should rather be seen as a customizable commerce platform. To use Shopify’s own words, Shopify is built to be versatile and to grow with you.
The reason why many businesses use a commerce platform like Shopify is to be able to showcase products, ship products, manage their day-to-day finances, get paid and engage with customers. A commerce platform like Shopify groups these different technologies together and creates a base for the business upon which other applications or features can be added or developed.
Shopify sets cookies on customers’ devices when they visit one of its merchants’ shops. These could be cookies that keep a separate cart for a certain order, or tracking cookies that help with analytics and reporting.
If cookies are not enabled or allowed this can have an effect on the function of the online shops, while also affecting the overall browsing experience of the customers. This means that cookies are enabled to give the shop-owner the best possible web-shop when it comes to functionality while providing the customers with an optimal experience.
What are Shopify Cookies – and how do they work?
Essentially a cookie is a small piece of information that is downloaded to your electronic device whenever you engage with a website. The data stored in a cookie is created by the server when you connect to it. The data is then labeled with an ID that is unique to each individual and their computer or other electronic devices.
The cookie is then exchanged between the user’s computer and the network’s server. In this process, the server reads the ID and subsequently knows what information it needs to give you specifically.
Cookies help users by simplifying their browsing experience. They do this by allowing websites to remember the users’ actions and preferences, such as their region, their login or contact information. This saves the user time, because they don’t have to re-enter the information every single time they return to a website.
On the other hand, cookies also give websites information on how users interact with them. This includes whether it is a user’s first visit, whether they are a recurrent visitor and which parts of the website they have been looking at.
As the owner of a web shop, these are the things you can track about your users. They are also the reason why you need Cookiebot CMP. It will simplify your work, making it easier for you to obtain consent from your users and keep track of your cookies in a compliant way.
Different types of Shopify cookies
Shopify use several different cookies, including performance, advertising, social media, content and strictly necessary cookies.
The most common Shopify cookies are the following:
User-input cookies: These are used for the duration of a session with the purpose of keeping track of the user’s input when filling in forms that span over several pages;
Functional cookies: These are used to remember the choices the users have made or information they have provided, e.g. language, region and username. These cookies come in many different forms and shapes, including:
- Security cookies, used to detect authentication abuses for a limited persistent duration. They are created with the purpose of increasing the security of the webpage and they detect issues such as repeatedly failed login attempts
- Authentication cookies, used for the duration of a session with the purpose of allowing the users to authenticate themselves on subsequent visits. They can also be persistent, if the user agrees to the explicit Shopify cookie consent form called “remember me”. They can also help the user gain access to authorized content across pages
- Multimedia content player session cookies (flash cookies), used only for the duration of a session in order to store the essential data to play audio or video content. The cookie helps improve indicators like buffering parameters, network link speed and image quality
- User interface customization persistent cookies, used to store the users’ preference when it comes to services across different webpages
- Load-balancing session cookies, used to identify the same server in the pool. This needs to be done in order for the load balancer to redirect the users’ requests to the appropriate destinations. These are used for the duration of a session as well.
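The session-versus-persistent distinction in the list above shows up in the Set-Cookie header a server sends: a cookie with no Max-Age or Expires attribute lasts only for the browser session. The following added example (not Shopify's or Cookiebot's code; the header values and cookie names are constructed) classifies cookies that way.

```javascript
// Constructed sample Set-Cookie header values; the cookie names are made up
// for this example and are not real Shopify cookie names.
const SAMPLE_HEADERS = [
  "cart_id=abc123; Path=/",
  "remember_me=tok789; Max-Age=2592000; Path=/",
  "lang=en; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
  "promo=x; Max-Age=0; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
];

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify lifetime relative to `now` (milliseconds since the epoch).
// Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie.
function classifyLifetime(cookie, now) {
  const { attrs } = cookie;
  let expiresAt = null;
  if (/^-?\d+$/.test(String(attrs["max-age"]))) {
    expiresAt = now + Number(attrs["max-age"]) * 1000;
  } else if (typeof attrs.expires === "string" && !Number.isNaN(Date.parse(attrs.expires))) {
    expiresAt = Date.parse(attrs.expires);
  }
  if (expiresAt === null) return { kind: "session", days: null };
  if (expiresAt <= now) return { kind: "deleted", days: 0 };
  return { kind: "persistent", days: Math.round((expiresAt - now) / 86400000) };
}

// Produce one report row per Set-Cookie header.
function auditCookies(headers, now) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, ...classifyLifetime(c, now) };
  });
}

// Fixed reference time so the report is reproducible.
const NOW = Date.parse("2021-07-16T00:00:00Z");
console.table(auditCookies(SAMPLE_HEADERS, NOW));
```

A persistent cookie's lifetime in days is the "duration" a cookie declaration has to state, so a report like this is a useful cross-check against what the banner tells users.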
Shopify also use different types of cookies when it comes to user experience. These are called performance cookies and only gather information for statistical purposes, since they can’t identify the individual user. These include:
- First party analytics cookies
- Third party analytics cookies
First-party analytics cookies are used for several different purposes, for example to improve Shopify’s and its merchants’ websites, to detect search patterns that lead to webpages and to estimate the number of unique visitors a website gets. The cookies are used to learn about the webpages and make relevant improvements to the users’ browsing experience. These cookies are not used for online marketing purposes.
Third-party analytics cookies are used to measure how users interact with the website content. The measurement is performed by Google Analytics and other third-party analytics providers. These could include TikTok, Snapchat and LinkedIn Insight Tag. They work by remembering what the users have been doing on the previous pages, including how they interacted with the website.
Additionally, Shopify use advertising cookies and cookies for social media plugins. The latter could include the “Like” button on Facebook and other tools created with the purpose of improving the content on a website. These are called Social and Content cookies.
Advertising cookies, on the other hand, are probably the ones you are most familiar with, as you engage with them all the time. They are used to tailor marketing on a personal level by remembering what, when and how you visited a page and potentially share the information with third parties like advertisers.
Shopify have stated that, without these cookies, the users would still receive advertisements, but they would seem less relevant or interesting.
Did you know that a website on average has 20 cookies in use?
Cookie consent on your online web shop – Why is it important?
As mentioned in the introduction, we are all familiar with the cookie banners and most of us just accept the terms without questioning what we agree to. But why do we need such a banner in the first place?
The answer is quite straightforward: the banner is a legal requirement that every single company now has to meet. With the introduction of the GDPR in May 2018, it was stated that companies were obliged to obtain consent from the users before being allowed to use their data for marketing purposes.
In simpler terms, this means that without consent you are not allowed to use such data for campaigns or retargeting, which could, ultimately, result in a loss in your ad revenue. Many online shops need the data about their customers in order to make a profit, so it can be quite critical if you don’t obtain a GDPR compliant consent.
While GDPR compliance may be the legal reason you need consent, there are also other motivations. When doing business online, you engage in an information swap that requires trust. For this reason, ethics play a huge role as well, even though it is not formally stated anywhere.
If you want your customers to trust your business, you should clearly state what you intend to do with their data. E-commerce has grown rapidly in the last 10 years and some of the practices associated with web marketing, such as cookies, have raised concerns from internet users. The matter of concern is that information is used specifically for marketing purposes and often sold to third parties. Basically, we often don’t even know what data of ours is stored, and what it is being used for.
Consent management on your web shop
You might wonder how your web shop can become compliant, and that is where a consent management platform like Cookiebot CMP enters the room. Cookiebot CMP provides legally valid consent management, fulfilling all the main legal requirements. This includes obtaining the consent properly, managing the consent and documenting the consent in an audit-proof manner.
Below we have outlined some of the criteria you need to follow to be GDPR-compliant. The consent needs to be:
- Voluntary. This means it requires an ‘accept’ and a ‘decline’ button. This allows consent to be voluntary and provides the user with genuine freedom of choice before making a decision
- Informed. This means the user must know what they are giving consent to. This includes who they are giving consent to, what they are giving consent to, why they are giving consent and for how long the consent is valid. By doing so, the data subject will be aware of all details surrounding the data processing and could then give an ‘informed consent’
- Explicit. This means the user has to actively give consent to the tracking/gathering of information
- Documented. This means there is proof of consent in case of an audit
- In advance. This means that data processing of any kind is not acceptable before consent has been obtained
- Granular. This means users need to consent to every single data processing service. The individual ‘grains’ are the pieces that combined serve as a full consent
- Revocable. This means that, if the user wants to revoke their consent at any time and without any kind of justification, they have the right to do so. The process of revoking consent also needs to be as simple as giving it was in the first place.
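As an added illustration, not Cookiebot CMP's or Shopify's implementation, the example below shows how the in-advance, granular, revocable and documented criteria can translate into code that decides which cookies may be set. The ConsentLedger class, the simplified category names and the cookie names are hypothetical.

```javascript
// Simplified cookie categories; only strictly necessary cookies bypass consent.
const CATEGORIES = ["necessary", "functional", "performance", "advertising"];

class ConsentLedger {
  constructor() {
    this.log = [];            // append-only record: the "documented" criterion
    this.current = new Map(); // visitorId -> Set of consented categories
  }

  // Record an explicit choice; every optional category must be answered
  // individually with true or false ("explicit" and "granular").
  record(visitorId, choices, at) {
    const granted = new Set(["necessary"]);
    for (const cat of CATEGORIES.slice(1)) {
      if (typeof choices[cat] !== "boolean") {
        throw new Error(`missing explicit choice for "${cat}"`);
      }
      if (choices[cat]) granted.add(cat);
    }
    this.current.set(visitorId, granted);
    this.log.push({ visitorId, granted: [...granted], at });
    return granted;
  }

  // Revoking is a single call and needs no justification ("revocable").
  revoke(visitorId, at) {
    this.current.set(visitorId, new Set(["necessary"]));
    this.log.push({ visitorId, granted: ["necessary"], at, revoked: true });
  }

  // Before any choice is recorded, only "necessary" is allowed ("in advance").
  allowed(visitorId) {
    return this.current.get(visitorId) || new Set(["necessary"]);
  }
}

// Split the cookies a page wants to set into those allowed now and those
// held back. A cookie with an unknown category is blocked by default.
function gateCookies(ledger, visitorId, cookies) {
  const ok = ledger.allowed(visitorId);
  const result = { set: [], blocked: [] };
  for (const c of cookies) {
    (ok.has(c.category) ? result.set : result.blocked).push(c.name);
  }
  return result;
}

// Constructed cookie list; the names are hypothetical.
const WANTED = [
  { name: "cart_id", category: "necessary" },
  { name: "lang", category: "functional" },
  { name: "visit_stats", category: "performance" },
  { name: "ad_profile", category: "advertising" },
];
```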
The origin of cookies
Many probably believe cookies are a relatively new phenomenon. However, that is not the case. Cookies actually originated in the 1990s and were part of the internet’s breakthrough. Even though they did not look like the ones we know and use today, they played an important part in the evolution of data privacy.
- Cookies were originally developed by Lou Montulli in 1994. He also developed one of the earliest web browsers in 1991 as well as Netscape in 1994. Besides cookies, he was also responsible for a number of other web innovations, such as server push, client pull, HTTP proxying and the blink tag.
- According to Lou Montulli, cookies are named after a computer science term called “magic cookie”. A “magic cookie” was described as something passed between routines or programs that enables the receiver to perform some operation; something like a capability ticket or opaque identifier.
- Montulli wanted to do the same in the Netscape browser. At first, cookies were used to verify whether users had visited the Netscape website before, while at the same time enabling websites to remember their preferences.
- Cookies also worked as a convenient solution when it came to virtual shopping carts. They enabled e-commerce websites to remember the items you were shopping for the last time you visited their website.
- It wasn’t until 1996 that the public was made aware of cookies, when the media started reporting on the potential threat to privacy they posed. The concerns focused on the fact that the tracking was being done without the knowledge or consent of the users.
- The fuss that started in 1996 led to the U.S. Department of Energy Computer Incident Advisory Capability releasing an information bulletin in 1998. The bulletin assessed that cookies essentially did not break privacy, because they only told web servers whether you had visited a site before, and none of the information could identify you as a person. In short, they believed that information about your online habits was already accessible, and cookies just made it easier to collect the information.
Did you know that cookies have been around longer than camera phones and USB flash drives?
Shopify cookies compliance with Cookiebot CMP
Cookiebot Consent Management Platform (CMP) is our world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website. This guarantees you that your website complies with all the main data privacy laws around the world. This includes for example the EU’s GDPR, UK’s GDPR, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA and California’s CCPA.
At this point you might wonder: what is Cookiebot CMP exactly? Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the entire cookie tracking procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users. Finally, it helps you safely store the consents and renew them on a regular basis. The consent banner could look like the one pictured below.
We believe that the protection of privacy must be an integrated part of each individual website and, by offering you a simple and yet comprehensive overview of every single cookie on your website, Cookiebot CMP qualifies your website to meet the requirements necessary for GDPR, and to comply with many other regulations.
If you have an online shop where you use Shopify cookies, Cookiebot CMP is the optimal solution. You are not only making the job of collecting data in a safe and legal way much easier, but you also give your users all the information they need to be able to trust your website completely. This information includes the purpose of each Shopify cookie, its duration and where it comes from.
Cookiebot CMP provides you with three fully automatic functions that are very simple to implement on your website: cookie consent, cookie monitoring and cookie control. You can for example customize your consent banners in a way that matches your website’s layout. One of the advantages of this is that it can be shaped to fit the compliance requirements of almost any major privacy law in the world.
Shopify cookies compliance with GDPR
The European Union’s General Data Protection Regulation, commonly known as GDPR, has been in effect since May 2018. One of the main purposes of the GDPR was to impose responsibilities and obligations on data processors and data controllers.
In this blogpost we look at GDPR compliance from the “online merchant’s” perspective, where your role is the controller of your customers’ data. To put it in simple terms, this means that you collect data from your customers and decide how you want to handle this data.
Since this blogpost focuses on GDPR, which is a European regulation, you might think that it does not apply to you if your business is not located in Europe. However, that is not necessarily the case, since it applies to every business that makes goods and services available in the EU or that has users from the EU.
Another thing you might consider is Shopify’s role when it comes to handling your customers’ data. As the processor of your customers’ data, Shopify has to be authorized by the controller to process personal data. This is important in order to comply with the GDPR.
In reality this means that, when Shopify function as a processor for a merchant, they process personal data on the basis of clear and documented instructions from the merchant. An example of this is when a merchant installs an application through the Shopify app: by doing so, they instruct Shopify to transmit data to the relevant party.
While it is clear that Shopify needs to comply with the GDPR, it is important to note that, as an online merchant, you have the same responsibility. Both parties process data and, by doing so, you will need to comply with the GDPR rules.
Did you know that cookies have been around since 1994?
What is a consent management platform (CMP)?
A CMP helps you provide transparency and control over all the cookies and similar tracking on your website. This guarantees you that your website complies with all the main data privacy laws around the world, including for example the EU’s GDPR.
What are Shopify cookies?
A cookie is a small piece of information that is downloaded to your electronic device whenever you engage with a website. There are a lot of different types of cookies depending on what type of information they process, and Shopify use a number of these, including user-input cookies, security cookies, authentication cookies and advertising cookies.
How do Shopify cookies work?
The data stored in a cookie is created by the server when you connect to it. The data is then labeled with an ID that is unique to the individual and their computer or other electronic devices.
The cookie is then exchanged between the user’s computer and the network’s server. In this process, the server reads the ID and then knows what information it needs to serve you specifically.
How can my website be in compliance with GDPR?
By using a CMP, you help provide transparency and control over all the cookies and tracking on your website. By doing so, you can make sure that your website complies with all the main data privacy laws around the world, including the GDPR.
How can I scan my website for cookies and trackers?
By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.