Using cookie consent banners for GDPR compliance

Updated on 2022-10-06

Littledata automatically integrates with many common cookie consent apps to respect customer privacy and comply with data regulations such as the ePrivacy Directive (which is often considered part of GDPR).

Littledata integrates with the top cookie banner apps, including apps using Shopify's Customer Privacy API. The required setup depends on which customer privacy solution your store is using:

  1. Shopify's Customer Privacy Banner app
  2. Another cookie consent Shopify app
  3. OneTrust
  4. TrustArc

How does the ePrivacy Directive (GDPR) affect Google Analytics tracking?

Each time the Google Analytics script loads on your website, it adds a cookie (the _ga cookie) with an identifier to track the user across multiple pages and sessions. Next, it sends that cookie identifier to Google’s servers, along with each page view and event.

This is a first-party cookie, but since GA is not 'strictly necessary' to your website functioning, the user must be allowed to opt in to its usage.

To be compliant, you can’t allow Google Analytics to use that cookie before the user has opted in. The common mistake online stores make is that the cookie banners are showing, but Google Analytics still tracks users before they opt in.

The challenge is to ensure that the landing page, along with its campaign source (UTM tags), is tracked as soon as the user consents, but not before.

If the user never consents and continues to checkout and purchase, Littledata’s server-side tracking will record the sale without any link to the marketing campaign which brought them. In Google Analytics, these non-consenting users will appear in the “Direct” marketing channel (although in a future feature we are planning to clarify that they Opted Out).

In reality, most users do consent for sites to track them, so this feature will limit but not remove all marketing attribution in Google Analytics or other tools.

Littledata offers an easy way to get GDPR cookie compliance right. First let's take a look at how cookie banners work in general.

The ePrivacy Directive requires that, in Europe, a website asks for the user's consent before storing in their browser any cookies that are not strictly necessary for the basic functioning of the website.

The most common way to get informed consent from a user is to show them a cookie banner or popup explaining that your store uses cookies, then allow them to accept or reject being tracked.

To use the example given by Shopify’s own banner app, when a visitor first lands on Kay Nine Supply’s website they’re shown a banner, and any tracking or setting of cookies has to wait.

After the first page of the visit loads, the user has a choice: Ok or No thanks.

Users who click Ok can be immediately tracked (even though the click happens after the page load), and users who click No thanks must not be tracked.

Compatible Shopify apps

Littledata automatically integrates with apps using Shopify's Customer Privacy API, which lets an app share whether and when the user consented to be tracked.

The following apps mention Customer Privacy API in their app store listing, but there may be others:

Limiting tracking in Shopify admin

You must change your store settings so that, for European customers, Littledata waits for the user to grant consent before tracking. Here’s how to set that up:

  1. In your Shopify admin, click Online Store
  2. Click Preferences > Customer privacy
  3. Choose the Collected after consent option (recommended)

The Partial data collection before consent option will also cause Littledata to wait before tracking.

Who will be tracked after this is enabled?

After this tracking limit is enabled, Littledata uses Shopify's Customer Privacy API to decide if the user can be tracked.

Our tracking script waits for the user to grant consent, then whenever that happens — on the first page or later — we send the tracking calls to your chosen data destinations.

The user will be tracked when:

  1. They are not in Europe
  2. They did not previously opt out of tracking
  3. They are in Europe and opted in

If you are using Shopify with Segment, the same principles apply.

Segment's AnalyticsJS library uses localStorage rather than cookies to track the user, but to be compliant with the ePrivacy Directive, users still need to consent before events are sent to Segment.

The analytics object is available when the page loads - so you can enqueue other tracking events to send as soon as the user consents - but no events or page views will be sent from the browser until the user has opted in.

If the user never consents and continues to checkout and purchase, the checkout and Order Purchased events will still track in Segment, but without being linked to a web session and without marketing attribution.
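
The wait-then-send behaviour described above (hold page views and events, including the landing page's UTM tags, until the visitor opts in) is shown here as a small in-memory gate. This is an added example, not Littledata's or Shopify's code: ConsentGate, initialState, campaignFromUrl, the 'opt_in'/'opt_out' values and the shop.example URL are assumptions, and the decision order in initialState is one reading of the "user will be tracked when" list.

```javascript
// Added example; every name below is hypothetical, not Littledata's or Shopify's API.
// Read campaign (UTM) parameters from the landing URL; they stay in memory only.
function campaignFromUrl(href) {
  const utm = {};
  for (const [key, value] of new URL(href).searchParams) {
    if (key.startsWith('utm_')) utm[key] = value;
  }
  return utm;
}

// One reading of the "tracked when" list: a stored opt-out always wins,
// visitors outside Europe are tracked, European visitors need an opt-in.
function initialState({ inEurope, storedChoice }) {
  if (storedChoice === 'opt_out') return 'denied';
  if (!inEurope || storedChoice === 'opt_in') return 'granted';
  return 'pending';
}

class ConsentGate {
  // `send` stands in for delivery to a data destination.
  constructor(send, visitor) {
    this.send = send;
    this.state = initialState(visitor);
    this.queue = []; // in memory only: no cookie or localStorage before consent
  }
  track(name, props = {}) {
    if (this.state === 'granted') this.send({ name, props });
    else if (this.state === 'pending') this.queue.push({ name, props });
    return this.state; // events seen while 'denied' are discarded
  }
  // Wire this to the banner's accept and decline callbacks.
  decide(accepted) {
    this.state = accepted ? 'granted' : 'denied';
    const held = this.queue.splice(0); // the queue is emptied either way
    if (accepted) held.forEach((event) => this.send(event));
    return held.length;
  }
}

// Constructed sample: a European visitor lands from a campaign, then clicks Ok.
function demo() {
  const sent = [];
  const gate = new ConsentGate((e) => sent.push(e), { inEurope: true, storedChoice: null });
  const href = 'https://shop.example/products/leash?utm_source=newsletter&utm_medium=email';
  gate.track('page_view', { path: '/products/leash', ...campaignFromUrl(href) });
  gate.track('add_to_cart', { sku: 'LEASH-1' });
  const beforeConsent = sent.length; // nothing has left the browser yet
  gate.decide(true);
  return { beforeConsent, sent };
}
```

When auditing a live store, the equivalent check is that no analytics request and no _ga cookie appears in the browser's developer tools before the banner is accepted.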

Opting in/out of using the Customer Privacy API

If you want to limit tracking for other apps but capture maximum data into Google Analytics, you can turn off respectUserTrackingConsent in the data pipeline settings.

This setting was turned off for stores installing before 2021, to prevent disruption to the data collection.