Using cookie consent banners for GDPR compliance

Updated on 2024-03-26

Littledata automatically integrates with many common cookie banners and cookie consent apps to respect customer privacy and comply with regulations such as the ePrivacy Directive (GDPR).

Littledata uses Shopify's Customer Privacy API to control tracking based on customer consent. The required setup depends on which customer privacy solution your store is using:

  1. Shopify's Customer Privacy Banner app
  2. Another cookie consent Shopify app
  3. OneTrust
  4. TrustArc

How the ePrivacy Directive (GDPR) affects Google Analytics tracking

Tip: Read our longer guide on cookies and attribution

Each time the Google Analytics script loads on your website, it adds a cookie (the _ga cookie) with an identifier to track the user across multiple pages and sessions. Next, it sends that cookie identifier to Google’s servers with each page view and event.

This is a first-party cookie, but since GA is not 'strictly necessary' to your website functioning, the user must be allowed to opt in to its usage.

To be compliant, you can’t allow Google Analytics to use that cookie before the user has opted in. The common mistake online stores make is that the cookie banners are showing, but Google Analytics still tracks users before they opt in.

The challenge is to ensure the landing page - campaign source (UTM tags) - is tracked as soon as the user consents, but not before.

If the user never consents and continues to checkout and purchase, Littledata’s server-side tracking will record the sale without any link to the marketing campaign which brought them. In Google Analytics, these non-consenting users will appear in the “Direct” marketing channel (although in a future feature we are planning to clarify that they Opted Out).

In reality, most users do consent for sites to track them, so this feature will limit but not remove all marketing attribution in Google Analytics or other tools.

Littledata offers an easy way to get GDPR cookie compliance right. First let's take a look at how cookie banners work in general.

Tracking with CPRA / VCDPA / CPA

Regulation in various US states also requires users to be able to opt out of tracking:

  • California Privacy Rights Act (CPRA) - along with California Consumer Privacy Act (CCPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)

These all cover "information that is linked or reasonably linkable to an identified or identifiable individual". The rules apply to any company "conducting business" in the state with information on 100,000 or more consumers.

Businesses affected must give web users the right to opt out of processing their data. Littledata's tracking is also compliant with this obligation.

Analytics use vs Marketing use

Some cookie consent apps allow customers to choose if their data is being collected for analytics or for marketing purposes.

Littledata respects this specific choice so:

  • Google Analytics runs if the user consents to analytics tracking
  • Meta / Facebook, TikTok and Pinterest tracking runs if the user consents to marketing tracking

The ePrivacy Directive requires that, in Europe, a website asks for the users' consent before storing cookies that are not strictly necessary for the basic functioning of the website in their browser.

The most common way to get informed consent from a user is to show them a cookie banner or popup explaining that your store uses cookies, then allow them to accept or reject being tracked.

To use the example given by Shopify’s own banner app, when a visitor first lands on Kay Nine Supply’s website they’re shown a banner, and any tracking or setting of cookies has to wait.

After the first page of the visit loads, the user has a choice: Ok or No thanks.

Users who click Ok can be immediately tracked (even though the click happens after the page load), and users that click No thanks must not be tracked.

Compatible Shopify apps

Littledata automatically integrates with apps using Shopify's Customer Privacy API, which lets an app share whether and when the user consented to be tracked.

The following apps mention Customer Privacy API in their app store listing, but there may be others:

If you enable the cookie banner, Littledata's client-side tracking will not come into effect until consent is given by the customer.

Here’s how to enable the native cookie banner:

  1. In your Shopify admin, click Settings
  2. Click Customer privacy > Cookie banner
  3. Enable the cookie banner on your store.

How customer privacy affects tracking

After this tracking limit is enabled, Littledata uses Shopify's Customer Privacy API to decide if the user can be tracked.

Our tracking script waits for the user to grant consent, then whenever that happens — on the first page or later — we send the tracking calls to your chosen data destinations.

The user will be tracked when:

  1. They are not in Europe
  2. They did not previously opt out of tracking
  3. They are in Europe and opted in

If you are using Shopify with Segment the same principles apply.

Segment's AnalyticsJS library uses localStorage rather than cookies to track the user, but to be compliant with the ePrivacy Directive users still need to consent before events are sent to Segment.

The analytics object is available when the page loads - so you can enqueue other tracking events to send as soon as the user consents - but no events or page views will be sent from the browser until the user has opted in.

If the user never consents and continues to checkout and purchase, the checkout and Order Purchased events will still track in Segment, but without being linked to a web session and without marketing attribution.
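
The wait-then-send behaviour described above, combined with the analytics/marketing split, sketched as an added example (not Littledata's, Shopify's or Segment's code): a consent gate holds events in memory until the user chooses, then sends or drops them per purpose. All names here (createConsentGate, utmFrom, the destination keys) are hypothetical, and the landing URL is constructed.

```javascript
// Added example: hypothetical names, not Littledata, Shopify or Segment code.
// Consent purpose each destination needs (analytics vs marketing use).
const PURPOSE = { ga: "analytics", meta: "marketing", tiktok: "marketing", pinterest: "marketing" };

// Capture the campaign source (UTM tags) from the landing URL at page load.
function utmFrom(url) {
  const out = {};
  for (const [key, value] of new URL(url).searchParams) {
    if (key.startsWith("utm_")) out[key] = value;
  }
  return out;
}

function createConsentGate(send) {
  const consent = { analytics: null, marketing: null }; // null = undecided
  let pending = []; // memory only: no cookie or localStorage before opt-in
  function route(dest, event) {
    const state = consent[PURPOSE[dest]];
    if (state === true) send(dest, event); // opted in: send now
    else if (state === null) pending.push([dest, event]); // hold for a choice
    // false (opted out) or unknown destination: drop, fail closed
  }

  return {
    track(event, destinations) {
      destinations.forEach((dest) => route(dest, event));
    },
    // Called when the banner reports a choice; a partial update is allowed.
    setConsent(update) {
      Object.assign(consent, update);
      const held = pending;
      pending = [];
      held.forEach(([dest, event]) => route(dest, event)); // flush or drop
    },
    pendingCount: () => pending.length,
  };
}

// Constructed demo: the landing hit is held, then released per purpose.
function demo() {
  const sent = [];
  const gate = createConsentGate((dest, event) => sent.push([dest, event]));
  const landing = "https://shop.example/?utm_source=newsletter&utm_medium=email";
  gate.track({ name: "page_view", utm: utmFrom(landing) }, ["ga", "meta"]);
  const sentBeforeConsent = sent.length;
  gate.setConsent({ analytics: true, marketing: false });
  gate.track({ name: "add_to_cart" }, ["ga", "meta"]);
  return { sentBeforeConsent, sent, pending: gate.pendingCount() };
}
```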

Opting in/out of using the Customer Privacy API

If you want to limit tracking for other apps but capture maximum data into Google Analytics, you can turn off respectUserTrackingConsent in the data pipeline settings.

This setting was turned off for stores installing before 2021, to prevent disruption to the data collection.