
Using cookie consent banners for GDPR compliance

Littledata automatically integrates with the native Shopify cookie banner and most cookie consent apps to respect customer privacy and comply with regulations such as the ePrivacy Directive (GDPR) in Europe.

Littledata uses Shopify's Customer Privacy API to adjust tracking based on customer consent. The required setup depends on which customer privacy solution your store is using:

  1. Shopify's Customer Privacy Banner app
  2. External Shopify Consent apps
  3. OneTrust

Littledata offers an easy way to get GDPR cookie compliance right. First let's take a look at how cookie banners work in general.

The ePrivacy Directive requires that, in Europe, a website asks for the users' consent before storing cookies that are not strictly necessary for the basic functioning of the website.

The most common way to get informed consent from a user is to show them a cookie banner or popup explaining that your store uses cookies, then allow them to accept or reject those cookies.

For example, when a visitor first lands on Kay Nine Supply’s website they’re shown a banner, and any tracking or setting of cookies has to wait.

A customer privacy banner live on a Shopify store

After the first page of the visit loads, the user has a choice: Ok or No thanks.

shopify cookie popup example

  • Users who click Ok can be immediately tracked
  • Users that click No thanks - or do not click - must not be tracked

Compatible Shopify apps

Littledata automatically integrates with apps using Shopify's Customer Privacy API, which lets an app share whether and when the user consented to be tracked. The most popular privacy apps are:

info

Even if your privacy app handles showing the cookie banner, you must also enable Regions in the Shopify Customer Privacy settings. See here

Here’s how to enable the native cookie banner:

  1. In your Shopify admin, click Settings
  2. Click Customer privacy > Cookie banner
  3. Enable the cookie banner on your store.

Customer privacy settings

How customer privacy affects tracking

After a privacy app or the native cookie banner is enabled, Littledata uses Shopify's Customer Privacy API to decide if the user can be tracked.

Our tracking script waits for the user to grant consent, then whenever that happens — on the first page or later — we send the tracking to your chosen data destinations.

The user will be tracked when:

  1. They are not in Europe (or the )
  2. They did not previously opt out of tracking
  3. They are in Europe and opted in

Under Settings > Customer Privacy > Regions and content you can edit the regions and countries where a cookie banner is shown.

Your store may have disabled the cookie banner in all countries, thinking this setting only applies to the native cookie banner, but Littledata uses Regions to know when to wait for consent. If so, under Regions you'll see 'Not visible in any region'.

The quickest way to fix this is to click Use automated settings and then turn off the native cookie banner. This will reset Regions to use the recommended countries. Please check this matches the countries where your privacy app loads the cookie banner.

Adding back Regions to privacy settings

Analytics use vs Marketing use

Some cookie consent banners allow customers to choose if their data is being collected for analytics or for marketing purposes.

Littledata respects this specific choice so:

  • Google Analytics runs if the user consents to analytics tracking
  • Meta, Google Ads, Klaviyo, TikTok, Pinterest tracking runs if the user consents to marketing tracking

How the ePrivacy Directive (GDPR) affects Google Analytics tracking

tip

Read our longer guide on cookies and attribution.

Each time the Google Analytics script loads on your website, it adds a cookie (the _ga cookie) with an identifier to track the user across multiple pages and sessions. Next, it sends that cookie identifier to Google’s servers with each page view and event.

This is a first-party cookie, but since GA is not 'strictly necessary' to your website functioning, the user must be allowed to opt in to its usage.

To be compliant, you can’t allow Google Analytics to set that cookie before the user has opted in. The common mistake online stores make is that the cookie banners are showing, but Google Analytics still tracks users before they opt in.

The challenge is to ensure the landing page, which carries the campaign source (UTM tags), is tracked as soon as the user consents, but not before.

If the user never consents and continues to checkout and purchase, Littledata’s server-side tracking will record the sale without any link to the marketing campaign which brought them. In Google Analytics, these non-consenting users will appear in the “Direct” marketing channel.

In reality, most users consent for sites to track them, so respecting consent with a cookie banner will reduce but not remove all marketing attribution in Google Analytics or other tools.
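The gating described above, sketched as an added example (not Littledata's code): events are held in memory until the visitor's choice arrives, then the landing page view with its UTM tags is released only to destinations whose purpose was granted. The class, the `send` callback and the `consentRequired` flag are hypothetical stand-ins for the tracking script, its transport and the Regions setting.

```javascript
// Added example: destination names follow the article; class and callbacks are hypothetical.
const PURPOSE_BY_DESTINATION = {
  google_analytics: 'analytics', meta: 'marketing', google_ads: 'marketing',
  klaviyo: 'marketing', tiktok: 'marketing', pinterest: 'marketing',
};

class ConsentGatedTracker {
  // consentRequired: the visitor is in a region where the banner is shown.
  // send(destination, event): the only path by which data leaves the page.
  constructor({ consentRequired, send }) {
    this.send = send;
    // Outside consent regions each purpose starts granted; inside, undecided (null).
    const initial = consentRequired ? null : true;
    this.consent = { analytics: initial, marketing: initial };
    this.pending = []; // memory only: no cookie or localStorage write before consent
  }

  track(event) {
    for (const destination of Object.keys(PURPOSE_BY_DESTINATION)) {
      const state = this.consent[PURPOSE_BY_DESTINATION[destination]];
      if (state === true) this.send(destination, event);
      else if (state === null) this.pending.push({ destination, event });
      // state === false: the visitor opted out, so the event is dropped here
    }
  }
  // Called when the banner reports a choice, on the first page or a later one.
  updateConsent(choice) {
    Object.assign(this.consent, choice);
    const held = this.pending;
    this.pending = [];
    for (const { destination, event } of held) {
      const state = this.consent[PURPOSE_BY_DESTINATION[destination]];
      if (state === true) this.send(destination, event);
      else if (state === null) this.pending.push({ destination, event });
    }
  }
}

// Constructed scenario: an EU visitor lands from a campaign, then accepts analytics only.
function demo() {
  const sent = [];
  const send = (destination, event) => sent.push(`${destination}:${event.name}:${event.url}`);
  const tracker = new ConsentGatedTracker({ consentRequired: true, send });
  tracker.track({ name: 'page_view', url: '/?utm_source=newsletter' });
  const sentBeforeConsent = sent.length;
  tracker.updateConsent({ analytics: true, marketing: false });
  tracker.track({ name: 'page_view', url: '/products/leash' });
  return { sentBeforeConsent, sent, pending: tracker.pending.length };
}
```

A useful audit check on a live store is the first assertion this scenario supports: zero outbound tracking requests between page load and the banner click.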

If you are using Shopify with Segment the same principles apply.

Segment's AnalyticsJS library uses localStorage rather than cookies to track the user, but to be compliant with the ePrivacy Directive users still need to consent before events are sent to Segment.

The analytics object is available when the page loads - so you can enqueue other tracking events to send as soon as the user consents - but no events or page views will be sent from the browser until the user has opted in.

If the user never consents and continues to checkout and purchase, the checkout and Order Purchased events will still track in Segment, but without being linked to a web session and without marketing attribution.

Opting out of using the Customer Privacy API

If you want to limit tracking for other apps but capture maximum data into Google Analytics, you can turn off waiting for consent in the data pipeline settings.

This will mean users are tracked in all cases, even in regions where they should consent to cookies first.

Tracking with CPRA / VCDPA / CPA

Regulation in various US states also requires users to be able to opt out of tracking:

  • California Privacy Rights Act (CPRA) - along with California Consumer Privacy Act (CCPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)

These all cover "information that is linked or reasonably linkable to an identified or identifiable individual". The rules apply to any company "conducting business" in the state with information on 100,000 or more consumers.

Businesses affected must give web users the right to opt out of processing their data. Littledata's tracking is also compliant with this obligation when the Shopify Customer Privacy API is used.