When the GDPR regulation comes into effect later this month, it will impact all websites trading with EU citizens. That means any ecommerce site with customers in Europe! Is your Shopify store ready to comply?
In addition to automatic fixes to help your store comply, we include recommendations for how to update your site content (such as Terms and Conditions), and how to deal with the new ‘two year rule’. If you’re running a Shopify store, the time to act is now.
Automatic fixes with our Shopify app
The first two steps are done automatically when you install our GDPR-ready Shopify app. If you’re already using Littledata’s Shopify app, these two fixes can be applied when you upgrade to our latest tracking script (version 3.2).
Here’s what they address.
1. Anonymise customer IP addresses
The IP address of your website visitor is considered personal information under GDPR, and to remove any risk that this is sent to Google’s servers in the USA, our script scrambles the last few digits of the IP address. Google already promises not to store the IP address, so this step is an extra level of safety. This slightly reduces the accuracy of tracking which city your visitor came from — but we believe that this is a small price to pay for ensuring anonymity.
2. Filter personal emails and ZIP/postcodes from pageviews
Many sites accidentally send personal data in the page URLs or titles tracked by Google Analytics. For example, apps with their own checkout often send the user email as a URL parameter like ‘/firstname.lastname@example.org’. Our script now filters that personal data out at source, so the page path you’ll see in Google Analytics is ‘/url?email=REMOVED’.
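As an added illustration of steps 1 and 2 (this is example code, not Littledata's tracking script), the function below scrubs email addresses from a page path and redacts ZIP/postcode query parameters before the path is sent as a pageview; the parameter names it treats as postcodes and the sample paths are assumptions.

```javascript
// Added example, not Littledata's own script: strip personal data from a page
// path before it is recorded as a Google Analytics pageview. Email addresses are
// redacted anywhere (path or query); ZIP/postcodes only in query parameters whose
// name suggests an address (an assumed list), so product IDs and order numbers
// that merely look like 5-digit codes are left alone.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/g;
const POSTCODE_KEY_RE = /^(zip|zipcode|postcode|postal_code|postalcode)$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // bad %-escape: keep raw
}

function sanitizePagePath(path) {
  const qIndex = path.indexOf('?');
  const base = qIndex === -1 ? path : path.slice(0, qIndex);
  const query = qIndex === -1 ? '' : path.slice(qIndex + 1);

  // Path segments: decode first so an encoded '@' (%40) is caught, then redact.
  const cleanBase = base.split('/').map(seg =>
    safeDecode(seg).replace(EMAIL_RE, 'REMOVED')).join('/');
  if (!query) return cleanBase;

  // Query string: redact address-like parameters wholesale, emails in any value.
  const cleanQuery = query.split('&').map(pair => {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : safeDecode(pair.slice(eq + 1));
    if (POSTCODE_KEY_RE.test(key) && value !== '') return key + '=REMOVED';
    const scrubbed = value.replace(EMAIL_RE, 'REMOVED');
    return eq === -1 ? key : key + '=' + scrubbed;
  }).join('&');
  return cleanBase + '?' + cleanQuery;
}

// In the browser with analytics.js loaded, send the scrubbed path and, for
// step 1, ask Google to anonymise the visitor IP (anonymizeIp is a real
// analytics.js field; the call is commented out so this file runs stand-alone):
// ga('set', 'anonymizeIp', true);
// ga('send', 'pageview', sanitizePagePath(location.pathname + location.search));
```

The redacted value is what lands in the Google Analytics page path, so '/url?email=firstname.lastname%40example.org' is reported as '/url?email=REMOVED', as described above.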
Additional manual steps
There are two additional manual steps to ensure that Google Analytics for your Shopify store is GDPR-compliant.
3. Update your terms and conditions
You need to update your website T&Cs to ensure users are aware of the Google Analytics Advertising Features that our Shopify app activates and that Google uses to infer user demographics, such as gender and interests.
We are not lawyers, but we suggest using something similar to these sentences to describe what data is collected, how you (and we) use the data, and how users can opt out:
Our site uses Google Analytics Advertising Features to deduce your gender, age group and interests based on other types of websites you have visited. We use this in aggregate to understand which demographics engage with areas of our website. You can opt out with Google’s browser add-on.
4. Remove user-specific information after 2 years
You should also change the data retention period for your Google Analytics web property, so that Google removes all user-specific information from their database after 2 years.
To make this change, log in to your GA account, go to the Settings cog, and then Property > Tracking info > Data Retention.
Use the ‘data retention’ drop-down menu to keep user data for 26 months, and set ‘reset on new activity’ to ON. This means that after 26 months, if the user has not come back to your website, any user cookie will be deleted. We think this is a sensible way to comply with the Right to Erasure without placing any practical limits on your analysis.
Right to Erasure feature coming soon!
We’re also working on a feature to help websites comply with the Right to Erasure, also called the Right to be Forgotten. Here’s how that aspect of the regulation is described in the summary of key changes at EUGDPR.org.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject’s withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
Littledata’s Right to Erasure feature will ensure that when you delete a customer from your Shopify admin interface, any references to that customer are deleted from Google Analytics. This won’t affect aggregate reporting, such as number of web sessions or transactions.
When do GDPR regulations take effect?
The official enforcement date for the General Data Protection Regulation (GDPR) is 25 May 2018. From that date, any organisation that is not compliant may face heavy fines.
In short, we recommend implementing the fixes above ASAP for your Shopify store. All you need is a Google Analytics account and our Shopify app.
And do check our blog regularly for updates. This is the best place to hear about new Littledata features relating to GDPR, as well as news and analysis about how the regulations affect different types of online businesses, including ecommerce websites, subscription businesses, and membership-based sites such as large charities and nonprofits.
Looking for additional support? Contact us about GDPR consulting for analytics setup.