A new set of privacy rules have transformed companies' online relationships with European clients. General Data Protection Regulation (GDPR) is here to stay, and whether you currently trade in Europe or plan to in the future, you need to make sure your website cookie usage complies with it. Fail, and your company could face some very big fines.

How big, you ask? The penalties for getting GDPR compliance wrong are huge: the greater of €20M or 4% of your company's annual revenue. In one case, Vodafone Spain received €8M in fines in 2020 for violations relating to improper marketing data usage.

The good news is that Littledata has you covered; GDPR compliance is as easy as installing our app.

We'll show you exactly how Littledata helps you comply with GDPR and protects you from a major financial headache. But first, let's dive into the details of GDPR for ecommerce sites: how it works, what good and bad compliance look like, and how to check that your store is GDPR compliant.

How does GDPR govern cookie usage?

The European Union ePrivacy Directive (2009), together with GDPR (2018), make it compulsory to ask European internet users for informed consent before using cookies to store their personal data.

In other words, a user needs to opt-in by clicking on a cookie banner or popup before a website can track their activity with analytics tools.

This also gives the user the right to opt-out of their previous consent for cookie usage, and stop any tracking (known as revocable consent).

How does GDPR cookie consent affect Google Analytics tracking?

Each time a user triggers the Google Analytics script to load on your website, it adds a cookie (the _ga cookie) with an identifier to track the user across multiple pages and sessions. Next, it sends that cookie identifier to Google's servers, along with each page view and event.

To be compliant with GDPR, you can't allow Google Analytics to add that cookie before the user has opted in. The problem here is that many online stores track users on Google Analytics before they consent to cookie usage. If they didn't, they could lose valuable marketing attribution by not tracking the user after they opt in.

Littledata now has an easy way to get this right.

How cookie banner consent should work

Right now, the most common way to get informed consent from a user is to show them a cookie banner or popup explaining that your store uses cookies, then allow them to accept or reject being tracked. See this webinar for more discussion on the legality of different wording and displays you can use.

Shopify's app store lists many such cookie banner apps, but just having the Accept Cookies button is not enough. Remember, you need to make sure that you do not track users before they opt in.

To use the example given by Shopify's own banner app, when a visitor first lands on Kay Nine Supply's website they're shown a banner, and any tracking or setting of cookies has to wait.

A customer privacy banner live on a Shopify store

After the first page of the visit loads, the user has a choice: OK or No thanks.

shopify cookie popup example

Users who click OK can be immediately tracked (even though it happens after the page load), and users that click No thanks must not be tracked.

How Shopify's Customer Privacy API helps with cookie consent

Shopify recognized stores had a problem trying to integrate with these myriad cookie consent apps. So, they created a Customer Privacy API where apps can share whether and when the user consented to be tracked.

If you want to integrate Littledata's tracking with your cookie consent app, you need to make sure it's using this Customer Privacy API. That way when the user clicks to consent or not, their choice is shared first with Shopify, then with Littledata's tracking script.

You will also need to change your store settings so that your store waits for the user to grant consent before tracking. Here's how to set that up:

  1. In your Shopify admin, click Online Store.
  2. Click Preferences > Customer privacy.
  3. Click Limit tracking for customers in Europe.

Settings GDPR in Shopify admin

How to configure Littledata to use the Customer Privacy API

If you're already a Littledata customer, you can change to respectUserTrackingConsent in the LittledataLayer settings. We don't enable this by default due to the changes below.

Our tracking script waits for the user to grant consent, then whenever that happens — on the first page or later — we send the tracking calls to either Google Analytics or Segment.

The downside of GDPR cookie compliance for marketing attribution

Complying with GDPR does come at a cost to marketing attribution, which is why Shopify and Littledata let you opt into this feature.

For example, if your landing page contains UTM parameters in the link to track a campaign, and the user does not consent to tracking, then you will lose the source of the user's visit.

If the user continues to checkout and purchase, Littledata's server-side tracking will record the sale without any link to the marketing campaign which brought them. In Google Analytics, these non-consenting users will appear in the "Direct" marketing channel (although in a future feature we are planning to clarify that they Opted Out).

In reality, most users do consent for sites to track them, so this feature will limit but not remove all marketing attribution in Google Analytics or other tools.

What more can your store do to comply with GDPR?

Many of the cookie banners I've seen lack an option for the user to revoke consent or adjust their preference after the first page.

I don't believe this has been tested in court, but some stores may want to go further and use a tool such as OneTrust PreferenceChoice to give users finer control over which cookies they want to allow and when.

Littledata also integrates with OneTrust, making use of Shopify's Customer Privacy API. So, when the user consents to 'Cookies for performance' (category 2), we will start tracking on Google Analytics and stop when the user revokes consent. This requires the addition of another script.

Here's an example of OneTrust setup with Age UK.

Age UK cookie popup

When the user clicks "Accept all Cookies" Littledata's tracking starts.

Age UK cookie settings

Then, if the user opts out of "Cookies for performance," the tracking stops.

How does cookie consent relate to CCPA compliance?

The California Consumer Protection Act (CCPA) does not require you to get cookie consent prior to tracking.

CCPA does require stores to disclose what data they collect through cookies and what they do with the data (i.e. in your cookie policy) so users can opt out of their data being sold. Since there is no way you can sell personal data from Google Analytics, CCPA doesn't apply here.

How can you check if your store is GDPR compliant?

You'll need to be familiar with Chrome's developer tools to run these checks.

Firstly, open your store landing page in an incognito window to make sure no cookies were previously stored.

Next, leave the cookie banner or popup open and check that there is no _ga cookie...

google analytics cookie check

...and that there is no network request to Google Analytics by searching for collect URL that Google uses:

google analytics cookie collection check

Then click to "accept cookies," but stay on the same page. You should now see:

1. The _ga cookie is present

2. A network request is sent to Google Analytics

Didn't pass all these checks? Then you'll need Littledata's help to avoid those GDPR fines.