Disclaimer: This article is not legal advice and, per the terms and conditions of purchase, Out of the Sandbox cannot guarantee compliance with GDPR. Examples and suggestions provided are for demonstration purposes only and not guaranteed to be compliant. For detailed information about compliance issues for your business, consult a licensed attorney.
The European Union's new General Data Protection Regulation, or GDPR, became effective May 25, 2018.
All of the information Out of the Sandbox has about GDPR is listed on this page. We are unable to provide specific or additional advice on GDPR compliance.
Out of the Sandbox themes mainly control the design of your store and as such are not directly involved in collecting, processing or storing personally identifiable information, which is handled by Shopify servers or third party app developers.
Because of this, there are select aspects of themes that might be affected by GDPR, which are outlined below.
- For complete details about Shopify's GDPR compliance, click here.
- For details about server configurations, which are controlled by Shopify, click here.
- For third party apps, contact the individual app developer.
- To add a cookie notice and consent feature, you will need a third party app.
- Out of the Sandbox also has a blog post about GDPR here.
Forms
While Out of the Sandbox theme code does not directly process or store personal information submitted via the forms included in themes (this is handled by Shopify's servers), you may want to review the header and description text around each form to ensure that it clearly outlines the purpose of each form and discloses that personal information is collected, stored and used for marketing purposes.
This includes all of these forms:
- Contact forms
- Back in stock forms
- Email newsletter sign up forms
- Account creation
- Password request
To change the text that appears near your forms, you can edit your theme language file or edit the page text where the form appears.
Consent checkbox
At this time, Out of the Sandbox themes do not include a "consent" checkbox on any forms and Shopify has not required this to be added as part of its own GDPR compliance efforts.
Specifically, here are Shopify's official statements on consent checkboxes:
"In regard to adding additional checkboxes to the newsletter sign-up form or to the cart page, specifically, the checkbox function is unable to gather or store the information that is required under the GDPR, so it would not provide any meaningful benefit to add it to your site. This means that adding the checkbox remains an unsupported customization under the Shopify design policy.
Instead, merchants may want to consider including this consent notice in the header and description text of forms. It is also worth considering if the language you use clearly states that personal information is collected and used for marketing and other requirements of GDPR.
If you want to move forward with adding a consent checkbox, this is a third party customization and you would need to work with a developer.
Please note that simply adding a checkbox to any form does not make you automatically GDPR compliant. There are other areas of your business or theme that may need to be modified in order to be compliant with GDPR.
Newsletter signup form
As mentioned in Shopify's official statement, there are technical limitations to recording user consent with newsletter sign up forms. Consent checkboxes are not required by Shopify but can be added as a customization.
Instead, as outlined above, merchants should edit the text and heading around newsletter signup forms to make clear that email addresses and, if applicable, names entered in this form will be used for marketing purposes.
Additional form disclaimer
The newer versions of Out of the Sandbox Shopify themes include a rich text field in the newsletter section that can contain links to your privacy policy and additional text informing your users of what happens to their personal data.
Another option is to use your email provider's form builder to create an embedded form that has a required checkbox. For details on this advanced integration, click here. However, please keep in mind that adding an additional required field could affect your newsletter sign-up rates.
However, please note that having or using this field will not automatically make your forms GDPR compliant. You will still need to consider the wording of each field and how the data is handled.
Double opt-in
Many email providers are also recommending that store owners enable "double opt-in." For more information about GDPR and email marketing, please consult your email marketing provider's documentation (MailChimp's information can be found here).
Contact and back in stock forms
When a customer submits a contact form or back in stock request form, no contact record is created in Shopify. Because of this, these contacts should not be added to any email marketing lists; adding their email addresses to a list by some other means would be against best practices.
How you reply to these requests may be subject to additional GDPR regulations, but this can vary depending on how you process these requests and if you're using third party apps, so this is something you'll need to analyze and make a decision on yourself.
Again, you may want to review your language file to ensure that any text used above or near these forms clearly indicates that the user will receive an email response from you.
Due to technical limitations of recording consent, Out of the Sandbox has no plans to add checkboxes to contact or back in stock forms unless required by Shopify.
Account creation form
By default, any accounts created via the default account creation form have the "accepts_marketing" value set to false unless you are using Turbo and the customer checks the appropriate box.
Checkout consent field
Please note that, during the checkout process, you have the option to display an option for a user to opt in to receiving promotional material from you under Settings > Checkout > Order processing.
Store owners should consider whether hiding, disabling or automatically selecting this option is GDPR compliant and whether the "By default, customer doesn't agree to receive promotional emails" setting should be used instead (here's how to change it).
Cookies
In Turbo, the "recently viewed items" feature uses a cookie (called "recentlyViewed") to store and remember a user's product browsing history. This cookie expires, by default, after 30 days but this time may be extended if a user returns to the site.
In all Out of the Sandbox themes, a cookie is also used, if enabled, to store information about when a user last visited a site to determine when to display popup windows ("popup"). This cookie expires after a set number of days, as defined by the store owner.
Select Out of the Sandbox themes also use a cookie to determine if a user has closed the promotion bar or not ("promo_banner"). This cookie expires, by default, after 30 days but this time may be extended if a user returns to the site.
By default, these cookies are not associated with any personally identifiable information and do not contain a unique identifier, though third party tracking or other apps may add this functionality. Contact your app developers for further details on GDPR compliance.
All of these cookies may also be deleted by the user at any time. In addition, as store owner, you can disable the features associated with these cookies at any time.
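To make the cookie behaviour described above concrete, here is an added illustration (not Out of the Sandbox theme code) of a "recently viewed" cookie of that kind: a list of product handles with no user identifier, and a 30-day expiry that is extended each time the user returns. The cookie name recentlyViewed and the 30-day default come from this page; the value format (comma-separated handles), the cap of ten items, the handle syntax and the Set-Cookie attributes are assumptions for the example.

```javascript
// Added illustration of a "recently viewed" cookie of the kind described above.
// Not Out of the Sandbox theme code; the value format (comma-separated product
// handles, newest first, capped at MAX_ITEMS) is an assumption for this example.
const COOKIE_NAME = 'recentlyViewed';
const TTL_DAYS = 30;   // default expiry stated on the page
const MAX_ITEMS = 10;  // assumed cap on stored handles

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Return the updated list of handles: newest first, deduplicated, capped.
function updateRecentlyViewed(currentValue, handle) {
  const existing = currentValue ? currentValue.split(',').filter(Boolean) : [];
  return [handle, ...existing.filter((h) => h !== handle)].slice(0, MAX_ITEMS);
}

// Build the Set-Cookie value. Rewriting the cookie on every visit with a fresh
// Expires date is what makes the 30-day lifetime "extend if a user returns".
function buildSetCookie(handles, now = new Date()) {
  const expires = new Date(now.getTime() + TTL_DAYS * 24 * 60 * 60 * 1000);
  return `${COOKIE_NAME}=${encodeURIComponent(handles.join(','))}; ` +
    `Expires=${expires.toUTCString()}; Path=/; SameSite=Lax`;
}

// Check that a stored value consists only of product handles (lowercase slugs),
// i.e. carries no email address or opaque identifier. Handle syntax is assumed.
function looksLikeHandlesOnly(value) {
  return value.split(',').every((h) => /^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(h));
}

// Example run on a constructed cookie header.
const header = 'cart=abc123; recentlyViewed=blue-shirt%2Cred-hat';
const current = parseCookies(header)[COOKIE_NAME];
const updated = updateRecentlyViewed(current, 'red-hat');
console.log(updated);                          // ['red-hat', 'blue-shirt']
console.log(buildSetCookie(updated));          // recentlyViewed=red-hat%2Cblue-shirt; Expires=...
console.log(looksLikeHandlesOnly(updated.join(','))); // true
```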
Cookie consent features
If applicable under GDPR, it is the store owner's responsibility to include notices about these cookies through compliant consent features, privacy policy notices or other method.
If you need to add a cookie acceptance feature, you will need a third party app or this free tool. You will need to paste the code generated by this tool into theme.liquid just before the </head> tag.
Store owners can also opt to disable the features that use cookies.
Finally, please note that Shopify also uses a variety of cookies — but Out of the Sandbox does not control these.
Other areas
GDPR may also affect many other areas of your business. For details on whether these activities are compliant, contact a licensed attorney or see Shopify's GDPR resources.