Customer Privacy API
The customer privacy API is a browser-based, JavaScript API that enables developers to read and write cookies related to a buyer's consent to be tracked. The API is implemented as a property on the global window.Shopify object and is accessible to all Shopify online stores.
You can use the API to build consent collection mechanisms such as banners for General Data Protection Regulation (GDPR) compliance. For marketing and analytics use cases, you can use the API when tracking or exporting data about storefront visitors to cover both GDPR compliance and accordance with the California Consumer Privacy Act (CCPA).
What you'll learn
Anchor link to section titled "What you'll learn"- Build consent collection into your app
- Build visitor tracking into your app
Consent collection
Anchor link to section titled "Consent collection"You can use the following methods for consent collection:
window.Shopify.loadFeatures- Loading pattern that must be used to ensure that the API is available when your banner initializes.shouldShowGDPRBanner(): boolean- Determines whether to show a GDPR banner on the storefront.setTrackingConsent(consent: boolean, callback: function)- Sets the visitor’s consent as accepted or declined after they interact with the banner.
If the API fails to load, then the banner won't initialize.
Loading pattern for consent collection
Anchor link to section titled "Loading pattern for consent collection"To initialize the Customer Privacy API, you need to use the loadFeatures method and initialize your banner in the callback function.
shouldShowGDPRBanner(): boolean
Anchor link to section titled "shouldShowGDPRBanner(): boolean"You can use this method to determine if you should show a GDPR banner.
Request data
Anchor link to section titled "Request data"window.Shopify.customerPrivacy.shouldShowGDPRBanner();
This method returns a boolean value that indicates if you should show a GDPR banner to the visitor.
The response aggregates the visitor’s location, the merchant’s preference, and whether the visitor has already provided a consent value in the past year.
| Visitor consent provided in past year | Visitor in EU | Merchant limits tracking for customers in Europe | Boolean value |
|---|---|---|---|
| Not applicable | Not applicable | ✘ | false |
| ✘ | ✔ | ✔ | true |
| ✘ | ✘ | ✔ | false |
| ✔ | ✔ | ✔ | false |
| ✔ | ✘ | ✔ | false |
setTrackingConsent(consent: boolean, callback: function)
Anchor link to section titled "setTrackingConsent(consent: boolean, callback: function)"You can use this method to set a buyer's response to a tracking consent request.
Request data
Anchor link to section titled "Request data"window.Shopify.customerPrivacy.setTrackingConsent(consent: boolean, callback: function);
Request parameters:
| Name | Type | Description |
|---|---|---|
consent |
boolean | Indicates the buyer's response to the tracking consent request. You can obtain the response using a banner UI element or other similar mechanism. If set to true, then the API returns a custom event called trackingConsentAccepted. If set to false, then no custom event is returned but the callback function is still executed. |
callback |
function | A function that executes after the API has set tracking consent. You can use this function to hide the UI banner element or execute a similar task. |
Example request:
The following example request shows a JavaScript function that sets consent to true and executes another function to hide the banner. For a complete implementation, refer to Create a cookie compliance banner for your online store.
The API executes the callback function and optionally emits a custom event called trackingConsentAccepted.
Example response:
A successful request returns an empty object:
If there is an error with the request, then an error object is returned:
Visitor tracking
Anchor link to section titled "Visitor tracking"You can use the Customer Privacy API to check if customers have consented to be tracked and if merchants have decided to disallow the sale of visitor data. Your implementation must include a loading pattern to ensure that the API is available. For visitor tracking consent, you should implement a mechanism for listening to consent collection events that can fire asynchronously on the page, to ensure that you don't miss any tracking opportunities.
You can use the following methods for consent collection:
window.Shopify.loadFeatures- Loading pattern to ensure the API is available on the storefront.userCanBeTracked(): boolean- Covers the scenario of tracking a visitor (GDPR).userDataCanBeSold(): boolean- Covers the scenario of selling visitor data (CCPA).
If userCanBeTracked is set to false, then the following behaviour must be observed:
- No persistent, non-essential cookies should be set
- No data should be emitted to third-party platforms
If userDataCanBeSold is set to false, then the following behaviour must be observed:
- Data can be emitted (if tracking isn't blocked)
- Data can't be sold to third-parties
If the Customer Privacy API isn't available, then tracking and data emission can proceed. All methods should be preceded with a check that the API is available before checking that tracking or sale of data is blocked.
Example API check:
if (!window.Shopify.customerPrivacy || window.Shopify.customerPrivacy.userCanBeTracked()) { startTracking() }
Loading pattern for visitor tracking
Anchor link to section titled "Loading pattern for visitor tracking"To initialize the Customer Privacy API, you need to use the loadFeatures method to ensure that the API is available on the page.
userCanBeTracked(): boolean
Anchor link to section titled "userCanBeTracked(): boolean"You can use this method to return whether the storefront visitor has consented to be tracked.
Request data
Anchor link to section titled "Request data"window.Shopify.customerPrivacy.userCanBeTracked();
The API returns a boolean value that indicates whether a user can be tracked.
The response aggregates the visitor’s consent and location, as well as the merchant’s preference.
| Visitor consent | Visitor in EU | Merchant limits tracking for customers in Europe | Boolean value |
|---|---|---|---|
| Not applicable | Not applicable | ✘ | false |
| ✔ | ✔ | ✔ | true |
| ✔ | ✘ | ✔ | true |
| ✘ | ✔ | ✔ | false |
| ✘ | ✘ | ✔ | false |
| Undeclared | ✔ | ✔ | false |
| Undeclared | ✘ | ✔ | true |
Listening for consent collection
Anchor link to section titled "Listening for consent collection"A trackingConsentAccepted event fires when positive tracking consent is collected on the page.
By listening for this event and calling your custom start tracking method when it fires, you avoid any possible data loss due to missing asynchronous consent collection.
userDataCanBeSold(): boolean
Anchor link to section titled "userDataCanBeSold(): boolean"Use this method to determine if the merchant has explicitly disallowed selling data to third parties for visitors located in California or Virginia. This enables compliance with the CCPA and VCDPA.
Request Data
Anchor link to section titled "Request Data"window.Shopify.customerPrivacy.userDataCanBeSold();
The API returns a Boolean value indicating whether data can be sold to third parties for visitors located in California (CA) or Virginia (VA).
The API response aggregates the merchant’s preferences and the visitor’s location. However, you can't use the API to enable visitors to opt-out of the sale of their data.
| User consent | Visitor in CA or VA | Merchant limits the third-party sale of CA or VA customers’ data | Boolean value |
|---|---|---|---|
| Not applicable | ✔ | ✔ | false |
| Not applicable | ✘ | ✔ | true |
| Not applicable | ✔ | ✘ | true |
| Not applicable | ✘ | ✘ | true |