Customer Privacy API

The customer privacy API is a browser-based, Javascript API that enables developers to read and write cookies related to a buyer's consent to be tracked. The API is implemented as a property on the global window.Shopify object and is accessible to all Shopify online stores.

You can use the API to build consent collection mechanisms such as banners for General Data Protection Regulation (GDPR) compliance. For marketing and analytics use cases, you can use the API when tracking or exporting data about storefront visitors to cover both GDPR compliance and accordance with the California Consumer Privacy Act (CCPA).

What you'll learn

You can use the following methods for consent collection:

If the API fails to load, then the banner won't initialize.

To initialize the Customer Privacy API, you need to use the loadFeatures method and initialize your banner in the callback function.

window.Shopify.loadFeatures(
 [
   {
     name: 'consent-tracking-api',
     version: '0.1',
   },
 ],
 error => {
   if (error) {
     throw error; // if you want to raise
   }
   new Banner(); // or whatever method your banner uses to initialize
 },
);

shouldShowGDPRBanner(): boolean

You can use this method to determine if you should show a GDPR banner.

Request data

window.Shopify.customerPrivacy.shouldShowGDPRBanner();

Response

This method returns a boolean value that indicates if you should show a GDPR banner to the visitor.

The response aggregates the visitor’s location, the merchant’s preference, and whether the visitor has already provided a consent value in the past year.

Visitor consent provided in past year Visitor in EU Merchant limits tracking for customers in Europe Boolean value
Not applicable Not applicable false
true
false
false
false

You can use this method to set a buyer's response to a tracking consent request.

Request data

window.Shopify.customerPrivacy.setTrackingConsent(consent: boolean, callback: function);

Request parameters:

Name Type Description
consent boolean Indicates the buyer's response to the tracking consent request. You can obtain the response using a banner UI element or other similar mechanism. If set to true, then the API returns a custom event called trackingConsentAccepted. If set to false, then no custom event is returned but the callback function is still executed.
callback function A function that executes after the API has set tracking consent. You can use this function to hide the UI banner element or execute a similar task.

Example request:

The following example request shows a Javascript function that sets consent to true and executes another function to hide the banner. For a complete implementation, see Create a cookie compliance banner for your online store.

function handleAccept(e) {
  window.Shopify.customerPrivacy.setTrackingConsent(true, hideBanner);
  document.addEventListener("trackingConsentAccepted", function () {
    console.log("trackingConsentAccepted event fired");
  });
}

Response

The API executes the callback function and optionally emits a custom event called trackingConsentAccepted.

Example response:

A successful request returns an empty object:

{}

If there is an error with the request, then an error object is returned:

{error:[string]}

Visitor tracking

You can use the Customer Privacy API to check if customers have consented to be tracked and if merchants have decided to disallow the sale of visitor data. Your implementation must include a loading pattern to ensure that the API is available. For visitor tracking consent, you should implement a mechanism for listening to consent collection events that can fire asynchronously on the page, to ensure that you don't miss any tracking opportunities.

You can use the following methods for consent collection:

If userCanBeTracked is set to false, then the following behaviour must be observed:

  • No persistent, non-essential cookies should be set
  • No data should be emitted to third-party platforms

If userDataCanBeSold is set to false, then the following behaviour must be observed:

  • Data can be emitted (if tracking isn't blocked)
  • Data can't be sold to third-parties

If the Customer Privacy API isn't available, then tracking and data emission can proceed. All methods should be preceded with a check that the API is available before checking that tracking or sale of data is blocked.

Example API check:

if (!window.Shopify.customerPrivacy || window.Shopify.customerPrivacy.userCanBeTracked()) { startTracking() }

Loading pattern for visitor tracking

To initialize the Customer Privacy API, you need to use the loadFeatures method to ensure that the API is available on the page.

window.Shopify.loadFeatures(
 [
   {
     name: 'consent-tracking-api',
     version: '0.1',
   },
 ],
 error => {
   if (error) {
     throw error; // or no-op if you don't care about raising
   }
 },
);

userCanBeTracked(): boolean

You can use this method to return whether the storefront visitor has consented to be tracked.

Request data

window.Shopify.customerPrivacy.userCanBeTracked();

Response

The API returns a boolean value that indicates whether a user can be tracked.

The response aggregates the visitor’s consent and location, as well as the merchant’s preference.

Visitor consent Visitor in EU Merchant limits tracking for customers in Europe Boolean value
Not applicable Not applicable false
true
true
false
false
Undeclared false
Undeclared true

A trackingConsentAccepted event fires when positive tracking consent is collected on the page.

By listening for this event and calling your custom start tracking method when it fires, you avoid any possible data loss due to missing asynchronous consent collection.

document.addEventListener('trackingConsentAccepted', () => {
  // fire custom method to start tracking
});

userDataCanBeSold(): boolean

You can use this method to determine if the merchant has decided to explicitly disallow the sale of data to third parties for visitors located in California. This enables compliance with CCPA.

Request Data

window.Shopify.customerPrivacy.userDataCanBeSold();

Response

The API returns a boolean value indicating whether data can be sole to third parties for visitors located in California.

The API response aggregates the merchant’s preferences and the visitor’s location. However, you can't use the API to enable visitors to opt-out of the sale of their data.

User consent Visitor in California Merchant limits the third-party sale of California customers’ data Boolean value
Not applicable> false
Not applicable true
Not applicable true
Not applicable true