Shopify Customer Privacy API
Shopify's Customer Privacy API is available as a JavaScript API on Shopify themes. If you have enabled Shopify's default cookie banner or data sales opt-out page, or you have installed a cookie banner or consent management Shopify app, you're likely capturing customer data preferences with the Customer Privacy API.
Chord offers a consent management wrapper that retrieves customer data preferences from the Customer Privacy API and adds them to Segment events as the consent object. Within Segment, you can map how data preferences should be applied to Segment destinations. Read more about Segment's approach to consent management.
Follow these steps to configure consent management with Shopify's Customer Privacy API and Segment:
- Configure customer privacy in Shopify.
- Configure consent categories in Segment and map to destinations.
- Implement Chord's consent management wrapper to include consent in client-side events.
To implement consent management on a Shopify site using the Customer Privacy API, navigate to Settings > Customer privacy in your Shopify store admin. You’ll see three available privacy settings. The cookie banner privacy setting must be enabled if you’re using Chord's consent management wrapper. If it isn’t, the Customer Privacy API is unavailable, and Chord will never send events to Segment for any visitor. Learn more about Shopify’s customer privacy settings.
The following two privacy settings are recommended by Shopify and should be configured:
- Add a banner to ask visitors for permission to manage their data. You can either enable Shopify’s default cookie banner, or add a custom cookie banner from the Shopify app store. To enable Shopify’s cookie banner, select Cookie banner > Activate cookie banner, choose regions, and select Activate. To use a custom cookie banner, select Cookie banner > More actions > Use custom cookie banner, choose regions, and select Activate.
- Allow visitors to define how their data can be shared. To enable Shopify’s data sales opt-out page, select Data-sales opt-out page, choose regions, and select Activate.
Shopify’s Customer Privacy API supports four categories of consent from users:
- analytics: Customer analytics about how the storefront was used and interactions made on the storefront. By default, this preference is collected by Shopify’s cookie banner as “performance cookies.”
- marketing: Marketing, attribution and targeted advertising from the merchant. By default, this preference is collected by Shopify’s cookie banner as “marketing cookies.”
- preferences: Customer preferences such as language, currency, size, and more. By default, this preference is collected by Shopify’s cookie banner as “preference cookies.”
- sale_of_data: Sharing data with third parties, usually for behavioral advertising. By default, this preference is collected by Shopify’s data sales opt-out page.
You can decide how these four categories map to your Segment destinations.
Add the four categories below as category mappings in your Segment workspace by navigating to Privacy > Consent Management > Create category. You can customize the “Category name” for these category mappings, but the “Category ID” must be exactly the values listed below to connect preferences from Shopify to Segment:
Category Name (can be customized) | Category ID |
---|---|
Performance cookies | analytics |
Marketing cookies | marketing |
Preference cookies | preferences |
Sale of data | sale_of_data |
For each category, choose the mapped destinations. Mapping a destination to a category means that the destination will only receive the Segment event if Shopify’s Customer Privacy API reports that processing is allowed for that category.
Once you’ve created and enabled the four categories, you should see this in Segment:
Chord publishes a consent management wrapper for Segment's analytics.js that is based on Segment's consent tools.
Before Segment’s analytics library is loaded, Chord's consent wrapper checks to see if user tracking is allowed at all. The wrapper will load Segment’s analytics.js library and send events to Segment only if window.Shopify.customerPrivacy.marketingAllowed() and window.Shopify.customerPrivacy.analyticsProcessingAllowed() both return true. This typically means the customer is:
- Browsing from a region that does not require a cookie banner, or;
- In a region that does require a cookie banner, but has consented to both analytics and marketing cookies.
If the Customer Privacy API doesn't allow user tracking, both Chord and Segment will silently fail and events will not be sent.
Next, if Segment is loaded, the wrapper adds a consent object describing the customer’s consent preferences to each Segment event. Segment will use the consent category mapping we configured earlier in the Segment workspace admin to determine which destinations will receive events based on this consent object.
The wrapper uses the Allowed methods of Shopify’s Customer Privacy API to construct the consent object and obtain the values for each category:
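As an added illustration (not Chord's wrapper source), the gate and the consent object described above can be sketched as follows. The function names and the stub are hypothetical; the four `...Allowed` methods belong to Shopify's Customer Privacy API, and `context.consent.categoryPreferences` is the shape Segment uses for its consent object.

```javascript
// Added example, not Chord's wrapper source. Category ID -> API method.
const CATEGORY_METHODS = {
  analytics: 'analyticsProcessingAllowed',
  marketing: 'marketingAllowed',
  preferences: 'preferencesProcessingAllowed',
  sale_of_data: 'saleOfDataAllowed',
};

// Call one "Allowed" method. Anything other than a strict `true` is a denial,
// including a missing API, a missing method or a thrown error (fail closed).
function allowed(customerPrivacy, method) {
  try {
    return typeof customerPrivacy?.[method] === 'function' &&
      customerPrivacy[method]() === true;
  } catch (_err) {
    return false;
  }
}

// Gate: analytics.js may load only when marketing AND analytics are allowed.
function trackingAllowed(customerPrivacy) {
  return allowed(customerPrivacy, 'marketingAllowed') &&
    allowed(customerPrivacy, 'analyticsProcessingAllowed');
}

// Consent object keyed by the Category IDs configured in Segment.
function buildCategoryPreferences(customerPrivacy) {
  const prefs = {};
  for (const [category, method] of Object.entries(CATEGORY_METHODS)) {
    prefs[category] = allowed(customerPrivacy, method);
  }
  return prefs;
}

// Returns the event with consent attached, or null when nothing may be sent.
function stampEvent(event, customerPrivacy) {
  if (!trackingAllowed(customerPrivacy)) return null;
  const consent = { categoryPreferences: buildCategoryPreferences(customerPrivacy) };
  return { ...event, context: { ...event.context, consent } };
}

// Constructed stub standing in for window.Shopify.customerPrivacy.
const stubPrivacy = (analytics, marketing, preferences, saleOfData) => ({
  analyticsProcessingAllowed: () => analytics,
  marketingAllowed: () => marketing,
  preferencesProcessingAllowed: () => preferences,
  saleOfDataAllowed: () => saleOfData,
});
```

In a theme, `window.Shopify.customerPrivacy` would be passed in place of the stub; a `null` result corresponds to the case where no event is sent.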
First, verify your site is loading the Customer Privacy API. It should be available at window.Shopify.customerPrivacy. If not, you can load it as documented here.
Then, add the Customer Privacy API Segment wrapper to your site with a script tag, above your Segment snippet:
Then, replace analytics.load() in your Segment snippet with the following:
This delegates calling analytics.load to the Customer Privacy API Segment wrapper.
You must replace all instances of analytics.load with this code.
Complete example:
Is Global Privacy Control (GPC) supported?
Segment’s Customer Privacy API recognizes the Global Privacy Control signal as an opt-out of data sales in regions where opting out is supported. The sale_of_data category in the consent object will be false if the customer has activated the Global Privacy Control signal in their browser and is browsing from a region where opting out of data sales is an option.