Update: New Cookie Laws from Information Commissioner's Office (ICO) in the UK

Stacey Hsu


A few days ago, the Information Commissioner’s Office (ICO) in the United Kingdom began enforcing a new Cookie law. The law is supposed to help educate internet users about cookies, protect them from unwanted marketing, and safeguard their privacy.

Though we’re not convinced that this law will do much of that, nonetheless, here’s how to make the folks at the ICO happy:

For you, the new law means that all UK based Shopify stores should provide information about the purposes of any cookies they use, and obtain consent from website users before any cookies can be set.

Enforcement of the law officially began on May 26th, 2012, but if you haven’t made any changes yet, it’s ok. As long as you’re taking steps now, it’s unlikely you will be penalized.

What is a Cookie?

A cookie is a small text file that is downloaded onto your computer when you visit a website. It allows the website to recognize and tailor their site to you.

Who Needs to Comply With This Law?

If you're in the UK, yes! If you're in France, Germany, Spain, the Netherlands or other European Union (EU) member state, you have a choice. The UK is one of the first of the EU member states to implement the law. So it’s worth making these changes now, since similar laws will be enacted in EU countries in the near future. Essentially, you can choose to start caring about it now or likely be forced to care about it later.
 

Even if you’re in none of these countries, if you have customers in the UK, it’s a good idea to make information about cookies available on your website. But don’t worry, the laws don’t technically apply to you.

How to Comply

Because the law is new, there’s no one way to comply with it and so different websites are using different methods. A lot of UK websites have created a webpage on cookies and linked it to their homepage. A few websites have downloaded a pop-up module telling users that cookies are being set. The ICO itself suggests that if you give “a clear and unavoidable notice that cookies will be used”, this may be enough. Also, they’ve stated that they likely won’t be fining anyone anytime soon. Right now, what they may do is send out information notices to major UK websites asking them what steps they are taking to comply. It’s likely the rules will continue to evolve as the ICO begins enforcement. Because of this, the best approach right now is to wait and see how the ICO will respond, and that's exactly what Shopify is doing. 

Follow These 3 Easy Steps

1. In your Shopify store's UI, create a page called “Cookies” 
2. Create a prominently displayed link on your homepage called “Read about how we use Cookies” 
3. On the Cookie page, you should explain what cookies are, their purpose and which ones your store uses. See the example below.

Here's an Example

What Are Cookies? 
A cookie is a small file that is downloaded onto your computer when you visit a website.  It allows us to recognize and tailor our site to you and it won’t harm your computer.  

Opting Out of Cookies
If you prefer, you can restrict, block or delete cookies by changing your browser settings but that may mean that you won’t be able to add and buy products from our store.

Which Cookies Do We Use?

Name
Domain
Purpose Data Kind Sessional or Persistent?
_session_id
storefront
Allows Shopify to store information about your session (referrer, landing page, etc..) Unique Token Sessional
_shopify_visit
storefront and checkout.shopify.com
Used by our internal stats tracker to record the number of visits to the shop None Persistent for 30 minutes from the last visit
_shopify_uniq
storefront and checkout.shopify.com
Counts the number of visits to a store by a single customer None Expires midnight (relative to the visitor) of the next day
cart
storefront
Stores information about the contents of your cart Unique token Persistent for 2 weeks
_secure_session_id
storefront
Stores session information for the checkout process Unique token Sessional
storefront_digest
storefront
If the shop has a password, this is used to determine if the current visitor has access Unique token Indefinite

Keep in mind that what cookies you set depends on what Apps you may have. For example, if you use Google Analytics, then you will have a cookie named PREF. Other examples include Google maps, social sharing buttons or embedded youtube videos. For these, you should contact the App developer for information on what specific cookies are used and what they’re used for. 

If you have Apps installed on your Shopify online store, you should also include a chart that looks something like this: 

Do I Have This Cookie? Name Who Sets It? Purpose Sessional or Persistent?
Yes if my store uses
Google Analytics
PREF Google Tracking who visits 
the store and from
where
Persistent for
a very short 
period
Yes if my store uses
PayPal
Unique to 
each user
PayPal Payment transactions Sessional


For more insight: You may want to read the ICO’s own guidelines here.

Disclaimer: The above information is only opinion and not legal advice. Please consult independent legal advice.