Glossary
Privacy terms in plain English.
The acronyms and concepts you'll run into when you start taking privacy compliance seriously on Shopify.
CCPA
California's privacy law, expanded in 2023 by the CPRA. Requires a 'Do Not Sell or Share' link and requires sites to honour Global Privacy Control (GPC) for California residents.
Consent (GDPR)
Freely given, specific, informed, and unambiguous indication of agreement. No pre-checked boxes, no implied consent from continued browsing.
Cookie
A small piece of data stored in the browser. Used for session state, preferences, analytics, advertising — and the trigger for most consent law.
Data controller
Under GDPR, the entity that decides why and how personal data is processed. For a Shopify store, that's you — Shopify is your processor.
Data processor
An entity that processes personal data on behalf of a controller. Shopify, Klaviyo, Gorgias are processors when working for a merchant.
Do Not Sell or Share
Required CCPA/CPRA opt-out link visible on every page of a California-targeting site. Renamed from 'Do Not Sell' in 2023.
DSAR
Data Subject Access Request — when an EU/UK resident asks you for a copy of, or deletion of, their personal data.
ePrivacy Directive
EU directive (2002/58/EC, amended 2009) requiring opt-in consent for cookies and similar storage. Enforced together with GDPR.
GA4 (Google Analytics 4)
Google's current analytics product. Triggers consent obligations because it sets a client identifier and tracks behaviour across sessions.
GDPR
EU regulation governing how organisations process personal data of EU/EEA residents. Applies to any Shopify store with EU visitors.
Global Privacy Control
Browser-level signal that automatically opts users out of data sale or sharing. CPRA requires California-targeting sites to honour it.
Google Consent Mode v2
Google's framework for sending consent signals to GA4 and Google Ads. Mandatory for EU/EEA traffic since March 2024.
GTM (Google Tag Manager)
A container that loads other tracking scripts. Common pitfall: setting consent defaults inside GTM is too late.
Lawful basis
Under GDPR, you must have one of six legal grounds to process personal data. For ecommerce: contract, legitimate interest, or consent.
Modeled conversions
Google's machine-learning estimate of conversions when consent has been denied. Restored when Google Consent Mode v2 is properly configured.
Strictly necessary cookies
Cookies essential to a service the user has explicitly requested. Exempt from consent requirements under ePrivacy.