How do I configure GDPR controls in Propel Replays?
Propel Replays has two GDPR controls under Settings → GDPR: a hard block for EU/EEA/UK shoppers, and a consent-enforcement option that controls when recording requires explicit analytics consent. You can use either independently or together depending on how strict you want to be.
1. EU / EEA / UK shopper block
The fastest way to make Propel Replays GDPR-safe is to turn on Block all EU / EEA / UK shoppers. With this on, Propel Replays will never record any shopper from these regions, regardless of consent.
The block adds all 30 EU/EEA/UK countries to your recording-block set at ingest:
- EU — 27 countries
- EEA — Norway, Iceland, Liechtenstein
- UK
This is the highest-priority rule. When enabled, EU/EEA/UK shoppers are never recorded — even if they consent, and even if consent enforcement below is set to Disabled.
One quirk to know: turning the toggle off later does not remove any countries you blocked manually. Those stay blocked until you remove them from the block list directly.
2. Consent enforcement
For shoppers who aren’t blocked by the region rule above, you have three options for when recording requires consent.
Disabled — record everyone (except blocked countries)
Recording starts immediately on every page load. Use this only if you have other reasons not to require consent — e.g., 100% non-EU traffic and no PII in replays.
EU / EEA / UK shoppers only (Recommended)
Shoppers from these regions must grant analytics/tracking consent before recording starts. Everyone else is recorded as usual. Consent is read and written through Shopify’s Customer Privacy API, so no theme changes are required.
This is the right choice for most merchants — it gives you GDPR-required consent gating where it’s needed and full recording everywhere else.
All shoppers
Every shopper, regardless of region, must grant analytics/tracking consent before recording starts. The most conservative option.
How consent is captured
All consent reads and writes go through Shopify’s Customer Privacy API — Propel Replays never reads or sets Shopify’s privacy cookies directly.
A few specific things to know:
- You’re responsible for surfacing the consent prompt to shoppers, typically through Shopify’s default cookie banner or another compatible privacy app. Make sure that’s enabled before relying on consent enforcement.
- If a shopper changes consent mid-session, Propel reacts immediately — recording starts if consent is granted, stops if it’s withdrawn.
- If Shopify’s Customer Privacy API fails to load, Propel Replays fails closed — no recording, no cookies, no replay events.
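The precedence described above (country blocks first, then the consent-enforcement mode, then fail-closed on the privacy API), as an added example that is not Propel Replays' own code. The function name, the settings shape, the country-code input and the short `REGULATED` list are assumptions made for illustration; `privacyApi` stands in for Shopify's `window.Shopify.customerPrivacy` object, and applying fail-closed only when consent is required is also an assumption.

```javascript
// Added illustration of the precedence described on this page; not Propel Replays code.
// REGULATED is a constructed subset of the EU/EEA/UK list, used only for this example.
const REGULATED = new Set(["DE", "FR", "IE", "NO", "IS", "LI", "GB"]);

// settings (hypothetical shape):
//   blockRegion  - the "Block all EU / EEA / UK shoppers" toggle
//   manualBlocks - Set of countries the merchant blocked by hand
//   enforcement  - "disabled" | "region" | "all"
// privacyApi: object exposing analyticsProcessingAllowed() (as Shopify's
//   customerPrivacy object does), or null when the API failed to load.
function recordingDecision(country, settings, privacyApi) {
  // Country blocks are evaluated first and cannot be overridden by consent.
  // Manual blocks are independent of the toggle, so they survive turning it off.
  if (settings.manualBlocks.has(country)) {
    return { record: false, reason: "manual-block" };
  }
  if (settings.blockRegion && REGULATED.has(country)) {
    return { record: false, reason: "region-block" };
  }

  // Any mode other than an explicit "disabled" requires consent; "region"
  // narrows that to regulated countries. Unknown values default to strict.
  const needsConsent =
    settings.enforcement !== "disabled" &&
    (settings.enforcement !== "region" || REGULATED.has(country));
  if (!needsConsent) {
    return { record: true, reason: "consent-not-required" };
  }

  // Assumption: fail closed whenever consent is required but cannot be read.
  if (!privacyApi || typeof privacyApi.analyticsProcessingAllowed !== "function") {
    return { record: false, reason: "privacy-api-unavailable" };
  }
  let allowed = false;
  try {
    allowed = privacyApi.analyticsProcessingAllowed() === true;
  } catch (err) {
    return { record: false, reason: "privacy-api-error" };
  }
  return allowed
    ? { record: true, reason: "consent-granted" }
    : { record: false, reason: "consent-missing" };
}
```

Re-evaluating the function each time the shopper's consent changes gives the start/stop behaviour described for mid-session changes.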
A note on compliance
This setup is designed to be GDPR-ready, but you should still have your privacy notice reviewed before marketing your store as “GDPR compliant.” Tooling helps; it isn’t a substitute for legal review.