(Update) Jolla Shop involuntarily loads Meta Pixel (Facebook tracking script)

Update

Please check the post marked as the answer. My original findings were done improperly and it looks like blocking Cookiebot in any capacity breaks its consent logic, which is what happened.


Checking the source of the home page, or any other page for that matter, reveals a very concerning fact: Meta Pixel is being loaded before cookie consent even appears. Opening the Network tab in a clean browser profile shows that the script downloads regardless of the cookie consent.

Here is a snippet of the first few lines on the website for the reader’s convenience:

<!doctype html>
<html class="js" lang="en">
  <head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="96ce03de-0700-4dab-81db-199b7aedee7a" data-blockingmode="auto" type="text/javascript"></script>

<!-- Meta Pixel Code -->
<script>
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1341568853879500');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1341568853879500&ev=PageView&noscript=1"
/></noscript>
<!-- End Meta Pixel Code -->  

<!-- Privacy-friendly analytics by Plausible -->
<script async src="https://plausible.io/js/pa-u2WnOZTVbHaYqdopi3Ox-.js"></script>
<script>
  window.plausible=window.plausible||function(){(plausible.q=plausible.q||[]).push(arguments)},plausible.init=plausible.init||function(i){plausible.o=i||{}};
  plausible.init()
</script>

Luckily for me and anyone with an adblock, or even Firefox’s tracking protection (edit: nope), this doesn’t get loaded.

However, please explain to me why this conflict of interest exists for a company that boasts privacy as one of their core values? If this was unintentional, please fix this.

23 Likes

Yes I saw that too and thankfully have blocked all FB via uBlock Origin. It is rather perplexing they are using FB of all sites….?

1 Like

I suppose that is what you get out of the box from Shopify: an easy to set-up shop with every BigTech integration anyone could dream of.

As sad as this is, I can understand the decision. Probably not too many options to choose from, when you need a minimum-effort (installation+maintenance) solution.

1 Like

I verified this across multiple other Shopify instances (including Shopify’s own demo) and that is not the case. It has Google Analytics set up instead, which is a different setup from Meta Pixel + Plausible.

Clearly someone decided to replace GA with Plausible, which makes Meta Pixel’s inclusion even more unusual, as well as the incorrectly set up cookie prompt.

Oh, looks like a bad bug, then. Pinging @rainemak for escalation.

1 Like

I am told the pixel should now only be loaded if consent is given. Would you have the time to verify?

As far as I can tell, it is the same as when I first tested. I didn’t confirm a cookie preference, the request was made. I clicked on deny, the request was made regardless after page refresh. Checking the page source, the script is still being loaded by the page itself.

Edit: This should illustrate the issue, clearly the Meta script is running as it left a cookie even though I didn’t even touch cookie preferences.

Not good. I assume you refreshed the page. Will ping Jolla again…

Yes, I did a hard refresh, disabled cache in some circumstances, cleared cookies, used a clean browser profile with all blocking disabled.

Yeah, it sounded like you would avoid some pitfalls 🙂

Anyway, thank you for reporting! Since you are a new forum member, and probably can’t PM people, I have suggested to Jolla that they contact you for further bug hunting. Edit: (As I think a direct chat is better suited for this than the forum.)

Jolla are overwhelmed by the response to the launch and preorders, so this may not get resolved immediately. However, they are definitely on the case.

1 Like

Not sure what’s wrong, but at least for me it no longer loads the fb script if marketing cookies are not allowed.

3 Likes

After more testing, I concluded that if consentcdn.cookiebot.com is blocked by DNS, scripts like Meta Pixel get loaded despite cookie consent not allowing it, but the cookie banner itself does appear.

Since the Cookiebot script is responsible for letting scripts run or not, blocking it or even just one of its domains is enough to make all scripts it controls run regardless of setting consent or not.

In the end, while the ethical issue of using Meta Pixel in any capacity remains, I made a bad bug report. I apologise for misrepresenting the issue at hand.

4 Likes
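Added example, not part of any post in this thread and not Jolla's or Cookiebot's code: a check a site owner could run over page source to see which tracker scripts execute on their own when the consent script is unreachable, as described in the post above. It compares the `data-blockingmode="auto"` pattern from the page with Cookiebot's manual markup (`type="text/plain"` plus `data-cookieconsent`), which stays inert if Cookiebot never runs; the host list, the `loadPixel` stand-in and both sample pages are constructed for illustration.

```javascript
// Flags tracker scripts that run natively unless a consent manager's
// auto-blocking script loads first (fail-open), versus scripts that stay
// inert until something rewrites their type (fail-closed).
// TRACKER_HOSTS and the sample pages below are constructed for illustration.
const TRACKER_HOSTS = ['connect.facebook.net', 'www.facebook.com'];

// Script types the browser executes; anything else (e.g. text/plain) is inert.
const EXECUTABLE = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Read one quoted attribute value out of a tag's attribute string.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i').exec(tag);
  return m ? (m[1] ?? m[2]) : null;
}

function auditScripts(html) {
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    // A tracker can be referenced by src or from inside an inline loader.
    const haystack = `${attr(attrs, 'src') ?? ''} ${body}`;
    const host = TRACKER_HOSTS.find((h) => haystack.includes(h));
    if (!host) continue;
    const type = (attr(attrs, 'type') ?? '').trim().toLowerCase();
    findings.push({
      host,
      category: attr(attrs, 'data-cookieconsent'), // null = no manual markup
      failOpen: EXECUTABLE.has(type), // true = runs if the consent script is blocked
    });
  }
  return findings;
}

// Constructed sample: relies on auto-blocking, as in the snippet quoted in the thread.
const autoBlocked = `<head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-blockingmode="auto"></script>
<script>loadPixel('https://connect.facebook.net/en_US/fbevents.js');</script>
</head>`;

// Constructed sample: same loader, manually marked up so the browser ignores it by default.
const manuallyGated = `<head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js"></script>
<script type="text/plain" data-cookieconsent="marketing">
loadPixel('https://connect.facebook.net/en_US/fbevents.js');
</script>
</head>`;

console.log(auditScripts(autoBlocked), auditScripts(manuallyGated));
```

The check only covers `<script>` elements; a `<noscript>` image pixel like the one in the quoted source needs separate handling.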

AFAIK initially there was also some mistake in the cookiebot setup, so thank you for reporting this.

The fact that it does not work correctly if Cookiebot itself is blocked is a bit unfortunate, but that is probably out of our control at the moment.

5 Likes

What I noticed: ‘Powered by Google’ on the website and a display from Google maps with my address too. That is Shopify’s doing. However we cannot expect from Jolla that developers do administrative work. When Jolla grows bigger, perhaps they can attract their own administrators.
Wish Jolla luck!

Well, I think bug reporting is often an iterative process, so not an issue in my eyes. In fact, this led to you uncovering that blocking the consent manager thing meant some unwanted code was run. Not something I had given much thought, but now I know. And that is good.

1 Like

All my phones block 3rd party servers and to hell with the consequences. If the site breaks or can’t handle it, I go somewhere else. The way I see it from my reference frame as a potential customer or client, it’s their problem, not mine. Someone will probably shoot me down in flames now because blocking 3rd party servers doesn’t always solve the problem; if that is the case, I thank you for the heads up. However, I already have FB on my list of UBO blocked servers.

2 Likes