Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Big Cartel is a US based hosted ecommerce platform popular with artists and makers. Storefronts set strictly necessary cart and session cookies. Because the platform is hosted in the United States, European merchants must disclose the EU US data transfer and obtain consent for any optional analytics or advertising cookie.
Big Cartel is a hosted ecommerce platform founded in 2005 by Big Cartel LLC in Salt Lake City, Utah. It targets independent artists, designers and small makers who want a simple online shop with low monthly fees and a fast setup. The storefront runs on a customer subdomain (myshop.bigcartel.com) or a custom domain. The admin is at my.bigcartel.com. Themes can be customized with the Big Cartel theme language and additional analytics or marketing scripts can be embedded.
Big Cartel sets a cart cookie that stores the basket identifier, a _bigcartel_session cookie that maintains the shopper context, a CSRF token to protect the checkout and a few feature flag cookies. These are strictly necessary for the cart and checkout. If the shop owner adds third party tags (Google Analytics, Meta Pixel, Pinterest Tag) through the theme code, those tags create their own cookies and must be governed by a consent banner.
Strictly necessary cart and session cookies fall under the Article 5(3) ePrivacy carveout. Article 6(1)(b) GDPR (performance of a contract) covers the order processing flow. Any analytics or advertising tag added to the theme requires prior opt in consent under Article 5(3) ePrivacy. The shop owner is the controller, Big Cartel LLC is the processor under Article 28 GDPR with a DPA in the merchant terms of service.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
All Big Cartel shop data is hosted in the United States on AWS US East 1. European merchants must include this transfer in the privacy notice with the legal basis (Standard Contractual Clauses and the EU US Data Privacy Framework). The Fastly CDN serves static assets globally from edge nodes, which is acceptable since cached HTML and images do not carry personal data. Email notifications for orders go through US based mail providers.
Add a consent banner script to the theme that blocks third party trackers until the visitor opts in. Include the US transfer disclosure in your privacy notice. Sign the Big Cartel DPA (included by reference in the Terms of Service). Document the processor in your record of processing activities with the AWS US East 1 region, the order retention period and the list of third party scripts. Configure a procedure for shopper data access and erasure requests via the Big Cartel admin or email.
Websites using Big Cartel must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for European Big Cartel shops because the platform stores all order and customer data in the United States, triggering Schrems II considerations. Document the legal basis for the transfer (SCCs and the EU US Data Privacy Framework), the retention period for orders, the consent management strategy for added analytics or advertising tags, and the procedure for data subject access and erasure requests.
Sample consent text
This shop is powered by Big Cartel. Big Cartel sets a cart cookie and a session cookie that are strictly necessary for the checkout to work. Your shop data is stored on Big Cartel servers in the United States. Optional analytics or advertising cookies (Google Analytics, Meta Pixel) added by the shop owner are activated only after you accept them.
Third-party domains contacted
bigcartel.commy.bigcartel.combigcartel-assets.comcdn.bigcartel.netimages.bigcartel.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cart | first-party | 30 days | Stores the basket identifier so the shopper can return to their cart on later visits. Strictly necessary for ecommerce. |
| _bigcartel_session | first-party | Session | Maintains the shopper session context across pages on the Big Cartel storefront. Strictly necessary. |
| _bigcartel_csrf_token | first-party | Session | CSRF protection token used on the checkout to prevent unauthorized state changes. Strictly necessary. |
| bigcartel_admin_session | first-party (admin only) | Session | Authentication cookie for the my.bigcartel.com admin. Strictly necessary, not set on the shop storefront. |
Big Cartel uses cookies for user preferences — inform visitors with a consent banner.
Yes. Big Cartel sets cart, _bigcartel_session, a CSRF token and feature flag cookies that are strictly necessary for the cart and checkout. Optional analytics or advertising cookies appear only when the shop owner adds the corresponding script to the theme.
No consent is required for the strictly necessary cart and session cookies. Prior opt in consent is required for any analytics or advertising cookie added to the theme, including Google Analytics, Meta Pixel and Pinterest Tag.
Article 6(1)(b) GDPR (performance of a contract) for order processing, Article 6(1)(f) (legitimate interest) for strictly necessary cookies, Article 6(1)(a) (consent) for optional tracking cookies. The merchant is the controller, Big Cartel LLC is the processor with a DPA in the merchant terms.
Yes. Big Cartel hosts all shop data on AWS US East 1 in Virginia. The transfer is covered by Standard Contractual Clauses and the EU US Data Privacy Framework. European merchants must disclose this transfer in the privacy notice.
A DPIA is recommended for European Big Cartel shops because all customer data is transferred to the United States. Document the transfer legal basis, the retention period and the consent management strategy for any added analytics or advertising tag.
Add a consent banner to the theme that blocks analytics and advertising scripts until opt in, include the US transfer in the privacy notice, document the processing in your RoPA, sign the Big Cartel DPA via the merchant terms, and set up a DSAR procedure to handle access and erasure requests for shoppers.
Other ecommerce platforms suitable for small makers include Shopify, Ecwid (by Lightspeed), Squarespace Commerce, Wix Stores, Etsy (marketplace), Tictail, Cratejoy, Sellfy and self hosted options like WooCommerce, PrestaShop (France) and Shopware (Germany).
List the strictly necessary Big Cartel cookies (cart, _bigcartel_session, CSRF, feature flags) in your cookie disclosure with purpose and duration. Add an entry for each third party script added to the theme (Google Analytics, Meta Pixel) with retention and EU US transfer information.