Why Shopify stores need cookie compliance

GDPR applies to any business that processes personal data of EU residents — regardless of where your store is headquartered. If a shopper in Germany buys from your Shopify store, you're in scope. Cookies that track that shopper (analytics, advertising, retargeting) require their prior consent.

The ePrivacy Directive (the "cookie law") reinforces this: non-essential cookies cannot be set until the user actively opts in. Pre-ticked boxes don't count. Continued browsing doesn't count. Consent must be freely given, specific, informed, and unambiguous.

🚫
The fines are real and hitting e-commerce

In 2024 and 2025, Data Protection Authorities issued enforcement actions against dozens of Shopify and WooCommerce merchants for loading Google Analytics, Meta Pixel, and TikTok Pixel before consent. Fines ranged from €2,500 to €300,000. The "we're a small store" defence does not hold.

The risk isn't theoretical. Cookie banners that don't block trackers until consent, or that have dark-pattern "Reject" buttons that are deliberately harder to click, are being actively targeted by regulators and privacy NGOs. Shopify's built-in consent framework does not make you compliant by itself — you still need to implement it correctly.

What cookies does Shopify set by default?

Before you can get consent, you need to know what you're getting consent for. Shopify stores typically set cookies from three distinct sources:

| Cookie | Set by | Purpose | Category | Consent needed? |
|---|---|---|---|---|
| _shopify_y | Shopify | Unique visitor analytics for Shopify's internal reporting | Analytics | Yes |
| _shopify_s | Shopify | Session identifier for Shopify analytics | Analytics | Yes |
| _shopify_sa_p / _shopify_sa_t | Shopify | Marketing attribution (source / referral tracking) | Marketing | Yes |
| cart | Shopify | Stores shopping cart contents | Essential | No (strictly necessary) |
| _secure_session_id | Shopify | Checkout session (required for purchases) | Essential | No (strictly necessary) |
| _ga, _gid | Google Analytics | Visitor identification and session tracking | Analytics | Yes |
| _fbp, _fbc | Meta Pixel | Facebook/Instagram ad targeting and retargeting | Marketing | Yes |
| _ttp | TikTok Pixel | TikTok ad attribution and audience building | Marketing | Yes |
| _gcl_au | Google Ads | Conversion measurement for Google Ads campaigns | Marketing | Yes |
| klaviyo_* | Klaviyo | Email marketing personalisation and tracking | Marketing | Yes |
⚠️
This list is not exhaustive for your store

Every Shopify app you install can add its own cookies. Loyalty apps, reviews platforms, live chat tools, upsell widgets — each one is a potential compliance gap. The only way to know what your store actually sets is to scan it. Manual lists go stale the moment you install a new app.

How to audit your Shopify store's cookies

A cookie audit tells you every cookie your store sets, which third parties set them, and whether you're disclosing them correctly in your cookie policy. Do this before you configure your consent banner — you can't get consent for cookies you don't know about.

Option 1: Manual audit with Chrome DevTools

1
Open your store in an incognito window

Incognito ensures no existing cookies interfere. Open Chrome DevTools (F12), go to Application → Storage → Cookies, and select your domain.

2
Load each key page

Visit your homepage, a product page, a collection page, and the checkout. Each page type may load different scripts and set different cookies. Watch the cookie list expand as you navigate.

3
Check the Network tab for third-party requests

Filter the Network tab by "3rd-party" to see every external script loading. Each domain loading on your store is a potential cookie setter. Cross-reference with your installed apps.

4
Categorise each cookie

Sort discovered cookies into: Essential (checkout, cart, security), Analytics (Google Analytics, Shopify analytics), Marketing (Meta Pixel, Google Ads, Klaviyo). Essential cookies don't need consent. Everything else does.
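To make step 4 mechanical, here is an added example (not CookieGuard's or Shopify's code) that classifies a cookie list copied from the DevTools cookie panel into Essential / Analytics / Marketing using the cookie table on this page, and then reports every non-essential cookie that was present on a load where nobody clicked Accept, which is the same check as the "no analytics cookies before consent" checklist item. The `_ga_*` prefix rule is added because GA4 also sets a per-property `_ga_<id>` cookie; the sample export, the store domain and the `acme_loyalty_uid` app cookie are constructed.

```javascript
// Added example (not CookieGuard's or Shopify's code): classify cookies
// captured from DevTools → Application → Cookies using the table on this page,
// then report which non-essential cookies were set on a no-consent load.

// Cookie table from this page. A trailing '*' means "prefix match".
// _ga_* is added because GA4 also sets a per-property _ga_<id> cookie.
// Exact rules are listed before prefix rules.
const KNOWN_COOKIES = [
  { match: '_shopify_y',         setBy: 'Shopify',          category: 'Analytics' },
  { match: '_shopify_s',         setBy: 'Shopify',          category: 'Analytics' },
  { match: '_shopify_sa_p',      setBy: 'Shopify',          category: 'Marketing' },
  { match: '_shopify_sa_t',      setBy: 'Shopify',          category: 'Marketing' },
  { match: 'cart',               setBy: 'Shopify',          category: 'Essential' },
  { match: '_secure_session_id', setBy: 'Shopify',          category: 'Essential' },
  { match: '_ga',                setBy: 'Google Analytics', category: 'Analytics' },
  { match: '_gid',               setBy: 'Google Analytics', category: 'Analytics' },
  { match: '_fbp',               setBy: 'Meta Pixel',       category: 'Marketing' },
  { match: '_fbc',               setBy: 'Meta Pixel',       category: 'Marketing' },
  { match: '_ttp',               setBy: 'TikTok Pixel',     category: 'Marketing' },
  { match: '_gcl_au',            setBy: 'Google Ads',       category: 'Marketing' },
  { match: '_ga_*',              setBy: 'Google Analytics', category: 'Analytics' },
  { match: 'klaviyo_*',          setBy: 'Klaviyo',          category: 'Marketing' },
];

function matchesRule(name, rule) {
  return rule.match.endsWith('*')
    ? name.startsWith(rule.match.slice(0, -1))
    : name === rule.match;
}

function classifyCookie(name) {
  const rule = KNOWN_COOKIES.find(r => matchesRule(name, r));
  if (!rule) {
    // Unknown cookie: almost always an installed app. It needs a human to
    // classify it and, until then, is treated as needing consent.
    return { name, setBy: 'unknown (app?)', category: 'Unclassified', consentNeeded: true };
  }
  return { name, setBy: rule.setBy, category: rule.category,
           consentNeeded: rule.category !== 'Essential' };
}

// cookies: [{ name, domain }] copied from the DevTools cookie panel of an
// incognito session in which the banner was shown but nothing was clicked.
function auditNoConsentLoad(cookies) {
  const report = { essential: [], violations: [], unclassified: [] };
  for (const c of cookies) {
    const info = classifyCookie(c.name);
    if (info.category === 'Essential') report.essential.push(info);
    else if (info.category === 'Unclassified') report.unclassified.push(info);
    else report.violations.push(info); // non-essential cookie set before consent
  }
  return report;
}

// Constructed sample export (not from a real store).
const SAMPLE_NO_CONSENT_EXPORT = [
  { name: 'cart',                domain: 'example-store.myshopify.com' },
  { name: '_secure_session_id',  domain: 'example-store.myshopify.com' },
  { name: '_shopify_y',          domain: 'example-store.myshopify.com' },
  { name: '_ga',                 domain: '.example-store.myshopify.com' },
  { name: '_ga_ABC123DEF4',      domain: '.example-store.myshopify.com' },
  { name: 'klaviyo_session_xyz', domain: 'example-store.myshopify.com' },
  { name: 'acme_loyalty_uid',    domain: 'example-store.myshopify.com' }, // constructed app cookie
];

const report = auditNoConsentLoad(SAMPLE_NO_CONSENT_EXPORT);
for (const v of report.violations) {
  console.log(`VIOLATION: ${v.name} (${v.setBy}, ${v.category}) set before consent`);
}
for (const u of report.unclassified) {
  console.log(`REVIEW: ${u.name} is not in the known list; find which app sets it`);
}
```

Unknown names are deliberately reported as "review" rather than silently passed: an app cookie that nobody has classified is exactly the compliance gap the next note warns about.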

ℹ️
Manual audits miss dynamic cookies

Some cookies only appear after specific actions (adding to cart, reaching checkout, triggering a pop-up). A manual scan of the homepage alone will give you an incomplete picture. You also need to re-audit every time you install or update an app.

Option 2: Automated scanning

The faster approach is automated scanning. CookieGuard crawls your Shopify store, discovers every cookie set across all pages, classifies them by category, and generates a compliance report. It catches cookies that manual audits miss — including those set only after user interaction — and re-scans automatically when your store changes.

Scan your Shopify store for free

CookieGuard finds every cookie your store sets — including ones from apps you forgot you installed. Takes 30 seconds, no account needed.


Setting up a cookie consent banner on Shopify

Shopify's Customer Privacy API (introduced in 2022 and updated in 2024) provides the foundation for consent management. It gives you a JavaScript API to check consent state and block Shopify's own tracking pixels until consent is granted. But using it correctly requires configuration — it does not automatically make your store compliant.

What Shopify's built-in tools cover

The Privacy and Compliance section in Shopify Admin lets you enable the built-in cookie consent banner. This banner:

⚠️
Shopify's banner only covers Shopify-managed pixels

If you load Google Analytics, Klaviyo, or other scripts via theme code, custom scripts, or third-party apps rather than Shopify's Pixel framework, Shopify's consent banner does NOT block them. Those scripts will fire without consent.

Enabling Shopify's built-in consent banner

1
Go to Settings → Customer Privacy in Shopify Admin

Enable Cookie consent for the relevant regions. At minimum, enable it for Europe (EEA + UK). If you have US traffic, consider enabling it for California as well.

2
Migrate your tracking pixels to Shopify Pixels

In Shopify Admin go to Settings → Customer Events. Remove any hardcoded GA4, Meta Pixel, TikTok Pixel, or Google Ads tags from your theme code. Add them as Shopify-managed Customer Events pixels instead. Only Shopify Pixels are automatically blocked until consent is granted.

3
Check your theme for hardcoded scripts

Go to Online Store → Themes → Edit code and search your theme.liquid and product.liquid files for gtag, fbq, _tfa, klaviyoAnalytics, and similar tracking calls. Any hardcoded tracker bypasses Shopify's consent system entirely.

❌ This in theme.liquid = tracking fires without consent

<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXXXXX');
</script>
✅ Correct — use Shopify Customer Events instead
// In Shopify Admin → Settings → Customer Events → Add pixel
// Select "Google Analytics (GA4)" and enter your Measurement ID
// Shopify automatically blocks this until analytics consent is granted

// If you need custom GA4 config, use the Pixel API in a custom pixel.
// Custom pixels run in a sandbox, so gtag must be loaded inside the pixel;
// the theme's window.gtag is not reachable from here.
analytics.subscribe('page_viewed', (event) => {
  gtag('event', 'page_view', {
    page_location: event.context.document.location.href
  });
});

Configuring Google Consent Mode v2 for Shopify

If you use Google Analytics 4 or Google Ads, you also need to implement Consent Mode v2. Shopify's native GA4 pixel handles the basic consent signals when you use the Customer Events framework. But if you use Google Tag Manager loaded via a custom pixel, you need to configure GTM's Consent Initialisation trigger to call gtag('consent', 'default', ...) before any other tag fires.

ℹ️
Shopify + GTM consent setup

If you load GTM via a Shopify Custom Pixel, add a Consent Initialisation trigger in GTM with a tag that sets all four consent signals to denied by default. Then configure a Consent Update tag that fires when Shopify's visitorConsentCollected Customer Event fires. See our Consent Mode v2 guide for the full signal mapping.
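The two GTM halves described above, the Consent Initialisation default and the Consent Update driven by visitorConsentCollected, as plain gtag() calls in an added example that is not Shopify's, Google's or CookieGuard's code. It assumes the visitorConsentCollected payload carries a `customerPrivacy` object with boolean `analyticsAllowed`, `marketingAllowed`, `preferencesAllowed` and `saleOfDataAllowed` fields, and the mapping of those fields onto Google's four signals is one reasonable mapping chosen here, not the full mapping from the Consent Mode v2 guide the note refers to. The `dataLayer` is a stand-in array so the flow runs outside a browser.

```javascript
// Added example (not Shopify's, Google's or CookieGuard's code): Consent Mode
// v2 default + update flow for a Shopify store, with a stand-in dataLayer.

const CONSENT_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Stand-in for window.dataLayer. Real gtag() pushes the `arguments` object;
// plain arrays are pushed here so the state can be inspected.
const dataLayer = [];
function gtag(...args) { dataLayer.push(args); }

// 1. Consent Initialisation trigger: every signal denied before any tag fires.
function consentDefault() {
  const denied = Object.fromEntries(CONSENT_SIGNALS.map(s => [s, 'denied']));
  gtag('consent', 'default', denied);
  return denied;
}

// 2. Consent Update: translate Shopify's decision into Google's signals.
// ASSUMED field names (analyticsAllowed / marketingAllowed) and an assumed
// mapping: analytics -> analytics_storage, marketing -> the three ad_* signals.
function mapShopifyConsent(customerPrivacy) {
  const flag = b => (b ? 'granted' : 'denied');
  return {
    analytics_storage:  flag(customerPrivacy.analyticsAllowed),
    ad_storage:         flag(customerPrivacy.marketingAllowed),
    ad_user_data:       flag(customerPrivacy.marketingAllowed),
    ad_personalization: flag(customerPrivacy.marketingAllowed),
  };
}

// Handler for the visitorConsentCollected Customer Event (assumed payload shape).
function onVisitorConsentCollected(event) {
  const update = mapShopifyConsent(event.customerPrivacy);
  gtag('consent', 'update', update);
  return update;
}

// Effective state = the default overlaid with every later update, in order.
function effectiveConsent() {
  let state = {};
  for (const [cmd, , payload] of dataLayer) {
    if (cmd === 'consent') state = { ...state, ...payload };
  }
  return state;
}

// Constructed walk-through: the visitor accepts analytics but rejects marketing.
consentDefault();
onVisitorConsentCollected({
  customerPrivacy: { analyticsAllowed: true, marketingAllowed: false,
                     preferencesAllowed: true, saleOfDataAllowed: false },
});
console.log(effectiveConsent());
// → { ad_storage: 'denied', analytics_storage: 'granted', ad_user_data: 'denied', ad_personalization: 'denied' }
```

The order matters: if the update handler ever runs before the default has been pushed, Google's tags treat the signals as granted until told otherwise, which is why the default belongs on the Consent Initialisation trigger and nothing else.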

CookieGuard for Shopify: automated compliance scanning

Manually auditing and maintaining cookie compliance on a Shopify store is a recurring task, not a one-time setup. Every new app install, every theme update, every pixel configuration change is a potential compliance gap. CookieGuard automates this.

What CookieGuard does for Shopify stores

✅
No Shopify app required

CookieGuard works by scanning your live store URL — no app install, no theme code changes, no Liquid templating required. Enter your store URL, get a full compliance report. Integrations for ongoing monitoring connect via your Shopify URL, not through the app store.

CookieGuard vs manual compliance

| Task | Manual approach | CookieGuard |
|---|---|---|
| Initial cookie audit | 2–4 hours in DevTools, error-prone | 30 seconds, automated |
| After new app install | Manual re-audit needed (rarely done) | Automatic re-scan + alert |
| Violation detection | Only if you know what to look for | Automatic with specific fix guidance |
| Ongoing monitoring | Not realistic without dedicated resource | Continuous, background |
| Compliance reports for legal | Manual documentation | Generated on demand |

Scan your Shopify store — it's free

Get a full cookie compliance report in 30 seconds. See exactly what's firing without consent, and which apps are responsible.


Shopify GDPR Cookie Compliance Checklist

Use this checklist to verify your store's compliance status. Every item marked Critical is a potential fine.

📋 Shopify GDPR Cookie Compliance Checklist (2026)

1
Cookie consent banner is enabled and working
Shopify Admin → Settings → Customer Privacy → Cookie consent is active. Test in incognito: the banner must appear before any non-essential cookies are set.
Critical
2
All tracking pixels use Shopify Customer Events
Google Analytics, Meta Pixel, TikTok Pixel, Google Ads, and Klaviyo must be configured as Shopify Pixels — not hardcoded in theme.liquid or loaded via custom scripts.
Critical
3
No analytics cookies set before consent is granted
Open your store in incognito without clicking Accept. Check DevTools → Application → Cookies. You should see only essential cookies (cart, session). No _ga, _fbp, _shopify_y, etc.
Critical
4
Reject option is equally prominent as Accept
Regulators have fined stores for "dark patterns" where Accept is a prominent green button and Reject requires multiple clicks or is buried. Both must be equally accessible.
Critical
5
Google Consent Mode v2 is configured
If you use GA4 or Google Ads, all four consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) must default to denied and update on consent. Non-compliance blocks remarketing and conversion modelling.
High
6
Cookie policy is accurate and up to date
Your cookie policy must list every non-essential cookie your store sets, who sets it, why, and for how long. A generic Shopify template policy that doesn't mention your specific analytics and marketing cookies is non-compliant.
High
7
New app installs are audited for cookie compliance
Every Shopify app you install can add new cookies. Before installing any app that includes analytics, marketing, or personalisation features, check what cookies it sets and whether your consent banner covers them.
Medium
8
Consent is stored and respected across sessions
A user who clicked Reject should not be shown the banner again on their next visit, and their rejection must still be respected. Shopify's Customer Privacy API handles this if implemented correctly — verify with DevTools.
Medium
9
Cookie consent banner loads for EU and UK visitors
Shopify's geo-targeting should trigger the banner for EEA and UK visitors automatically. Test with a VPN set to Germany or France to confirm the banner appears as expected.
Medium
10
Automated scanning is in place for ongoing compliance
Compliance is not a one-time setup. As your store evolves, new cookies will appear. Set up automated scanning (CookieGuard or equivalent) to alert you when new cookies are detected so you can address them before they become violations.
Ongoing

Common Shopify cookie compliance mistakes

These are the issues we see most often when scanning Shopify stores:

1. Using the Shopify consent banner but still loading scripts via GTM

A common pattern: the Shopify consent banner is enabled, but Google Tag Manager is loaded via a custom <script> tag in theme.liquid. GTM then fires all its tags — including GA4 and Meta Pixel — immediately on page load, before any consent is collected. Shopify's banner has no visibility over GTM-loaded scripts.

Fix: Load GTM as a Shopify Custom Pixel. Configure a Consent Initialisation tag in GTM that sets all consent to denied by default. Use Shopify's visitorConsentCollected event to trigger consent updates in GTM.

2. Klaviyo and SMS apps firing before consent

Email and SMS marketing platforms (Klaviyo, Attentive, Postscript) often set persistent cookies for visitor identification and pop-up suppression. Many Shopify merchants install these via theme code rather than Shopify Pixels, meaning they bypass the consent framework entirely.

Fix: Check if your email/SMS provider supports the Shopify Customer Events framework. If not, ensure their script is loaded conditionally — only after marketing consent is granted — using the Customer Privacy API's currentVisitorConsent() method.
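One way to implement that conditional load, as an added example that is not Klaviyo's, Shopify's or CookieGuard's code: the vendor script is injected only once the Customer Privacy API reports marketing consent as `'yes'`, and at most once per page. It assumes `currentVisitorConsent()` returns an object whose `marketing` field is `'yes'`, `'no'` or `''` (empty meaning no decision yet), that the feature is loaded with `Shopify.loadFeatures` under the name `consent-tracking-api`, and that a `visitorConsentCollected` event is dispatched on `document` after the banner is answered; the script URL is a placeholder. The gating logic takes the injector as a parameter so it can be exercised without a DOM.

```javascript
// Added example (not Klaviyo's, Shopify's or CookieGuard's code): gate a
// third-party marketing script on Shopify's Customer Privacy API.

const MARKETING_SCRIPT_URL = 'https://example.invalid/marketing-vendor.js'; // placeholder

// The only decision that may load the script is an explicit 'yes'.
// 'no' and '' (undecided) must both keep it blocked. Assumed value set.
function marketingConsentGranted(consent) {
  return Boolean(consent) && consent.marketing === 'yes';
}

// `inject` performs the side effect (creating the <script> tag). Passing it in
// keeps the decision logic testable outside a browser.
function createMarketingGate(inject) {
  let loaded = false;
  return {
    // Evaluate the current consent object; returns true if the script was
    // loaded on this call.
    evaluate(consent) {
      if (loaded || !marketingConsentGranted(consent)) return false;
      loaded = true;
      inject(MARKETING_SCRIPT_URL);
      return true;
    },
    isLoaded() { return loaded; },
  };
}

// Browser wiring; runs only inside a page (assumed API names).
function installBrowserGate() {
  const gate = createMarketingGate(url => {
    const s = document.createElement('script');
    s.async = true;
    s.src = url;
    document.head.appendChild(s);
  });
  window.Shopify.loadFeatures(
    [{ name: 'consent-tracking-api', version: '0.1' }],
    error => {
      if (error) return;
      const api = window.Shopify.customerPrivacy;
      // Returning visitor: honour the stored decision immediately.
      gate.evaluate(api.currentVisitorConsent());
      // New visitor: wait for the banner to be answered.
      document.addEventListener('visitorConsentCollected', () => {
        gate.evaluate(api.currentVisitorConsent());
      });
    }
  );
  return gate;
}

// Constructed walk-through with a fake injector: the visitor lands undecided,
// rejects, later accepts, and a duplicate event must not load the script twice.
function simulateVisit() {
  const injected = [];
  const gate = createMarketingGate(url => injected.push(url));
  const results = [
    gate.evaluate({ marketing: '',    analytics: '' }),    // banner shown, nothing clicked
    gate.evaluate({ marketing: 'no',  analytics: 'yes' }), // marketing rejected
    gate.evaluate({ marketing: 'yes', analytics: 'yes' }), // accepted: load once
    gate.evaluate({ marketing: 'yes', analytics: 'yes' }), // repeat event: no reload
  ];
  return { results, injected };
}

// In the theme: installBrowserGate(). Outside a browser, run the simulation.
if (typeof window === 'undefined') console.log(simulateVisit());
```

The check for the stored decision on page load is what keeps a returning visitor's earlier choice in force; without it a visitor who accepted on a previous visit would never get the script, and, worse, a gate that defaulted to loading would ignore a previous rejection.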

3. Consent banner not appearing on checkout pages

Shopify's checkout is hosted on a separate subdomain (checkout.shopify.com or a custom checkout domain). Your theme's consent banner typically does not appear on checkout pages. If checkout pages set additional marketing cookies, those may not have a valid consent basis.

Fix: Review what cookies are set on your checkout pages specifically. Shopify's native checkout pixels (set through Customer Events) are automatically consent-gated. Third-party checkout extensions with their own cookies may need separate handling.

4. Cookie policy not updated after installing new apps

Your cookie policy is a legal document that must accurately reflect the cookies your store sets. A standard Shopify privacy policy template does not automatically update when you install new apps. Most Shopify stores have outdated cookie policies that don't disclose half the cookies being set.

Fix: Re-audit your cookies every time you install a new app. Update your cookie policy to reflect the current state. Automated scanning (see above) eliminates the risk of missing new cookies.

✅
Start with a scan, not a policy update

The most common mistake is updating the cookie policy first and then discovering the actual cookies on the store don't match. Scan first, know what you're actually setting, then document it accurately. CookieGuard's free scan gives you the ground truth in 30 seconds.