Why eCommerce Websites Face Tougher Cookie Scrutiny
Online stores collect more personal data than most websites. Between cart sessions, payment processing, remarketing pixels, and product recommendation engines, a typical eCommerce site can set 30 to 60 cookies per visitor before checkout even begins.
Regulators have noticed. In 2025, France's CNIL imposed a record 150 million euro fine on fashion retailer SHEIN for dark patterns in its cookie banner and failure to obtain valid consent before firing tracking scripts. The fine followed a pattern of enforcement against online retailers across the EU, with data protection authorities in Germany, Italy, and Spain issuing similar decisions targeting eCommerce cookie practices.
Article 5(3) of the ePrivacy Directive requires consent before storing or accessing information on a user's device, unless the cookie is strictly necessary for the service the user has requested. For an online store, that distinction between "strictly necessary" and "everything else" is where compliance begins.
Which eCommerce Cookies Count as Strictly Necessary?
Strictly necessary cookies are exempt from consent requirements under both the ePrivacy Directive and the GDPR. For an online store, this category covers cookies that the shop cannot function without.
A session cookie that holds items in your visitor's cart (cart_token, wc_cart_hash) qualifies as strictly necessary because the user has explicitly requested to add products. The same applies to authentication cookies that keep a logged-in customer signed in during checkout, and CSRF tokens that protect form submissions from cross-site attacks.
Payment gateway cookies from providers like Stripe, PayPal, and Klarna present a grey area. Stripe sets a __stripe_mid cookie for fraud detection. Most DPAs accept fraud prevention cookies as strictly necessary, but only when they are genuinely required to complete the transaction the user initiated.
Currency and language preference cookies (pll_language, cart_currency) also fall into the strictly necessary category when they directly support the service requested.
Cookies That Always Require Consent
Every cookie that tracks behaviour beyond the immediate transaction needs consent before it fires. This includes analytics, advertising, and personalisation cookies.
Analytics and Performance Cookies
Google Analytics 4 sets _ga and _ga_* cookies that track visitors across sessions. These require consent under GDPR, regardless of whether you anonymise IP addresses. The same applies to Hotjar session recording cookies, Microsoft Clarity, and similar tools.
Marketing and Remarketing Cookies
The Meta Pixel (_fbp, _fbc), TikTok Pixel, Google Ads conversion tracking, and Pinterest Tag all set cookies that build advertising profiles. These fall squarely into the marketing category and must be blocked until a visitor grants consent.
Personalisation and Recommendation Cookies
Product recommendation engines that track browsing history to suggest items are not strictly necessary. A visitor browsing your shop has not requested personalised recommendations - they have requested to view products. The EDPB's guidelines on consent confirm that personalisation based on tracking requires opt-in consent.
Cookie Categories for a Typical Online Store
The table below maps common eCommerce cookies to their correct consent category. Use this as a starting point when auditing your store's cookies.
| Cookie | Purpose | Category | Consent Required? |
|---|---|---|---|
| cart_token | Shopping cart session | Strictly Necessary | No |
| PHPSESSID | Server session (WooCommerce) | Strictly Necessary | No |
| __stripe_mid | Stripe fraud detection | Strictly Necessary | No |
| pll_language | Language preference | Functional | No |
| _ga | Google Analytics tracking | Analytics | Yes |
| _fbp | Meta Pixel browser ID | Marketing | Yes |
| _ttp | TikTok Pixel tracking | Marketing | Yes |
| _pin_unauth | Pinterest Tag | Marketing | Yes |
| _clck | Microsoft Clarity user ID | Analytics | Yes |
| nosto_id | Product recommendations | Personalisation | Yes |
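As an added example (not Kukie.io's scanner or any code from this page), the check below applies the table above to a constructed document.cookie snapshot and reports which consent-requiring cookies are already set before the visitor has granted the matching category. The `_ga_*` name pattern, the sample cookie values and the unknown `mystery_pixel` cookie are assumptions.

```javascript
// Added example: classify a store's cookies against the category table and flag any
// consent-requiring cookie that is present without the matching consent. Cookie names
// come from the table; the _ga_* pattern and the sample cookie string are constructed.
const COOKIE_TABLE = [
  { match: 'cart_token',   category: 'strictly-necessary', consent: false },
  { match: 'PHPSESSID',    category: 'strictly-necessary', consent: false },
  { match: '__stripe_mid', category: 'strictly-necessary', consent: false },
  { match: 'pll_language', category: 'functional',         consent: false },
  { match: /^_ga(_[A-Z0-9]+)?$/, category: 'analytics',    consent: true },  // _ga and _ga_<id>
  { match: '_clck',        category: 'analytics',          consent: true },
  { match: '_fbp',         category: 'marketing',          consent: true },
  { match: '_ttp',         category: 'marketing',          consent: true },
  { match: '_pin_unauth',  category: 'marketing',          consent: true },
  { match: 'nosto_id',     category: 'personalisation',    consent: true },
];

// Look up one cookie name; names not in the table are reported for manual review.
function classifyCookie(name) {
  for (const row of COOKIE_TABLE) {
    const hit = row.match instanceof RegExp ? row.match.test(name) : row.match === name;
    if (hit) return { category: row.category, consentRequired: row.consent };
  }
  return { category: 'unknown', consentRequired: null };
}

// Parse a document.cookie-style string ("a=1; b=2") into its cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';').map(c => c.trim().split('=')[0]).filter(Boolean);
}

// Return the cookies that should not be present given the visitor's consent state.
// consentState maps a category to a boolean, e.g. { analytics: false, marketing: false }.
function auditCookies(cookieString, consentState) {
  const violations = [], review = [];
  for (const name of cookieNames(cookieString)) {
    const info = classifyCookie(name);
    if (info.category === 'unknown') review.push(name);
    else if (info.consentRequired && !consentState[info.category]) {
      violations.push({ name, category: info.category });
    }
  }
  return { violations, review };
}

// Constructed snapshot of a store's cookies before the visitor has touched the banner.
const SAMPLE_COOKIES = 'cart_token=c1; PHPSESSID=s1; _ga=GA1.1.1; _ga_ABC123=GS1.1; _fbp=fb.1.1; mystery_pixel=1';
const NO_CONSENT = { analytics: false, marketing: false, personalisation: false };
```

Running `auditCookies(SAMPLE_COOKIES, NO_CONSENT)` lists the three tracking cookies as violations and leaves `mystery_pixel` in the review list, which is the case the table cannot decide for you.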
Platform-Specific Compliance Steps
Each eCommerce platform handles cookies differently. The approach to blocking non-essential cookies before consent depends on the platform's architecture.
Shopify
Shopify's Customer Privacy API provides a built-in mechanism for checking consent status before firing tracking pixels. Since late 2023, Shopify web pixels run in a sandboxed environment, which means they respect the consent signals you configure through the API. Set up your cookie banner to communicate with the Customer Privacy API, and configure each pixel's consent requirements in the Shopify admin under Customer Privacy settings.
Be aware that third-party Shopify apps may inject their own cookies outside the pixel sandbox. Audit your installed apps regularly.
WooCommerce
WooCommerce runs on WordPress, which means cookie management depends on your theme, plugins, and custom code. The WP Consent API provides a standardised way for plugins to register their cookies and respect consent status. Use a CMP that integrates with the WP Consent API to ensure plugins only fire cookies after consent is granted.
WooCommerce itself sets wc_cart_hash, wc_fragments, and woocommerce_items_in_cart as session cookies. These are strictly necessary.
Magento (Adobe Commerce)
Magento's cookie restriction mode provides a built-in toggle that blocks non-essential cookies until consent. Enable it under Stores > Configuration > General > Web > Default Cookie Settings. Third-party extensions frequently add their own cookies, so audit every extension after installation.
Abandoned Cart Tracking and Consent
Abandoned cart recovery is one of the highest-revenue email automation flows in eCommerce. It also sits in a legal grey zone.
If a visitor adds items to their cart and enters their email address during checkout but does not complete the purchase, you have their email. Under GDPR, that email was provided for the purpose of completing an order, not for receiving abandoned cart recovery emails. Sending a reminder email without a separate legal basis risks a complaint.
The GDPR's "soft opt-in" for existing customers (Recital 47 and national implementations like the UK's PECR Regulation 22) may cover abandoned cart emails if the visitor was already a customer. For first-time visitors who never completed a purchase, you need explicit consent or a clearly communicated legitimate interest basis.
The cookies that power abandoned cart tracking - session identifiers linked to email addresses - require consent when they go beyond what is strictly necessary for the cart session itself.
Google Consent Mode v2 for Online Stores
Google Consent Mode v2 affects every online store running Google Ads, GA4, or Google Shopping campaigns. Since March 2024, Google requires websites serving ads to EEA users to implement Consent Mode v2 with a Google-certified CMP.
For eCommerce, Consent Mode v2 introduces two new parameters: ad_user_data and ad_personalization. These control whether user data is sent to Google for advertising purposes. Your CMP must pass these signals correctly, or your Google Ads remarketing audiences and conversion modelling will stop working for EEA traffic.
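The default-denied then update sequence described above, as an added example rather than Google's or any CMP's own code: every signal starts denied before any Google tag loads, and the banner's category decisions are then mapped onto the four signals, including the two v2 parameters. The CMP category names (`analytics`, `marketing`) and the choice to let marketing consent unlock all three advertising signals are assumptions; real CMPs name and split these differently.

```javascript
// Added example: Consent Mode v2 signalling with a stub dataLayer so it runs outside a browser.
// gtag() has the same shape as the real snippet; the category-to-signal mapping is an assumption.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Must run before any Google tag loads. wait_for_update gives the CMP up to 500 ms to
// deliver a stored choice before tags fire in the denied state.
function setConsentDefault() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',          // v2 parameter
    ad_personalization: 'denied',    // v2 parameter
    analytics_storage: 'denied',
    wait_for_update: 500,
  });
}

// Translate CMP categories (assumed names) into Google consent signals. Here marketing
// consent unlocks all three advertising signals and analytics consent unlocks analytics_storage.
function consentSignalsFromCategories(categories) {
  const g = v => (v ? 'granted' : 'denied');
  return {
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
    analytics_storage: g(categories.analytics),
  };
}

// Send the visitor's decision; returns the signals so callers can log them as a consent record.
function applyConsentUpdate(categories) {
  const signals = consentSignalsFromCategories(categories);
  gtag('consent', 'update', signals);
  return signals;
}

// Read back the most recent value recorded for one signal (useful when auditing a CMP).
function currentSignal(name) {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const [cmd, , params] = dataLayer[i];
    if (cmd === 'consent' && params && name in params) return params[name];
  }
  return undefined;
}
```

With the default in place, a visitor who accepts analytics but rejects marketing leaves `ad_user_data` and `ad_personalization` denied, which is the state in which Google falls back to conversion modelling for that visitor.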
Regulation-Specific Requirements for Online Stores
Cookie compliance rules differ by jurisdiction. An online store shipping internationally must account for multiple frameworks.
| Regulation | Consent Model | Key Requirement for eCommerce |
|---|---|---|
| GDPR / ePrivacy (EU) | Opt-in | Consent before all non-essential cookies |
| UK GDPR / PECR | Opt-in | ICO expects clear accept/reject options |
| CCPA / CPRA (California) | Opt-out | "Do Not Sell or Share" link required |
| LGPD (Brazil) | Opt-in | Consent must be free, informed, unambiguous |
| PIPEDA (Canada) | Implied/Express | Express consent for sensitive data tracking |
| POPIA (South Africa) | Opt-in | Consent for direct marketing via cookies |
A geo-targeting CMP that detects visitor location and applies the correct consent model is the most practical solution for stores selling across borders. Showing a full opt-in banner to a US visitor who only needs an opt-out link creates unnecessary friction.
Frequently Asked Questions
Do shopping cart cookies need consent under GDPR?
No. Shopping cart cookies that hold items a visitor has added are strictly necessary for the service they requested. You do not need consent for these, but you should still list them in your cookie policy.
Are payment gateway cookies like Stripe strictly necessary?
Fraud detection cookies set by payment providers such as Stripe are generally accepted as strictly necessary by most DPAs, provided they are genuinely required to process the transaction. Stripe's __stripe_mid and __stripe_sid cookies fall into this category.
Can I send abandoned cart emails without cookie consent?
The email itself may be covered by the soft opt-in exception for existing customers, but the cookies that track cart abandonment and link sessions to email addresses may require consent if they go beyond strictly necessary session management.
Does Shopify handle cookie compliance automatically?
Shopify provides a Customer Privacy API and basic cookie banner settings, but these do not cover all compliance requirements. You still need a CMP to manage consent categories, block third-party scripts, and generate consent records.
What happens to Google Ads if visitors reject cookies?
With Consent Mode v2, Google receives a "denied" signal and uses conversion modelling to estimate conversions. Your remarketing audiences for those visitors will not be populated, but basic campaign measurement continues through statistical modelling.
Do product recommendation cookies need consent?
Yes. Cookies that track browsing behaviour to personalise product suggestions are not strictly necessary. The EDPB considers personalisation based on tracking a non-essential function that requires opt-in consent.
Take Control of Your Cookie Compliance
If you are not sure which cookies your online store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.