Why BigCommerce Stores Need a Cookie Banner
Every BigCommerce store sets cookies the moment a visitor lands on a page. Session identifiers keep shopping carts alive. Analytics scripts like Google Analytics 4 drop _ga and _ga_* cookies. Marketing pixels from Meta set _fbp, and retargeting tools add their own tracking identifiers.
Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device requires prior consent - unless the cookie is strictly necessary for a service the user explicitly requested. That means your checkout session cookie is fine without consent, but your Google Analytics cookie is not.
CNIL issued over 100 million euros in cookie-related fines between 2022 and 2024. The ICO in the United Kingdom and data protection authorities across the EU have made cookie compliance a top enforcement priority heading into 2026. Running a BigCommerce store without a proper consent mechanism is a measurable legal risk, not just a theoretical one.
Which Cookies Does BigCommerce Set?
BigCommerce generates several categories of cookies out of the box. Some are essential for store functionality; others require explicit consent before they can be placed on a visitor's device.
| Cookie Name | Purpose | Category | Consent Required? |
|---|---|---|---|
SHOP_SESSION_TOKEN | Maintains the shopping session and cart contents | Strictly Necessary | No |
RECENTLY_VIEWED_PRODUCTS | Tracks recently viewed product pages | Functional | Yes (in EU/UK) |
_ga / _ga_* | Google Analytics 4 visitor identification | Analytics | Yes |
_gid | GA4 session-level identification | Analytics | Yes |
_fbp | Meta Pixel browser identification | Marketing | Yes |
_gcl_au | Google Ads conversion linker | Marketing | Yes |
STORE_VISITOR | Identifies returning visitors for personalisation | Functional | Yes (in EU/UK) |
Third-party apps from the BigCommerce marketplace often inject their own cookies and scripts. A live chat widget, a product recommendation engine, or a loyalty programme extension can each add tracking that falls outside the strictly necessary category. Scanning your store regularly is the only reliable way to know exactly what cookies are active.
BigCommerce Built-in Cookie Consent vs a Dedicated CMP
BigCommerce includes a native cookie consent tracking feature. You can enable it under Settings, then Security and Privacy, by ticking the Cookie Consent Tracking checkbox. When enabled, BigCommerce blocks its built-in analytics integrations (GA4, Facebook) until the visitor accepts cookies.
This built-in option has clear limitations. It does not provide granular category-based consent. Visitors cannot choose to accept analytics cookies while rejecting marketing cookies. There is no mechanism for recording proof of consent, which GDPR Article 7 requires. The banner design and wording cannot be customised to meet the specific requirements of different jurisdictions.
A dedicated consent management platform gives you category-based consent controls, consent logging, geo-targeted banner rules, and automatic script blocking. For stores selling to customers in multiple countries, this granularity is not optional - it is a regulatory requirement.
Installing a Cookie Banner via Script Manager
BigCommerce Script Manager is the recommended method for adding third-party scripts to your store. It avoids editing theme files directly and survives theme updates.
Step-by-step Installation
Log in to your BigCommerce admin panel
Go to Storefront and select Script Manager
Click Create a Script
Set a descriptive name (e.g. "Cookie Consent Banner")
Under Location on Page, select Head
Under Select pages where script will be added, choose All Pages
Set Script category to Essential (the banner itself must load without consent)
Select Script as the script type
Paste your CMP script snippet into the Script contents field
Click Save
The banner script must be categorised as Essential in Script Manager. If you categorise it as Analytics or another non-essential type, BigCommerce will block it until after consent - defeating the entire purpose.
For a detailed walkthrough with screenshots, see the BigCommerce installation guide in the Kukie.io Help Centre.
Handling Checkout Pages
BigCommerce checkout runs on a separate, more restricted page context. Script Manager scripts set to All Pages do load on checkout, but some third-party scripts behave differently there. Test your cookie banner on the checkout page specifically to confirm it renders correctly and that consent choices carry over from the storefront.
Blocking Analytics and Marketing Scripts Before Consent
Displaying a banner is only half the requirement. The other half is ensuring that non-essential cookies are not set until the visitor actively consents. Under GDPR, loading a tracking script that drops cookies before consent is a violation, regardless of whether a banner is visible.
There are two main approaches for BigCommerce stores.
Script Manager Categories
BigCommerce Script Manager lets you assign each script to a category: Essential, Analytics, or Functional. When the built-in cookie consent tracking is enabled, BigCommerce blocks non-essential scripts until the visitor accepts. This works for scripts added through Script Manager but does not cover scripts injected by BigCommerce apps or hardcoded in theme files.
CMP-based Script Blocking
A consent management platform can conditionally load scripts based on the visitor's specific consent choices. This approach gives you finer control. Analytics scripts fire only when analytics consent is granted. Marketing scripts fire only when marketing consent is granted. This method also integrates with Google Consent Mode v2, which sends cookieless pings to Google when consent has not been given - preserving some conversion modelling data without violating privacy rules.
GDPR, CCPA, and Regional Requirements for Online Stores
The legal obligations vary depending on where your customers are located, not where your store is hosted.
If you sell to customers in the European Economic Area or the United Kingdom, GDPR and the ePrivacy Directive apply. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are invalid. A "Reject All" option must be as prominent as "Accept All" - CNIL has fined multiple organisations specifically for hiding the reject option behind extra clicks.
Stores with customers in California must comply with the CCPA/CPRA. The requirement is opt-out rather than opt-in: you must provide a "Do Not Sell or Share My Personal Information" link and honour Global Privacy Control signals from the browser.
Brazilian customers bring LGPD obligations. Canadian customers trigger PIPEDA requirements. South African customers mean POPIA applies. A BigCommerce store with international traffic needs a consent solution that adapts its behaviour based on the visitor's location.
Kukie.io supports geo-targeted consent rules, displaying the correct banner type and legal basis depending on where the visitor connects from.
Common Compliance Mistakes on BigCommerce
Running a cookie audit on BigCommerce stores regularly reveals the same issues.
The first is marketplace apps that inject tracking scripts outside Script Manager's control. These scripts fire on every page load regardless of consent status. Check each installed app's documentation to understand what cookies it sets, and remove any app you cannot bring under consent management.
The second mistake is relying solely on BigCommerce's built-in consent toggle without customising the banner text. Generic wording like "This site uses cookies" does not meet GDPR's informed consent requirement. The banner must identify cookie categories, explain their purposes, and name the data recipients.
Third: ignoring the checkout flow. Payment-related cookies from processors like Stripe or PayPal are strictly necessary and do not require consent. But analytics and remarketing scripts that fire during checkout still need consent. Verify that your consent state persists across the storefront-to-checkout transition.
Testing Your Cookie Banner
After installation, verify your setup using Chrome DevTools. Open the Application tab, select Cookies from the sidebar, and load your store in a fresh incognito window without accepting the banner. Only strictly necessary cookies should appear.
Accept all cookies and reload. Analytics and marketing cookies should now be visible. Reject all cookies and reload again - only essential cookies should remain. Test this flow on product pages, category pages, and the checkout page.
You can also use a free cookie scanner to get a complete list of cookies your store sets and identify any that fire without consent.
Frequently Asked Questions
Does BigCommerce have a built-in cookie consent banner?
Yes. BigCommerce offers a basic cookie consent tracking toggle under Settings then Security and Privacy. It blocks built-in analytics integrations until the visitor accepts, but it lacks granular category consent, consent logging, and geo-targeted rules.
Where do I add a cookie banner script in BigCommerce?
Use Script Manager under Storefront in your BigCommerce admin. Create a new script, set it to load in the Head on All Pages, and categorise it as Essential so the banner loads before any consent decision.
Do I need cookie consent for BigCommerce checkout pages?
Payment processing cookies are strictly necessary and do not require consent. Analytics or remarketing scripts that run during checkout still require consent under GDPR and the ePrivacy Directive.
Does BigCommerce support Google Consent Mode v2?
BigCommerce added native support for Google Consent Mode in its GA4 integration in March 2024. This sends cookieless pings to Google along with the visitor's consent status, enabling conversion modelling even when cookies are declined.
What cookies does Google Analytics set on a BigCommerce store?
Google Analytics 4 sets _ga (a client ID cookie lasting two years), _ga_* (a session cookie specific to your measurement ID), and _gid (a 24-hour session cookie). All three require consent before being placed.
Can BigCommerce marketplace apps set cookies without consent?
Yes, some marketplace apps inject scripts that set cookies outside Script Manager's control. You should audit each app to determine what cookies it places and ensure those scripts are blocked until the visitor grants consent.
Take Control of Your Cookie Compliance
If you are not sure which cookies your BigCommerce store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
