Why Ecwid Stores Need a Dedicated Cookie Banner
Ecwid works differently from standalone e-commerce platforms. Rather than hosting your entire site, Ecwid embeds a storefront widget into an existing webpage - whether that page runs on WordPress, Wix, a custom HTML site, or Ecwid's own Instant Site. This architecture means cookies come from two sources: your host website and the embedded Ecwid store.
Both sources set tracking cookies. Both fall under the same privacy regulations.
Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a visitor's device requires prior consent unless the cookie is strictly necessary for a service the user explicitly requested. The GDPR then governs how that consent must be obtained: freely given, specific, informed, and unambiguous. These rules apply regardless of whether the cookie originates from your host site's analytics script or from Ecwid's embedded checkout.
Ecwid does offer a built-in cookie consent banner, accessible through Settings then Legal in your Ecwid admin panel. Visitors can accept, partially accept, or decline cookies. But this built-in banner only covers cookies set by the Ecwid storefront itself. If your host website uses Google Analytics, Meta Pixel, Hotjar, or any other third-party script, those cookies fall outside Ecwid's built-in controls.
Which Cookies Does an Ecwid Store Set?
Ecwid categorises its cookies into four groups. Understanding these categories helps you configure your banner correctly and write an accurate cookie policy.
| Category | Example Cookies | Purpose | Consent Required? |
|---|---|---|---|
| Essential | XSRF-TOKEN, ec_session | Cart functionality, security tokens, session management | No |
| Analytics | _ec_store_stats | Aggregate store performance data, page views | Yes |
| Personalisation | ec_customer_id, recently_viewed | Remembering browsing history, customer preferences | Yes |
| Marketing | _fbp, _gcl_au (via integrations) | Advertising pixels, conversion tracking | Yes |
Essential cookies - those powering the shopping cart, checkout flow, and CSRF protection - do not require consent. They exist solely to deliver the service your visitor requested.
Analytics, personalisation, and marketing cookies all require opt-in consent before being set. If you have connected Facebook Pixel, Google Analytics, or other tracking tools through Ecwid's built-in integrations, those scripts will drop additional cookies such as _ga, _fbp, and _gcl_au that absolutely require consent.
The Embedded Store Problem: Two Cookie Sources, One Banner
The core challenge with Ecwid is that your visitors experience a single website but cookies arrive from two distinct systems. Your host site might set _ga and _gid through a Google Analytics snippet. Ecwid's widget sets its own session and analytics cookies. A Meta Pixel installed on your host site drops _fbp independently of anything Ecwid does.
Ecwid's built-in cookie banner cannot block scripts that live on your host page. It only manages cookies that Ecwid's own JavaScript creates. This gap means relying solely on Ecwid's native banner leaves your host-site cookies completely unmanaged - a compliance risk under both the GDPR and the CCPA.
The solution is a site-wide cookie consent tool that sits on your host page and governs all cookies, including those from the embedded Ecwid store. Ecwid supports this through its JavaScript API, which lets an external consent management platform pass the visitor's consent choice directly to the Ecwid widget.
How to Add a Cookie Banner to Your Ecwid Store
The exact installation method depends on your host platform. The general process follows three steps.
Step 1: Install the Consent Script on Your Host Site
Add the cookie consent script to your host website's <head> section. If your host site runs on WordPress, this goes into your theme's header or through a plugin. On a static HTML site, paste it directly into the HTML. For Ecwid's Instant Site, use the custom code injection area under Settings.
Kukie.io provides a lightweight script snippet that you paste once. The Ecwid installation guide walks through each placement option.
Step 2: Connect Consent Signals to Ecwid
Ecwid's storefront JavaScript API accepts consent signals from external tools. When a visitor clicks "Accept" or "Reject" on your site-wide banner, the consent management platform can relay that decision to Ecwid using the Ecwid.setConsentData method. This ensures Ecwid respects the same choice your host site does - no double banners, no conflicting states.
Step 3: Scan and Categorise All Cookies
Run a cookie scan across your entire domain. This detects cookies from your host site, from Ecwid, and from any third-party integrations. Each cookie gets assigned to a category - essential, analytics, personalisation, or marketing - so your banner can present visitors with a clear, granular choice.
Ecwid Instant Site vs Embedded Store: What Changes?
If you use Ecwid's Instant Site (the free standalone storefront Ecwid provides), the built-in cookie banner may be sufficient, provided you have not added external tracking scripts through the custom code area. Instant Site is a controlled environment where Ecwid manages most of the page.
The moment you embed Ecwid into another platform - WordPress, Squarespace, Wix, a custom-coded site - the built-in banner becomes inadequate. Your host page introduces its own cookies and scripts that Ecwid cannot see or control. A site-wide consent tool becomes a practical necessity, not an optional extra.
For those running Ecwid on WordPress specifically, the WordPress cookie consent guide covers the host-side setup in detail. Shopify store owners migrating from or running alongside Ecwid can consult the Shopify compliance guide.
Regulatory Requirements Across Jurisdictions
Cookie consent rules vary by region, and your Ecwid store likely serves customers across borders. Enforcement has intensified throughout 2025 and into 2026, with supervisory authorities issuing fines specifically for non-compliant cookie banners.
| Regulation | Region | Consent Model | Key Requirement |
|---|---|---|---|
| GDPR + ePrivacy Directive | EU/EEA | Opt-in | Prior consent before non-essential cookies |
| UK GDPR + PECR | United Kingdom | Opt-in | Clear accept/reject options with equal prominence |
| CCPA/CPRA | California, US | Opt-out | "Do Not Sell or Share" link, honour GPC signals |
| LGPD | Brazil | Opt-in | Informed consent with clear purpose specification |
| PIPEDA | Canada | Implied/Express | Meaningful consent, sensitivity-based approach |
| POPIA | South Africa | Opt-in | Justification required for processing personal data |
CNIL, the French data protection authority, has issued several six-figure fines since 2023 specifically targeting websites that loaded analytics and advertising cookies before obtaining consent. The ICO in the United Kingdom has published guidance stating that a "Reject All" option must be as easy to select as "Accept All" - no hidden toggles or extra clicks.
A properly configured cookie banner with geo-detection can display the correct consent model based on each visitor's location, applying opt-in rules for EU visitors and opt-out rules for Californians.
Common Mistakes with Ecwid Cookie Consent
Several pitfalls catch Ecwid store owners off guard.
Relying on the built-in banner alone. As covered above, Ecwid's native banner does not manage host-site cookies. If your host page runs Google Analytics or any advertising pixel, those scripts fire without consent.
Double banners. Running both Ecwid's built-in banner and a site-wide consent tool creates confusion for visitors. Disable the Ecwid banner when using an external CMP and pass consent signals via the JavaScript API instead.
Forgetting to scan after adding integrations. Every time you connect a new Ecwid app or install a tracking pixel, new cookies may appear. Scheduled cookie scans catch these additions automatically.
Pre-ticked consent boxes. Both the EDPB and national supervisory authorities have confirmed that pre-selected checkboxes do not constitute valid consent. Your banner must load with all non-essential categories unchecked.
Ignoring opt-out requirements for US visitors. Under the CCPA, California residents must be able to opt out of the sale or sharing of personal information. Cookie-based advertising typically qualifies as "sharing" under the CPRA amendments.
Frequently Asked Questions
Does Ecwid have a built-in cookie consent banner?
Yes. Ecwid offers a native cookie consent banner through Settings then Legal in the admin panel. It covers cookies set by the Ecwid storefront but does not manage cookies from your host website or third-party scripts installed outside Ecwid.
Do I need a cookie banner if I only use Ecwid Instant Site?
If you have not added any external tracking scripts, Ecwid's built-in banner may be sufficient. The moment you add Google Analytics, Facebook Pixel, or any other third-party tool via custom code, you need a site-wide consent solution.
Can I use a separate cookie consent tool with Ecwid?
Yes. Ecwid's JavaScript API allows external consent management platforms to pass consent signals directly to the storefront widget, ensuring a single unified consent experience for visitors.
What cookies does Ecwid set on my store?
Ecwid sets essential cookies for cart and session management, analytics cookies for store performance data, and personalisation cookies for browsing history. Marketing cookies appear when you connect advertising integrations like Facebook Pixel or Google Ads.
Is Ecwid GDPR compliant by default?
Ecwid provides GDPR-related tools including a cookie consent banner and data export features. But compliance depends on how you configure your entire site - including host-page scripts, privacy policy, and consent mechanisms - not just the Ecwid widget.
How do I avoid showing two cookie banners on my Ecwid store?
Disable Ecwid's built-in cookie banner in your admin settings and use a site-wide consent tool instead. Connect the external tool to Ecwid via the JavaScript API so consent decisions apply to both your host site and the embedded store.
Take Control of Your Cookie Compliance
If you are not sure which cookies your Ecwid store and host site set, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie across your entire domain - so your visitors get a clear choice, and you stay on the right side of the law.
