Why Headless Commerce Changes the Cookie Compliance Equation

Saleor is an open-source, API-first commerce platform built on Python and GraphQL. Unlike monolithic systems such as Magento or Shopify, Saleor does not ship a default storefront. You build your own - typically with React, Next.js, Vue, or another JavaScript framework - and connect it to the Saleor backend through its GraphQL API.

This architectural split has a direct consequence for cookie consent. The Saleor backend itself sets only strictly necessary cookies for session handling and authentication. But the moment you add Google Analytics, a Meta Pixel, a live chat widget, or any third-party marketing tool to your storefront, you introduce non-essential cookies that require prior consent under European privacy law.

Responsibility for compliance sits with whoever controls the storefront code. That is you.

Which Cookies Does a Saleor Storefront Typically Set?

A bare Saleor storefront - one connected only to the Saleor API with no third-party scripts - uses minimal cookies. The backend relies on JWT tokens and session identifiers that qualify as strictly necessary. These do not require consent under Article 5(3) of the ePrivacy Directive.

The picture changes as you layer on analytics, advertising, and personalisation tools. Below is a breakdown of cookies you will commonly encounter on a Saleor-powered store.

Category | Example Cookies | Source | Consent Required?
--- | --- | --- | ---
Strictly Necessary | Session token, CSRF token, cart ID | Saleor API / storefront | No
Analytics | _ga, _ga_*, _gid | Google Analytics 4 | Yes
Marketing | _fbp, _fbc | Meta Pixel | Yes
Marketing | li_sugr, bcookie | LinkedIn Insight Tag | Yes
Functional | pll_language, locale preferences | Storefront i18n | Depends on implementation
Performance | _hjSessionUser_* | Hotjar | Yes

Running a cookie scan on your storefront is the only reliable way to identify every cookie in play, especially when third-party scripts inject their own trackers dynamically.

The Legal Framework: GDPR, ePrivacy, and Beyond

Two regulations govern cookie consent for websites serving EU visitors. The ePrivacy Directive (Article 5(3)) requires prior consent before storing or accessing information on a user's device, unless the cookie is strictly necessary. The GDPR sets the standard for what counts as valid consent: freely given, specific, informed, and unambiguous, as defined in Article 7.

The European Commission formally withdrew the proposed ePrivacy Regulation in February 2025, which means the existing Directive remains the governing text for cookie rules. Enforcement has not slowed. France's CNIL fined SHEIN EUR 150 million in September 2025 for installing cookies before users gave permission and for providing an inadequate reject mechanism.

Outside the EU, the UK GDPR and PECR impose near-identical requirements. The ICO launched a systematic review of the top 1,000 UK websites in January 2025, issuing 134 warnings from the first 200 sites alone. US state laws like the CCPA/CPRA require an opt-out mechanism rather than opt-in, but still demand clear disclosure.

Headless Architecture Means Frontend-Level Consent

On a traditional platform like WordPress or Shopify, a cookie consent plugin can hook into the CMS and control script loading from a single point. Saleor does not work that way. Your storefront is a standalone application, and you have full control - and full responsibility - over what scripts load and when.

This is both an advantage and a challenge. You can implement consent precisely, blocking every non-essential script until the visitor actively opts in. But you must handle this yourself in your frontend framework.

How Script Blocking Works in a Saleor Storefront

The principle is straightforward: no analytics or marketing script should execute before consent is recorded. In practice, this means your consent management tool must sit above all other scripts in the page load order and prevent them from firing until a positive consent signal exists.

For Saleor storefronts built with React or Next.js, the consent script should be loaded in the document head before any third-party tags. If you use Google Tag Manager, the container itself should be blocked until consent is granted, or configured with Google Consent Mode v2 to respect the visitor's choice.

A common mistake in headless setups is initialising analytics inside a React component's useEffect hook without checking the consent state first. This fires tracking on every page load regardless of permission.

Adding a Cookie Banner to Your Saleor Storefront

The installation method depends on which framework powers your storefront. Saleor's documentation references React-based storefronts as the default, but teams use everything from Next.js and Nuxt to Astro and SvelteKit.

Script Tag Installation

The most reliable approach is adding a consent management script tag directly in your storefront's HTML head. For a Next.js storefront, this goes in your root layout or _document.tsx. For a plain React app, place it in index.html before any other scripts.

Kukie.io provides a step-by-step walkthrough for Saleor storefronts in the Saleor installation guide. The process involves adding a single script tag and configuring your cookie categories to match the third-party tools you use.

Handling Consent in Single-Page Applications

Saleor storefronts are SPAs. Page transitions happen client-side without full page reloads. Your consent tool must persist consent state across route changes and re-check it when the visitor returns. Storing consent in a cookie (ironically, a strictly necessary one) is the standard approach.

You should also ensure that scripts load conditionally based on the categories the visitor accepted. A visitor who consents to analytics but declines marketing should not have the Meta Pixel fire on their session.
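The consent gate described in the two sections above (no tracker fires before a positive signal, consent persists in a first-party cookie across SPA route changes, and loaders run only for the categories the visitor accepted) can be implemented in a few dozen lines of framework-agnostic JavaScript. The block below is an added example, not code from Saleor or Kukie.io. The cookie name storefront_consent, the category names, and the cart and session cookie names are assumptions; the cookie string in demo() is constructed so the block runs outside a browser, where you would read document.cookie instead.

```javascript
// Added example (not Saleor or Kukie.io code): a minimal consent gate for a
// headless storefront. Consent is persisted in a first-party cookie named
// "storefront_consent" (name assumed) and every tracking loader is registered
// against a category, so nothing fires until that category is granted.

const CONSENT_COOKIE = "storefront_consent"; // assumed name
const CATEGORIES = ["analytics", "marketing", "functional"]; // assumed categories

// Parse a raw cookie string ("a=1; b=2") into an object of name -> value.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read stored consent. A missing or malformed cookie means everything is denied,
// which is the safe default for an opt-in regime.
function readConsent(cookieString) {
  const denied = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return denied;
  try {
    const parsed = JSON.parse(raw);
    return Object.fromEntries(CATEGORIES.map((c) => [c, parsed[c] === true]));
  } catch {
    return denied;
  }
}

// Serialise consent into a string suitable for assignment to document.cookie.
// Passing a root domain lets multi-channel subdomains share the same choice.
function serialiseConsent(consent, domain) {
  const value = encodeURIComponent(JSON.stringify(consent));
  const base = `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
  return domain ? `${base}; Domain=${domain}` : base;
}

class ConsentGate {
  constructor(initial) {
    this.consent = initial;
    this.pending = []; // loaders waiting for their category to be granted
    this.fired = new Set(); // loader names already executed (run at most once)
  }
  // Register a tracker under a category. Runs immediately only if that
  // category is already granted; otherwise it waits for update().
  register(name, category, loader) {
    const entry = { name, category, loader };
    if (this.consent[category]) this.run(entry);
    else this.pending.push(entry);
  }
  run(entry) {
    if (this.fired.has(entry.name)) return;
    this.fired.add(entry.name);
    entry.loader();
  }
  // Called by the banner on Accept or on a category change. Flushes any
  // pending loader whose category is now granted; denied ones keep waiting.
  update(consent) {
    this.consent = { ...this.consent, ...consent };
    const still = [];
    for (const e of this.pending) {
      if (this.consent[e.category]) this.run(e);
      else still.push(e);
    }
    this.pending = still;
  }
}

// Simulated page load with a constructed cookie string: the visitor previously
// granted analytics only, so GA4 loads and the Meta Pixel stays blocked.
function demo() {
  const cookieHeader = `sessionid=abc; ${CONSENT_COOKIE}=${encodeURIComponent(
    '{"analytics":true,"marketing":false}'
  )}`;
  const gate = new ConsentGate(readConsent(cookieHeader));
  const loaded = [];
  gate.register("ga4", "analytics", () => loaded.push("ga4"));
  gate.register("meta-pixel", "marketing", () => loaded.push("meta-pixel"));
  return { loaded, gate };
}
```

In a React storefront the gate replaces the bare initialisation call that causes the useEffect mistake: a component registers its tracker with gate.register("ga4", "analytics", initGA) instead of calling initGA() directly, and the banner calls gate.update() and writes serialiseConsent() to document.cookie when the visitor chooses. Because the gate is created once at module scope and reads the cookie on load, client-side route changes never re-trigger a tracker, and a returning visitor's choice is honoured before any script runs.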

Geo-Detection and Multi-Region Stores

Saleor supports multiple channels, currencies, and warehouses - making it popular with merchants who sell across borders. A store serving customers in Germany, the United States, and Brazil faces three different consent regimes.

German visitors require a full opt-in banner under the GDPR and the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG). US visitors in California need a "Do Not Sell" link under the CPRA. Brazilian visitors fall under the LGPD, which requires a legal basis for processing - typically consent for marketing cookies.

Geo-detection solves this by presenting the correct consent model based on the visitor's location. Showing an opt-in banner to every visitor worldwide is the safe default, but it reduces conversion rates in regions where a simpler notice-and-opt-out approach is legally sufficient.

Common Compliance Mistakes on Saleor Stores

Headless commerce stores are not immune to the errors that regulators flag across all websites. Research from 2025 indicates that 67% of Google Consent Mode v2 implementations contain technical errors, with most defaulting to a "granted" state before the user acts. Below are pitfalls specific to the Saleor ecosystem.

Mistake | Why It Happens | How to Fix
--- | --- | ---
Analytics fires before consent | GA4 initialised in a component without consent check | Wrap initialisation in a consent callback or use GTM with Consent Mode
No reject button on banner | Custom banner built without equal-prominence reject option | Add a visible reject or "Decline All" button at the same level as "Accept"
Consent not persisted across subdomains | Multi-channel Saleor setup with separate storefront domains | Use subdomain consent sharing or set cookie domain correctly
Missing cookie policy | Headless build skips legal page templates | Generate and link a cookie policy from the banner
Pre-checked consent categories | Default state set to "granted" in code | Default all non-essential categories to "denied" and require affirmative action
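The last row of the table, and the finding that most Consent Mode v2 setups default to "granted", come down to the order and content of two dataLayer commands. The block below is an added example (not Saleor, Kukie.io or Google code) showing the defaults a storefront should push before the GTM container or gtag.js loads, and the update the banner sends afterwards. The dataLayer array and gtag function are declared locally so the block runs in Node; in a page they are window.dataLayer and the standard gtag snippet. The mapping from the banner's categories to the four Consent Mode signals is an assumption about how your categories are named.

```javascript
// Added example (not Saleor, Kukie.io or Google code): Google Consent Mode v2
// defaults for a headless storefront. Everything starts "denied" and only the
// banner's update can flip a signal to "granted".

const dataLayer = []; // window.dataLayer in a real page
function gtag() { dataLayer.push(arguments); } // same shape as Google's snippet

// Map the banner's categories (assumed names) to the four Consent Mode v2 signals.
function consentSignals(consent) {
  const flag = (granted) => (granted === true ? "granted" : "denied");
  return {
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.marketing),
    ad_user_data: flag(consent.marketing),
    ad_personalization: flag(consent.marketing),
  };
}

// Must run before any tag fires: every signal "denied", with a short grace
// period so tags that load early wait for the banner's update before sending.
function setConsentDefaults() {
  gtag("consent", "default", {
    ...consentSignals({ analytics: false, marketing: false }),
    wait_for_update: 500,
  });
}

// Called by the banner once the visitor has made a choice (accept, reject,
// or a per-category selection).
function applyConsentChoice(consent) {
  gtag("consent", "update", consentSignals(consent));
}

// Return the most recent consent command on the dataLayer for inspection.
function lastConsentCommand() {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const args = dataLayer[i];
    if (args[0] === "consent") return { action: args[1], params: args[2] };
  }
  return null;
}

// Push the defaults as soon as this module loads, ahead of any tag.
setConsentDefaults();
```

Place this module (or the equivalent inline script) in the document head above the GTM container snippet; if the container loads first, its tags see no default and behave as though consent were granted. If you use geo-detection, the default command also accepts a region array so that a different default can apply per region, with the global "denied" default still covering everyone else.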

Verifying Your Implementation

After adding consent management to your Saleor storefront, run a full cookie scan to confirm that non-essential cookies are blocked until consent is given. Open your browser's developer tools, clear all cookies, reload the page, and check that only strictly necessary cookies appear before you interact with the banner.

Test both the accept and reject flows. When a visitor declines all non-essential cookies, no _ga, _fbp, or similar tracking cookies should be present. If they are, your script blocking configuration needs adjustment.
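The manual check above (clear cookies, reload, read what is set before and after rejecting) can be scripted so it runs in the browser console or in an end-to-end test after every storefront deployment. The block below is an added example, not Saleor or Kukie.io code: it takes a document.cookie string and classifies each cookie as strictly necessary, a known tracker from the vendors named in this article, or unknown. The allowlist of necessary cookie names is an assumption about your storefront, and the two sample cookie strings are constructed.

```javascript
// Added example (not Saleor or Kukie.io code): audit the cookies present after
// a reload and decide whether the reject flow passed. Paste document.cookie
// into auditCookies() in the console, or call it from an end-to-end test.

// Cookies your storefront legitimately sets without consent (assumed names).
const STRICTLY_NECESSARY = ["sessionid", "csrftoken", "cartId", "storefront_consent"];

// Non-essential cookie name patterns for the vendors covered in this article.
const TRACKER_PATTERNS = [
  { vendor: "Google Analytics 4", re: /^_ga(_.+)?$|^_gid$/ },
  { vendor: "Meta Pixel", re: /^_fb[pc]$/ },
  { vendor: "LinkedIn Insight Tag", re: /^(li_sugr|bcookie)$/ },
  { vendor: "Hotjar", re: /^_hjSessionUser_/ },
];

// Extract cookie names from a "name=value; name2=value2" string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.split("=")[0].trim())
    .filter(Boolean);
}

// Classify every cookie present: necessary, known tracker, or unknown.
// Unknown cookies are reported rather than ignored, because a new third-party
// script usually shows up first as a name nobody has categorised yet.
function auditCookies(cookieString, allowlist = STRICTLY_NECESSARY) {
  const report = { necessary: [], trackers: [], unknown: [] };
  for (const name of cookieNames(cookieString)) {
    if (allowlist.includes(name)) {
      report.necessary.push(name);
      continue;
    }
    const hit = TRACKER_PATTERNS.find((t) => t.re.test(name));
    if (hit) report.trackers.push({ name, vendor: hit.vendor });
    else report.unknown.push(name);
  }
  return report;
}

// The reject flow passes only when no tracker and no unknown cookie is present.
function rejectFlowPasses(cookieString) {
  const r = auditCookies(cookieString);
  return r.trackers.length === 0 && r.unknown.length === 0;
}

// Constructed samples: a correctly blocked storefront and a leaking one.
const SAMPLE_CLEAN = "sessionid=s1; csrftoken=t1; storefront_consent=%7B%7D";
const SAMPLE_LEAKING =
  "sessionid=s1; _ga=GA1.1.1; _ga_ABC123=GS1.1; _fbp=fb.1.1; _hjSessionUser_123=x";
```

Run rejectFlowPasses(document.cookie) twice: once immediately after clearing cookies and reloading, before touching the banner, and once after clicking the reject option. Both must return true; a false result on the first run means a script is firing before consent, and on the second means the reject signal is not reaching your script blocking. Running the accept flow and then checking that auditCookies() lists the expected trackers confirms the banner is not silently blocking everything, which would hide a broken integration behind a clean scan.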

Check your consent analytics to monitor opt-in rates over time. A sudden drop may indicate a broken banner after a storefront deployment.

Frequently Asked Questions

Does Saleor set cookies that require consent?

The Saleor backend sets only strictly necessary cookies for authentication and session management. These do not require consent. Non-essential cookies come from third-party scripts you add to your storefront, such as Google Analytics or marketing pixels.

How do I add a cookie banner to a Saleor React storefront?

Add the consent management script tag in your storefront's HTML head, before any analytics or marketing scripts. For detailed steps, see the Saleor installation guide in the Kukie.io Help Centre.

Do I need cookie consent if my Saleor store only serves US customers?

US states like California (CPRA), Colorado, Connecticut, and others require cookie disclosure and opt-out mechanisms. While the rules differ from the EU's opt-in model, you still need a consent or notice mechanism for compliance.

Can I use Google Consent Mode v2 with a Saleor storefront?

Yes. Google Consent Mode v2 works with any website regardless of platform. Configure your consent management tool to send the correct consent signals to Google tags, and ensure the default state is set to "denied" for visitors in the EU.

What happens if I do not add cookie consent to my Saleor store?

If you serve visitors in the EU or UK without a valid consent mechanism, you risk enforcement action from data protection authorities. Fines under the GDPR can reach EUR 20 million or 4% of global annual turnover, whichever is higher.

How do I handle cookie consent across multiple Saleor channels?

Use geo-detection to present the correct consent model per region, and configure subdomain consent sharing if your channels run on different subdomains of the same root domain.

Take Control of Your Cookie Compliance

If you are not sure which cookies your Saleor storefront sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.

Start Free - Scan Your Website