Quick Verdict: Shopify vs Magento Cookie Consent

| Feature | Shopify | Magento (Adobe Commerce) |
| --- | --- | --- |
| Default cookies | _shopify_sa_t, _shopify_sa_p, cart tokens, session cookies | PHPSESSID, form_key, mage-cache-sessid, mage-cache-storage |
| Built-in consent tools | Customer Privacy API with native cookie banner | Cookie Restriction Mode (blocks non-essential cookies until opt-in) |
| Third-party script control | Limited - relies on Customer Privacy API signals and app sandbox | Full - server-level control over every script and cookie |
| Google Consent Mode v2 | Supported via Customer Privacy API and third-party apps | Supported via GTM or server-side tagging |
| Ease of adding a CMP | Install from App Store; limited theme-level customisation | Install extension or embed script; full template control |
| Checkout cookie handling | Locked down - Shopify controls checkout scripts | Full access to checkout templates and server configuration |

The table above gives the short version. The reality is more nuanced, and the right choice depends on your technical resources, compliance obligations, and tolerance for complexity.

Shopify: Cookie Behaviour in a Managed Environment

Shopify is a closed SaaS platform. You do not have access to the server, the database, or the core application code. Every cookie that Shopify sets on your storefront is controlled by Shopify itself or by apps you install through the App Store.

By default, Shopify sets several first-party cookies for session management, cart persistence, and fraud detection. The Customer Privacy API is the central mechanism for consent on Shopify stores - it recognises four consent categories: analytics, marketing, preferences, and sale of data.

The native cookie consent banner that ships with Shopify handles basic region-based display rules. It can detect whether a visitor is in the EU or California and show the appropriate prompt. For many small stores, this covers the minimum requirement under Article 5(3) of the ePrivacy Directive.

The limitations show up quickly, though. Shopify's built-in banner lacks granular category controls, automated cookie scanning, and detailed consent logging. Script blocking depends on whether the app developer has integrated with the Customer Privacy API. If a third-party app does not respect the API signals, its cookies fire regardless of visitor consent. You cannot edit server configuration or inject middleware to enforce blocking at a deeper level. Adding a dedicated consent management platform through the App Store or a direct script installation solves most of these gaps.

Magento: Full Server Control and Its Consequences

Magento (now branded Adobe Commerce for the paid tier) is open-source software that runs on your own server - or on Adobe Commerce Cloud if you choose the managed hosting option. This distinction matters for cookie consent because you control the entire technology stack.

The default Magento installation sets PHPSESSID for PHP session handling, form_key for CSRF protection, and several mage-cache-* cookies for front-end caching. These are all strictly necessary cookies that do not require consent under the GDPR. A vanilla Magento store sets no analytics or marketing cookies - those only appear when you add third-party integrations like Google Analytics or advertising pixels.

Magento includes a built-in Cookie Restriction Mode. When enabled in the admin panel under Stores > Configuration > General > Web, it displays a consent notice and blocks non-essential cookies until the visitor opts in. The system stores the decision in a user_allowed_save_cookie cookie. It is basic but functional. Because you have access to the source code, you can extend or replace it with a full-featured Magento consent solution or install a CMP through a direct integration.

Server-side consent enforcement is where Magento truly differs from Shopify. You can configure your web server (Apache or Nginx) to strip cookie headers before they reach the browser. You can write custom middleware that checks consent status before any script executes. You can implement server-side tagging with full control over what data leaves your infrastructure. None of this is possible on Shopify.
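The decision logic behind stripping cookie headers server-side, as an added example that is not Magento's own code and is written in JavaScript rather than PHP or web-server configuration. The function names, the `websiteId` parameter, the allowlist entry for `user_allowed_save_cookie` and the assumed cookie value format (a URL-encoded JSON map of website ID to 1) are assumptions; the cookie names are those listed in this article.

```javascript
// Added example: consent-gated Set-Cookie filtering (decision logic only).
// Cookie names come from the article; the value format is an assumption.
const ESSENTIAL = new Set(['PHPSESSID', 'form_key', 'user_allowed_save_cookie']);
const ESSENTIAL_PREFIXES = ['mage-cache-'];

// Parse a request Cookie header into a name -> raw value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip fragments without a name=value shape
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Assumed format: URL-encoded JSON map of website ID -> 1, e.g. {"1":1}.
// Anything missing or malformed counts as "no consent" (fail closed).
function hasConsent(cookieHeader, websiteId) {
  const raw = parseCookieHeader(cookieHeader).get('user_allowed_save_cookie');
  if (raw === undefined) return false;
  try {
    const decoded = JSON.parse(decodeURIComponent(raw));
    return decoded !== null && typeof decoded === 'object'
      && !Array.isArray(decoded) && decoded[String(websiteId)] === 1;
  } catch (err) {
    return false; // bad percent-encoding or bad JSON
  }
}

function isEssential(name) {
  return ESSENTIAL.has(name) || ESSENTIAL_PREFIXES.some((p) => name.startsWith(p));
}

// Return the Set-Cookie header values that may reach the browser.
function filterSetCookie(cookieHeader, setCookieValues, websiteId) {
  if (hasConsent(cookieHeader, websiteId)) return setCookieValues.slice();
  return setCookieValues.filter((line) => isEssential(line.split(';')[0].split('=')[0].trim()));
}

// Constructed sample response headers.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  'mage-cache-sessid=true; Path=/',
  '_ga=GA1.1.111.222; Path=/; Max-Age=63072000',
  '_fbp=fb.1.1700000000.1; Path=/',
];
```

A malformed or tampered consent cookie is treated the same as an absent one, so only the allowlisted cookies pass.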

Script Blocking: The Practical Difference

How each platform handles third-party scripts - Google Analytics, Meta Pixel, advertising tags - is where the SaaS vs open-source divide becomes most visible.

On Shopify, script management happens through the App ecosystem and the Customer Privacy API. When a visitor declines marketing cookies, the API sends a signal. Apps that have integrated with the API will respect that signal and suppress their tracking. Apps that have not integrated will continue to fire. You have no way to block them at the server level. Your only option is to remove the app or contact the developer.

On Magento, you can conditionally load scripts based on consent status using multiple methods. You can modify layout XML files to wrap script blocks in consent checks. You can use a tag manager with consent-aware triggers. You can edit the Content Security Policy headers. You can even rewrite HTTP responses at the server level to strip tracking scripts before the page reaches the browser.

The trade-off is that all of this requires developer time and expertise.

Google Consent Mode v2 Support

Both platforms support Google Consent Mode v2, but the implementation paths differ. Google now requires Consent Mode v2 for stores that want to run personalised ads and remarketing for EEA and UK visitors. Non-compliant stores lose access to conversion modelling and audience features in Google Ads.

Shopify's Customer Privacy API can relay consent signals to Google tags. Several App Store apps provide turnkey Consent Mode v2 integration. The setup is straightforward - install the app, configure the mapping between Shopify's consent categories and Google's consent types (ad_storage, analytics_storage, ad_user_data, ad_personalization), and the app handles the rest.

Magento merchants typically implement Consent Mode v2 through Google Tag Manager or via server-side tagging. The GTM approach works identically to any other website - you set default consent states in GTM and update them when a visitor interacts with the banner. Server-side GTM gives you an extra layer of control, letting you filter and modify tag requests before they reach Google's servers. For a detailed walkthrough of the Magento consent configuration, see the dedicated guide.
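The category-to-consent-type mapping and the default-then-update flow described in the two paragraphs above, as an added example that is not code from Shopify, Google or any CMP. The mapping in `REQUIRES`, the function names and the `gtagFn` parameter are assumptions chosen for illustration; on a real page `gtagFn` would be the global `gtag()` function.

```javascript
// Added example: Consent Mode v2 state derived from the four categories
// named in the article (analytics, marketing, preferences, sale of data).
const GOOGLE_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Assumed mapping (a conservative choice, not one prescribed by the page):
// a Google type is granted only if every category listed for it is granted.
// "preferences" has no counterpart among these four types.
const REQUIRES = {
  ad_storage: ['marketing'],
  analytics_storage: ['analytics'],
  ad_user_data: ['marketing'],
  ad_personalization: ['marketing', 'sale_of_data'],
};

// State to declare before any tag runs: everything denied.
function defaultConsent() {
  return Object.fromEntries(GOOGLE_TYPES.map((t) => [t, 'denied']));
}

// categories: { analytics, marketing, preferences, sale_of_data } booleans.
// Only a strict `true` grants; missing or non-boolean values deny.
function toConsentModeV2(categories) {
  const state = defaultConsent();
  for (const type of GOOGLE_TYPES) {
    const ok = REQUIRES[type].every((c) => Boolean(categories) && categories[c] === true);
    if (ok) state[type] = 'granted';
  }
  return state;
}

// Call once at page load, before the banner is shown.
function initConsent(gtagFn) {
  gtagFn('consent', 'default', defaultConsent());
}

// Call when the visitor makes or changes a choice in the banner.
function onBannerChoice(gtagFn, categories) {
  const update = toConsentModeV2(categories);
  gtagFn('consent', 'update', update);
  return update;
}
```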

Checkout and Payment Cookies

Checkout pages are a particular compliance challenge for e-commerce sites because they involve payment gateway cookies, fraud detection scripts, and conversion tracking.

Shopify's checkout is entirely locked down. Even Shopify Plus merchants have limited ability to customise checkout scripts. Shopify manages the payment processing environment, which means you cannot control which cookies the checkout sets or how fraud detection scripts behave. On the positive side, Shopify takes responsibility for the security and PCI compliance of this environment, and most checkout cookies qualify as strictly necessary.

Magento gives you full access to the checkout templates, payment gateway integrations, and server configuration. You can audit exactly which cookies the checkout process sets, remove unnecessary tracking from the payment flow, and implement server-side consent checks that prevent non-essential scripts from loading during checkout. This level of control comes with the responsibility of maintaining PCI DSS compliance yourself (unless you use Adobe Commerce Cloud, which handles some of this).

Complexity vs Control: Choosing by Compliance Need

The choice between Shopify and Magento for e-commerce cookie compliance is not about which platform is better in the abstract. It depends on your specific situation.

Shopify suits merchants who want a working consent setup with minimal development effort. If your store targets the EU and California, the Customer Privacy API plus a well-integrated consent app covers the core requirements. You accept certain limitations - no server-side blocking, no deep checkout customisation, dependency on app developers respecting the API - in exchange for a maintained, hosted environment where Shopify handles security updates and infrastructure.

Magento suits merchants who need granular control over every cookie and script, particularly those operating in heavily regulated sectors or across many jurisdictions. If your compliance team demands server-side consent enforcement, complete audit trails, or custom integration with internal data governance tools, Magento delivers that flexibility. The cost is higher: you need developers who understand both Magento's architecture and privacy regulations, and you bear full responsibility for keeping the platform secure and compliant.

Adobe Commerce Cloud sits between the two extremes. It offers Magento's codebase with managed hosting, reducing some operational burden while preserving code-level control. Cookie consent implementation remains your responsibility, but you do not need to manage the server infrastructure.

For broader platform comparisons, see the Shopify vs WooCommerce and Shopify vs BigCommerce consent breakdowns, or the Shopify vs Squarespace comparison if you are evaluating other SaaS options.

Frequently Asked Questions

Does Magento block cookies by default without a consent banner?

No. Magento's Cookie Restriction Mode must be manually enabled in the admin panel under Stores > Configuration > General > Web. Once enabled, it displays a consent notice and blocks non-essential cookies until the visitor opts in. Without enabling this setting, Magento does not block any cookies.

Can I use the same CMP on both Shopify and Magento?

Yes. Many consent management platforms support both Shopify and Magento through different installation methods - an app or script embed for Shopify and an extension or direct script injection for Magento. The consent logic and banner appearance remain consistent across platforms.

Which Shopify cookies are strictly necessary and do not need consent?

Session cookies, cart tokens, and fraud detection cookies are classified as strictly necessary on Shopify. These are required for the store to function and do not need visitor consent under the ePrivacy Directive or GDPR. Analytics and marketing cookies do require consent before firing.

Is Magento GDPR compliant out of the box?

Not fully. Magento provides Cookie Restriction Mode and does not set analytics or marketing cookies by default, which is a solid starting point. Full GDPR compliance requires a proper consent banner with granular categories, a cookie policy, consent logging, and data subject request handling - none of which ship with the core platform.

Does Shopify let me block third-party scripts before consent?

Shopify relies on the Customer Privacy API to signal consent status to apps. Apps that integrate with this API will respect visitor choices. You cannot block scripts at the server level on Shopify. If an app does not support the API, its scripts and cookies will fire regardless of consent.

What cookies does Magento set during checkout?

During checkout, Magento uses PHPSESSID for session management, form_key for CSRF protection, and mage-cache-storage for page caching. Payment gateway integrations may set their own cookies depending on the provider. All core checkout cookies are strictly necessary and do not require consent.

Take Control of Your Cookie Compliance

Whether you run a Shopify store or a self-hosted Magento instance, proper cookie consent starts with knowing exactly what your site sets. Kukie.io detects, categorises, and helps you manage every cookie on your store - so your visitors get a clear choice, and you stay on the right side of the law.
