Quick Verdict: Shopify vs WooCommerce for Cookie Compliance

| Feature | Shopify | WooCommerce |
| --- | --- | --- |
| Server access | None (SaaS) | Full (self-hosted) |
| Default cookies set | _shopify_y, _shopify_s, _shopify_sa_t, cart cookies | woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_* |
| Script blocking method | Customer Privacy API / pixel system | Server-side, functions.php, plugins, .htaccess |
| Consent tool integration | Shopify App Store apps | WordPress plugins or any JavaScript-based CMP |
| Checkout domain | Separate (checkout.shopify.com or custom subdomain) | Same domain |
| Google Consent Mode v2 | Via apps or custom pixel | Via plugins, GTM, or direct code |
| Data processor role | Shopify is a sub-processor | You are the sole controller and processor |

WooCommerce offers deeper technical control. Shopify offers a simpler starting point. The right choice depends on your team's technical capacity and how much control you need over cookie behaviour.

Cookies Each Platform Sets by Default

Every e-commerce store sets cookies before you install a single analytics tool. The difference is how many and what kind.

Shopify sets several first-party cookies automatically. _shopify_y persists for 12 months and tracks visitor identity across sessions. _shopify_s tracks the current session. _shopify_sa_t and _shopify_sa_p handle referrer attribution. Cart and checkout cookies like cart_sig and secure_customer_sig are strictly necessary for the purchase flow.

The critical compliance point: _shopify_y and _shopify_s are analytics cookies, not strictly necessary ones. Under Article 5(3) of the ePrivacy Directive, they require consent before being set. Shopify's Customer Privacy API can block these until consent is granted, but only if you configure it correctly.

WooCommerce is leaner out of the box. woocommerce_cart_hash and woocommerce_items_in_cart power the shopping cart. wp_woocommerce_session_* maintains the server-side session. WordPress itself adds wordpress_logged_in_* for authenticated users and wp_lang for language preferences. All of these qualify as strictly necessary under GDPR and ePrivacy rules.

WooCommerce does not set analytics or tracking cookies by default. Those arrive only when you install plugins like Google Analytics, Meta Pixel, or similar tools.
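
To check what a store actually sets before any consent choice, the response headers of a first visit can be audited against the categories above. The following is an added example, not code from Shopify, WooCommerce or Kukie.io; the header lines are constructed sample input, and cookies the article does not categorise (such as _shopify_sa_t) are reported as unclassified rather than guessed.

```javascript
// Added example. Categories follow the article; SAMPLE is constructed input
// mixing both platforms' cookies for illustration, not captured traffic.
const CONSENT_REQUIRED = ['_shopify_y', '_shopify_s'];
const NECESSARY = [
  'cart_sig', 'secure_customer_sig', 'woocommerce_cart_hash',
  'woocommerce_items_in_cart', 'wp_woocommerce_session_*',
  'wordpress_logged_in_*', 'wp_lang',
];

// A trailing * is a prefix wildcard; anything else must match exactly, so
// _shopify_sa_t is never mistaken for _shopify_s.
function matches(pattern, name) {
  return pattern.endsWith('*')
    ? name.startsWith(pattern.slice(0, -1))
    : name === pattern;
}

function classify(name) {
  if (CONSENT_REQUIRED.some((p) => matches(p, name))) return 'consent-required';
  if (NECESSARY.some((p) => matches(p, name))) return 'strictly-necessary';
  return 'unclassified'; // not categorised in the article: review by hand
}

// Returns every cookie a pre-consent response set that is not known to be
// strictly necessary.
function auditPreConsent(headerLines) {
  const findings = [];
  for (const line of headerLines) {
    const m = /^set-cookie:\s*([^=;\s]+)=/i.exec(line);
    if (!m) continue; // not a Set-Cookie line, or malformed
    const category = classify(m[1]);
    if (category !== 'strictly-necessary') findings.push({ name: m[1], category });
  }
  return findings;
}

const SAMPLE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: _shopify_y=constructed-1; Path=/; Max-Age=31536000; SameSite=Lax',
  'Set-Cookie: _shopify_s=constructed-2; Path=/; SameSite=Lax',
  'Set-Cookie: _shopify_sa_t=constructed-3; Path=/',
  'Set-Cookie: cart_sig=constructed-4; Path=/; Secure; HttpOnly',
  'set-cookie: wp_woocommerce_session_0a1b=constructed-5; Path=/; Secure; HttpOnly',
];

console.log(auditPreConsent(SAMPLE));
```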

Script Blocking and Consent Enforcement

Shopify: The Customer Privacy API

Shopify provides a JavaScript-based Customer Privacy API that consent apps hook into. When a visitor makes a consent choice, the API updates permission states for analytics, marketing, preferences, and sale of data. Scripts registered through Shopify's pixel system respect these signals automatically.

The limitation is manual scripts. If you added tracking code directly to your theme's Liquid templates (through theme.liquid or snippet files), those scripts bypass the consent framework entirely. They fire on every page load regardless of what your visitor chose. Migrating manual scripts to the pixel system or wrapping them in Customer Privacy API checks is a common compliance gap on Shopify stores.

You cannot modify server configuration, control HTTP response headers such as Set-Cookie and its attributes, or use .htaccess rules. Every consent enforcement mechanism runs client-side.
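
One way to wrap a manually added theme script in a Customer Privacy API check is sketched below. This is an added example, not Shopify's or the article's code: gateOnAnalyticsConsent and the tag URL are hypothetical, while loadFeatures, analyticsProcessingAllowed and the visitorConsentCollected event are the Customer Privacy API's own names.

```javascript
// Added example. gateOnAnalyticsConsent and the vendor URL are hypothetical
// stand-ins for a tracking script pasted directly into theme.liquid.
function gateOnAnalyticsConsent(win, doc, loadTag) {
  let loaded = false;
  const tryLoad = () => {
    const cp = win.Shopify && win.Shopify.customerPrivacy;
    // Fail closed: no API object or no permission means no tag.
    if (loaded || !cp || !cp.analyticsProcessingAllowed()) return false;
    loaded = true; // load at most once per page
    loadTag();
    return true;
  };
  // Re-check whenever the visitor answers the consent banner.
  doc.addEventListener('visitorConsentCollected', tryLoad);
  // Ask Shopify to load the consent API, then check the stored choice.
  if (win.Shopify && typeof win.Shopify.loadFeatures === 'function') {
    win.Shopify.loadFeatures(
      [{ name: 'consent-tracking-api', version: '0.1' }],
      (error) => { if (!error) tryLoad(); }
    );
  }
  return () => loaded; // lets callers inspect whether the tag was loaded
}

// In the theme, replace the unconditional <script> tag with this call.
if (typeof window !== 'undefined') {
  gateOnAnalyticsConsent(window, document, () => {
    const s = document.createElement('script');
    s.src = 'https://analytics.example/tag.js'; // hypothetical vendor URL
    s.async = true;
    document.head.appendChild(s);
  });
}
```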

WooCommerce: Full Server-Side Control

WooCommerce on WordPress gives you every tool available on a standard web server. You can conditionally load scripts through functions.php using WordPress hooks like wp_enqueue_scripts. You can set cookie attributes (Secure, HttpOnly, SameSite) at the server level. You can use .htaccess to strip cookies from static assets or block specific cookie domains.

WordPress consent plugins can dequeue scripts server-side before the page even renders. This is a stronger enforcement model than client-side blocking, where a brief flash of unconsented tracking can occur before JavaScript executes.

The trade-off is responsibility. With full control comes full liability. No platform handles compliance for you - you configure everything yourself or through a consent management platform.

The Checkout Domain Problem

Shopify's checkout runs on a separate domain. Historically, this was checkout.shopify.com. Shopify now allows custom checkout subdomains (such as checkout.yourstore.com), but the checkout page still operates within Shopify's infrastructure, not your theme code.

This creates a consent continuity issue. A visitor grants consent on your storefront, then moves to checkout on a different subdomain. If cookies cannot be shared across these domains, the consent signal may not carry over. Shopify's built-in banner can appear at checkout, but third-party consent apps may struggle to maintain state across the domain boundary.

WooCommerce checkout runs on the same domain as the rest of your store. There is no domain handoff. Consent cookies set on any page are available throughout the entire purchase flow, including the payment gateway integration pages.
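
Whether a consent cookie survives the move to checkout comes down to the cookie's Domain scope. The check below is an added example, not part of the original article; www.yourstore.com is an assumed storefront host, and the public-suffix check that browsers also apply is left out.

```javascript
// Added example. www.yourstore.com is an assumed storefront host; the two
// checkout hosts are the ones named in the article.
// RFC 6265 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Would a consent cookie set on setOnHost with the given Domain attribute
// (null for none) be sent to requestHost?
function consentCookieVisible(setOnHost, domainAttr, requestHost) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, exact host match required.
    return setOnHost.toLowerCase() === requestHost.toLowerCase();
  }
  const domain = domainAttr.replace(/^\./, ''); // a leading dot is ignored
  // A host may only set cookies for its own domain or a parent of it;
  // anything else is rejected by the browser and never stored.
  if (!domainMatch(setOnHost, domain)) return false;
  return domainMatch(requestHost, domain);
}

// Summarise consent continuity for one storefront across checkout hosts.
function continuityReport(storefront, domainAttr, checkoutHosts) {
  return checkoutHosts.map((host) => ({
    host,
    consentCarriesOver: consentCookieVisible(storefront, domainAttr, host),
  }));
}

const CHECKOUTS = ['checkout.yourstore.com', 'checkout.shopify.com'];
console.log(continuityReport('www.yourstore.com', null, CHECKOUTS));
console.log(continuityReport('www.yourstore.com', 'yourstore.com', CHECKOUTS));
```

A host-only consent cookie reaches neither checkout host, and a cookie scoped to the parent domain reaches only the custom subdomain, which is why consent state has to be re-established or passed another way on checkout.shopify.com.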

For merchants selling across the EU, where the CNIL fined SHEIN 150 million euros in September 2025 partly for placing cookies before consent, checkout consent continuity is not a minor detail.

Installing a Consent Management Platform

Shopify: App-Based Installation

Consent tools on Shopify are installed through the App Store. Installation typically involves adding the app, configuring categories, and enabling the Customer Privacy API integration. The app injects a banner script into your storefront automatically.

Kukie.io provides a step-by-step Shopify installation guide that covers the app embed, pixel migration, and checkout banner activation. The process takes roughly 15 minutes for a standard store.

Shopify apps run within a sandbox. They cannot access your server, modify .htaccess, or alter HTTP response headers. This limits what a CMP can do compared to a server-side integration.

WooCommerce: Plugin or Code-Level Integration

WooCommerce stores can install consent tools as WordPress plugins, giving the CMP access to WordPress hooks, the database, and server-side rendering. A plugin can block scripts before they reach the browser, not just after page load.

Kukie.io offers a dedicated WordPress plugin alongside a standard JavaScript snippet option. The plugin approach integrates with the WordPress hook system, providing tighter control over when scripts load relative to the consent state.

Google Consent Mode v2 integration works on both platforms, though WooCommerce stores can implement it through Google Tag Manager, the plugin, or direct code in functions.php. Shopify stores typically rely on their consent app or a custom pixel to fire the gtag('consent', 'update', ...) call. Kukie.io's Consent Mode v2 integration handles this automatically on both platforms.
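
The shape of the Consent Mode v2 calls, as an added example rather than Kukie.io's or Google's code: the mapping from consent categories to Google's signals is an assumption (each CMP defines its own), and the gtag shim is Google's standard one written against globalThis so the block also runs outside a browser.

```javascript
// Added example. The category-to-signal mapping is an assumption; category
// names follow the article's list (analytics, marketing, preferences).
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); } // standard shim

const state = (ok) => (ok === true ? 'granted' : 'denied');

// Missing or non-boolean categories fall through to 'denied' (fail closed).
function toConsentMode(choice = {}) {
  return {
    analytics_storage: state(choice.analytics),
    ad_storage: state(choice.marketing),
    ad_user_data: state(choice.marketing), // added in Consent Mode v2
    ad_personalization: state(choice.marketing), // added in Consent Mode v2
    functionality_storage: state(choice.preferences),
    personalization_storage: state(choice.preferences),
  };
}

let defaultSent = false;

// Must run before any Google tag loads: everything denied until a choice.
function sendDefault() {
  if (defaultSent) return;
  defaultSent = true;
  gtag('consent', 'default', { ...toConsentMode({}), wait_for_update: 500 });
}

// Called from the CMP's consent callback with the visitor's choice.
function sendUpdate(choice) {
  sendDefault(); // guarantee the default precedes every update
  gtag('consent', 'update', toConsentMode(choice));
}

sendDefault();
sendUpdate({ analytics: true, marketing: false }); // constructed choice
console.log(Array.from(globalThis.dataLayer, (args) => Array.from(args)));
```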

Data Processing and Legal Responsibility

Shopify acts as a data processor (and sub-processor) under GDPR. Your store's customer data passes through Shopify's servers, CDN, and payment infrastructure. You need a Data Processing Agreement with Shopify, which they provide as part of their terms of service. Shopify also processes data for its own purposes, including fraud detection and platform analytics, which means your visitors' data flows to Shopify regardless of your consent configuration.

WooCommerce is open-source software running on your server. There is no third-party data processor unless you add one through plugins or external services. You control where data is stored, which jurisdictions it passes through, and who has access. For organisations with strict data residency requirements, this is a significant advantage.

Both platforms require you to maintain a cookie policy, respond to data subject access requests, and keep records of consent. The EDPB guidelines on consent make clear that the controller bears responsibility for demonstrating valid consent was obtained, regardless of which platform hosts the store.

Which Platform Should You Choose for Compliance?

Choose Shopify if your team lacks developer resources and you want a managed environment where platform updates handle security patches and infrastructure. Accept that you will have less granular control over cookies and scripts, and plan for the checkout domain consent gap.

Choose WooCommerce if you need full server-side script blocking, same-domain checkout, and control over data processing location. Be prepared to manage hosting, updates, and security yourself.

Both platforms can achieve full e-commerce cookie compliance with the right CMP configuration. The difference is how much technical effort that requires. If you are comparing Shopify against other SaaS platforms, the consent implementation differences are smaller - see the comparisons with BigCommerce, Squarespace, and Wix for those breakdowns.

Frequently Asked Questions

Does Shopify set tracking cookies without consent by default?

Yes. Shopify's analytics cookies _shopify_y and _shopify_s fire by default unless you configure the Customer Privacy API to block them until consent is granted. Without this configuration, your store is not compliant with GDPR or the ePrivacy Directive.

Are WooCommerce cart cookies exempt from consent?

Yes. Cookies like woocommerce_cart_hash, woocommerce_items_in_cart, and wp_woocommerce_session_* are strictly necessary for the shopping cart to function. Article 5(3) of the ePrivacy Directive exempts these from the consent requirement.

Can I block scripts server-side on Shopify?

No. Shopify is a SaaS platform with no server access. All script blocking happens client-side through the Customer Privacy API or consent app JavaScript. WooCommerce on WordPress allows server-side script blocking through functions.php hooks.

Does the Shopify checkout domain break cookie consent?

It can. If your consent cookie is not shared with the checkout subdomain, consent state may not carry over. Shopify's built-in banner handles this natively, but third-party consent apps may need additional configuration to maintain consent across the domain boundary.

Which platform is better for GDPR compliance?

WooCommerce offers more technical control for compliance, including server-side blocking and same-domain checkout. Shopify is simpler to set up but gives you less control. Both can achieve compliance with a properly configured consent management platform.

Do I need a separate cookie policy for Shopify checkout?

No, but your cookie policy must cover all cookies set across your entire store, including the checkout subdomain. Shopify's checkout sets its own cookies for fraud detection and payment processing that should be documented in your policy.

Take Control of Your Cookie Compliance

Whether you run Shopify or WooCommerce, a proper cookie consent setup starts with knowing exactly which cookies your store sets. Kukie.io scans your site, categorises every cookie, and gives your visitors a clear choice - on both platforms.
