Shopify's Built-In Privacy Settings Are Only the Starting Point
Shopify activates automated privacy settings for new stores, displaying a basic cookie banner to visitors in the UK and EEA by default. For many merchants, this creates a false sense of security.
The built-in banner covers a narrow slice of what a fully compliant store requires. It does not account for custom pixels, third-party apps that drop their own cookies, Shopify Audiences data sharing, or the specific consent signals that Google Ads and Meta now demand. Once your store moves beyond the default Shopify theme with no added scripts, the compliance picture changes significantly. Each app installation, each custom pixel, and each remarketing integration adds cookies and tracking that fall outside Shopify's automatic handling.
Understanding what Shopify does and does not manage is the first step toward genuine eCommerce cookie compliance.
How the Customer Privacy API Controls Consent
Shopify's Customer Privacy API is the central mechanism for managing visitor consent. It provides three critical methods: setTrackingConsent records a visitor's consent choices, currentVisitorConsent returns the preferences a visitor has already selected, and shouldShowBanner determines whether a consent banner needs to appear based on the visitor's region.
The API separates consent into three categories: marketing, analytics, and preferences. A cookie management platform must call setTrackingConsent only in response to an actual visitor interaction - accepting or declining via a banner. Automatically granting consent on behalf of a visitor violates both the API's intended use and GDPR consent requirements.
One common mistake: calling setTrackingConsent on page load with all values set to true. Shopify's system will accept this call without error, but it does not constitute valid consent under Article 5(3) of the ePrivacy Directive or under the GDPR's conditions for consent in Article 7.
Web Pixels, Sandboxing, and Consent Signals
Shopify's web pixel system runs tracking code inside a sandboxed environment. There are two types of sandbox: strict (used by app pixel extensions, running in web workers) and lax (used by custom pixels, running in iframes). Both sandbox types limit what the pixel can access on the page, reducing the risk of data leakage.
Pixels respect the consent signals set through the Customer Privacy API. When a merchant configures a pixel's permission settings, Shopify's pixel manager will only load that pixel if the visitor has granted permission for all required categories. This applies to both marketing cookies and analytics cookies.
The catch is that pixels cannot call the Customer Privacy API directly. They can only read the initial consent state via init.customerPrivacy and subscribe to the visitorConsentCollected event for updates. This means a separate consent management tool must handle the actual consent collection and API calls.
Custom Pixels and Checkout Pages
Checkout extensibility does not allow app scripts to run directly on the checkout page. Custom pixels fill this gap, tracking purchase events and sending consent signals to third parties during checkout. If your store uses Google Consent Mode v2, the custom pixel is typically where you send the consent('update', ...) call to Google's tags during the checkout flow.
Without proper consent signals at checkout, conversion tracking breaks for opted-out visitors. Google Ads and Meta both require explicit consent signals to attribute conversions in the EEA.
Shopify Audiences and Data Sharing Consent
Shopify Audiences is a feature available on Shopify Plus and Advanced plans that creates lookalike audiences by pooling anonymised purchase data across participating stores. The data flows from Shopify to advertising platforms like Google and Meta to improve ad targeting.
From a privacy standpoint, this raises questions. Shopify acts as a data controller for Audiences data, and merchants who enable it must ensure their privacy policy discloses this sharing. The Shopify Consumer Privacy Policy should be linked from your store's own policy.
In regions covered by the GDPR, sharing purchase data with advertising networks requires a lawful basis. Shopify's position is that Audiences data is aggregated and anonymised, but regulators have taken a strict view on what constitutes true anonymisation. If the data can be linked back to an individual - even indirectly - it remains personal data under Recital 26 of the GDPR.
Protected Customer Data Scopes for Pixels
Since December 2025, Shopify enforces its protected customer data policy for all web pixel extensions. Personally identifiable information - name, email, phone, and address fields - only appears in pixel payloads when an app has been approved for the corresponding protected scopes.
This change has practical implications for Meta Pixel and other advertising pixels that rely on hashed customer data for advanced matching. If your pixel app has not been approved for protected scopes, those data fields arrive empty, reducing match rates and conversion attribution accuracy.
For merchants, the action is to check that each pixel app in your Shopify admin has the required scope approvals. For developers building custom pixel integrations, scope requests go through the Shopify Partner Dashboard.
Consent Configuration by Region
Shopify allows merchants to configure consent requirements per region through the admin panel. The table below summarises the consent model each major regulation expects and whether Shopify's default settings cover it.
| Region | Regulation | Consent Model | Shopify Default Banner | Additional CMP Needed |
|---|---|---|---|---|
| EU/EEA | GDPR + ePrivacy Directive | Opt-in | Yes (basic) | Yes - granular categories, proof of consent |
| UK | UK GDPR + PECR | Opt-in | Yes (basic) | Yes - same as EU |
| California | CCPA/CPRA | Opt-out | No | Yes - "Do Not Sell" link required |
| Brazil | LGPD | Opt-in | No | Yes |
| Canada | PIPEDA | Implied or express | No | Recommended |
| South Africa | POPIA | Opt-in for direct marketing | No | Yes |
Shopify's default banner only activates for UK and EEA visitors. Every other region requires either a third-party CMP or a custom implementation using the Customer Privacy API.
Practical Steps for Full Compliance
1. Audit Every Pixel and App
Run a cookie scan on your Shopify store to identify every cookie and tracking script active on your pages. Pay particular attention to cookies set by apps you have installed - many Shopify apps add their own analytics or marketing trackers without making this obvious in their app listing.
2. Configure Consent Categories Correctly
Map each cookie and pixel to the correct consent category: strictly necessary, analytics, marketing, or preferences. Shopify's pixel permission settings must align with your CMP's category definitions. A mismatch - where your CMP blocks a category but the pixel's Shopify permission is set to "not required" - creates a compliance gap.
3. Implement Consent Mode for Google Services
Google's EU User Consent Policy requires stores running Google Ads, GA4, or other Google services in the EEA to send proper consent signals. Without Consent Mode v2 signals, conversion modelling cannot fill the data gaps left by opted-out visitors, and remarketing audiences stop populating.
4. Review Your Privacy Policy
Shopify recommends that stores using their platform include a reference to Shopify by name in the cookie banner and link to the Shopify Consumer Privacy Policy. Your cookie policy should list Shopify's own cookies alongside any third-party cookies your apps and pixels introduce.
5. Test Consent Flows End to End
Verify that rejecting cookies in your banner actually prevents pixels from firing. Use Chrome DevTools to check the Network tab during checkout - if pixels still send data after a visitor declines consent, your implementation has a gap. Shopify's sandbox only blocks pixels that are correctly configured with the right permission settings.
Frequently Asked Questions
Does Shopify's built-in cookie banner meet GDPR requirements?
Shopify's default banner provides a basic opt-in prompt for UK and EEA visitors, but it lacks granular category controls, a proper reject button with equal prominence, and auditable consent records. Most stores need a dedicated CMP to meet GDPR and ePrivacy requirements fully.
How do Shopify web pixels handle cookie consent?
Shopify's pixel manager checks the visitor's consent state before loading a pixel. If the pixel requires marketing or analytics permission and the visitor has not granted it, the pixel does not load. Pixels read consent via the init.customerPrivacy API and listen for changes with the visitorConsentCollected event.
Do I need consent for Shopify Audiences?
Shopify treats Audiences data as aggregated and anonymised, but under the GDPR, data that can be linked back to an individual still qualifies as personal data. Disclosing Shopify Audiences in your privacy policy is required, and obtaining marketing consent before sharing data with ad platforms is the safest approach.
What happens to checkout tracking when visitors reject cookies?
Custom pixels on the checkout page will not fire for visitors who have declined marketing or analytics consent. This means conversion events are not sent to Google Ads or Meta, though Consent Mode v2 allows Google to model some of the missing conversions based on consented traffic patterns.
Can I use Google Tag Manager with Shopify's pixel system?
Yes. Shopify supports GTM as a custom pixel. The GTM container loads inside Shopify's lax sandbox (an iframe), so it can access cookies but cannot directly interact with the parent page. Consent signals must be passed from the Customer Privacy API to GTM's consent settings.
Which Shopify cookies are strictly necessary?
Shopify sets several essential cookies including cart, _shopify_s (session), _shopify_y (persistent identifier), and secure_customer_sig (authentication). These are required for the store to function and do not need consent under Article 5(3) of the ePrivacy Directive.
Take Control of Your Cookie Compliance
If you are not sure which cookies your Shopify store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie across your storefront and checkout - so your visitors get a clear choice, and you stay on the right side of the law.
