TL;DR — Shopify generates functional cookies (cart, session, currency preferences) that are exempt from GDPR consent. But as soon as marketing pixels (Meta, Google, TikTok) or third-party analytics apps are activated, advertising and analytical cookies are set and require explicit consent. Shopify introduced its own cookie banner tool in 2023 for certain markets, but it does not cover all European requirements. An external CMP remains necessary for full compliance.
Shopify is an e-commerce platform used by over 4 million merchants worldwide. Its flexibility through apps and integrated marketing pixels creates cookie compliance risks that are often underestimated. The ICO has clarified that online stores are subject to the same rules as other websites: any non-essential cookie requires prior consent. This guide explains which cookies Shopify sets, how to audit them and how to achieve lasting GDPR compliance.
Which cookies does Shopify install by default?
Shopify installs several functional first-party cookies. The main ones: _session_id (shopping session, essential), cart (cart contents, essential), secure_customer_sig (customer authentication), localization (language/currency preferences). These cookies are strictly necessary for the store to function and are exempt from consent requirements.
Pixels and apps that create risk
The real risk comes from pixels and apps. Shopify Pixel (also known as Web Pixels) allows native integration of Meta Pixel, Google Analytics / GA4, TikTok Pixel and other marketing tools. Each sets its own advertising or analytical cookies. Third-party apps from the Shopify App Store often add additional tracking scripts. Chat tools (Tidio, Gorgias), product recommendation engines and retargeting tools are frequent sources of unconsented cookies.
How to audit cookies on a Shopify store
Method 1 — Scan all pages
Use the FlowConsent scanner (/en/scan) or Chrome DevTools. Shopify stores have several page types to audit: homepage, collection pages, product pages, cart page and checkout page. Shopify's checkout is hosted on a shopify.com subdomain, which sometimes limits cookie visibility.
Method 2 — Inspect active Web Pixels
In the Shopify admin, go to Settings > Customer pixels to see all active pixels. Each pixel sets its own cookies. Also check Settings > Apps and sales channels for apps that might inject scripts.
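As an added example (not FlowConsent or Shopify code), the script below classifies cookie names captured per page type before the banner is answered, using the essential cookies listed earlier in this guide. The tracker patterns are well-known Google, Meta and TikTok cookie names; the scan data and the `app_widget_uid` cookie are constructed.

```javascript
// Cookies this guide lists as strictly necessary Shopify first-party cookies.
const ESSENTIAL = new Set(["_session_id", "cart", "secure_customer_sig", "localization"]);

// Well-known cookie names set by the pixels the guide mentions (not exhaustive).
const TRACKERS = [
  { match: /^_ga(_|$)/, vendor: "Google Analytics / GA4", category: "analytics" },
  { match: /^_gid$/, vendor: "Google Analytics", category: "analytics" },
  { match: /^_gcl_/, vendor: "Google Ads", category: "marketing" },
  { match: /^_fb[pc]$/, vendor: "Meta Pixel", category: "marketing" },
  { match: /^_ttp$/, vendor: "TikTok Pixel", category: "marketing" },
];

// Parse a "name=value; name2=value2" string (the document.cookie format).
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Classify one cookie name as essential, a known tracker, or unknown.
function classify(name) {
  if (ESSENTIAL.has(name)) return { name, category: "essential", vendor: "Shopify" };
  const hit = TRACKERS.find((t) => t.match.test(name));
  if (hit) return { name, category: hit.category, vendor: hit.vendor };
  return { name, category: "unknown", vendor: "unidentified" };
}

// For each page type, list the non-essential cookies present before consent.
function auditPreConsent(scan) {
  const findings = {};
  for (const [page, cookieString] of Object.entries(scan)) {
    const flagged = parseCookieNames(cookieString)
      .map(classify)
      .filter((c) => c.category !== "essential");
    if (flagged.length > 0) findings[page] = flagged;
  }
  return findings;
}

// Constructed sample: cookies captured on a first visit, banner not yet answered.
const SAMPLE_SCAN = {
  homepage: "_session_id=abc; localization=FR; _ga=GA1.1.1.1; _fbp=fb.1.1.1",
  product: "_session_id=abc; cart=xyz; _ga_AB12CD34=GS1.1.1; _ttp=t1",
  cart: "_session_id=abc; cart=xyz; secure_customer_sig=",
  checkout: "_session_id=abc; cart=xyz; app_widget_uid=42",
};

console.log(JSON.stringify(auditPreConsent(SAMPLE_SCAN), null, 2));
```

In a browser, `document.cookie` supplies the input string but omits HttpOnly cookies, so the DevTools Application > Cookies view is the more complete source. Cookies classified as "unknown" are the ones to trace back to an installed app.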
Shopify Customer Privacy API vs external CMP
Since 2023, Shopify offers the Customer Privacy API, which allows native cookie consent management for merchants in specific markets (including Europe). This tool automatically displays a cookie banner for European visitors.
Limitations of Shopify's native solution: it only covers native Shopify pixels (Web Pixels), not third-party apps that inject scripts outside the pixel system. It does not provide advanced per-category granularity in all configurations. It does not generate exportable consent logs (required during an audit). For full compliance, an external CMP connected to the Shopify API remains the recommended approach.
How to integrate a CMP on Shopify
Step 1 — Add the CMP script to the theme
In the Shopify theme editor (Content > Themes > Edit code), add the CMP's JavaScript snippet to the theme.liquid file, ideally in the <head> before any other third-party scripts. FlowConsent provides a dedicated Shopify snippet that loads asynchronously without impacting performance.
Step 2 — Configure Web Pixels to wait for consent
In Settings > Customer pixels, each Web Pixel can be configured with a privacy mode. Enable 'Restricted' mode so that pixels only send data if the visitor has consented to the corresponding category. For pixels outside Web Pixels (third-party apps), blocking must be handled by the CMP via its script-blocking mechanism.
Common mistakes on Shopify stores
Mistake 1: Meta Pixel and GA4 active without a cookie banner. Both pixels set advertising and analytical cookies on page load. Without a banner and script blocking, every visitor is tracked without consent.
Mistake 2: Relying solely on Shopify's native solution. The Customer Privacy API covers native pixels but not third-party apps. A full audit often reveals unmanaged cookies.
Mistake 3: Shopify checkout escapes control. The checkout runs on a Shopify domain. Verify that pixels configured in the checkout (Order Status page scripts) also respect consent.
Mistake 4: No consent logs stored. During an ICO audit, you must prove that consent was collected. Enable logging in the CMP.
Shopify cookie compliance checklist
- Scan all store pages (homepage, collection, product, cart, checkout).
- List all active Web Pixels in Settings > Customer pixels.
- List all third-party apps that may inject tracking scripts.
- Install a Shopify-compatible CMP (snippet in theme.liquid).
- Configure Web Pixels in Restricted mode in the Shopify admin.
- Verify script blocking for apps outside Web Pixels.
- Integrate Google Consent Mode v2 if Google Ads or GA4 are used.
- Update the cookie policy with all active cookies.
- Enable consent logging (timestamped logs).
- Add a 'Manage cookies' link in the theme footer.
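The Consent Mode v2 and consent-logging items, as an added example that is not FlowConsent's implementation: it maps a visitor's category choice to Google's four consent signals and builds the timestamped log entry. The category names, `consentId`, `policyVersion` and the stub `gtag` are assumptions of this example.

```javascript
// Assumed CMP categories; everything non-essential starts denied.
const DENIED_BY_DEFAULT = { analytics: false, marketing: false };

// Map a category choice to the four Google Consent Mode v2 signals.
function toConsentMode(choice) {
  const flag = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: flag(choice.analytics),
    ad_storage: flag(choice.marketing),
    ad_user_data: flag(choice.marketing),
    ad_personalization: flag(choice.marketing),
  };
}

// Timestamped record kept as proof of what the visitor chose.
function buildLogEntry(consentId, choice, policyVersion, now = new Date()) {
  return {
    consentId, // random per-visitor id (hypothetical field), not a customer id
    timestamp: now.toISOString(),
    policyVersion, // hypothetical: version of the cookie policy shown
    choice: { ...DENIED_BY_DEFAULT, ...choice },
  };
}

// Must run before any Google tag loads: every signal denied.
function setDefaults(gtag) {
  gtag("consent", "default", toConsentMode(DENIED_BY_DEFAULT));
}

// Called when the visitor answers the banner.
function applyChoice(gtag, log, consentId, choice, policyVersion, now) {
  const entry = buildLogEntry(consentId, choice, policyVersion, now);
  gtag("consent", "update", toConsentMode(entry.choice));
  log.push(entry);
  return entry;
}

// Demo with a stub gtag that records calls instead of pushing to dataLayer.
const calls = [];
const stubGtag = (...args) => calls.push(args);
const consentLog = [];
setDefaults(stubGtag);
applyChoice(stubGtag, consentLog, "c-0001", { analytics: true }, "2024-01",
  new Date("2024-01-15T10:00:00Z"));
console.log(calls, consentLog);
```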
Shopify simplifies e-commerce but does not simplify GDPR compliance. Marketing pixels and third-party apps create real risks that require regular auditing and a correctly configured CMP. Scan your store at /en/scan to identify in seconds which cookies are active on your Shopify store.