Shopify Consent Management is the native consent layer built into every Shopify storefront. It exposes the customerPrivacy API and the Shopify Pixels API so that marketing tags (Meta Pixel, TikTok pixel, Google Analytics 4) only fire after the visitor has opted in. From August 2024 every Shopify store selling to EU buyers is required to integrate a CMP that calls this API to remain compliant with the ePrivacy Directive and the Digital Markets Act.
Shopify Consent Management is the native consent layer that ships with every Shopify storefront. It exposes the window.Shopify.customerPrivacy JavaScript API and the Shopify Pixels API so that marketing, analytics and personalisation tags only fire after the visitor has expressed an explicit opt-in. Since August 2024 every Shopify store that sells to EU buyers is required to integrate a CMP that calls this API: a non-compliant configuration is now blocked at platform level for the EU traffic flow.
The merchant installs a CMP from the Shopify App Store (Pandectes, iubenda, Consentmo, CookieFirst, Cookiebot, Klaro for Shopify, etc.) or builds one with the customerPrivacy API. The CMP collects the visitor's decision and calls Shopify.customerPrivacy.setTrackingConsent; Shopify then automatically gates every tag registered in the Shopify Pixels surface. Strictly necessary checkout cookies remain unaffected.
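The flow described above, sketched as an added example (not Shopify's or any CMP vendor's code): a banner decision is mapped to the setTrackingConsent payload, and a script that has not yet been moved to Shopify Pixels is gated fail-closed. The category keys and the three *Allowed() checks are the Customer Privacy API names as assumed here; `makeStubPrivacy` is a constructed stand-in for `window.Shopify.customerPrivacy` so the code runs outside a storefront.

```javascript
// Added example. `privacy` stands for window.Shopify.customerPrivacy.
const CHECKS = {
  analytics: 'analyticsProcessingAllowed',
  marketing: 'marketingAllowed',
  preferences: 'preferencesProcessingAllowed',
};

// Map the first-layer banner choice to an explicit per-category payload.
// Anything that is not an explicit grant is sent as a denial.
function toConsentPayload(decision) {
  const payload = {};
  for (const category of Object.keys(CHECKS)) {
    if (decision.choice === 'accept_all') payload[category] = true;
    else if (decision.choice === 'reject_all') payload[category] = false;
    else payload[category] = decision.categories?.[category] === true;
  }
  return payload;
}

// Hand the decision to the Customer Privacy API.
function recordConsent(privacy, decision) {
  return new Promise((resolve, reject) => {
    if (typeof privacy?.setTrackingConsent !== 'function') {
      reject(new Error('customerPrivacy API not loaded'));
      return;
    }
    const payload = toConsentPayload(decision);
    privacy.setTrackingConsent(payload, () => resolve(payload));
  });
}

// Fail-closed gate for a script not yet migrated to Shopify Pixels:
// a missing API, unknown category or thrown error all mean "do not load".
function mayLoad(privacy, category) {
  try {
    const known = Object.prototype.hasOwnProperty.call(CHECKS, category);
    return known && privacy[CHECKS[category]]() === true;
  } catch {
    return false;
  }
}

// Constructed stand-in for the storefront API, for running this offline.
function makeStubPrivacy() {
  let state = {};
  return {
    setTrackingConsent(consent, done) { state = { ...consent }; done(); },
    analyticsProcessingAllowed: () => state.analytics === true,
    marketingAllowed: () => state.marketing === true,
    preferencesProcessingAllowed: () => state.preferences === true,
  };
}
```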
Three first-party cookies are used to persist the visitor's decision: _tracking_consent (the JSON object with the consent state per region and per category, 12 months), _consent (the merchant-facing version, 12 months) and _consent_v2 (the new GA4-compatible version with TCF-style values, 12 months). Strictly necessary cookies (_shopify_y, _shopify_s, secure_customer_sig) remain active without consent because they are necessary for the contract.
Shopify Consent Management satisfies Art. 5(3) ePrivacy by default: marketing pixels are blocked until the visitor opts in. The merchant remains the data controller for the storefront tracking and Shopify is a processor for the consent API. The consent state is propagated to Google Consent Mode v2, Meta Conversions API consent fields, TikTok Events Consent and any third-party pixel registered through the Shopify Pixels surface.
Install a CMP from the Shopify App Store and select GDPR + ePrivacy as the regulatory profile. Configure the banner with Accept all, Reject all and Customise on the same level on the first layer (per CNIL deliberation 2020-091 and EDPB cookie banner taskforce report). Enable the Customer Privacy API integration in the CMP settings so every tag registered in Shopify Pixels respects the consent state.
Shopify infrastructure runs on Google Cloud Platform with primary regions in the United States, Ireland and Singapore. Consent records inherit the merchant store region. Shopify has been certified under the EU-US Data Privacy Framework since 2024, and the Data Processing Addendum includes Standard Contractual Clauses as a fallback. Document the transfer in your Article 30 register.
Pick a CMP from the Shopify App Store that explicitly integrates with the Customer Privacy API. Sign the Shopify DPA from the admin and add Shopify Inc to your processor register (Art. 30 GDPR). Migrate every legacy tracking script to the Shopify Pixels surface so it inherits the consent state. Display a permanent Cookie preferences link in the footer. Document the consent record retention (12 months) in your privacy policy.
Websites using Shopify Consent Management must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the Shopify consent layer itself. A DPIA may be triggered by the marketing pixels gated through it (Meta Pixel, TikTok pixel) when these involve large-scale profiling under Art. 35 GDPR. Document the joint controllership with Shopify and the data residency of consent records in your processor register.
Sample consent text
We use cookies and similar technologies. Cookies that are strictly necessary to operate this store are always active. Marketing, analytics and personalisation cookies require your consent. You can accept all, reject all or choose by category. You can change your choice at any time via the cookie preferences link in the footer.
Third-party domains contacted
shopify.com
cdn.shopify.com
monorail-edge.shopifysvc.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _tracking_consent | first_party | 12 months | JSON object storing the visitor consent state per region and per category. Read by the Customer Privacy API. |
| _consent | first_party | 12 months | Merchant-facing version of the consent record. Used for backwards compatibility with older Shopify themes. |
| _consent_v2 | first_party | 12 months | New GA4-compatible consent record with TCF-style values, used by Shopify Pixels and Google Consent Mode v2. |
Three first-party cookies on the merchant domain: _tracking_consent (JSON consent state per region and category, 12 months), _consent (legacy merchant-facing version, 12 months) and _consent_v2 (new GA4-compatible TCF-style version, 12 months). The Customer Privacy API reads them to gate every tag registered in Shopify Pixels.
The consent cookies themselves are strictly necessary under the Art. 5(3) ePrivacy exemption because they store the consent record. Marketing, analytics and personalisation pixels gated through the API always require prior consent. Strictly necessary checkout cookies (_shopify_y, _shopify_s) do not.
Performance of contract (Art. 6(1)(b) GDPR) for strictly necessary checkout cookies. Legitimate interest (Art. 6(1)(f)) for the consent record. Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for marketing, analytics and personalisation pixels.
Yes. Shopify infrastructure runs on Google Cloud Platform with primary regions in the US, Ireland and Singapore. Shopify has been certified under the EU-US Data Privacy Framework since 2024 and the DPA includes Standard Contractual Clauses as a fallback. Document the transfer in your Article 30 register.
A DPIA is generally not required for the consent layer itself. A DPIA may be triggered by the marketing pixels gated through it (Meta Pixel, TikTok pixel) when these involve large-scale profiling under Art. 35 GDPR.
Install a CMP from the Shopify App Store that integrates with the Customer Privacy API (Pandectes, iubenda, Consentmo, CookieFirst, Cookiebot, Klaro for Shopify). Migrate every legacy tracking script into the Shopify Pixels surface. Configure the banner with Accept all, Reject all and Customise on the same level on the first layer. Sign the Shopify DPA from the admin.
You cannot replace it on Shopify: since August 2024 Shopify enforces consent gating through the Customer Privacy API for EU traffic. You can however choose any compatible CMP: Pandectes, iubenda, Consentmo, CookieFirst, Cookiebot by Usercentrics, Klaro for Shopify or a custom integration with the API.
Use a CMP that auto-generates the cookie policy from the Shopify Pixels inventory. Re-scan the storefront after every theme change or new pixel installation. Update the policy when Shopify adds a new sub-processor or when a checkout extension introduces a new strictly necessary cookie.
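For the advice above to migrate legacy tracking scripts into Shopify Pixels and to re-scan after every theme change, here is an added audit heuristic (not Shopify tooling and not from the original page). It flags `<script>` tags in rendered theme HTML that load or call the pixels named on this page directly. The loader hosts are the vendors' public script hosts, and `SAMPLE_THEME` is constructed input.

```javascript
// Added example: audit heuristic for hard-coded pixels in theme HTML.
const TRACKER_HOSTS = new Map([
  ['connect.facebook.net', 'Meta Pixel'],
  ['www.googletagmanager.com', 'Google tag (GA4)'],
  ['analytics.tiktok.com', 'TikTok pixel'],
]);
const INLINE_CALLS = new Map([
  ['Meta Pixel', /\bfbq\s*\(/],
  ['Google tag (GA4)', /\bgtag\s*\(/],
  ['TikTok pixel', /\bttq\.(?:load|page|track)\s*\(/],
]);

// Report every <script> that loads or calls a known pixel directly,
// i.e. outside the consent-gated Shopify Pixels surface.
function findHardcodedTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const line = html.slice(0, m.index).split('\n').length;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) {
      try {
        // The base URL resolves relative and protocol-relative src values.
        const host = new URL(src[1], 'https://shop.invalid').hostname;
        if (TRACKER_HOSTS.has(host)) {
          findings.push({ line, tracker: TRACKER_HOSTS.get(host), via: 'src' });
        }
      } catch { /* unparsable src: nothing to attribute */ }
    }
    for (const [tracker, re] of INLINE_CALLS) {
      if (re.test(m[2])) findings.push({ line, tracker, via: 'inline' });
    }
  }
  return findings;
}

// Constructed sample: one Shopify asset, one hard-coded gtag loader,
// one inline Meta Pixel call.
const SAMPLE_THEME = [
  '<head>',
  '<script src="//cdn.shopify.com/s/files/theme.js" defer></script>',
  '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>',
  '<script>fbq("init", "000000"); fbq("track", "PageView");</script>',
  '</head>',
].join('\n');
```

Each finding is a candidate for review: the script should either be moved into Shopify Pixels or be confirmed to sit behind a consent check.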