Cookie consent on Shopify: the GDPR compliance guide
14 March 2026 · FlowConsent
TL;DR
Shopify does not provide a GDPR-compliant cookie consent solution by default. The platform sets its own technical and analytics cookies, and third-party apps installed on your store add more. To make a Shopify store compliant, you need to integrate a CMP that displays a banner, blocks non-consented scripts and stores proof of consent, either via a dedicated Shopify app or via a JavaScript snippet in the theme.liquid file.
Why is Shopify alone not enough for cookie compliance?
Shopify is a hosted e-commerce platform. It manages technical infrastructure, hosting and checkout, but does not provide a cookie consent mechanism compliant with the European GDPR.
Shopify offers a native consent banner through its "Customer Privacy" feature, but this banner is basic. It does not block third-party scripts before consent and does not offer a per-category customisation panel. For stores targeting visitors in the EEA, this native mechanism is not sufficient to demonstrate compliance.
The sources of cookies on a Shopify store are numerous: native Shopify cookies (session, cart, checkout, Shopify analytics), installed third-party apps (reviews, upsell, email marketing, chat), conversion pixels (Facebook, Google Ads, TikTok) and analytics scripts (Google Analytics, Klaviyo, Hotjar).
Which cookies does Shopify set natively?
Strictly necessary cookies include _shopify_s and _shopify_y (session and visitor identification), cart_sig and cart_ts (cart management), secure_customer_sig (customer authentication), checkout_token (payment process). These are essential and exempt from consent.
Shopify analytics cookies include _shopify_sa_t and _shopify_sa_p. These may require consent if data is used for profiling purposes.
Third-party cookies are the most problematic: _ga, _gid (Google Analytics), _fbp, _fbc (Meta Pixel), cookies from Klaviyo, Judge.me, ReCharge. These systematically require prior consent.
How to integrate a CMP on Shopify?
Option 1: a Shopify consent app
The Shopify App Store offers consent apps like Pandectes, Consentmo or CookieYes. They are simple to install, but some free apps only display a banner without actually blocking scripts.
Option 2: an external SaaS CMP via theme.liquid
An external CMP like FlowConsent integrates via a JavaScript snippet in theme.liquid. It offers reliable blocking, automatic cookie scanning, Google Consent Mode v2, TCF 2.2 and compliance reports.
How to block scripts before consent on Shopify?
Script blocking can use the Shopify Customer Privacy API or a change of the script tags' type to type="text/plain" in theme.liquid. For Shopify Pixels, consent is controlled via Shopify privacy settings. A cookie audit verifies that scripts are blocked before consent.
Shopify Markets and multi-country compliance
GDPR (opt-in, EEA), CCPA/CPRA (opt-out, California) and LGPD (Brazil) have different requirements. A CMP with geolocation that adapts the banner per jurisdiction is necessary for multi-market stores. FlowConsent offers this feature.
Common mistakes on Shopify stores
Relying on Shopify's native banner as the only solution. It does not block third-party scripts and offers no granular choice.
Not auditing cookies set by Shopify apps. Every installed app can set its own undocumented cookies.
Forgetting Shopify Pixels. Pixels (Meta, Google Ads, TikTok) run in a sandbox but still set cookies. Consent must be configured separately.
Not updating the cookie policy after each app installation.
Ignoring Shopify checkout. It sets its own strictly necessary cookies that must be documented.
Shopify and Google Consent Mode v2
If your store uses GA4 or Google Ads, Consent Mode v2 is essential. It can be implemented via GTM in theme.liquid or directly via the CMP. FlowConsent automatically transmits consent signals to Google tags.
Checklist: cookie compliance on Shopify
- Run a scan of your store to inventory all cookies.
- Install a CMP (Shopify app or SaaS CMP via theme.liquid).
- Configure blocking of non-essential scripts before consent.
- Verify that the banner offers Accept and Reject with equal visibility.
- Configure Shopify Pixels consent management.
- Enable Google Consent Mode v2 if GA4 or Google Ads is used.
- Write a cookie policy including native Shopify cookies.
- Configure banner geolocation if Shopify Markets is active.
- Test in private browsing: no third-party cookies before clicking Accept.
- Schedule an audit after each Shopify app installation or update.
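The private-browsing test from this checklist can be scripted. The following is an added example, not FlowConsent or Shopify code: it classifies the cookies present before consent using the cookie names listed in this guide. The `_ga_` prefix rule, the function names and the sample cookie string are assumptions made for the example.

```javascript
// Added example. Cookie names come from this guide's lists; the "_ga_" prefix
// (GA4 per-property cookies) and the sample string are additions.
const NECESSARY = new Set(['_shopify_s', '_shopify_y', 'cart_sig', 'cart_ts',
  'secure_customer_sig', 'checkout_token']);
const SHOPIFY_ANALYTICS = new Set(['_shopify_sa_t', '_shopify_sa_p']);
const THIRD_PARTY = new Set(['_ga', '_gid', '_fbp', '_fbc']);
const THIRD_PARTY_PREFIXES = ['_ga_'];

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function parseCookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

function classify(name) {
  if (NECESSARY.has(name)) return 'necessary';
  if (SHOPIFY_ANALYTICS.has(name)) return 'shopify-analytics';
  if (THIRD_PARTY.has(name) ||
      THIRD_PARTY_PREFIXES.some((p) => name.startsWith(p))) return 'third-party';
  return 'undocumented'; // e.g. set by an installed app, must be reviewed
}

// Run on the cookies present BEFORE any click on the banner.
function auditPreConsent(cookieString) {
  const report = { necessary: [], 'shopify-analytics': [],
    'third-party': [], undocumented: [] };
  for (const name of parseCookieNames(cookieString)) {
    report[classify(name)].push(name);
  }
  // Known third-party cookies fail the test outright; unknown ones fail
  // until they are documented. Shopify analytics is listed for review only.
  report.pass = report['third-party'].length === 0 &&
    report.undocumented.length === 0;
  return report;
}

// Constructed sample: what document.cookie might return on a leaking store.
const SAMPLE = '_shopify_y=abc; cart_sig=1; _ga=GA1.1.1; _fbp=fb.1.2; app_x_uid=9';
console.log(auditPreConsent(SAMPLE));
```

document.cookie does not list HttpOnly cookies, so compare the result with the browser's cookie storage panel.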
Conclusion
Shopify simplifies e-commerce, but not cookie compliance. The native banner is not enough, and the app ecosystem adds undocumented cookies constantly. An external CMP like FlowConsent, integrated via theme.liquid, provides reliable blocking, automatic scanning and multi-market management needed for a GDPR-compliant Shopify store.
Run a free scan of your Shopify store to identify all cookies present and assess your compliance level.
Frequently asked questions
Does Shopify handle cookie consent natively?
Shopify offers a basic consent banner through its Customer Privacy feature, but it does not block third-party scripts before consent and does not offer granular per-category choice. For full GDPR compliance, a dedicated CMP must be added.
Which cookies does Shopify set on my store?
Shopify sets strictly necessary cookies (_shopify_s, _shopify_y, cart_sig, checkout_token) for site and cart functionality, plus internal analytics cookies (_shopify_sa_t, _shopify_sa_p). Third-party cookies (Google Analytics, Meta Pixel, etc.) depend on the apps and pixels you have installed.
How do I block third-party cookies before consent on Shopify?
Two methods are available: use the Shopify Customer Privacy API to conditionally load scripts, or modify script tags in theme.liquid by replacing type="text/javascript" with type="text/plain" and a data-category attribute. The CMP reactivates scripts after consent.
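The type="text/plain" method from this answer and from the script-blocking section above, as an added example (not FlowConsent's or Shopify's code). The category names, function names and the example.invalid URL are assumptions. Each consented script is re-created as a new node, because changing the type of a script that is already in the page does not execute it.

```javascript
// Added example. Blocked markup in theme.liquid would look like this
// (constructed sample, category names are assumptions):
//   <script type="text/plain" data-category="analytics"
//           src="https://example.invalid/a.js"></script>
const BLOCKED_SELECTOR = 'script[type="text/plain"][data-category]';

// Activate blocked scripts whose category is in `consented`.
// `doc` is a Document; returns the categories of the scripts activated.
function activateConsentedScripts(doc, consented) {
  const allowed = new Set(consented);
  const activated = [];
  for (const blocked of Array.from(doc.querySelectorAll(BLOCKED_SELECTOR))) {
    const category = blocked.getAttribute('data-category');
    if (!allowed.has(category)) continue; // no consent: the tag stays inert

    // Build a fresh element, copy every attribute except the inert type,
    // then swap it in at the same position so the browser fetches and runs it.
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(blocked.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.setAttribute('type', 'text/javascript');
    live.textContent = blocked.textContent; // inline scripts keep their body
    blocked.parentNode.replaceChild(live, blocked);
    activated.push(category);
  }
  return activated;
}

// Categories still blocked: should list every non-consented category
// and be the full list before the visitor has made a choice.
function stillBlocked(doc) {
  return Array.from(doc.querySelectorAll(BLOCKED_SELECTOR))
    .map((script) => script.getAttribute('data-category'));
}

// In a browser, call this from the banner's consent callback, for example
// activateConsentedScripts(document, ['analytics']).
```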
Do Shopify Pixels require consent?
Yes. Shopify Pixels (Meta Pixel, Google Ads, TikTok) run in an isolated sandbox but still set cookies. Their consent behaviour must be configured via Shopify privacy settings or the Customer Privacy API.
Do I need a different CMP for each Shopify Markets region?
No. A single CMP with geolocation capability is sufficient. It adapts the banner based on jurisdiction: opt-in for the EEA (GDPR), opt-out for California (CCPA), etc. FlowConsent and advanced SaaS CMPs offer this feature natively.
How do I integrate FlowConsent on Shopify?
FlowConsent integrates by adding a JavaScript snippet in your Shopify theme's theme.liquid file, just before the closing </head> tag. This method works independently of Shopify apps and provides automatic scanning, script blocking and Consent Mode v2.