Cookie Consent for Shopify: Complete Setup Guide
Shopify's built-in cookie banner does not meet GDPR requirements in most EU jurisdictions. Here's how to replace it with a compliant solution and what steps to follow.
Shopify has grown into the dominant ecommerce platform in Europe, which means hundreds of thousands of stores are operating under GDPR jurisdiction. Most of them are using Shopify's built-in cookie consent banner — which, unfortunately, does not meet the standard regulators expect. This guide explains why, and what to do about it.
What Shopify's built-in banner actually does
Shopify includes a basic cookie consent notification through its privacy settings. When enabled, it shows a banner informing visitors that the store uses cookies. In some regions, it will delay certain cookies until consent is given.
- No granular category controls: Shopify's native banner does not offer separate opt-in for analytics versus marketing cookies. GDPR requires granular consent.
- Third-party app scripts: Most Shopify stores use apps — reviews, loyalty programmes, live chat, exit-intent popups — each of which installs its own tracking scripts. Shopify's built-in banner does not block these.
- Marketing pixels: Meta Pixel and Google Ads tags are typically added via Shopify's Marketing section or through the Google & YouTube channel app. These fire regardless of your banner settings.
- No consent records: Shopify does not store consent audit trails in a form suitable for regulatory requests.
- No re-consent on policy updates: If you update your cookie policy, Shopify does not trigger re-consent from existing visitors.
The regulatory reality for Shopify stores
If you sell to EU customers, GDPR applies to you regardless of where your business is incorporated. Shopify itself is not responsible for your compliance — it provides a platform, not a compliance guarantee. The responsibility sits with you, the merchant.
CNIL, the French data protection authority, has fined companies for exactly the type of banner Shopify provides by default. The ICO in the UK and the AEPD in Spain have both issued guidance that effectively rules out single-category "accept cookies" banners without granular control.
The safe assumption: if you are generating meaningful revenue from EU customers, you need a third-party consent management solution.
Step 1: Inventory your Shopify tracking scripts
Before configuring anything, identify every tracking script on your store. Open your Shopify admin, then:
1. Go to Online Store > Themes and click Edit code.
2. Open theme.liquid and look for any scripts in the <head> section.
3. Go to Settings > Custom data and check for any custom pixel or script injections.
4. Go to Settings > Apps and sales channels and note every installed app — each may add its own tracking.
5. Go to Online Store > Preferences and check your Google Analytics and Facebook Pixel fields.
List every script and categorise it: essential (cart, checkout), functional (live chat if user-initiated), analytics (GA4, Hotjar), or marketing (Meta Pixel, Google Ads, TikTok Pixel).
Step 2: Sign up for ShieldPage
ShieldPage works with Shopify via a script tag — no app installation required, which means it loads before Shopify's own app scripts and can block them correctly. Create your account at shieldpage.io.
In the ShieldPage dashboard:
1. Click Add Website and enter your Shopify store's domain (e.g., yourstore.myshopify.com or your custom domain).
2. Navigate to Consent Widget and select the GDPR preset.
3. Add your cookie categories: Essential, Analytics, Marketing. Add clear descriptions — "We use Google Analytics to understand which products are most popular" is better than "Analytics cookies."
4. Under Blocked Scripts, add each tracking script by URL pattern and assign it to its category.
Step 3: Install the ShieldPage script in Shopify
Go to your Shopify admin, then Online Store > Themes > Edit code. Open theme.liquid. Find the opening <head> tag and paste the ShieldPage embed snippet immediately after it — this must be the very first script in your <head>:
```html
<script
  src="https://cdn.shieldpage.io/consent/v2/loader.js"
  data-site-id="YOUR_SITE_ID"
  async
></script>
```
Critical: If you have any other scripts before this — including Shopify's own analytics snippet — move the ShieldPage script above them. Any script that loads before the consent manager can fire without consent.
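An added example (not ShieldPage or Shopify code) covering the inventory from Step 1 and the ordering rule above: it lists every script tag in a saved copy of the rendered storefront HTML, assigns a category, and reports anything that loads ahead of the consent loader. The host-to-category map and the sample HTML are assumptions constructed for illustration, and the regex scan is a quick audit, not a full HTML parser.

```javascript
// Added example: audit script order and categories in rendered storefront HTML.
// The host-to-category map is illustrative; extend it with your own inventory.
const CONSENT_LOADER = "cdn.shieldpage.io/consent/"; // loader URL from this guide
const CATEGORY_BY_HOST = [
  [/googletagmanager\.com|google-analytics\.com|hotjar\.com/, "analytics"],
  [/connect\.facebook\.net|analytics\.tiktok\.com|googleadservices\.com/, "marketing"],
  [/cdn\.shopify\.com/, "essential"], // assumption: theme/cart assets; review each one
];

function auditScripts(html) {
  const headEnd = html.search(/<\/head\s*>/i);
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const declared = (attrs.match(/\bdata-consent-category\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const isLoader = !!src && src.includes(CONSENT_LOADER);
    const hit = src && CATEGORY_BY_HOST.find(([re]) => re.test(src));
    scripts.push({
      src: src || "(inline)",
      inHead: headEnd === -1 || m.index < headEnd,
      isLoader,
      category: isLoader ? "consent-manager" : declared || (hit ? hit[1] : "uncategorised"),
    });
  }
  const loaderIdx = scripts.findIndex((s) => s.isLoader);
  // Anything ahead of the loader can run before consent is evaluated.
  const beforeLoader = loaderIdx === -1 ? scripts : scripts.slice(0, loaderIdx);
  return { scripts, loaderFirst: loaderIdx === 0, beforeLoader };
}

// Constructed sample: GA4 tag placed above the consent loader (the failure case).
const SAMPLE_HTML = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://cdn.shieldpage.io/consent/v2/loader.js" data-site-id="YOUR_SITE_ID" async></script>
<script src="https://connect.facebook.net/en_US/fbevents.js" data-consent-category="marketing"></script>
<script>window.themeLoaded = true;</script>
</head><body></body></html>`;

const report = auditScripts(SAMPLE_HTML);
console.log("loader first:", report.loaderFirst);
for (const s of report.beforeLoader) console.log("loads before consent manager:", s.src, `[${s.category}]`);
for (const s of report.scripts) console.log(s.category.padEnd(16), s.src);
```

Scripts reported as "uncategorised" (including inline ones) are the entries to resolve by hand before adding them to the blocked script list.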
Step 4: Handle Shopify's Google Analytics and Facebook Pixel fields
Shopify has dedicated fields in Online Store > Preferences for Google Analytics and Facebook Pixel. These inject scripts directly into your theme, and you cannot easily intercept them through the standard script blocking mechanism.
- Remove the Google Analytics ID from Shopify's preferences field.
- Add Google Analytics through ShieldPage's script blocking configuration instead, using ShieldPage's consent-aware GA4 loader.
- Remove the Facebook Pixel ID from Shopify's preferences field.
- Add the Meta Pixel snippet to your theme.liquid under a data-consent-category="marketing" attribute, which ShieldPage will block automatically.
This approach gives ShieldPage full control over when these scripts fire.
Step 5: Handle Shopify app scripts
Each Shopify app that you install can inject its own scripts. Some apps use Shopify's ScriptTag API (which injects scripts site-wide), while others add code directly to your theme.
For apps using ScriptTag, you will need to check each app's settings for a consent or GDPR mode. Many major apps (Klaviyo, Gorgias, Yotpo) have built-in consent modes that respect a CMP signal. Configure each app to wait for consent before activating.
For apps that hard-code scripts into your theme, add those script URLs to ShieldPage's blocked script list with the appropriate category assignment.
Step 6: Add the cookie preferences link to your footer
Shopify themes have a footer section where you can add links. Add a "Cookie Settings" link using ShieldPage's re-open attribute:
```html
<a href="#" data-shieldpage="open-preferences">Cookie Settings</a>
```
Most Shopify themes allow adding custom HTML in the footer navigation. Alternatively, add this link to your footer.liquid file directly.
Step 7: Test the full purchase flow
Cookie consent on ecommerce stores requires extra care because the checkout process must work correctly. Test:
1. Without any consent given: Add a product to cart and proceed to checkout. The checkout must work. Essential cookies (cart, session) must not be blocked.
2. With analytics accepted: Verify GA4 events fire correctly for product views and add-to-cart.
3. With marketing accepted: Verify Meta Pixel fires for PageView and AddToCart events.
4. With everything rejected: Complete a test purchase. Conversion must succeed without any analytics or marketing cookies.
5. Consent withdrawal: Accept marketing, then reopen preferences and withdraw consent. Verify the marketing cookie is deleted.
A note on Shopify Markets and multi-region stores
If you use Shopify Markets to sell in multiple regions, you may want to show the consent banner only to visitors from jurisdictions that require it (EU, UK, Switzerland, etc.) while skipping the banner for visitors from regions without consent requirements (US, most of Asia-Pacific). ShieldPage supports geo-targeting rules that display the banner based on visitor location.
Ongoing maintenance
- Review your cookie inventory every time you install or update a Shopify app.
- Re-scan your store quarterly to catch any new scripts introduced by app updates.
- Update your cookie policy and trigger re-consent if you add new tracking technologies.
- Keep an eye on CNIL, ICO, and AEPD guidance — enforcement patterns shift as regulators develop new priorities.
Getting this right protects your store from regulatory action, but it also builds genuine trust with EU customers who increasingly notice and appreciate transparent data practices.