Cookie Consent for Shopify Stores: What You Actually Need
Shopify added a built-in "Cookie Usage" notification years ago. We've seen a lot of store owners assume that covers them. It doesn't — and the gap matters if you're selling to EU, UK, or Indian customers.
Here's what Shopify gives you, what it misses, and how to close the gap without slowing your store down.
What Shopify's Default Banner Actually Does
Shopify's built-in cookie notification is exactly that — a notification. It tells visitors you use cookies. It does not:
- Block any scripts before consent - Give users a way to reject non-essential cookies - Create granular consent categories (analytics vs marketing vs preferences) - Log consent records for audit purposes - Implement Google Consent Mode v2
For GDPR compliance (EU/UK) and India's DPDPA 2023, notification is not enough. You need active opt-in before loading non-essential scripts.
What Scripts Shopify Stores Typically Load
A typical Shopify store with a few apps fires between 8 and 20 third-party scripts on a page load. Common ones that require consent under GDPR:
- Google Analytics 4 (analytics) - Meta Pixel / Facebook Pixel (marketing) - TikTok Pixel (marketing) - Klaviyo (marketing/analytics) - Hotjar (analytics) - Google Ads conversion tracking (marketing) - Pinterest Tag (marketing) - Shopify's own marketing cookies if you use their email marketing
If any of these load before consent, you're non-compliant.
Who Is Actually at Risk?
You're at legal risk if you have EU, UK, or Indian visitors. The practical risk is higher if:
- Your store does meaningful EU/UK volume (GDPR fines scale with revenue) - You run Facebook/Google ads targeting European audiences - A competitor files a complaint with a local DPA (this happens more than you'd think) - You process any sensitive data (health, financial products, children's products)
Small stores with minimal EU traffic face low enforcement risk right now, but non-compliance is still a liability, and DPDPA enforcement in India is ramping up.
The Right Way to Handle Consent on Shopify
**Option 1: Shopify Markets + Consent Mode** Shopify has been rolling out improved consent management via the Privacy API for themes using Online Store 2.0. If you're on Dawn or a recent third-party theme, check if your theme has consent mode support built in. If it does, configure it properly — don't just leave defaults.
**Option 2: Third-party consent platform (recommended for serious stores)** For full control, use a dedicated consent management platform that integrates with Shopify via script tag injection. The flow is:
1. Add the consent platform script in your theme's `<head>`, before any other scripts 2. Configure it to block all non-essential scripts by default 3. Map your analytics and marketing tags to the right consent categories 4. Link your Privacy Policy and Cookie Policy in the banner
CookieSeal works this way. Add one script snippet in your Shopify theme code, configure your tags in the dashboard, and the banner handles the rest. It doesn't require a Shopify app — no monthly app fee, no App Store approval needed.
One Thing to Check Before You Go Live
After setup, use a separate browser (not your admin browser) and verify:
1. Does the banner appear immediately on first visit? 2. Do your Meta/Google Pixel scripts appear in the Network tab before consent? They shouldn't. 3. After clicking "Reject All," do those same scripts fire? They shouldn't. 4. Does the banner not appear on the second visit (consent remembered)?
If all four pass, you're in good shape. If any fail, there's a script loading sequence issue to debug.
DPDPA Note for Indian D2C Stores
If you sell to Indian customers and collect their data — which any store using email marketing or retargeting does — DPDPA 2023 applies. The consent requirements are stricter than most people realize: you must state the specific purpose before collection, and withdrawal must be as easy as granting consent. The Shopify default banner doesn't meet this bar.