Why is cookie consent (per GDPR) not core Shopify functionality?

30 0 67

Shopify, this question is for you...


If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).


Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.


So why does Shopify fob-off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.


I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zen Desk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either. 


Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.


When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Replies 35 (35)
Shopify Partner
29 0 18

@Milan146 wrote:

You can reach out to our support team we could work on that, try our free application 


but we can provide you satisfying solution though 

Like many have pointed out in this thread most of the available apps (including yours) DO NOT make you GDPR compliant. Merely notifying the customer the page uses cookies (implied consent) is meaningless when it comes to being compliant. The customer needs to be able to give CLEAR consent by clicking a button before you start tracking them and that means NO tracking cookies are set and tracking scripts DO NOT run before they have consented. Apart from that, the user should be able to able to change their cookie settings after the initial consent.

7 0 2

Hi everyone,

I am starting a new shopify store in Feb 2021 and was also concerned about GDPR (for EU) and CCPA (for California).

Isn't having a privacy policy (the default one provided by shopify) sufficient to satisfy GDPR and CCPA regulations?  I'm in California myself and when I go to Banana Republic's website (for example), there is no CCPA or cookies banner popping up at the bottom of the page.  They only have a privacy policy link at the bottom of the page like everyone else.  And when I checked out some GDPR banner apps on shopify, it doesn't look like a lot of shopify stores downloaded them.  So I'm wondering if having a privacy policy page is enough.  Aren't customers giving their consent by using the website?  

Also, there are instructions for store owners (GDPR white pages) to contact shopify if a customer requests information about themselves or want to erase their data.  I believe we go to the shopify admin, click customers, and click "request blah blah" which starts a process with shopify.  I believe the instructions also mentioned that shopify sends this request to all the connected apps in our store (not sure about this one). 

Any advice from shopify owners would be helpful.  Thanks and take care.      


6 0 1

I really hope @Shopify is looking into this, if only for their own bottom line. Merchants will be scared off if there is the slightest risk of getting one of these huge business ruining fines if they are not compliant.

It should be possible for Shopify to adjust the way app developers create apps and force them to add new steps where consent can (perhaps optionally) be obtained (or not) and cookies or other scripts can be then used (or not) depending on the user's answer. Of course, this will add work for the developers but there really is no other option if eCommerce on Shopify is to continue.

New Member
1 0 0

Hi everyone,

Same issue here: setting up the shop end of 2021 and cannot get fully GDPR compliant as Shopify is triggering cookies prior to consent (their script is read before mine so Cookiebot is too late to block them) and they send some data to a "not adequate" country (US).

I reached out to customer service but they are not really tackling the issue as they suggested that I install their customer banner app (which only shows a banner without taking any actions on the background to block cookies). Therefore, I insisted until they suggested that I talk to a "Shopify Expert" which costs between $50 to $1k just as a starting fee.

Honestly, I do not get why this is so complicated - I spent hours going on forums, trying different Cookie blockers apps, understanding GDPR regulations, etc. - and this should be a native functionality (at least for all the core functions - not the third party which are usually easy to block).

Please let me know if you have any information or found a solution.

Thank you,

88 5 37

Hi everyone,

I've already tried inumerous apps, November 2, 2021, and no signal of a perfect solution.

Does anyone knows if this this code works for shopify?

It's not full compliant, but at least we can inform and have full control of the css, and we can also add "if" for languages.

Thank you


7 0 2
I used one of the gdpr + ccpa (california) apps on the shopify app store
and it works fine. I asked a shopify customer service rep and he said it
looked fine.