This is correct. We await the revised permissions from Shopify to see where things will fall, and in the meantime make clients aware of the risks and ensure they accept them before starting a Shopify build. It’s an entirely unsatisfactory state of affairs, I’m afraid, but this is the world we inhabit.
Topic summary
Shopify stores face ongoing GDPR/PECR compliance issues regarding cookie consent, particularly for UK and EU merchants. The core problem: analytics cookies (Google Analytics, Facebook Pixel) are deployed through Shopify’s admin settings outside theme control, making proper opt-in consent impossible—especially at checkout, which remains inaccessible on non-Plus plans.
Key compliance gaps identified:
- Shopify’s own analytics cookies (_shopify_y, _s, etc.) load before user consent, even with “Limit tracking to EU” enabled
- The Facebook/Instagram app sets the _fbp marketing cookie regardless of consent status
- Shopify’s Consent Tracking API and native consent banner don’t actually block these cookies on initial page load
- Third-party GDPR apps claim compliance but often only delete cookies after they’ve already fired, not prevent them from loading
Regulatory context:
The UK ICO has flagged cookie compliance as an enforcement priority. EU regulations require explicit opt-in for non-essential cookies before they’re set. Fines are being issued to non-compliant sites.
Proposed solutions discussed:
- Google Consent Mode integration (mandatory by March 2024 per Google)
- Custom script blocking using Shopify’s Customer Privacy API
- Third-party tools like OneTrust or specialized Shopify apps
- Manual deletion of problematic cookies via JavaScript
Current status (as of August 2025):
No out-of-the-box solution exists. Merchants remain liable for fines despite platform limitations. The discussion reflects frustration that this critical issue, first raised in 2019-2020, remains unresolved by Shopify.
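To check whether a consent app actually prevents the cookies listed under the compliance gaps, or only removes them after they have been set, cookie snapshots recorded during a first visit can be audited. This is an added example, not code from the thread or from Shopify; the snapshot format, the function names and the sample data are assumptions constructed for illustration, and the cookie names are the ones named above.

```javascript
// Non-essential cookies named in the discussion above; extend for your own store.
const NON_ESSENTIAL = new Map([
  ['_shopify_y', 'analytics'],
  ['_s', 'analytics'],
  ['_fbp', 'marketing'],
]);

// Parse a document.cookie-style string ("a=1; b=2") into a set of cookie names.
function parseCookieNames(cookieString) {
  const names = new Set();
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (name) names.add(name);
  }
  return names;
}

// snapshots: [{ t, consent, cookies }] ordered by time (hypothetical format);
// `consent` becomes true once the visitor has opted in. Returns every
// non-essential cookie seen before opt-in, and whether it had been removed
// again by the last pre-consent snapshot.
function auditPreConsent(snapshots) {
  const preConsent = [];
  for (const snap of snapshots) {
    if (snap.consent) break; // anything set after opt-in is out of scope
    preConsent.push(snap);
  }
  const findings = new Map();
  for (const snap of preConsent) {
    for (const name of parseCookieNames(snap.cookies)) {
      if (NON_ESSENTIAL.has(name) && !findings.has(name)) {
        findings.set(name, { name, category: NON_ESSENTIAL.get(name), firstSeen: snap.t });
      }
    }
  }
  const lastNames = preConsent.length
    ? parseCookieNames(preConsent[preConsent.length - 1].cookies)
    : new Set();
  return [...findings.values()].map((f) => ({ ...f, deletedBeforeConsent: !lastNames.has(f.name) }));
}

// Constructed sample: a cleanup script removes the cookies 400 ms after load.
const SAMPLE = [
  { t: 0, consent: false, cookies: '_shopify_y=abc; _fbp=fb.1.1.1; cart=xyz' },
  { t: 400, consent: false, cookies: 'cart=xyz' },
  { t: 5000, consent: true, cookies: '_shopify_y=abc; _fbp=fb.1.1.1; cart=xyz' },
];
console.log(auditPreConsent(SAMPLE));
```

A finding with `deletedBeforeConsent: true` is the delete-after-firing pattern: the cookie was still written before opt-in, so the cleanup does not amount to prior consent.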