How can OneTrust ensure GDPR compliance for Shopify cookies?

Shopify Discussion
, ,

Topic summary

A Shopify store owner reports that OneTrust’s auto-blocking feature cannot prevent certain Shopify cookies (_shopify_y, _shopify_s, _y, _s, _shopify_evids) from loading before user consent. OneTrust confirmed they cannot block cookies set by external domains, while Shopify Plus Support stated blocking these cookies could affect analytics, storefront loading, and admin functionality.

Key concerns raised:

  • How should these cookies be categorized under GDPR?
  • Can cookies serving both functional and analytics purposes qualify as “strictly necessary”?
  • What compliance options exist if leading services cannot block them?

Responses provided:

  • Shopify staff directed the user to their Cookie Policy for detailed cookie definitions and categorizations, noting that legal compliance questions require consultation with legal professionals.
  • A third-party compliance service suggested that while Shopify may claim some cookies are strictly necessary, GDPR requires cookies used for tracking to be blocked until consent is obtained. They recommend adjusting Shopify script settings or contacting Shopify for clearer compliance options.

The discussion remains unresolved regarding definitive GDPR compliance solutions for these automatically-injected cookies.

Summarized with AI on November 1. AI used: claude-sonnet-4-5-20250929.
1

We’re using a third party cookie compliance management service called OneTrust on some of our Shopify stores - they’re supplying us with a Cookie Banner & Preference Centre, as well as a cookie categorisation facility. Most importantly they offer an ‘auto-blocking’ feature intended to block the source of all NOT strictly-necessary cookies until user permission is provided.

However…

We’ve found that this technology is not successfully blocking a range of Shopify cookies - _shopify_y, _shopify_s, _y, _s, _shopify_evids etc - which are, to quote ThomasBorowski on this thread https://community.shopify.com/c/shopify-discussions/eu-high-court-decision-regarding-cookies-and-shopify-s-non/td-p/579238 : “set by Shopify’s analytics scripts [and] injected into the store automatically”.

Tech support at OneTrust had this to say:

“Unfortunately overall, it seems we are unable to block Shopify Cookies. We have no control over cookies that might be set by an external resource on a different domain. These (third party) cookies are set on the “external domain”, not the domain of your site.”

Concerned about what this might mean for the compliance status of our sites, I went to Shopify Plus Support to asked if it was possible and/or desirable to block these cookies on page load, and was told:

“It could be possible however it is not something that we would support as it could greatly effect the merchants analytics, it could effect store front loading, it could also effect the admin as well.”

Since I was fully into web detective mode now, I went and inspected a number of prominent Shopify sites and saw the same cookies appearing in the browser, regardless of what kind Compliance Banner was implemented and before any interaction with a banner.

The questions all this raises are:

What is the correct categorisation for the cookies listed above?

If a cookie is integral to “store front loading” and the functioning of the store admin, in addition to store analytics, can it be correctly categorised as strictly necessary?

If these cookies cannot be designated strictly necessary, and leading compliance services can’t block them, what recourse do store owners have to ensure that they’re GDPR compliant?

Would really appreciate the thoughts of both other store owners and Shopify staff.

Andy.

2

Hi Andy,

Thank you for sharing your question here. Cookies and data compliance are a very important topic for merchants and partners and having a clear understanding of that is definitely important.

Our legal and policy page has a detailed document on this topic I would like to share with you. Our Cookie Policy and the definition for all our cookies, including the ones you shared below, can be found here: Shopify Cookie Policy. Our policy page details the cookies that are needed and what areas of the storefront or admin they would affect if not available any longer.

Alongside cookies required for the storefront to load and work properly, there are a range of services that Shopify utilizes that can also create cookies. These are all detailed in our Cookie Policy link shared above. Each of these entities have their own policies and may allow you to opt your business out of their tracking services, which would also minimize the cookies they create for tracking.

Hopefully this resource answers most of your questions. I am not a technical expert myself, but I want to make sure you get answers to all your questions regarding this. Please review the cookie policy and let me know if you have additional questions remaining and I will do my best to get you an answer. If your question is directly related to legal requirements for your business, you will need to consult with a legal professional for additional help as our support is not able to speak to that.

3

Hi Andy,

Your concerns about Shopify’s cookies and GDPR compliance are valid, especially since automatic tracking before user consent can be a violation of EU privacy laws. Here’s a breakdown of your key questions:

Regarding the correct categorization of Shopify cookies, cookies like _shopify_y, _shopify_s, _y, _s, and _shopify_evids are primarily analytics and tracking cookies set by Shopify’s own scripts. If they contribute to storefront functionality or admin operations, Shopify may argue that some are strictly necessary, but this classification can be disputed under GDPR.

On whether these cookies are strictly necessary, GDPR defines “strictly necessary” cookies as those essential for the core functionality of a website, such as session cookies that enable a shopping cart to work. If a cookie is used for both analytics and storefront functionality, Shopify would need to demonstrate that blocking it would break the store’s ability to function properly. However, if a cookie is only used for tracking, it must be blocked until consent is given.

As for what recourse store owners have, if OneTrust and other compliance services cannot block these cookies, Shopify needs to provide an alternative solution—either by allowing merchants to disable non-essential tracking or updating its handling of these cookies. One possible approach is adjusting your Shopify script settings to disable analytics until consent is given. Store owners may also consider contacting Shopify directly to push for clearer compliance options.

If you need further compliance guidance, EaseCert (https://easecert.com/) provides GDPR and EU regulatory support. It’s crucial to ensure your store meets the requirements, especially with increasing enforcement of data privacy laws.

Hope this helps!

Best,

Chris