Why is cookie consent (per GDPR) not core Shopify functionality?

Topic summary

Main issue: EU GDPR requires explicit, prior consent for non‑essential cookies, but Shopify lacks a robust, built‑in consent mechanism; many third‑party “cookie banner” apps provide a false sense of compliance.

Key developments:

  • 2019: Shopify’s privacy team said a fix was a top priority after the CJEU ruling (Planet49) clarified active consent is required (no pre‑checked boxes or implied consent).
  • Technical constraints: Apps load after the storefront, making it hard to prevent Shopify/GA/FB tracking before consent; checkout pages don’t allow apps, so tracking there can’t be blocked unless on Shopify Plus with custom checkout.
  • Tried solutions: Smart EU Cookie Banner ($3/mo) noted for performance hit; GDPR/CCPA + Cookie Management logs consent and disables scripts but reportedly still lets GA/FB download before consent; Cookiebot flagged non‑compliance in some setups; privacy policy alone is insufficient for GDPR.
  • Shopify introduced Customer Privacy API and a native Customer Privacy Banner app; mixed feedback and minor UI limitations; Customer Privacy settings found under Online Store > Preferences.
  • Newer app: Pandectes GDPR Compliance claims full compliance via Shopify’s API (blocking services pre‑consent, consent logs), clarifies performance practices; later adopted by a participant with positive feedback.

Status: Ongoing. No definitive, universal native solution; merchants test API‑integrated apps, verify true prior‑to‑consent blocking (including checkout), and maintain consent logs. Unresolved: comprehensive blocking on checkout and assurance of full compliance across all trackers.

Summarized with AI on January 2. AI used: gpt-5.

Like many have pointed out in this thread, most of the available apps (including yours) DO NOT make you GDPR compliant. Merely notifying the customer the page uses cookies (implied consent) is meaningless when it comes to being compliant. The customer needs to be able to give CLEAR consent by clicking a button before you start tracking them and that means NO tracking cookies are set and tracking scripts DO NOT run before they have consented. Apart from that, the user should be able to change their cookie settings after the initial consent.

5 Likes
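
The requirement in the post above (nothing non-essential loads until the visitor clicks, and the choice can be changed later) can be sketched as a consent gate; this is an added example, not code from the thread, from Shopify, or from any of the apps mentioned. `createConsentGate`, `memoryStorage`, the storage key and the category names are hypothetical, and the storage object and script loader are passed in so the logic can be exercised outside a browser.

```javascript
// Added example. createConsentGate and its option names are hypothetical,
// not part of Shopify's Customer Privacy API or any app from the thread.
function createConsentGate({ storage, loadScript, now = () => new Date().toISOString() }) {
  const KEY = 'cookie_consent';          // hypothetical storage key
  const registered = [];                 // { category, src } for every non-essential script
  const loaded = new Set();              // srcs actually injected
  const log = [];                        // consent log: one entry per explicit choice
  let granted = new Set();               // default: nothing granted (no implied consent)

  try {                                  // restore only a choice the visitor made earlier
    const saved = JSON.parse(storage.getItem(KEY) || 'null');
    if (saved && Array.isArray(saved.granted)) granted = new Set(saved.granted);
  } catch (e) { /* corrupt value is treated as "no consent" */ }

  function flush() {
    for (const { category, src } of registered) {
      if (granted.has(category) && !loaded.has(src)) {
        loaded.add(src);
        loadScript(src);                 // the only path by which a tracker is loaded
      }
    }
  }

  return {
    // Call this instead of hard-coding a <script> tag for a tracker.
    register(category, src) { registered.push({ category, src }); flush(); },
    // Call only from the banner's button handlers; also used to change settings later.
    setConsent(categories) {
      granted = new Set(categories);
      storage.setItem(KEY, JSON.stringify({ granted: [...granted] }));
      log.push({ at: now(), granted: [...granted] });
      flush();
      // Already-executed scripts cannot be unloaded: report them so the caller
      // can reload the page and clear their cookies.
      return registered.filter(r => loaded.has(r.src) && !granted.has(r.category)).map(r => r.src);
    },
    loadedScripts: () => [...loaded],
    consentLog: () => log.slice(),
  };
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}
```

In a browser, `storage` would be `localStorage` and `loadScript` a function that appends a `<script>` element; a non-empty return value from `setConsent` means consent was withdrawn for a script that has already run.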