Why is cookie consent (per GDPR) not core Shopify functionality?

31 0 65

Shopify, this question is for you...


If we have a website with European users, 'unambiguous, affirmative consent' to cookies is not optional. It's the law as per EU GDPR, with huge fines for non-compliance (or at best lots of time-wasting admin work if challenged on it).


Just like we can't run an online store without payment processing functionality, we can't run an online store selling to Europeans without a GDPR-compliant cookie consent mechanism.


So why does Shopify fob-off GDPR-compliant cookie consent to 3rd party developers?? This is core, non-optional functionality.


I've spent a lot of time looking at the 3rd party 'cookie bar/banner' offerings on the Shopify App Store: 

  • Most just give a false sense of 'GDPR compliance' but don't log consent (the EU can ask to prove you got it), or block all cookies until consent is granted. The positive App reviews make it clear that many shop owners consider GDPR a box-ticking exercise, and think they're covered when really they've only added a useless decoration to their site.
  • Some 3rd party GDPR Shopify Apps seem to open new vectors for privacy breaches. Sure it would be great if Data Subject Access Requests, etc. were self-serve instead of a manual chore for the shop owner. But the current Apps don't seem to properly challenge that the requestor is indeed the person in question. Especially those that claim to be 'Compatible with both registered and guest accounts' - how do you even verify a 'guest' is the same person from the original transaction(s), as 'guests' are by nature rather anonymous? You're actually creating a privacy nightmare if you start making your customers' data and order history available to strangers (who may only need to know your customers' email addresses). 
  • I've asked the above App developers for their views on the above. I have a collection of auto-responses and Zendesk tickets, but zero replies from real humans. Which suggests there's no proper support for these Apps either. 


Robust cookie consent should not be functionality that shop owners need to waste time searching Apps for. Or worse installing Apps that might be dangerously complacent, and indeed making their GDPR problems worse.


When is Shopify going to offer GDPR-compliant cookie consent as part of its core functionality?

Replies 40 (40)
26 0 14

I had to laugh so hard as I read "users will feel that they are respected" 


Wow. Just wow. There are laws, and App-Developers talk about that at least someone "feels respected"

When the court asks us if we set those cookies, I will say "Yes, but we told them so they felt respected"


Made my day! 

It can only be solved by Shopify and is indeed a core functionality, which has to be there for EU-Users (even for US Stores!) 


Care for skin & hair - natural and effective.
New Member
6 0 0

@ui-gab wrote:

Unfortunately there is not a simple answer for you.

You can check on Shopify's white paper here: https://help.shopify.com/pdf/gdpr-whitepaper.pdf


Background Info:

Who tracks data:


Google Analytics (if installed)

Others (Facebook pixel, etc.)


In technical terms:

All apps load asynchronously or after the shop has loaded. So you cannot stop Shopify from tracking your information with an app alone. And that includes your Google Analytics tag that you've attached.

That also presents a separate issue with tracking on the checkout pages as those pages do not allow you to run apps. If you can't run apps, there is no way to stop the tracking codes from firing on those pages.


Theoretically, if an app can modify the theme template then it could insert JavaScript that blocks the tracking code from firing. But that still makes it impossible to prevent users from being tracked on the checkout page. 

On Shopify Plus I believe you can create a custom checkout page, where you can then ask for consent for the tracking code.



A possible solution would be to modify your theme and custom checkout page (on Shopify Plus) to verify if the user has consented to your data collection.

Whether anyone has actually done that yet, I'm guessing probably not on a large scale.


Let me know if I can help in any other way.

@aj007  @ui-gab So there is no way that I can set at least prior to consent Google Analytics code that I manually entered?

How do people in Europe handle cookies? Are they all set to necessary?

31 0 65

RE: "How do people in Europe handle cookies? Are they all set to necessary?"


Not sure I've seen any Shopify cookie consent Apps that offer 'levels' or 'categories' of tracking - e.g. like OneTrust/etc. offer 'Necessary, Functional, Marketing, Social Media, etc.' There may well be some such Apps, and if they're honest then they'd have a rather broad 'Necessary' category, that actually translates into 'Unavoidable because only Shopify has the power to not fire these tracking codes.'


I fear most Shopify merchants 'handle cookies' by installing Apps that claim to be GDPR compliant, and even get good reviews... but actually are just useless decorations offering a false sense of security.

New Member
6 0 0

Yes I understand. 

But professional firms that are working with software for dropping cookies in every possible website claim that you can at least set prior to consent 3rd party scripts like Google Analytics and Facebook pixel that you manually insert.

You basically need to edit a code in Shopify "edit code" section.

Any information about that?

Shopify Partner
210 13 55

Not necessarily, after a bit more research, I believe a lot more app developers embed code onto the website than intended. Meaning that they have installed the code via a blocking JavaScript. So there could be potentially some cookie GDPR compliant apps, if they are done properly.


If you want to determine if an app built by one of these app developers is actually GDPR compliant, you will A. have to believe them, or B. do some investigative digging on a technical level to see which one actually does everything that is compliant with GDPR. You will probably need some sort of web developer to dig into the small details of the app to see if it actually does what it is advertising.


Technical digging will probably involve: installing the app(s) until you find one that does as advertised.

Check that it:

  • during load, it blocks and prevents other cookie tracking from firing until the user has accepted the right cookie selection
  • tracks each user that has explicitly accepted the cookie vs those that have rejected it
  • and a bunch of other GDPR and now CCPA related requirements



We specialize in data analytics. If I've helped you today, please give our app a try (15-day free trial) https://apps.shopify.com/ui-ave-analytics and maybe write a good review.
Send me a message if you want a free data analysis consultation.
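
The first check in the post above (no tracking before the visitor accepts) can be run over a captured page-load log. This is an added example, not part of the original post or any app's code; the event-log format, the tracker host list, the `necessary` flag and the `shop.example` host are assumptions made for illustration.

```javascript
// Audit a page-load event log: did any tracker fire before consent was granted?
// The log format is hypothetical; build it from a browser network/cookie capture.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net"];

function isTracker(url) {
  const host = new URL(url).hostname;
  return TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Returns every tracker request or non-essential cookie seen while consent
// was missing (no choice yet) or refused. Events are replayed in time order.
function auditConsent(events) {
  let consent = null; // null = visitor has not chosen yet
  const violations = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === "consent") {
      consent = e.granted;
    } else if (consent !== true) {
      const state = consent === null ? "before-choice" : "after-reject";
      if (e.type === "request" && isTracker(e.url)) {
        violations.push({ t: e.t, page: e.page, what: e.url, state });
      } else if (e.type === "cookie" && !e.necessary) {
        violations.push({ t: e.t, page: e.page, what: "cookie " + e.name, state });
      }
    }
  }
  return violations;
}

// Constructed sample logs (times in ms since navigation; shop host is a placeholder).
const ACCEPT_SESSION = [
  { t: 120, type: "request", page: "/", url: "https://www.google-analytics.com/analytics.js" },
  { t: 130, type: "cookie", page: "/", name: "_ga", necessary: false },
  { t: 200, type: "request", page: "/", url: "https://shop.example/assets/theme.js" },
  { t: 210, type: "cookie", page: "/", name: "cart", necessary: true },
  { t: 900, type: "consent", page: "/", granted: true },
  { t: 950, type: "request", page: "/", url: "https://connect.facebook.net/en_US/fbevents.js" },
];
const REJECT_SESSION = [
  { t: 400, type: "consent", page: "/", granted: false },
  { t: 5000, type: "request", page: "/checkout", url: "https://www.google-analytics.com/collect?v=1" },
];

for (const [name, log] of [["accept", ACCEPT_SESSION], ["reject", REJECT_SESSION]]) {
  for (const v of auditConsent(log)) {
    console.log(`${name}: ${v.state} t=${v.t} ${v.page} ${v.what}`);
  }
}
```

An empty result for both an accepting and a rejecting session, with checkout pages included in the capture, is what a banner that really blocks tracking would produce.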
6 1 2

You can create one for free using Google Optimize.

3 0 1

Thank you for posting the link to the app you are using. I hope Shopify will have a solution. It must be part of the out of the box store setup. I wish you much success with your Store.


18 0 9

I'm chiming in here to keep the attention of the Shopify staff on this point. It definitely needs to be a core feature!

Shopify Partner
29 0 18

Has anyone found an app that truly integrates with the Shopify Consent Tracking API? (https://shopify.dev/docs/themes/consent-tracking-api)

I’ve not been able to find any.

EDIT: Shopify seems to have their own app https://apps.shopify.com/customer-privacy-banner and from the description it seems they do integrate with the Consent Tracking API. Gonna give this a try

The Customer Privacy Banner works with Shopify’s Customer Privacy settings, allowing you to prevent customer tracking if a customer in the EU does not agree to it.


18 0 9

I took the time to compare several third-party apps. I only found one that tracks consent and offers the ability to disable scripts. They claim to be Customer Privacy API compliant.

GDPR/CCPA + Cookie Management 

But according to Cookiebot, we are still not compliant.

What I can gather from Shopify's own app, based on the reviews, is that it still has some issues to work out. But I am very glad they are working on a native solution.

I also just discovered the Customer Privacy options under Online Store > Preferences.