Shopify does not make your store GDPR compliant on its own. You are the data controller. You must add a consent banner that blocks trackers until visitors opt in, publish compliant policies, and handle data requests yourself.
This guide covers eight steps: confirming GDPR applies, auditing your data, signing DPAs, and blocking trackers. It also covers wiring Consent Mode, publishing policies, handling data requests, and keeping records.
Is Your Shopify Store GDPR Compliant by Default?
No. Shopify provides tools and a Data Processing Addendum, but it does not guarantee compliance on its own. Shopify states this directly:
Using services offered by Shopify alone doesn't guarantee that you comply with GDPR.
You are generally the controller of your customers' data, so you choose how it is handled. You configure consent, policies, and data-rights handling yourself.
Shopify ships a native cookie banner through Settings > Customer Privacy, plus a Customer Privacy API that apps can use to check consent before firing. But that native banner "governs Shopify-specific tools, including cookies and Shopify Pixels". Any third-party app, script, or pixel you install yourself falls outside its scope. Shopify says so directly: if you manually installed third-party cookies or pixels, you may need a third-party banner. Custom logic may also be needed to make sure they honor consent.
That gap, everything Shopify does not cover automatically, is what the rest of this guide closes. For the full breakdown of what Shopify's native tools do and do not cover, see is Shopify GDPR compliant on its own.
What You Need Before You Start
Most merchants skip the one step that matters most: listing every app and marketing pixel installed on the store. Each one can drop its own cookies outside Shopify's native coverage.
Roles: The store owner or admin, working from the Shopify admin dashboard. No developer is required for the script-based route.
Time: About 1 to 2 hours for initial setup, assuming you know your company details and can access your admin. Most of that time goes to the audit step, not configuration.
Inputs:
- Shopify admin access with permission to edit theme code or install apps
- A list of every app, marketing pixel, and analytics tool currently installed
- Your company's legal name, contact details, and business address for policy generation
Tools: A consent management app or cookie-consent tool that blocks trackers before consent, plus your tag manager if you run one.
Step 1: Confirm GDPR Applies to Your Store
GDPR applies if you offer goods or services to visitors in the EU, EEA, or UK. It also applies if you monitor their behavior, regardless of where your business is registered. GDPR's extraterritorial reach means U.S. and other non-EU businesses are not exempt. If your company processes EU residents' personal data, your organization is subject to GDPR.
Three triggers mean GDPR applies to you.
- You ship products or sell to customers located in the EU, EEA, or UK
- Your marketing or analytics tools track visitors from those regions
- You have any EU or UK-based customers in your database, even a handful
GDPR itself rests on seven principles. These are lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every step below satisfies one or more of these.
Step 2: Map the Customer Data and Trackers Your Store Collects
You cannot get valid consent for trackers you have not found. This step starts with a full inventory of every app, script, and cookie on your store. Shopify's checkout collects name, address, email, and payment data by default, and every marketing app or embedded widget you add collects more on top.
To map your store:
- List every app installed from the Shopify App Store, including ones added by a past developer or agency
- List every marketing pixel and tag: Meta Pixel, Google Analytics, Google Ads, TikTok Pixel, and any others
- Identify every cookie, script, and iframe running on your storefront and checkout pages
- Flag which cookies are strictly necessary (checkout, cart, session) versus everything else
App and pixel overload is the most common hidden compliance gap. Merchants who skip this step end up with trackers firing that no one remembered installing.
A scan tool that automatically detects cookies, trackers, scripts, and iframes replaces this manual spreadsheet audit. Consently runs a full-site scan on setup, then re-scans weekly. It also lets you manually add funnel or landing-page URLs that are not linked from your sitemap, so nothing sits outside the audit.
For the complete audit method, including how to categorize what you find, see how to run a cookie audit.
Step 3: Sign and Verify Data Processing Agreements
A Data Processing Agreement documents that your processor follows your instructions and protects data under GDPR terms. A processor is a company handling personal data on your behalf. Start with Shopify's own DPA. It covers how Shopify processes your customer data as your processor, or, for certain Enhanced Services, as an independent controller under Appendix E.
Then get a DPA from every other vendor that touches personal data on your store.
- Analytics tools (Google Analytics, Hotjar, and similar)
- Email marketing platforms
- Advertising pixels and retargeting tools
- Any app with access to customer records
If you add a consent management tool, it should provide its own DPA. That DPA should cover its hosting region and subprocessor list. Consently's DPA is available on request from support and documents its EU (Frankfurt) hosting and subprocessors. No compliance tool signs your other vendors' DPAs for you. You still need to request and file one from each app you install.
Step 4: Add a Consent Banner That Blocks Trackers Before They Fire
Valid GDPR consent must be opt-in, with no pre-ticked boxes. Non-essential cookies, scripts, and pixels must not load until the visitor actively accepts. A banner that only displays a notice, without blocking anything, does not meet this bar.
Shopify's native cookie banner is a real starting point. By default it activates for EU and UK visitors and stays off for US and other unregulated regions. GDPR needs opt-in consent, while most US state laws work on opt-out instead. But its scope stops at Shopify-owned tools and Shopify Pixels. Any third-party script you installed yourself needs its own blocking mechanism. That is why most Shopify stores add a dedicated consent banner on top of the native one.
To set up a blocking banner:
- Choose a GDPR opt-in template with automatic geotargeting, so EU and UK visitors see an accept-or-reject choice
- Install the banner script at the very top of
theme.liquid, inside the<head>tag, above every other tracking tag - Categorize checkout, cart, and session cookies as Essential so orders keep working while everything else waits for consent
- Confirm non-essential cookies, scripts, and iframes are blocked until the visitor clicks accept
- Add a way for visitors to reopen their choice and change it later
Consently installs through that same single script in theme.liquid. It applies the GDPR opt-in template with automatic geotargeting, and blocks non-essential cookies, scripts, and iframes before consent by default. It also ships a floating revisit button so visitors can withdraw consent at any point. That closes a real gap: Shopify's native banner has no easy way to reopen a visitor's earlier choice.
If you have never added a cookie banner to your store before, this walkthrough covers the general setup first. For the mechanics of blocking specifically, see how to block cookies before consent. Consently's Shopify solution walks through the theme.liquid steps end to end (linked in the closing section below).
Done: Your banner shows an opt-in choice to EU and UK visitors and blocks non-essential cookies until accepted. Checkout cookies keep working, and visitors can change their choice later.
Step 5: Connect Consent to Google Consent Mode, Your Pixels, and GTM
Pixels declared through Shopify's Customer Events are gated by the Customer Privacy API automatically. Pixels fired through Google Tag Manager are not gated unless you wire consent signals into GTM yourself. This is the mechanic most merchants get wrong: installing a banner without connecting it to how their tags actually fire.
If your analytics numbers dropped sharply right after adding a banner, that is expected, not broken. Tracking correctly waits for consent now, so visitors who reject non-essential cookies stop generating analytics events. Google Consent Mode v2 recovers a meaningful share of that gap through modeled conversions, using aggregated signals instead of individual identifiers.
To wire consent into your tracking stack:
- Confirm whether each pixel fires through Shopify's Customer Events or through GTM
- For Customer Events pixels, confirm they check
analyticsProcessingAllowed()ormarketingAllowed()before firing - For GTM-fired tags, sequence your consent tool to fire and register
setTrackingConsent()before any tracking tags load - Enable Google Consent Mode v2 so it updates the four consent signals:
ad_storage,analytics_storage,ad_user_data, andad_personalization
Consently sets Google Consent Mode v2 by default, updating all four signals without manual gtag('consent') code. Its script loads before your trackers in theme.liquid. Where you use GTM, you sequence Consently to fire first so every downstream tag inherits the correct consent state.
To set up consent specifically for Google Analytics, see how to get consent for Google Analytics.
Done: Every pixel and tag, whether fired through Customer Events or GTM, respects the visitor's consent choice. Consent Mode v2 passes signals for both accepted and rejected visitors.
Step 6: Publish a Privacy Policy and a Cookie Policy
Your privacy policy must state what data you collect, why, its legal basis, retention period, and visitor rights. Your cookie policy must list every cookie category and the third parties behind them. Shopify's built-in policy generator produces a starting template, but it is not a finished GDPR policy. It does not know which third-party apps or pixels you have added.
To publish compliant policies:
- Generate a privacy policy covering data collected, purpose, legal basis, retention period, and visitor rights (access, correction, deletion, portability)
- Disclose that Shopify hosts your data and shares it with certain third parties for services like fraud prevention and analytics
- Generate a cookie policy listing every cookie category your banner uses and the third-party vendors behind each one
- Link both policies from your footer and from inside the consent banner itself
Consently generates cookie, privacy, and terms and conditions policies from guided questions. It embeds them directly on your store and outputs them in 10 or more languages. You can also link existing policy URLs you already have inside the banner settings, instead of replacing them.
For the e-commerce-specific detail this policy needs, see an ecommerce privacy policy. For the general method, see how to create a privacy policy.
Done: Your privacy policy and cookie policy are published, linked from the footer and the banner. They cover every app and pixel you found in Step 2.
Step 7: Handle Data Subject Requests With Shopify's Native Tools
Shopify's own admin tools, not a cookie-consent app, are how you fulfill a data subject's request to access, export, or delete their data. From Settings > Customer Privacy, you can access, export, and erase a customer's stored data directly.
Any app you install must also honor three mandatory Shopify compliance webhooks.
customers/data_request: a request to view stored customer data. You must respond within 30 days.customers/redact: a request to delete customer data. Complete it within 30 days, unless the customer ordered in the past six months. In that case, hold the deletion and send it 10 days after that window closes.shop/redact: a request to delete shop data, sent automatically 48 hours after a store owner uninstalls your app.
Every app must respond to these webhooks with a 200-series status code to confirm receipt.
To respond to a request in practice:
- Verify the requester's identity through their Shopify customer account or order history
- Use Settings > Customer Privacy to pull, export, or erase their record
- Confirm any connected apps have redacted their copies of that customer's data
- Reply to the requester within the one-month GDPR deadline
A cookie-consent tool has no role here. Consently, and every CMP like it, stops at consent collection and blocking. It does not fulfill data subject access or erasure requests, because that data lives in Shopify's own customer records, not in a consent log.
For the full request-handling procedure, see how to respond to a data subject request.
Done: You can locate, export, and erase any customer's data from Shopify's admin within the deadline. Every installed app confirms it honors the redact webhooks.
Step 8: Keep Consent Records and Re-Scan on a Schedule
GDPR compliance is not a one-time setup. It is a habit, because every new app or theme change can quietly add cookies that were never covered under your original consent banner. Keep a record of who consented, when, and to what, as your audit proof.
To stay compliant over time:
- Keep a timestamped consent log recording each visitor's choice, their approximate region, and their consent status
- Export that log periodically so you have an offline audit trail
- Re-scan your store any time you add a new app, pixel, or theme change
- Review your policies at least annually, or whenever your data practices change
Consently keeps consent logs with timestamp, country, and status for every visitor, with CSV export for audit purposes. It also runs a scheduled scan every week, so a newly installed app's cookies get caught automatically instead of sitting undetected for months.
This ongoing maintenance is part of the wider job of complying with cookie laws across every tool in your stack, not just Shopify.
Done: You have a running consent log with export capability, and a recurring scan catches new trackers before they become a gap.
Common Shopify GDPR Mistakes to Avoid
The single most damaging mistake is letting pixels fire before a visitor consents. That is a GDPR breach even if your banner looks compliant on the surface.
- Relying on the native banner alone. Shopify's built-in banner only governs Shopify-owned tools and Shopify Pixels, so third-party pixels and scripts still fire unblocked. The remedy: verify what your banner actually blocks, and add a consent tool that covers every script.
- Leaving GTM-fired pixels ungated. Pixels declared through Customer Events get gated automatically, but pixels fired through Google Tag Manager do not. The remedy: sequence your consent tool to fire before any GTM tag, or move the pixel into Customer Events.
- Skipping the app and pixel audit. Every unaudited app can add a new tracker with no consent gate on it. The remedy: inventory every installed app and pixel before you configure a single banner setting.
- Panicking at the analytics drop and disabling consent. A visible drop in sessions after adding a banner is expected, not a bug. Non-consenting visitors stop generating tracking events. The remedy: keep consent gating in place and use Consent Mode v2's modeled conversions to recover reporting accuracy.
- Treating compliance as one-time. New apps and theme edits add cookies no one remembers to re-check. The remedy: schedule recurring scans and keep a running consent log as ongoing proof.
FAQs
Is Shopify GDPR compliant out of the box?
No. Shopify states plainly that using its services alone does not guarantee GDPR compliance. You are the data controller, so you configure consent, policies, and data-request handling yourself, using Shopify's tools plus your own additions.
Does GDPR apply to my Shopify store if I am based in the US?
Yes, if you offer goods or services to, or track the behavior of, visitors in the EU, EEA, or UK. GDPR's extraterritorial reach applies regardless of where your business is registered.
Is Shopify's built-in cookie banner enough for GDPR?
It covers Shopify-owned tools and Shopify Pixels only. Any third-party app, script, or pixel you installed yourself falls outside its scope, so most stores add a dedicated consent tool to cover the rest.
Do I need a cookie consent app for my Shopify store?
Not strictly, if every tracker on your store runs through Shopify's own Customer Events. In practice, most stores run at least one third-party pixel. A tool that blocks and logs consent for everything is more reliable than the native banner alone.
Who is the data controller, Shopify or me?
You are. Shopify is generally your data processor, following your instructions on how customer data is handled. The exception is certain Enhanced Services, where Shopify acts as an independent controller under Appendix E of its DPA.
Why did my analytics drop after I added a cookie banner?
Consent gates tracking, so visitors who reject non-essential cookies stop generating analytics events. This is expected behavior, not a malfunction. Google Consent Mode v2 recovers a meaningful share of that reporting gap through modeled conversions.
Do my Shopify apps and pixels need consent too?
Yes. Any app or pixel must respect the visitor's consent choice through Shopify's Customer Privacy API. This applies whether it fires through Customer Events or through Google Tag Manager.
How much does it cost to make a Shopify store GDPR compliant?
Shopify's native tools are free. A dedicated consent app ranges from free to a paid plan, depending on features and domain count. The real cost for most stores is setup time: expect 1 to 2 hours for the initial audit and configuration.
Getting a Shopify store GDPR compliant comes down to one script that does the job every step above requires. It blocks trackers before consent, scans for new cookies, signals Google Consent Mode v2, and generates your policies. Consently installs in one script inside theme.liquid and covers Steps 2 through 6 of this guide out of the box. See how it works on Shopify, or start your 14-day free trial, no credit card required.

