BigCommerce is unusual among hosted platforms: its native cookie consent banner actually blocks scripts before consent instead of merely showing a message. That only works if you register each script in Script Manager and give it a consent category. Anything an app injects, or anything hardcoded into a theme file, slips right past the banner. So a BigCommerce store can have the banner live and still leak trackers.
The two native pieces
BigCommerce splits the job across two settings. The cookie consent banner (under Settings, in the consent tracking controls) lets shoppers opt out of categories of cookies and scripts, which is how the store lines up with GDPR and CCPA (BigCommerce consent management). The Script Manager is where each script gets its category. BigCommerce defines four (Using Script Manager):
- Essential keeps the store and its services working. Shoppers can't opt out of these.
- Analytics covers usage statistics and web analytics.
- Functional powers extras like video and live chat.
- Targeting/Advertising builds profiles and personalizes ads.
When a shopper declines a category, the banner holds every Script Manager entry in that category. That's the mechanism doing the real work.
Adding a script the compliant way
In the admin, go to Settings › Script Manager › Create a Script. Give it a name, set Location to Head or Footer, set Pages to All pages, and pick the Script category that matches what the tag does. GA4 is Analytics. A Meta or TikTok pixel is Targeting/Advertising. A chat widget is usually Functional. Save it as a script or a URL.
Get the category right and the banner does the rest: an Analytics tag stays dormant until the shopper accepts analytics, and a rejected shopper never triggers it.
The gap Script Manager can't see
Blocking only reaches scripts that live in Script Manager. Two common sources bypass it:
- App-injected scripts. A reviews app, an upsell app, or a chat app often injects its own tags through the storefront. Unless that app respects the consent signal itself, its cookies fire regardless of the banner.
- Hardcoded theme scripts. Anything pasted into a Stencil theme file, or into a Page Builder HTML widget, runs on render. The banner has no hook into it.
The fix is discipline plus verification: route every non-essential tag through Script Manager (or a single tag manager), and audit the live storefront to catch what slipped in through an app.
The apps that quietly add cookies
Most BigCommerce stores run a stack of apps, and each one is a potential source of untracked cookies. The usual suspects that need gating behind analytics or marketing consent: GA4 and Google Ads, the Meta and TikTok pixels, Klaviyo or Omnisend for email, review apps like Yotpo or Judge.me, and chat or helpdesk widgets like Gorgias. If you installed any of these from the App Marketplace, check whether the app respects the consent signal or injects its tag directly. When in doubt, treat it as untracked and route its tag through Script Manager or a tag manager where you can categorize it. The store's CCPA opt-out obligations run through the same banner: BigCommerce's consent controls let California shoppers decline targeting cookies, which is the practical form a Do Not Sell or Share request takes on a storefront.
Google Consent Mode v2
Since March 2024, Google Ads and GA4 need Consent Mode v2 signals for EEA and UK traffic. BigCommerce's native banner can pass consent, but many stores run their tags through Google Tag Manager instead. Set Consent Mode defaults to denied, then fire an update when the shopper accepts. If tags misbehave, the Consent Mode troubleshooting guide lists the usual breakpoints.
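The defaults-then-update sequence described above, as an added example (not BigCommerce's or Google's own code). The mapping from Script Manager categories to Consent Mode signals and the shape of the `accepted` object are assumptions; the `gtag('consent', ...)` calls and signal names are Consent Mode v2's.

```javascript
// Added example: Consent Mode v2 defaults and update, keyed to the four store categories.
// In a browser, dataLayer lives on window; globalThis lets the same code run in Node.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // standard shim: queue the arguments object

// Assumed mapping from non-essential categories to Consent Mode v2 signals.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  functional: ['functionality_storage'],
  targeting: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build a consent state from the categories a shopper accepted.
// `accepted` is a hypothetical shape, e.g. { analytics: true, targeting: false }.
function buildConsentState(accepted = {}) {
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    // Fail closed: anything that is not exactly `true` stays denied.
    const value = accepted[category] === true ? 'granted' : 'denied';
    for (const signal of signals) state[signal] = value;
  }
  return state;
}

// Step 1: run before any Google tag loads, so nothing fires on an unknown state.
function setConsentDefaults() {
  const defaults = { ...buildConsentState({}), wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Step 2: call from the banner's accept/save handler (the hook itself is site-specific).
function applyShopperChoice(accepted) {
  const update = buildConsentState(accepted);
  gtag('consent', 'update', update);
  return update;
}

setConsentDefaults();
applyShopperChoice({ analytics: true, targeting: false }); // constructed sample choice
```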
Getting the banner wording right
Category toggles are half of it. The banner also has to inform, and the copy is on you to set. Under GDPR and the ePrivacy Directive a shopper should see the cookie categories, what each one does, how long the cookies last, and which third parties receive the data, with a reject that's as easy to reach as accept. EU regulators have treated a prominent Accept alongside a buried or missing Reject as a dark pattern, and the CNIL fined large platforms over exactly that in 2022. BigCommerce's native banner gives shoppers the category controls, but a first-layer reject and honest category descriptions are settings you configure, not defaults you inherit. See the reject-all requirement and cookie banner dark patterns for what crosses the line.
When a CMP embed makes sense
If you want per-cookie policy sync, a stored consent record, and one gate that covers app scripts and theme scripts as well as Script Manager entries, an embedded consent platform fills the gaps the native tool leaves open. Add the loader through Script Manager itself, set to load in the Head on All pages, categorized Essential so it initializes before every other tag:
<!-- Head: load the consent script FIRST, before any tag -->
<script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>
Then mark the tags you place directly. CookieBeam holds a script until consent when you set its type to text/plain and add a data-category:
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
Test and keep the policy current
- From a fresh EU-IP private window, check Application › Cookies before interacting. Only Essential cookies should be present.
- Decline a category and confirm the matching scripts stay silent in the Network tab.
- Accept and confirm they load.
- Re-run an audit after installing any app, because apps are the most common source of untracked cookies on BigCommerce.
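One way to automate part of that audit, as an added example that is not from the original page: it scans saved storefront HTML for third-party script tags that lack the `type="text/plain"` plus `data-category` gating shown above. The store origin, the allowlist, and the `.example` hosts in the sample are constructed assumptions.

```javascript
// Added example: static audit of rendered storefront HTML for ungated third-party scripts.
// Gating convention is the one shown on this page: type="text/plain" plus data-category.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute string of one <script> tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per external script that would execute before consent.
// `allowedHosts` is the reviewer's own list of essential hosts (assumption).
function findUngatedScripts(html, storeOrigin, allowedHosts = []) {
  const storeHost = new URL(storeOrigin).hostname;
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline scripts need manual review
    let host;
    try { host = new URL(attrs.src, storeOrigin).hostname; } catch { continue; }
    const gated = (attrs.type || '').toLowerCase() === 'text/plain'
      && Boolean(attrs['data-category']);
    if (host !== storeHost && !gated && !allowedHosts.includes(host)) {
      findings.push({ host, src: attrs.src });
    }
  }
  return findings;
}

// Constructed sample page: consent loader, one gated pixel, one hardcoded app tag, one theme file.
const SAMPLE_HTML = `
<head>
<script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://widgets.reviews-app.example/embed.js"></script>
<script src="/assets/theme.js"></script>
</head>`;

const sampleFindings = findUngatedScripts(SAMPLE_HTML, 'https://store.example', ['cdn.cookiebeam.com']);
console.log(sampleFindings); // only the hardcoded reviews widget is reported
```

A static scan only sees tags present in the HTML; scripts that an app injects at runtime still have to be caught in the Network tab.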
A scanner keeps the cookie policy in sync as your app stack changes, which beats hand-editing a table every time marketing adds a tool. For a wider view, compare options in the CMP comparison and the ecommerce consent guide.