Shopify handles checkout, payments, and orders for you, but cookie consent is still your responsibility as the merchant. If you sell to visitors in the EU, the UK, or a US state with an opt-out law, non-essential cookies and pixels have to wait for a valid choice before they fire.
The stakes are no longer theoretical. On 1 September 2025 France's CNIL fined the SHEIN group 150 million euros, in part because advertising cookies were dropped the moment a visitor landed and kept firing even after they clicked "Reject all" (CNIL, Sept 2025). On Shopify, the mechanism that prevents exactly that is the Customer Privacy API.
Two things you're actually configuring
Consent on Shopify has two layers, and confusing them is the source of most broken setups:
- The banner: the UI that asks the visitor and records their choice.
- The tracking gate: the Customer Privacy API, which stores that choice and tells Shopify's own pixels, apps, and Google Consent Mode whether they're allowed to run.
Any banner (Shopify's built-in one, an app from the App Store, or a custom CMP) has to feed its decision into the Customer Privacy API. Skip that step and the banner is cosmetic: it collects clicks but never stops a single cookie.
Shopify's built-in cookie banner
Shopify ships a native consent banner. Enable it under Settings › Customer privacy › Cookie banner, choose the regions it should show in (typically the EEA, UK, and Switzerland), and set the privacy policy link. When enabled, Shopify shows the banner, records the choice through the Customer Privacy API automatically, and gates its own first-party tracking accordingly. See Shopify's customer privacy settings docs for the current options.
For a store that only uses Shopify's native analytics plus the official Google & YouTube and Meta channels, the built-in banner is often enough to be compliant. Where it falls short: it offers coarse categories, limited styling, no per-vendor disclosure, and no exportable consent audit log. If a regulator asks you to prove who consented to what and when, you'll want more than the toggle provides.
The Customer Privacy API in practice
If you build or theme your own banner, you talk to the API directly. Load the feature, then call setTrackingConsent from your Accept and Reject handlers, and only ever in response to a real user action, never automatically on the visitor's behalf (Shopify Customer Privacy API):
```javascript
window.Shopify.loadFeatures(
  [{ name: "consent-tracking-api", version: "0.1" }],
  (error) => {
    if (error) return;
    const api = window.Shopify.customerPrivacy;

    // Read the current decision: each value is 'yes', 'no', or '' (no decision yet)
    const current = api.currentVisitorConsent();
    // { marketing: 'yes', analytics: 'no', preferences: '', sale_of_data: '' }

    // Call this from your banner's Accept / Reject buttons ONLY, never on load
    document.querySelector("#accept-all").addEventListener("click", () => {
      api.setTrackingConsent(
        { analytics: true, marketing: true, preferences: true, sale_of_data: false },
        () => console.log("Consent stored"),
      );
    });
  }
);

// React anywhere on the storefront when consent changes
document.addEventListener("visitorConsentCollected", (event) => {
  const c = event.detail;
  // { analyticsAllowed, marketingAllowed, preferencesAllowed, saleOfDataAllowed }
  if (c.analyticsAllowed) loadMyAnalytics();
});
```

The four fields map to Shopify's consent categories: analytics (storefront usage), marketing (attribution and targeted advertising), preferences (language, currency, size), and sale_of_data (sharing with third parties, the field that maps to US opt-out signals). To reopen the preferences UI later (for a "Cookie settings" link in your footer), call showPreferences().
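The snippet above only shows the Accept path. The following is an added example, not Shopify's code and not code from the original page, of a small banner controller around the same API that covers Accept, Reject and a per-category selection, records a decision only from a click, and reads the decision back through currentVisitorConsent() so a "Reject all" that did not stick is caught on the spot. The button and checkbox ids (#accept-all, #reject-all, #save-selection, #cat-*) are hypothetical, and the API object is passed in rather than read from window so the logic can be exercised against the stub at the bottom outside a storefront.

```javascript
// Added example: banner controller for the Shopify Customer Privacy API.
// `api` is window.Shopify.customerPrivacy once loadFeatures has resolved.

const CATEGORIES = ["analytics", "marketing", "preferences", "sale_of_data"];

// Translate a banner action into the setTrackingConsent payload. Every field is
// explicit and opt-in: an absent or unticked checkbox means "no", never "yes".
function consentFor(action, selection = {}) {
  switch (action) {
    case "accept-all":
      return { analytics: true, marketing: true, preferences: true, sale_of_data: true };
    case "reject-all":
      return { analytics: false, marketing: false, preferences: false, sale_of_data: false };
    case "save-selection": {
      const marketing = selection.marketing === true;
      return {
        analytics: selection.analytics === true,
        marketing,
        preferences: selection.preferences === true,
        // Design choice (assumption): sale/share of data follows the marketing
        // choice, so a US opt-out clears both with one click.
        sale_of_data: marketing,
      };
    }
    default:
      throw new Error(`unknown banner action: ${action}`);
  }
}

// currentVisitorConsent() answers 'yes' | 'no' | '' per category. Compare that
// with what we asked Shopify to store and return the categories that differ.
// A blank value counts as a mismatch: the decision was not recorded.
function consentMismatches(expected, stored) {
  const word = (allowed) => (allowed ? "yes" : "no");
  return CATEGORIES.filter((c) => stored[c] !== word(expected[c]));
}

// Record a decision and verify it. Resolves with { consent, mismatches }.
function recordDecision(api, action, selection) {
  const consent = consentFor(action, selection);
  return new Promise((resolve) => {
    api.setTrackingConsent(consent, () => {
      const mismatches = consentMismatches(consent, api.currentVisitorConsent());
      resolve({ consent, mismatches });
    });
  });
}

// Browser wiring for the hypothetical banner markup. Nothing here fires on load;
// setTrackingConsent is reachable only through a click handler.
function attachBanner(api, doc = document) {
  const bind = (id, action, pick) =>
    doc.querySelector(id)?.addEventListener("click", async () => {
      const { mismatches } = await recordDecision(api, action, pick ? pick() : undefined);
      if (mismatches.length) console.error("consent not stored for", mismatches);
    });
  bind("#accept-all", "accept-all");
  bind("#reject-all", "reject-all");
  bind("#save-selection", "save-selection", () => ({
    analytics: doc.querySelector("#cat-analytics")?.checked,
    marketing: doc.querySelector("#cat-marketing")?.checked,
    preferences: doc.querySelector("#cat-preferences")?.checked,
  }));
}

// Constructed stand-in for window.Shopify.customerPrivacy, for running the
// controller outside a storefront: stores the payload and answers in the
// API's 'yes' / 'no' / '' form.
function stubCustomerPrivacy() {
  let stored = { analytics: "", marketing: "", preferences: "", sale_of_data: "" };
  return {
    setTrackingConsent(consent, callback) {
      stored = Object.fromEntries(CATEGORIES.map((c) => [c, consent[c] ? "yes" : "no"]));
      callback();
    },
    currentVisitorConsent: () => ({ ...stored }),
  };
}
```

In the theme, call attachBanner(window.Shopify.customerPrivacy) from inside the loadFeatures callback shown above; the read-back in recordDecision is the same check the audit section of this page asks for, just automated.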
Google Consent Mode v2
Google Consent Mode v2 has been required for EEA and UK traffic that feeds Google Ads and GA4 since March 2024. On Shopify, the official Google & YouTube channel reads consent state from the Customer Privacy API and translates it into Consent Mode signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) for you, provided the API is actually receiving decisions from your banner.
If you manage tags through Google Tag Manager loaded via a Custom Pixel in Settings › Customer events, wire your GTM consent defaults and updates to the same visitorConsentCollected event so the two never disagree. When Consent Mode misbehaves, our Consent Mode v2 troubleshooting guide covers the usual culprits.
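As an added example of the wiring the previous paragraph describes (this is not Shopify's or Google's code, and not code from the original page): set every Consent Mode v2 signal to denied before any tag runs, then translate each visitorConsentCollected event into a consent update. The signal names and the gtag() definition as a push onto dataLayer are Google's documented ones; the mapping of Shopify's marketing category onto the three ad_* signals is the assumption this example makes.

```javascript
// Added example: Customer Privacy API decision -> Google Consent Mode v2.

// Before any decision every signal is denied; wait_for_update gives the banner
// time to answer before tags evaluate their consent state.
const CONSENT_MODE_DEFAULT = {
  ad_storage: "denied",
  analytics_storage: "denied",
  ad_user_data: "denied",
  ad_personalization: "denied",
};

// Map the visitorConsentCollected detail to the four v2 signals. Marketing
// drives the ad_* signals, analytics drives analytics_storage; anything that is
// not an explicit true stays denied.
function consentModeUpdate(detail) {
  const grant = (allowed) => (allowed === true ? "granted" : "denied");
  return {
    ad_storage: grant(detail.marketingAllowed),
    analytics_storage: grant(detail.analyticsAllowed),
    ad_user_data: grant(detail.marketingAllowed),
    ad_personalization: grant(detail.marketingAllowed),
  };
}

// gtag() exactly as Google defines it: push the arguments object onto dataLayer.
function makeGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(arguments);
  };
}

// Install the defaults first, then keep Consent Mode in lock-step with Shopify.
// `target` is `document` in the storefront; it is a parameter so the wiring can
// be tested without a browser.
function wireConsentMode(target, dataLayer) {
  const gtag = makeGtag(dataLayer);
  gtag("consent", "default", { ...CONSENT_MODE_DEFAULT, wait_for_update: 500 });
  target.addEventListener("visitorConsentCollected", (event) => {
    gtag("consent", "update", consentModeUpdate(event.detail));
  });
  return gtag;
}

// Storefront usage (inside the custom pixel, before the GTM container loads):
// window.dataLayer = window.dataLayer || [];
// wireConsentMode(document, window.dataLayer);
```

Because both the Google & YouTube channel and this pixel read the same event, a visitor who clicks "Reject all" produces one denied update on both sides; a tag that still fires afterwards is misconfigured in GTM, not in the banner.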
When you need a dedicated CMP
Reach for a purpose-built consent platform when you need granular per-category or per-vendor control, prior blocking of App Store apps that inject their own pixels, a styled multi-language banner, or an exportable consent record for audits. A CMP like CookieBeam renders the banner and then calls setTrackingConsent under the hood, so Shopify's native pixels and the Google & YouTube channel stay in sync automatically:
```javascript
// The CMP maps its own categories to Shopify's fields on every decision.
// window.Shopify.customerPrivacy only exists once loadFeatures has resolved;
// the optional chaining below means a decision made before that is silently
// dropped, so make sure the loader runs first.
CookieBeam.on("consent", (state) => {
  window.Shopify?.customerPrivacy?.setTrackingConsent({
    analytics: state.categories.analytics,
    marketing: state.categories.marketing,
    preferences: state.categories.functional,
    sale_of_data: state.categories.marketing, // US sale/share opt-out
  });
});
```

Install the loader in your theme's theme.liquid head so it runs before other tags. For the server-side tagging pipeline (sGTM, Meta CAPI) that sits alongside this, see our Shopify server-side tagging guide.
Three mistakes that fail a Shopify audit
- Recording consent automatically. Calling setTrackingConsent with everything set to true on page load is a manufactured consent and is exactly what the SHEIN fine punished. Only record a decision after a click.
- An App Store app that ignores the API. Many marketing apps inject pixels directly. Confirm each one respects the Customer Privacy API, or block it until consent with a CMP.
- "Reject all" that still tracks. After a reject, re-check with currentVisitorConsent() and watch the network tab: no _fbp cookie, no marketing beacons. If they still fire, the gate isn't wired up.
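The third check can be scripted. The following is an added example, not code from the original page or from Shopify, that you paste into the storefront console after clicking "Reject all": it parses document.cookie, looks each cookie up in a short table of well-known tracking cookies, and lists the ones whose category the visitor declined. The table is deliberately small and is an assumption; extend it with the cookies your own apps set. The sample cookie header at the bottom is constructed for the example.

```javascript
// Added example: post-"Reject all" cookie audit against the stored consent.

// Cookie name -> Shopify consent category. Illustrative list (assumption).
const COOKIE_RULES = [
  { pattern: /^_fbp$|^_fbc$/, category: "marketing", vendor: "Meta Pixel" },
  { pattern: /^_gcl_/, category: "marketing", vendor: "Google Ads" },
  { pattern: /^_ga$|^_ga_|^_gid$/, category: "analytics", vendor: "Google Analytics" },
];

// Cookie names from a document.cookie string ("a=1; b=2").
function cookieNames(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => part.split("=")[0]);
}

// `consent` has the currentVisitorConsent() shape: 'yes' | 'no' | '' per
// category. Only an explicit 'yes' permits a category; a blank value means no
// decision yet, and nothing may have run before one.
function auditCookies(cookieHeader, consent) {
  const violations = [];
  for (const name of cookieNames(cookieHeader)) {
    const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
    if (!rule) continue; // first-party Shopify cookies and unknown names are skipped
    if (consent[rule.category] !== "yes") {
      violations.push({ cookie: name, vendor: rule.vendor, category: rule.category });
    }
  }
  return violations;
}

// In the storefront, after "Reject all": an empty array is a pass.
function runStorefrontAudit() {
  return auditCookies(document.cookie, window.Shopify.customerPrivacy.currentVisitorConsent());
}

// Constructed sample: what document.cookie looks like when two marketing
// pixels and GA4 dropped cookies on landing, before any decision was made.
const SAMPLE_COOKIE_HEADER =
  "_shopify_y=2f1c; _fbp=fb.1.1700000000000.1234; _gcl_au=1.1.5678; _ga=GA1.1.42.1700000000; cart=abc";
```

Cookies that were set on landing stay in the jar after "Reject all" unless the responsible pixel deletes them, so a non-empty result after a fresh session plus reject is the signature of the SHEIN-style failure: tracking ran before the choice, not just after it.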
A quick setup checklist
- Decide: native banner, an app, or a CMP, but exactly one of them records consent.
- Confirm the banner calls setTrackingConsent only on user action.
- Verify the Google & YouTube channel shows Consent Mode as active.
- Test "Reject all" in an EU-geolocated session and confirm no marketing cookies are set.
- Add a persistent "Cookie settings" link that calls showPreferences().
Next, tighten the rest of your stack with the GDPR cookie compliance checklist.