GDPR is the most-cited and most-misunderstood law in ecommerce. If you sell to anyone in the EU, UK, EEA, or Switzerland from your Shopify store — even one customer — you're in scope. This guide covers what the regulation actually requires, where Shopify's defaults fall short, and the shortest path from "I think I'm probably non-compliant" to "I'm covered."
What GDPR actually says (in plain English)
The General Data Protection Regulation (Regulation 2016/679) governs how organisations process personal data of individuals in the EU. Two practical things matter for Shopify merchants:
- You need a lawful basis for every piece of personal data you collect. For ecommerce, that's usually contract (the order itself) and legitimate interest (fraud prevention) for transactional data, and consent for marketing and tracking.
- You need real, prior, opt-in consent for non-essential cookies and trackers. This isn't actually GDPR itself — it's the ePrivacy Directive (Article 5(3)), which GDPR-aligned countries enforce together. The practical effect: a "by using this site you agree" banner is non-compliant. So is auto-checking the consent boxes.
The fines are not theoretical. The CNIL (France) fined Amazon €35M, Google €150M, and Voodoo €3M for cookie consent failures alone. Smaller stores get hit through industry watchdog complaints — NOYB has filed thousands of small-business complaints since 2022.
What Shopify gives you out of the box (and what it doesn't)
Shopify provides:
- A Customer Privacy API that lets your storefront read and update consent state.
- A built-in Privacy Policy generator under Settings → Policies.
- GDPR webhooks (`customers/data_request`, `customers/redact`, `shop/redact`) that apps must implement.
- A cookie banner toggle in newer themes (Dawn 12+) that shows a basic banner.
Shopify does not provide:
- A real consent management platform (CMP). The built-in banner doesn't block tracking scripts before consent — Google Analytics, Meta Pixel, and Klaviyo still fire on the first pageview.
- Google Consent Mode v2 integration. (As of March 2024, this is mandatory for any EU/EEA traffic running through Google Ads.)
- A consent log. If a regulator asks "prove this visitor consented on 12 March," Shopify can't show you.
- Granular per-category consent (essential / analytics / marketing). The stock banner is all-or-nothing.
This is the gap third-party CMPs fill. We built Consentico to fill it specifically for Shopify, but the requirements apply regardless of which app you use.
The four things every Shopify store needs
1. A real consent banner (with script blocking)
A banner that just records the choice without actually blocking trackers is theater. The visitor said no, then GA4 fired the pageview anyway because the GTM container had already loaded. That's a leak, and it's exactly what Article 5(3) prohibits.
A compliant banner does three things in this order, before any third-party script loads:
- Default-deny all non-essential storage (Google Consent Mode v2 signals).
- Block known tracking scripts until consent is given, by intercepting document.createElement and watching the DOM with a MutationObserver.
- Update GCM v2 signals when the visitor decides; unblock the previously blocked scripts.
If your current banner uses Shopify's built-in toggle or a copy-paste snippet that just sets a cookie, scripts are firing before consent. Audit by opening DevTools → Network → filter "google-analytics" or "facebook" — if any request goes out before you click anything, you're leaking.
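The blocking step above, as an added example that is not Consentico's, Shopify's or Google's code: a gate that queues non-consented tracker scripts per category and releases only the categories the visitor grants. The hostnames and their category mapping are illustrative; a real CMP derives them from a cookie scan.

```javascript
// Added example (not Consentico's, Shopify's or Google's code): the script-blocking
// half of a consent banner. Hostnames/categories are illustrative; a CMP derives them from a scan.
const TRACKER_CATEGORIES = {
  'www.googletagmanager.com': 'analytics',
  'www.google-analytics.com': 'analytics',
  'connect.facebook.net': 'marketing',
  'static.klaviyo.com': 'marketing',
};
const granted = new Set(); // categories the visitor has consented to (none yet)
const queued = [];         // held-back scripts: { url, category }
// Map a script URL to its consent category; null means first-party or unknown.
function trackerCategory(url) {
  let host;
  try { host = new URL(url, 'https://shop.example').hostname; } catch { return null; }
  const hit = Object.keys(TRACKER_CATEGORIES).find((h) => host === h || host.endsWith('.' + h));
  return hit ? TRACKER_CATEGORIES[hit] : null;
}
// May this script load now? Non-consented trackers are queued instead.
function gate(url) {
  const category = trackerCategory(url);
  if (category === null || granted.has(category)) return true;
  queued.push({ url, category });
  return false;
}
// Banner callback: grant categories and return the URLs now allowed to load;
// the rest stay queued, so "yes to analytics, no to marketing" is honoured.
function applyConsent(categories) {
  categories.forEach((c) => granted.add(c));
  const release = queued.filter((q) => granted.has(q.category)).map((q) => q.url);
  for (let i = queued.length - 1; i >= 0; i--) if (granted.has(queued[i].category)) queued.splice(i, 1);
  return release;
}
// Browser wiring (skipped under Node): intercept the src setter on new <script>s, and
// neutralise scripts injected via innerHTML (which bypass createElement) with an observer.
// Neither can cancel a request already in flight, so this must run before the GTM snippet.
if (typeof document !== 'undefined') {
  const create = document.createElement.bind(document);
  const srcDesc = Object.getOwnPropertyDescriptor(HTMLScriptElement.prototype, 'src');
  document.createElement = function (tag, opts) {
    const el = create(tag, opts);
    if (String(tag).toLowerCase() === 'script') Object.defineProperty(el, 'src', {
      get: () => srcDesc.get.call(el),
      set: (v) => (gate(v) ? srcDesc.set.call(el, v) : (el.dataset.src = v)),
    });
    return el;
  };
  new MutationObserver((muts) => muts.forEach((m) => m.addedNodes.forEach((n) => {
    if (n.tagName === 'SCRIPT' && n.src && !gate(n.src)) { n.type = 'text/plain'; n.dataset.src = n.src; n.removeAttribute('src'); }
  }))).observe(document.documentElement, { childList: true, subtree: true });
}
```

To release a queued URL after consent, create the element through the saved original `create` and append it; the gate now grants that category and lets it through. Scripts that set `src` via `setAttribute` bypass the property setter and are only caught by the observer.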
2. Granular consent categories
GDPR requires consent to be specific (Recital 32). One catch-all "Accept" button doesn't cut it for European regulators. The standard categories:
| Category | Examples | Default |
|---|---|---|
| Strictly necessary | Cart, checkout, language preference | Always on (no consent required) |
| Functional | Live chat, embedded videos | Off until consent |
| Analytics | GA4, Hotjar, Microsoft Clarity | Off until consent |
| Marketing | Meta Pixel, Google Ads, TikTok, Klaviyo web tracking | Off until consent |
The visitor must be able to say "yes to analytics, no to marketing" — and your banner must honour that distinction. Apps like Consentico generate the per-category disclosure automatically from a cookie scan.
3. A Data Processing Agreement (DPA) with every processor
A "processor" is anyone who handles personal data on your behalf. For a typical Shopify store that's:
- Shopify (always)
- Klaviyo / Mailchimp / Omnisend (if you do email)
- Meta / Google / TikTok (if you run ads)
- Hotjar / Microsoft Clarity (if you do session replay)
- Any review app (Yotpo, Judge.me)
- Any chat app (Gorgias, Intercom, Tidio)
You need a signed DPA with each. Most of them auto-execute when you accept their Terms of Service — but you should be able to point at the document if asked. We recommend keeping a one-line index in a Notion doc: app name → URL of the DPA. Takes 30 minutes once, saves you a panic when a customer DSARs you.
4. A way to handle Data Subject Access Requests (DSARs)
EU residents can request a copy of their data, request deletion, or object to processing. You have 30 days to respond.
Shopify handles the heavy lifting via the GDPR webhooks — when a customer fills out the deletion form, Shopify fires customers/redact to every installed app, and each app is contractually required to delete that customer's data within 30 days. So you don't need to manually orchestrate deletion across every tool.
What you do need:
- A clear contact email or form on your privacy policy ("Email privacy@yourstore.com to access or delete your data").
- A documented response process so you don't blow the 30-day deadline.
- Awareness that you're the controller — even if Shopify and your apps are processors, the customer is asking you.
The "lawful basis" question for Shopify merchants
You'll see GDPR articles obsessing over "lawful basis." Here's the merchant-friendly version:
| Activity | Lawful basis | Notes |
|---|---|---|
| Processing the order | Contract (Art. 6(1)(b)) | The customer is buying something. |
| Sending the order confirmation | Contract | Same — part of fulfilling the order. |
| Fraud screening | Legitimate interest (Art. 6(1)(f)) | You have to be able to detect chargebacks. |
| Marketing emails | Consent (Art. 6(1)(a)) | Opt-in; double opt-in is best practice in DE/AT. |
| Behavioural retargeting | Consent | Plus ePrivacy consent for the cookie itself. |
| Review requests | Soft opt-in / legitimate interest | Article 13 GDPR + national rules vary; check DE/IT separately. |
You don't need to write any of this on the storefront. You do need to mention each in your privacy policy ("Why we process your data and on what legal basis").
The privacy policy itself
GDPR Article 13 lists the things a privacy policy must say. The short version:
- Who you are (legal name, contact)
- What categories of data you collect
- Why (purposes)
- The lawful basis for each purpose
- Who you share it with (Shopify, payment processor, fulfilment, ads platforms)
- International transfers (mention Standard Contractual Clauses)
- How long you keep it (retention)
- Customer rights (access, deletion, objection, portability)
- How to exercise those rights (contact email or form)
- Right to lodge a complaint with a supervisory authority
Shopify's policy generator gives you a template that's about 70% there. Fill in the contact details, list your apps in Section 5, and you're 90% there. Have a lawyer review it once if your store is doing serious volume — the marginal cost is low and it kills any risk of accidentally promising something you don't do.
Geo-targeting: do you need to show the banner everywhere?
Strict reading of GDPR + ePrivacy: yes, to anyone in scope (EU/UK/EEA/Switzerland).
Practical reading: most merchants geo-target the banner so it only appears for EU/UK visitors, and US visitors see no banner. This is legally fine — you're showing the banner to the people whose laws require it. It's also good for conversion: US customers are roughly 2× less likely to convert when shown a cookie banner (industry studies vary; the effect is real).
If you take this approach:
- Use a server-side geo-IP lookup (don't trust the browser locale).
- Show the banner in EU, UK, EEA member states, Switzerland, plus optionally California for CCPA (but CCPA needs a different banner format — usually a footer link, not a popup).
- For everyone else, set GCM v2 to granted by default if you have a CCPA opt-out link visible. You're still on the hook for CPRA opt-out signals if you sell or share Californian data.
Consentico's geo-targeting does this automatically — pick "EU only" in onboarding and the banner only shows in the right places.
The Google Consent Mode v2 layer
If you run Google Ads or use GA4, GCM v2 is mandatory for EU/EEA traffic as of March 2024. Without it, your remarketing audiences shrink (existing cookies expire and aren't replaced) and your modeled conversions stop arriving.
GCM v2 adds two new signals on top of v1: ad_user_data and ad_personalization. The compliant pattern is:
- Set all GCM signals (except `security_storage`) to denied before any tag loads.
- Block tracking scripts until consent.
- Call `gtag('consent', 'update', { ... })` when the visitor decides.
We covered the full implementation in Google Consent Mode v2 for Shopify. If you're using Consentico this is wired up the moment you enable the app embed.
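The default and update calls from the pattern above, as an added example that is not Google's or Consentico's code: the seven GCM signals are derived from the banner's categories, with `security_storage` always granted. The grouping of signals under functional/analytics/marketing is this example's choice; Google defines the signal names, not the grouping.

```javascript
// Added example (not Google's or Consentico's code): deriving GCM v2 default and update
// states from the banner's categories. The category-to-signal mapping is this example's
// choice; Google defines the signal names, not the grouping.
const GCM_SIGNALS = {
  functional: ['functionality_storage', 'personalization_storage'],
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'], // last two are new in v2
};
const ALWAYS_GRANTED = ['security_storage']; // fraud/security: no consent needed

// Default state, to be sent before any tag loads: everything denied except security_storage.
function defaultConsent() {
  const state = {};
  for (const sig of Object.values(GCM_SIGNALS).flat()) state[sig] = 'denied';
  for (const sig of ALWAYS_GRANTED) state[sig] = 'granted';
  return state;
}

// State after the visitor decides: grant only the signals behind ticked categories;
// unknown category names are ignored rather than granting anything.
function updateConsent(grantedCategories) {
  const state = defaultConsent();
  for (const cat of grantedCategories) for (const sig of GCM_SIGNALS[cat] || []) state[sig] = 'granted';
  return state;
}

// Same shim the gtag snippet installs: commands are queued on dataLayer for GTM/gtag.js.
const dataLayer = typeof window !== 'undefined' ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(arguments); }

// 1. Before any tag: default-deny, and let tags wait briefly (ms) for a stored choice.
gtag('consent', 'default', { ...defaultConsent(), wait_for_update: 500 });

// 2. Banner callback, e.g. onBannerDecision(['analytics']) for "analytics yes, marketing no".
function onBannerDecision(categories) {
  const state = updateConsent(categories);
  gtag('consent', 'update', state);
  return state;
}
```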
A pragmatic compliance checklist
If you have 30 minutes and want to ship something defensible today:
- Install a real CMP (Consentico, CookieYes, or Cookiebot — not the Shopify default toggle).
- Run a cookie scan to catalogue every script and cookie your store actually uses.
- Verify the banner blocks tracking scripts before consent (DevTools network tab).
- Verify Google Consent Mode v2 is firing (use the Tag Assistant Chrome extension).
- Update your privacy policy to list every app/processor and the lawful basis for each purpose.
- Add a privacy contact email (`privacy@yourstore.com`).
- Document your DSAR response process in a one-page Notion doc.
- Make sure your "marketing emails" consent is opt-in (no pre-checked boxes at checkout).
- If running paid ads to the EU, confirm GCM v2 signals are being received in the Google Ads "Diagnostics" tab.
What about Shopify Plus?
Same rules, bigger scope. Plus stores typically have:
- Multiple storefronts in different countries → banner needs to localise per-locale.
- Hydrogen / headless setups → CMP needs an SDK rather than a Liquid drop-in.
- B2B side → consent applies differently (B2B contacts have legitimate-interest cover for some marketing).
Consentico Business covers all three. For Hydrogen specifically the integration is a small JS package rather than the theme app extension.
Summary
GDPR for Shopify merchants is genuinely manageable if you do the four things:
- Real CMP with script blocking and granular consent.
- DPAs with every processor (most auto-execute, just keep an index).
- A clear DSAR response path documented and findable.
- A privacy policy that lists what you actually do (not a generic template).
The combination of Shopify's GDPR webhooks (which auto-redact customer data) and a proper CMP gets you to ~95% compliance for the cost of a $7.99/mo app. The remaining 5% is process — a Notion doc and a 30-minute audit each quarter.
If you'd like Consentico to handle the cookie/banner/CMP side: install on Shopify and run a free scan — it'll flag any unblocked trackers and generate the per-cookie disclosure your privacy policy needs.