All docs

Configuration

Geo-targeting your cookie banner

Show the banner only where the law requires it — EU/UK/EEA for GDPR, California for CCPA — and skip it elsewhere. Improves conversion in non-regulated regions.

Geo-targeting lets you show the banner only to visitors from regions where consent law applies, and skip it for everyone else. This is legally fine — you're meeting the obligations of each jurisdiction — and consistently improves conversion in non-regulated regions where banners just add friction.

Geo-targeting is available on the Pro and Business plans.

Where to find it

Consentico admin → SettingsGeo.

Available regions

The granularity is country-level for most regions, with US state-level for California:

  • EU/EEA — all 27 EU member states + Iceland, Liechtenstein, Norway. Banner shows; default-deny.
  • UK — separate post-Brexit, but identical compliance regime. Banner shows; default-deny.
  • Switzerland — has its own FADP law (similar to GDPR). Banner shows; default-deny.
  • California — CCPA/CPRA. Footer "Do Not Sell or Share" link shows; default-allow with opt-out.
  • Other US states — currently no specific regulation requires a banner. None shown by default; you can opt to show one.
  • Brazil — LGPD applies. Banner shows; default-deny.
  • Rest of world — no specific obligations. None shown by default.

How geo-detection works

We use a server-side IP-to-country lookup at the Shopify app proxy edge. The geo decision is made before the banner even loads, so there's no flicker — visitors in non-regulated regions never see the banner reserved-space rendering.

Fallback chain:

  1. IP geolocation (most accurate, near-zero latency at the edge).
  2. Browser locale (`navigator.language`) — only if IP lookup fails.
  3. Default region setting — only if both above fail. Set this in Settings → Geo to whatever you want unmatched visitors to be treated as.

Common configurations

"EU only"

Most common for stores doing business primarily in the US. Shows the GDPR banner only to EU/EEA/UK/Switzerland visitors; everyone else sees no banner.

Show banner: EU + EEA + UK + Switzerland
Default elsewhere: no banner

"EU + California"

For stores selling internationally. EU sees the GDPR banner; California sees a CCPA-style footer link with GPC honouring; everyone else sees nothing.

Show banner (full): EU + EEA + UK + Switzerland + Brazil
Show banner (footer): California
Default elsewhere: no banner

"Worldwide opt-in"

For brands that want to apply the strictest standard everywhere. The GDPR banner shows to everyone; every visitor opts in regardless of region. More conservative; reduces conversion in the US slightly but eliminates any geo-detection edge case.

Show banner (full): all regions

VPN / proxy considerations

IP geolocation isn't perfect. A US visitor on a UK VPN will see the GDPR banner; an EU visitor on a US VPN won't. This is fine — the legal exposure is whether you can demonstrate good-faith effort, and IP geolocation is the industry standard.

If a customer specifically tells you they're in the EU but didn't see the banner, you can manually trigger it via the customer's account: Customers → [name] → Privacy → Show banner. (Requires Pro+; only available for logged-in customers.)

Behaviour for opted-in customers travelling

Once a visitor consents, the choice is stored against their browser (localStorage) — not against geography. So if an EU visitor consents and then travels to the US, they don't re-see the banner. This matches GDPR's expectation that consent is durable.

If you want to re-prompt on geography change (e.g., for B2B legal compliance), that's a custom workflow — email support.

Conversion impact

Internal data from across our merchant base:

  • US visitors shown a GDPR-style banner: ~12% bounce rate increase, ~6% conversion drop.
  • EU visitors shown a GDPR banner with default-deny: zero conversion impact (regulatory baseline).
  • US visitors shown a CCPA footer link only: zero conversion impact.

Geo-targeting is the right answer for almost every Shopify store with a meaningful US customer base.

Compliance check

If you geo-target, your privacy policy should still mention what would happen to data of visitors from non-displayed regions. The standard language:

"We may collect cookie-based analytics data from visitors outside the EU/EEA/UK/Switzerland by default. Visitors from those regions are presented with our consent banner and tracking is disabled until consent is given."

This protects you against the edge case where someone from an unconfigured region complains. It's not a get-out-of-jail-free card for ignoring law in a covered region — but it acknowledges your geo-targeting approach explicitly.