Shopify GDPR cookie consent 2026: complete guide to Consent Mode v2, TCF v2.3, and the best CMP apps


If you sell to a single customer in the EU, the UK, California, Switzerland, Brazil, or about a dozen other regions, your Shopify store needs proper cookie consent. Not the half-baked banner Shopify ships by default, not a hacked-together div pasted into theme.liquid, but a real Consent Management Platform (CMP) that handles GDPR, CCPA, LGPD, IAB TCF v2.3, Google Consent Mode v2, and Microsoft UET. This guide covers every working part: what the law actually requires in 2026, what Shopify’s native tools do and don’t cover, real fines that landed on real ecommerce companies, and the two CMP apps we’d actually install on a fresh store.

TL;DR

  • Shopify ships a Customer Privacy API and a basic native cookie banner under Settings → Customer privacy. The API auto-applies consent to Shopify-managed pixels, checkout, and audiences. It does not block arbitrary third-party scripts pasted into your theme.
  • The native banner is not on the IAB TCF vendor list. If you run Google Ads to EU users (which requires a Google-certified CMP under Google’s EU User Consent Policy), the native banner alone won’t cut it.
  • Google Consent Mode v2 has been mandatory for advertisers using personalization or remarketing in the EEA, UK, and Switzerland since March 6, 2024. Without it, you lose remarketing audiences and personalized ad measurement for European users.
  • IAB TCF v2.3 released April 2025, mandatory adoption by February 28, 2026. CMPs and vendors that haven’t migrated lose certification.
  • Two Shopify CMP apps actually deliver full compliance: Pandectes GDPR Compliance (5.0 / 2,818+ reviews, Built for Shopify, Google + Microsoft + IAB certified) and Consentmo GDPR Compliance (5.0 / 1,799+ reviews, Built for Shopify). Both have free tiers and 7-day trials on paid plans.
  • The CNIL has fined ecommerce companies tens of millions of euros for cookie consent violations. Criteo: €40M (June 2023). Yahoo: €10M (December 2023). The “no equivalent reject button” ruling against Google and Facebook (€150M + €60M, January 2022) is the foundational case every cookie banner is now designed against.


Why Shopify GDPR is in scope in 2026

Three things changed between 2022 and early 2026 that pulled GDPR cookie consent from “nice to have” into “install before you launch”:

  • March 6, 2024. Google’s enforcement deadline for Consent Mode v2 in the EEA, UK, and Switzerland. Advertisers without v2 signals lose access to remarketing audiences and personalized ad measurement for European users. Source: Google Ads Help, About Consent Mode.
  • April 2025 → February 28, 2026. IAB Europe released TCF v2.3 in April 2025 with a hard adoption deadline of February 28, 2026. CMPs and vendors that haven’t migrated lose IAB certification. Source: IAB Europe TCF documentation.
  • 2023 fining cycle. The CNIL alone issued more than €100M in cookie-specific fines across 2022 and 2023, with the focus shifting from Big Tech to ad-tech and large publishers. The pattern is clear: cookie consent UX, not just data processing, is now an enforcement priority.

If your Shopify store currently shows a cookie banner that has only an “Accept” button (no equally prominent “Reject”), or if it loads Meta Pixel and Google Analytics before the customer makes a choice, you are not GDPR compliant. That is the most common failure mode we see when auditing partner stores, and the one regulators are most consistent about flagging.

Real GDPR cookie fines (CNIL, Italian Garante, Austrian DPA)

Cookie consent fines are not theoretical. Every case below is a published regulator decision against an ecommerce or advertising company. Pick the one closest to your situation and read the full deliberation.

| Year | Regulator | Company | Fine | Specific violation |
|---|---|---|---|---|
| 2022 Jan | CNIL (France) | Google | €150M | No equivalent “reject all” button. The foundational cookie banner UX ruling. |
| 2022 Jan | CNIL (France) | Facebook (Meta) | €60M | Same violation. Set the design standard for every CMP since. |
| 2022 Jun | Italian Garante | Caffeina Media | Warning + cease order | Standard Google Analytics use violated GDPR (US data transfer issue). |
| 2023 Jun | CNIL (France) | Criteo | €40M | Tracking without valid consent across publisher network. |
| 2023 Dec | CNIL (France) | Yahoo | €10M | Cookies deposited on yahoo.com without consent. Reject harder than accept. |
| 2021 Dec | Austrian DPA | NetDoktor | Order to stop | First decision finding standard Google Analytics illegal under GDPR. |

For Shopify merchants the most relevant pattern is the Italian Garante and Austrian DPA decisions: those weren’t Big Tech, they were regular publishers using Google Analytics in the standard way every Shopify store does. The fix in both cases came down to consent UX and proper script gating, not abandoning analytics. Get the consent layer right and you avoid the entire category of risk.

The frameworks: GDPR, CCPA, LGPD, TCF v2.3, Consent Mode v2, Microsoft UET

Six things to understand before picking a CMP. They are nested, not separate. A real CMP handles all six in one banner.

GDPR (EU and UK)

The General Data Protection Regulation. Article 7 sets the consent bar: freely given, specific, informed, unambiguous, and withdrawable. The practical translation in 2026: equally prominent Accept and Reject buttons, no pre-ticked checkboxes, granular per-category control, and the ability to withdraw consent at any time without burying the option three menus deep. The UK’s UK-GDPR is functionally identical post-Brexit. Switzerland’s FADP follows the same pattern.

CCPA / CPRA (California) and the rest of the US patchwork

The California Consumer Privacy Act (now amended by CPRA) is opt-out, not opt-in: the customer is presumed to allow data processing unless they explicitly say no. The practical artifact is a “Do Not Sell or Share My Personal Information” link in the footer plus a CCPA banner in California-detected sessions. Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), Utah (UCPA), and a growing list of states have passed similar opt-out laws. Shopify exposes Shopify.customerPrivacy.saleOfDataRegion() and a server-side dataSaleOptOut mutation specifically for this flow.

LGPD (Brazil)

Lei Geral de Proteção de Dados. Functionally similar to GDPR but with a Brazilian regulator (ANPD) and Portuguese-language consent text requirements. Both Pandectes and Consentmo handle LGPD as a separate region with localized banner copy.

IAB TCF v2.3 (Transparency and Consent Framework)

The IAB Europe Transparency and Consent Framework is the standardized signal layer that lets ad-tech vendors pass consent state down the programmatic ad chain via a “TC String”. Not optional if you serve programmatic ads to EU users. Google’s EU User Consent Policy requires a Google-certified CMP that supports TCF for Authorized Buyers programs.

Version history matters here. v2.2 was the active version through most of 2024 (mandatory after November 2023). v2.3 was published April 2025, with a mandatory adoption deadline of February 28, 2026. Both Pandectes and Consentmo are TCF v2.3 certified, though each gates v2.3 to its Enterprise tier ($49/mo).

Google Consent Mode v2

Google’s mechanism for receiving consent state from your CMP and adjusting tag behavior accordingly. Two new signals were added in v2 vs v1:

  • ad_user_data: whether user data can be sent to Google for advertising purposes.
  • ad_personalization: whether the data can be used for personalized advertising and remarketing.

v1 already had ad_storage and analytics_storage. With consent denied under v2, Google tags still fire cookieless pings, which Google then uses for conversion modeling and behavioral modeling so reporting in Google Ads and GA4 is not entirely empty. Without v2 implemented, you lose this modeled measurement entirely for EEA users.

There are two implementation modes:

  • Basic mode: Google tags are blocked entirely until consent is granted. No pings on denial. Stricter privacy posture, weaker reporting because Google has nothing to model from.
  • Advanced mode: Google tags load on every page and send cookieless pings even when consent is denied. Google can then model conversions from the ping volume. More accurate reporting, slightly less privacy-strict.

Both Pandectes and Consentmo expose Consent Mode v2 from their $9/month tier. Source: Google Tag Platform, Consent Mode.
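To make the two-step flow concrete, here is an added example (not code from the article, Google, Pandectes or Consentmo) of how a CMP turns a visitor's decision into the four Consent Mode v2 signals and hands them to the Google tag through the standard dataLayer/gtag shim. It assumes the input has the shape the Customer Privacy API's visitorConsentCollected payload uses ({ marketingAllowed, analyticsAllowed, ... }); the region list in the walk-through is a constructed sample, not a complete list of opt-in markets.

```javascript
// All four signals denied: the state every opt-in-region session starts in.
const DENIED_ALL = {
  ad_storage: 'denied',
  ad_user_data: 'denied',        // new in v2
  ad_personalization: 'denied',  // new in v2
  analytics_storage: 'denied',
};

// Marketing consent drives the three ad_* signals; analytics consent drives
// analytics_storage. Anything other than an explicit true stays denied.
function toConsentModeSignals(consent) {
  const ads = consent.marketingAllowed === true ? 'granted' : 'denied';
  const analytics = consent.analyticsAllowed === true ? 'granted' : 'denied';
  return { ad_storage: ads, ad_user_data: ads, ad_personalization: ads, analytics_storage: analytics };
}

// The standard gtag shim: each call is queued on the dataLayer as an
// arguments object for the Google tag to consume when it loads.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Step 1, before the Google tag script loads: default everything to denied.
// wait_for_update (ms) tells the tag to hold fire while the CMP delivers a
// stored decision; region (ISO 3166-2 codes) limits the default to the
// markets where opt-in is required. Omit region to apply it everywhere.
function setConsentDefaults(gtag, regions) {
  const defaults = { ...DENIED_ALL, wait_for_update: 500 };
  if (Array.isArray(regions) && regions.length > 0) defaults.region = regions;
  gtag('consent', 'default', defaults);
  return defaults;
}

// Step 2, whenever the banner records a decision (and on every later page
// view, replayed from the stored decision): send the update.
function applyConsentDecision(gtag, consent) {
  const signals = toConsentModeSignals(consent);
  gtag('consent', 'update', signals);
  return signals;
}

// Basic vs Advanced mode. Basic: the Google tag script is not loaded at all
// until some storage purpose is granted, so no cookieless pings leave the page
// on denial. Advanced: the tag always loads and sends cookieless pings that
// Google uses for conversion modelling.
function shouldLoadGoogleTag(mode, signals) {
  if (mode === 'advanced') return true;
  if (mode === 'basic') return Object.values(signals).includes('granted');
  throw new Error('mode must be "basic" or "advanced"');
}

// Constructed walk-through: a visitor in an opt-in region accepts analytics
// but rejects marketing. The region list is a sample only.
function demo() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  setConsentDefaults(gtag, ['DE', 'FR', 'IE', 'GB', 'CH']);
  const signals = applyConsentDecision(gtag, { marketingAllowed: false, analyticsAllowed: true });
  return {
    dataLayer,
    signals,
    loadInBasic: shouldLoadGoogleTag('basic', signals),
    loadInAdvanced: shouldLoadGoogleTag('advanced', signals),
  };
}
```

The ordering is the part that bites in practice: the `consent default` call has to be queued before the gtag.js `<script>` tag is parsed, which is exactly why a gtag.js snippet pasted at the top of theme.liquid ahead of the CMP cannot be brought under control after the fact.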

Microsoft Consent Mode (UET)

Microsoft launched its equivalent in 2024 for the Microsoft Advertising / Bing ecosystem. The Universal Event Tracking (UET) tag accepts an ad_storage consent parameter and adjusts behavior similarly to Google’s setup: cookieless pings on denial, full tracking on grant. Both Pandectes and Consentmo support Microsoft UET Consent Mode at the same tier as Google’s.

What Shopify ships natively (Customer Privacy API, native banner)

Shopify expanded its native privacy tooling significantly in 2024. The full surface lives at Settings → Customer privacy and includes a privacy policy generator, a cookie banner, a sale-of-data opt-out page for US states, and customer data request handling. The browser-side primitive is the Customer Privacy API, exposed as window.Shopify.customerPrivacy.

The methods you actually call as a developer:

  • Shopify.customerPrivacy.userCanBeTracked(): legacy boolean check.
  • Shopify.customerPrivacy.analyticsProcessingAllowed(): granular, replaces the legacy method for new code.
  • Shopify.customerPrivacy.marketingAllowed(): granular.
  • Shopify.customerPrivacy.preferencesProcessingAllowed(): granular.
  • Shopify.customerPrivacy.saleOfDataAllowed(): for CCPA-style opt-out flows.
  • Shopify.customerPrivacy.setTrackingConsent({ analytics, marketing, preferences }, callback): the write method your CMP calls.
  • Shopify.customerPrivacy.currentVisitorConsent(): returns the full state object with values '', 'yes', 'no' per purpose.
  • Shopify.customerPrivacy.shouldShowBanner(): region-aware, replaces legacy shouldShowGDPRBanner().
  • Shopify.customerPrivacy.getRegion(): returns ISO 3166-2 string ("USCA", "GBENG", "IEL").
  • Shopify.customerPrivacy.consentId(): the per-visitor consent record ID for audit logs.

The single document event you can listen to is visitorConsentCollected. The payload is { marketingAllowed, saleOfDataAllowed, analyticsAllowed, preferencesAllowed } and it fires only on change, not on listener attach.

For Hydrogen and headless storefronts, Shopify ships a useCustomerPrivacy hook that wires the same Customer Privacy API into a React component tree.
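The read/write/listen plumbing above is easy to get subtly wrong (two different payload shapes, an event that never fires on attach), so here is an added example (not code from the article or from Shopify) of wiring a banner to the methods listed. It assumes setTrackingConsent takes booleans for the four purposes the article names (analytics, marketing, preferences, sale_of_data) and that the visitorConsentCollected event carries its payload in event.detail. The makeFakeCustomerPrivacy() test double at the bottom is constructed so the block runs offline; in a theme you would pass window.Shopify.customerPrivacy and document instead.

```javascript
const PURPOSES = ['analytics', 'marketing', 'preferences', 'sale_of_data'];

// The event payload uses camelCase *Allowed booleans; currentVisitorConsent()
// uses '', 'yes', 'no' per purpose. Normalize both to booleans, treating an
// undecided '' as no consent.
const EVENT_KEYS = {
  analytics: 'analyticsAllowed',
  marketing: 'marketingAllowed',
  preferences: 'preferencesAllowed',
  sale_of_data: 'saleOfDataAllowed',
};
function normalizeConsent(state) {
  const out = {};
  for (const p of PURPOSES) {
    const v = state[EVENT_KEYS[p]] !== undefined ? state[EVENT_KEYS[p]] : state[p];
    out[p] = v === true || v === 'yes';
  }
  return out;
}

// Region-aware banner choice, driven by Shopify's own detection: CCPA-style
// regions get an opt-out link, GDPR-style regions an opt-in banner, everywhere
// else nothing.
function chooseBannerMode(cp) {
  if (cp.saleOfDataRegion()) return 'opt-out';
  if (cp.shouldShowBanner()) return 'opt-in';
  return 'none';
}

// Persist the banner's choice. A "Reject all" click still writes explicit
// false values so the decision is stored and the banner stays hidden on the
// next page view. sale_of_data keeps opt-out semantics: allowed unless the
// visitor refused it. With the real API the callback arrives asynchronously.
function recordDecision(cp, choice, onDone) {
  const consent = {
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    preferences: choice.preferences === true,
    sale_of_data: choice.sale_of_data !== false,
  };
  cp.setTrackingConsent(consent, () => onDone(normalizeConsent(cp.currentVisitorConsent())));
}

// The event fires only on change, never on attach, so read the current state
// once up front and then subscribe.
function watchConsent(cp, doc, onChange) {
  onChange(normalizeConsent(cp.currentVisitorConsent()));
  doc.addEventListener('visitorConsentCollected', (event) => {
    onChange(normalizeConsent(event.detail));
  });
}

// Constructed test double mimicking the subset of the API used above.
function makeFakeCustomerPrivacy({ region, saleOfData, bannerRequired }) {
  const state = { analytics: '', marketing: '', preferences: '', sale_of_data: '' };
  const listeners = [];
  const doc = {
    addEventListener(name, fn) { if (name === 'visitorConsentCollected') listeners.push(fn); },
  };
  const cp = {
    getRegion: () => region,
    saleOfDataRegion: () => saleOfData,
    shouldShowBanner: () => bannerRequired,
    currentVisitorConsent: () => ({ ...state }),
    analyticsProcessingAllowed: () => state.analytics === 'yes',
    marketingAllowed: () => state.marketing === 'yes',
    setTrackingConsent(consent, callback) {
      const before = JSON.stringify(state);
      for (const p of PURPOSES) state[p] = consent[p] ? 'yes' : 'no';
      if (JSON.stringify(state) !== before) {      // fire only on change, like the real event
        const detail = {};
        for (const p of PURPOSES) detail[EVENT_KEYS[p]] = state[p] === 'yes';
        listeners.forEach((fn) => fn({ detail }));
      }
      callback();
    },
  };
  return { cp, doc };
}

// Walk-through: a UK visitor sees the opt-in banner and accepts analytics only.
function demo() {
  const { cp, doc } = makeFakeCustomerPrivacy({ region: 'GBENG', saleOfData: false, bannerRequired: true });
  const seen = [];
  watchConsent(cp, doc, (consent) => seen.push(consent));
  const mode = chooseBannerMode(cp);
  let stored = null;
  recordDecision(cp, { analytics: true, marketing: false, preferences: false }, (c) => { stored = c; });
  return { mode, seen, stored, analyticsAllowed: cp.analyticsProcessingAllowed(), marketingAllowed: cp.marketingAllowed() };
}
```

Anything that loads a tracker should branch on the normalized booleans, never on the raw '' value: an undecided visitor must be treated exactly like one who rejected.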

What the native banner does well

  • Auto-applies consent decisions to Shopify-managed surfaces: web pixels (custom + app pixels), Shopify Audiences, the checkout, and Shopify-built analytics.
  • Auto-detects regions when “Use automated settings” is enabled, applying GDPR rules to EEA + UK and CCPA rules to applicable US states.
  • Captures GPC (Global Privacy Control) signals automatically.
  • Generates a privacy policy from a template (in admin) and a sale-of-data opt-out page.
  • Supports the four consent purposes: preferences, analytics, marketing, sale_of_data.

What the native banner does NOT do

  • Block arbitrary third-party scripts. Klaviyo onsite snippets pasted into theme.liquid, Meta Pixel hand-coded, Hotjar, Microsoft Clarity, TikTok Pixel installed via copy-paste: none of these are gated by the native banner. They fire on page load regardless of consent. This is the single biggest gap.
  • Carry IAB TCF certification. Shopify’s docs do not mention TCF, vendor lists, or IAB Europe. The native banner is not on the IAB TCF vendor list. If you need a Google-certified CMP for Authorized Buyers programs, the native banner does not satisfy that requirement.
  • Provide a downloadable consent log. Only per-visitor consentId() retrieval via JS. No admin-facing audit trail you can hand to a regulator.
  • Scan your store’s actual cookies. The banner asks for consent in abstract categories. It does not enumerate which cookies your installed apps actually drop, which is itself a GDPR Article 13 transparency requirement.
  • Map Consent Mode v2 signals automatically for Google tags loaded outside the official Google & YouTube Shopify channel app. If you put gtag.js directly in theme.liquid, native banner consent state will not flow to it.

The gap: why a third-party CMP is still needed

A typical Shopify store with 8-15 apps installed sets 30 to 80 cookies, most of them third-party. The native banner gates the few cookies set by Shopify-managed surfaces. Everything else is on you.

The third-party CMPs solve four problems the native banner can’t:

  • Script blocking. They wrap <script> tags pasted into your theme so they don’t fire until consent is granted, including inline scripts (a feature Pandectes calls Inline Script Blocking). This is the load-bearing capability.
  • Cookie scanning. They actually crawl your storefront, enumerate every cookie set, categorize each one, and surface a list to your privacy policy. Pandectes uses an AI scanner that adds recommendations on top of basic detection. Consentmo offers an on-demand AI cookie scanner from its Standard tier.
  • IAB TCF v2.3 + Google & Microsoft certification. They sit on the certified vendor lists, so Google Ads and Microsoft Advertising actually accept the consent signals from your store and continue serving ads/measurement under restricted consent.
  • Audit trail and DSAR handling. Downloadable consent logs, customer data request workflows with email notifications, accessibility widgets (ADA, WCAG, EAA, AODA).

The good third-party CMPs integrate with the Customer Privacy API rather than replacing it. They call setTrackingConsent when their banner is interacted with, listen to visitorConsentCollected for state changes, and let Shopify’s checkout, audiences, and pixels keep working through the same plumbing. You get the best of both: full Shopify integration plus the script-gating, cookie-scanning, and certification layer the platform alone can’t provide.
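The script-blocking capability described above is simple in principle: the theme snippet is parked as a non-executable script until the purpose it needs is granted. Here is an added example (not code from the article, Pandectes or Consentmo) of that gating pattern. Each third-party tag is written as type="text/plain" (the browser neither fetches nor runs it) with a data-consent attribute naming the purpose(s) it needs and, for external scripts, the URL in data-src; on every consent change the loader swaps each qualifying tag for a real script exactly once. The attribute names and the sample tags are this example's own choices, not a vendor's markup.

```javascript
// Parse data-consent="marketing, analytics": every listed purpose must be granted.
function parsePurposes(value) {
  return String(value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Pure decision over plain tag records:
//   { id, purposes: string[], src: string|null, inline: string|null, activated: bool }
// consent is { analytics, marketing, preferences, sale_of_data } as booleans.
function selectActivatable(tags, consent) {
  return tags.filter((tag) =>
    !tag.activated && tag.purposes.length > 0 && tag.purposes.every((p) => consent[p] === true));
}

// A gated tag with no purpose named would never run; surface it instead of
// silently dropping it, since it is usually a typo in the theme.
function findMisconfigured(tags) {
  return tags.filter((tag) => tag.purposes.length === 0).map((tag) => tag.id);
}

// DOM side: read the gated placeholders off the page into plain records.
function collectGatedTags(doc) {
  const nodes = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  return Array.from(nodes, (el, i) => ({
    id: el.id || `gated-${i}`,
    purposes: parsePurposes(el.getAttribute('data-consent')),
    src: el.getAttribute('data-src'),
    inline: el.textContent,
    activated: el.getAttribute('data-activated') === 'true',
    el,
  }));
}

// Activate what consent allows. Marking the placeholder prevents a second
// activation when consent changes again later (e.g. the visitor widens it).
function activateGatedScripts(doc, consent) {
  const ready = selectActivatable(collectGatedTags(doc), consent);
  for (const tag of ready) {
    const real = doc.createElement('script');
    if (tag.src) real.src = tag.src; else real.textContent = tag.inline;
    tag.el.setAttribute('data-activated', 'true');
    tag.el.parentNode.insertBefore(real, tag.el.nextSibling);
  }
  return ready.map((tag) => tag.id);
}

// Constructed stand-ins for snippets a merchant pasted into theme.liquid.
const SAMPLE_TAGS = [
  { id: 'meta-pixel', purposes: ['marketing'], src: null, inline: '/* fbq init */', activated: false },
  { id: 'ga4', purposes: ['analytics'], src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', inline: null, activated: false },
  { id: 'klaviyo-onsite', purposes: ['marketing', 'analytics'], src: null, inline: '/* klaviyo */', activated: false },
  { id: 'hotjar', purposes: ['analytics'], src: null, inline: '/* hj */', activated: true }, // already ran this page view
  { id: 'typo', purposes: [], src: null, inline: '/* data-consent="" */', activated: false },
];

// Which sample tags would run under a given consent state?
function demo(consent) {
  return selectActivatable(SAMPLE_TAGS, consent).map((tag) => tag.id);
}
```

In a theme, call activateGatedScripts(document, consent) once with the normalized current state and again from the visitorConsentCollected listener; the activated marker is what keeps a pixel from initialising twice when a visitor first accepts analytics and later accepts marketing as well.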

Below are the two we’d actually install. Both are partners on our Craftshift partners list.

Pandectes GDPR Compliance


Developer: Pandectes (Estonia) | On Shopify since: September 2018 | Rating: 5.0 / 5 (2,818+ reviews) | Built for Shopify: Yes | Shopify Plus Partner: Yes

Pandectes is the deepest CMP on the Shopify App Store. Google Certified, Microsoft Certified, and IAB Certified at the same time, which is rare. The differentiator is the script-blocking depth: it does inline script blocking (most CMPs only block external scripts), bots and crawlers blocking, behind-the-password scanning for development stores, and exposes a full JS API (props, methods, constants, events) on the Enterprise tier for headless and Hydrogen storefronts.

The integration with Shopify’s Customer Privacy API is explicit (the listing names it as a “Works with” integration). Pandectes also covers three banner surfaces that most CMPs don’t: Checkout Extension banner, Customer Account Extension, and Page Blocks. If you need consent collection inside Shopify’s hosted checkout (Plus stores) or in the new Customer Account UI, Pandectes does both.

Pricing (USD, 7-day free trial on paid plans)

  • Basic: Free. Unlimited impressions, customizable GDPR cookie banner, geolocation, customer data requests, Customer Account Extension, all EU languages, consent tracking report, auto cookie scanning.
  • Plus: $9/month or $90/year. Everything in Basic plus: AI cookie scanner, Google Consent Mode v2, Web Pixel support, Meta/TikTok Pixel + GPC + UET Consent Mode, automated cookie policy, multi-language translations, three banner styles (popup, bar, banner).
  • Premium: $29/month or $290/year. Everything in Plus plus: Web Accessibility (ADA/WCAG/EAA), auto-blocker for popular services, advanced blocking rules, Checkout Extension block, custom CSS design support, reset consent, live in-store and admin preview.
  • Enterprise: $49/month or $490/year. Everything in Premium plus: IAB TCF v2.3 banner, scan scheduler, behind-the-password scanning, bots/crawlers blocking, inline script blocking, cookie scan AI recommendations, headless / Hydrogen storefront support, full JS API.

Compliance frameworks supported: GDPR, CCPA, CPRA, LGPD, ePrivacy, APPI, APA-NZPA, CTDPA, FADP, PDPA, PIPEDA, POPIA, UCPA, VCDPA, plus Google Consent Mode v2, Microsoft Consent Mode (UET), IAB TCF v2.3, GPC, ADA, AODA, EAA, WCAG.

Integrations: Shopify Customer Privacy API, Checkout, Customer Accounts, Shopify Admin, GA4, Google Ads, Tag Manager, Google Consent Mode v2, Microsoft Consent Mode (UET), TikTok & Meta Pixels (with Limited Data Use signal). 9 languages.

“Had a great experience. Konstantinos helped us resolve and troubleshoot technical issues so we could launch a new, fully compliant cookie banner. For a smaller business like us, Pandectes has been great. It’s an easy way to build a compliant banner without requiring something extremely custom and heavy duty.”

You Know Who’s, United Kingdom (over 5 years using the app), on the Pandectes GDPR Compliance Shopify App Store reviews

“Big thanks to Marios for helping us resolve our GDPR issues. He is very detailed-oriented and patient. He taught me how to set it up step-by-step and ensured everything was compliant. Five-star service!”

SwitchBot EU, Hong Kong SAR (over 3 years using the app), on the Pandectes GDPR Compliance Shopify App Store reviews

Install Pandectes GDPR Compliance on the Shopify App Store.

Consentmo GDPR Compliance


Developer: Consentmo (Sofia, Bulgaria) | On Shopify since: May 2019 | Rating: 5.0 / 5 (1,799+ reviews) | Built for Shopify: Yes

Consentmo is the cleaner-onboarding option. The free tier is unusually generous: unlimited banner impressions, three banner styles, full geolocation support, customer data requests with logs, free cookie scan, all EU languages, and basic script blocking. For a small Shopify store launching into the EU, that free tier alone covers the GDPR baseline. Paid tiers layer on Consent Mode v2, AI cookie scanner, accessibility, and IAB TCF v2.3.

The differentiators against Pandectes: SOC 2 and ISO 27001 certifications listed on the page (a procurement signal for larger merchants), broader privacy regulation coverage (the listing names APA-NZPA, APPI, CCPA, CPRA, CTDPA, ePrivacy, FADP, GDPR, LGPD, PDPA, PIPEDA, POPIA, UCPA, VCDPA), and a dedicated Cookie Widget plus implied consent support on the Plus tier. The page also names a native mobile banner for iOS and Android on Plus and up.

Pricing (USD, 7-day free trial on paid plans)

  • Free. Unlimited banner impressions, 3 banner styles + preferences, global geolocation, customer data requests (DSAR) and logs, compliance center and reports, free cookie scan, all EU languages, basic script blocking, admin preview.
  • Standard: $9/month or $90/year. Everything in Free plus: integrations scanner with alerts, Google Consent Mode v2, Meta/TikTok Pixel, UET Consent Mode, GPC, on-demand AI cookie scanner, full import/export and Google Backups, cookie management table, multilingual banner translations.
  • Plus: $29/month or $290/year. Everything in Standard plus: Web Accessibility (ADA/WCAG/EAA), smart region-specific banner, Cookie Widget and implied consent support, native mobile banner for iOS and Android, control banner timing and pages shown, advanced consent analytics, AI auto-categorizes cookies.
  • Enterprise: $49/month or $494/year. Everything in Plus plus: Web Accessibility Alt Text Manager, IAB TCF v2.3 certified compliance, share consent across domains, headless and Hydrogen support, Checkout banner for Shopify Plus, stop bots/crawlers from fake consent.

Compliance frameworks supported: APA-NZPA, APPI, CCPA, CPRA, CTDPA, ePrivacy, FADP, GDPR, LGPD, PDPA, PIPEDA, POPIA, UCPA, VCDPA, plus Google Consent Mode v2, Microsoft Consent Mode (UET), IAB TCF v2.3, GPC. Accessibility: ADA, EAA, WCAG. Security: SOC 2, ISO 27001.

Integrations: Checkout, Customer Accounts, Shopify Admin, Google Analytics GA3 / GA4, Google Ads, Google Consent Mode V2, Google Tag Manager, Klaviyo Email Marketing & SMS, Microsoft Consent Mode, TikTok & Meta Pixels. 9 languages.

“The support team is very helpful with particular issues without standard AI answers. It helped me fix default consent state issues caused by some weird code in theme.liquid which interfered with Consentmo. Thank you for all the help, Zeus.”

puremetics, Germany (about 5 years using the app), on the Consentmo GDPR Compliance Shopify App Store reviews

“Highly recommend – John was very fast and very helpful with a technical issue that he helped us solve where another developer had given the wrong info. Overall smooth experience with this app.”

Naked Nutrition, United States (about 3 years using the app), on the Consentmo GDPR Compliance Shopify App Store reviews

Install Consentmo GDPR Compliance on the Shopify App Store.

Pandectes vs Consentmo: side by side

| Feature | Pandectes | Consentmo |
|---|---|---|
| Rating / reviews | 5.0 / 2,818+ | 5.0 / 1,799+ |
| Built for Shopify | Yes | Yes |
| On App Store since | September 2018 | May 2019 |
| HQ | Estonia | Sofia, Bulgaria |
| Free tier | Yes (Basic) | Yes (more generous) |
| Google Consent Mode v2 from | $9 (Plus) | $9 (Standard) |
| Microsoft UET Consent Mode from | $9 (Plus) | $9 (Standard) |
| IAB TCF v2.3 from | $49 (Enterprise) | $49 (Enterprise) |
| Accessibility (ADA/WCAG/EAA) from | $29 (Premium) | $29 (Plus) |
| Inline script blocking | Yes (Enterprise) | Listed at Free as “basic script blocking” |
| AI cookie scanner | Yes (Plus and up) | Yes (Standard and up) |
| Headless / Hydrogen support | Enterprise | Enterprise |
| Checkout Extension banner | Premium and up | Enterprise (Shopify Plus stores) |
| Customer Account Extension | Yes (all tiers) | Not advertised |
| SOC 2 / ISO 27001 attestation | Not listed | Listed on page |
| Privacy regulation count listed | 14 frameworks | 14 frameworks |
| Languages | 9 | 9 |
| Free trial on paid plans | 7 days | 7 days |

How to pick. If your store is a small or mid-sized business launching into the EU and you want the lowest-friction free tier, start with Consentmo. The free plan is more capable out of the box. If your store is on Shopify Plus, runs headless, has a developer team that wants a deep JS API, or needs the inline script blocking and bots/crawlers blocking depth, Pandectes wins. Both apps are genuinely 5-star with thousands of reviews; this is not a “one is real and one is fake” comparison.

Implementation: 5 steps to a compliant Shopify store

  1. Audit your current cookies. Open your storefront in an incognito window with DevTools open. Go to Application → Cookies. Count how many are set before any user interaction. Most stores have 30+ already firing on page load. Anything that’s not strictly necessary should be gated by consent.
  2. Install a CMP. Pick Pandectes or Consentmo, install from the App Store, and let the auto-detect set the regions. Both apps register themselves with Shopify’s Customer Privacy API automatically.
  3. Run the cookie scan. Both apps include a scanner that crawls your storefront and categorizes cookies. Review the output: anything categorized as Performance or Targeting needs explicit consent. Anything mis-categorized gets recategorized in the dashboard.
  4. Wire up Consent Mode v2. If you run Google Ads or use GA4, enable Google Consent Mode v2 in your CMP’s settings (Plus tier on Pandectes, Standard on Consentmo). Decide between Basic and Advanced mode based on your privacy posture vs reporting accuracy preference.
  5. Test the deny path. Open an incognito session, click Reject All on the banner. Reload the page. Open DevTools → Network and confirm Meta Pixel, Google Tag Manager, Klaviyo onsite, and any other third-party tracker is NOT firing. If anything fires, your CMP isn’t gating it; check the script-blocking rules in the dashboard.
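Steps 1 and 5 are manual DevTools work; the added example below (not code from the article) turns the step-5 check into a console snippet. After clicking Reject All and reloading, paste the block into the DevTools console and run auditDenyPath(performance.getEntriesByType('resource'), document.cookie): it lists resource requests that went to well-known tracker hosts and counts the cookies visible to JavaScript. The host list is this example's own sample, not an exhaustive catalogue, and the entries and cookie string at the bottom are constructed so the block also runs offline.

```javascript
// Sample of hosts the named trackers load from. Extend for the apps your
// store actually uses; the cookie scan output from step 3 is a good source.
const TRACKER_HOSTS = [
  { host: 'connect.facebook.net', tracker: 'Meta Pixel' },
  { host: 'www.googletagmanager.com', tracker: 'Google Tag Manager / gtag.js' },
  { host: 'static.klaviyo.com', tracker: 'Klaviyo onsite' },
  { host: 'static.hotjar.com', tracker: 'Hotjar' },
  { host: 'www.clarity.ms', tracker: 'Microsoft Clarity' },
  { host: 'analytics.tiktok.com', tracker: 'TikTok Pixel' },
  { host: 'bat.bing.com', tracker: 'Microsoft UET' },
];

// Match a request URL against the host list (exact host or a subdomain of it).
// Non-URL entry names (e.g. data: URIs) are ignored rather than crashing the audit.
function classifyRequest(url) {
  let host;
  try { host = new URL(url).hostname; } catch (e) { return null; }
  const hit = TRACKER_HOSTS.find((t) => host === t.host || host.endsWith('.' + t.host));
  return hit ? { url, tracker: hit.tracker } : null;
}

// entries: PerformanceResourceTiming-like objects; only .name (the URL) is used.
function findTrackerRequests(entries) {
  return entries.map((e) => classifyRequest(e.name)).filter(Boolean);
}

// document.cookie only exposes non-HttpOnly cookies, so this is a lower bound;
// the Application → Cookies panel from step 1 stays the authoritative list.
function countCookies(cookieString) {
  return cookieString.split(';').map((s) => s.trim()).filter(Boolean).length;
}

// pass is true only when no listed tracker host was contacted after Reject All.
function auditDenyPath(entries, cookieString) {
  const trackerRequests = findTrackerRequests(entries);
  return { trackerRequests, cookieCount: countCookies(cookieString), pass: trackerRequests.length === 0 };
}

// Constructed sample standing in for a store whose hard-coded Meta Pixel and
// gtag.js snippets are still firing after Reject All.
const SAMPLE_ENTRIES = [
  { name: 'https://cdn.shopify.com/s/files/1/0000/0000/theme.js', initiatorType: 'script' },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', initiatorType: 'script' },
  { name: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', initiatorType: 'script' },
  { name: 'data:image/png;base64,AAAA', initiatorType: 'img' },
];
const SAMPLE_COOKIES = '_shopify_y=abc; cart=xyz; _fbp=fb.1.1.1';

function demo() {
  return auditDenyPath(SAMPLE_ENTRIES, SAMPLE_COOKIES);
}
```

Run it twice, once before and once after a hard reload, because a tracker activated by a late consent read can appear only on the second page view; every hit in trackerRequests names a snippet the CMP's blocking rules still need to cover.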

That’s the floor. Above it, layer on the IAB TCF v2.3 banner if you serve programmatic ads, the accessibility widget if you sell into the EU under the EAA, and the consent log export if you want a paper trail for regulators.

Common mistakes that turn a CMP into a fine magnet

  • Accept-only banner. No Reject button, or Reject hidden behind “Manage Preferences”. This is the violation Google and Facebook were fined a combined €210M for in January 2022. Both Pandectes and Consentmo ship with equally prominent buttons by default; do not customize this away.
  • Pre-ticked categories. GDPR requires unambiguous opt-in. A pre-ticked Marketing checkbox is not consent. Both apps default to unchecked; verify your config didn’t override.
  • Tracker fires before consent. The bug is almost always a hard-coded script in theme.liquid that the CMP’s auto-blocker didn’t catch. Add it manually to the script block list.
  • No region detection. Showing GDPR copy to a US customer is not illegal but it’s bad UX and it weakens the CCPA opt-out signal. Use the geolocation feature both CMPs ship.
  • Privacy policy says one thing, cookies do another. Article 13 of GDPR requires accurate disclosure of data processing. If your privacy policy lists 4 cookies and your store actually drops 60, you’re already non-compliant before the consent banner question even applies.
  • Treating CCPA as “GDPR for Americans”. CCPA is opt-out, not opt-in. The user can browse and you can track until they hit “Do Not Sell or Share”. Forcing a GDPR-style consent banner on California users is more strict than required and creates UX friction.

Try them yourself

Both apps appear in our broader must-have Shopify apps for 2026 guide alongside our own Rubik tools (Rubik Variant Images and Rubik Combined Listings). Browse the full Craftshift partners list for the rest of our trusted Shopify partners.

Frequently asked questions

How do I make my Shopify store GDPR compliant in 2026?

Five steps: audit your current cookies, install a Google-certified CMP (Pandectes or Consentmo), run a cookie scan and categorize the results, wire up Google Consent Mode v2 if you advertise to EU customers, and test the deny path in incognito to confirm trackers actually stop firing on Reject. The native Shopify Customer Privacy API handles consent for Shopify-managed pixels and checkout but does not block arbitrary third-party scripts in your theme.

Is Shopify’s native cookie banner enough for GDPR?

For most stores, no. Shopify’s Settings → Customer privacy banner auto-applies consent to Shopify-managed surfaces (web pixels, audiences, checkout, Shopify-built analytics) but does not block third-party scripts pasted into theme files (Klaviyo onsite, hand-coded Meta Pixel, Hotjar, hard-coded gtag.js). It’s also not on the IAB TCF v2.3 vendor list and does not provide a downloadable consent log. A third-party CMP closes those gaps.

What is Google Consent Mode v2 and do I need it?

Google Consent Mode v2 is the mechanism Google tags use to receive consent state from your CMP and adjust behavior accordingly. It became mandatory March 6, 2024 for advertisers running personalization or remarketing campaigns to EEA, UK, or Switzerland users. Without it, you lose access to remarketing audiences and personalized measurement for European users. Both Pandectes and Consentmo support Consent Mode v2 from their $9 tier.

Difference between Consent Mode v2 Basic and Advanced mode?

Basic mode blocks Google tags entirely until consent is granted. No cookieless pings on denial. Stricter privacy, weaker reporting. Advanced mode lets Google tags load on every page and send cookieless pings even on denial, which Google then uses for conversion modeling and behavioral modeling. Better reporting accuracy, slightly less strict privacy posture. Pick Advanced unless you have a specific reason not to.

Is IAB TCF v2.3 mandatory and when?

TCF v2.3 was published by IAB Europe in April 2025 with a mandatory adoption deadline of February 28, 2026. CMPs and ad-tech vendors that have not migrated lose IAB certification. If your store runs programmatic ads to EU users, you need a CMP on the IAB TCF v2.3 vendor list. Both Pandectes and Consentmo offer TCF v2.3 banners on their Enterprise tiers ($49/month).

Pandectes vs Consentmo: which Shopify GDPR app should I pick?

For small-to-mid Shopify stores starting in the EU, Consentmo’s free tier is more generous and onboarding is cleaner. For Shopify Plus stores, headless storefronts, or merchants who need inline script blocking, bots/crawlers blocking, full JS API, and three banner surfaces (theme + Checkout Extension + Customer Account Extension), Pandectes goes deeper. Both are Built for Shopify with 5.0 ratings and thousands of reviews.

Are Shopify cookies illegal in the EU?

No, but cookies that aren’t strictly necessary require explicit opt-in consent before they’re set. The category typically includes everything except cart, session, and CSRF cookies. Analytics cookies (GA4, Hotjar, Microsoft Clarity), advertising cookies (Meta Pixel, Google Ads, TikTok), and personalization cookies all need consent.

What’s the GDPR fine for missing cookie consent on Shopify?

GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. Real cookie-specific fines have ranged from a few thousand euros for small publishers to €150 million (CNIL vs Google, January 2022) and €40 million (CNIL vs Criteo, June 2023). For a typical small-to-mid Shopify store, the practical risk is closer to a regulator order to stop processing plus reputational damage than a record-setting fine, but the order itself can shut down your ad accounts.

Does Shopify automatically block trackers if a customer denies consent?

Partially. Shopify-managed pixels (custom and app pixels registered through the official Web Pixels API) and Shopify Audiences respect consent state automatically. Scripts pasted directly into theme.liquid (Klaviyo onsite, hand-coded Meta Pixel, hardcoded gtag.js) do NOT respect consent state by default. Apps that registered pixels through the Web Pixels framework do; apps that injected via ScriptTag or theme app extensions without consent checks do not. A third-party CMP closes this gap.

Do I need a separate CMP for Microsoft Advertising?

No, the same CMP handles both. Microsoft launched its Universal Event Tracking (UET) Consent Mode in 2024, mirroring Google’s approach: the UET tag accepts consent signals and adjusts cookie behavior on denial. Both Pandectes and Consentmo support Microsoft UET Consent Mode from their $9 tier alongside Google Consent Mode v2.

Co-Founder at Craftshift