Every few months a merchant forwards me a scary email from a cookie-consent app: "Your store is not GDPR compliant. Install now to avoid fines." Then they ask if they need to pay €19 a month to be safe.
Usually the honest answer is "no, not for that reason." Sometimes it's "actually yes, but not for the reason the email said." So let's untangle it, because cookie consent is one of the most oversold corners of the Shopify ecosystem.
Quick disclaimer up front: I build Shopify tools, I'm not a lawyer, and this isn't legal advice. If you're a large store or in a sensitive category, talk to someone who is. For everyone else, here's the practical version.
What the law actually says
The relevant rules are the GDPR plus the older ePrivacy Directive (the "cookie law"). Boiled down to the part that affects your storefront:
You need a visitor's consent before you set non-essential cookies. Essential cookies don't need consent.
That's really the whole thing. The nuance is in two words: "before" and "non-essential."
Essential cookies are the ones your store literally can't function without — the cart, the session, checkout, fraud protection. You don't need to ask permission for those.
Non-essential is everything else, and for a typical store that means analytics (GA4) and marketing pixels (Meta, TikTok, Google Ads). Those are the ones that legally shouldn't fire until the shopper has said yes.
The "before" matters more than people realize. A banner that shows up but lets Meta's pixel fire the moment the page loads isn't doing its job — it's decoration. Consent has to actually gate the scripts.
What Shopify gives you natively
This is the part the scary emails leave out: Shopify has built a lot of this in, and for many stores it's enough.
Go to Settings → Customer privacy. You'll find:
- A cookie banner you can switch on, style a bit, and scope to specific regions (show it to EU/UK/California visitors, skip it elsewhere).
- The Customer Privacy API / consent tracking, which is what actually records the shopper's choice.
- Integration with Google consent mode and Meta, so when a visitor declines, the connected tools are supposed to respect it.
For a straightforward store running GA4 and the Meta pixel through Shopify's native channels, turning this on, scoping it to the right regions, and confirming your pixels are wired through Shopify's consent system covers the core requirement. No third-party app required.
Where paid apps earn their keep (and where they don't)
I'm not anti-app here — some stores genuinely need one. The real reasons to pay:
- Google-certified CMP for Consent Mode v2. If you run Google Ads and lean on that data, Google now wants consent signals from a certified consent management platform. The native banner isn't one. This is the single most legitimate reason I see to buy an app.
- Granular, per-category consent. "Accept all / reject all" is fine for most, but if you want separate toggles for analytics vs marketing vs preferences, a dedicated CMP does that better.
- Automatic script blocking. Good CMPs actually block third-party scripts until consent, rather than trusting each tool to behave. If you've got a pile of apps injecting their own trackers, this is worth something.
Where they don't help: making a purely cosmetic banner. Plenty of installs I've audited put a nice-looking bar on the page while the pixels fire underneath regardless. That's arguably worse than nothing, because now you look like you're asking for consent you're not honoring.
The mistakes I see most
- The decorative banner. Looks compliant, changes nothing. Test it — open your store in an incognito window, decline, and watch the network tab. If the Meta pixel still fires, it's theater.
- Pixels hardcoded in the theme. If someone pasted the Meta or GA snippet directly into theme.liquid, it bypasses Shopify's consent system entirely. Move it into the native customer-events / pixel setup so consent applies.
- Region set to "everywhere" or "nowhere." Showing an aggressive banner to US shoppers who don't need it hurts conversion; showing nothing to EU shoppers who do is the actual risk. Scope it.
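To make "consent has to actually gate the scripts" concrete, here is an added example (my own illustration, not Shopify's code or any app's) of a fail-closed loader for non-essential tags. It assumes the consent object has the shape Shopify's storefront consent API returns, with each category set to "yes", "no" or "" (not yet answered); the tag names and the loader functions are placeholders.

```javascript
// Added example: fail-closed gating of non-essential tags on visitor consent.
// Assumed consent shape (as returned by Shopify's storefront consent API):
//   { marketing: "yes" | "no" | "", analytics: "yes" | "no" | "" }
// where "" means the shopper has not answered the banner yet.

// Which consent category each non-essential tag needs. Essential functionality
// (cart, session, checkout) is deliberately absent: it never goes through this gate.
const TAGS = {
  ga4:    { category: "analytics" },
  meta:   { category: "marketing" },
  tiktok: { category: "marketing" },
};

// Tags permitted to fire under a given consent state.
// Fail closed: anything other than an explicit "yes" keeps the tag off,
// including the "" (undecided) state while the banner is still showing.
function allowedTags(consent, tags = TAGS) {
  return Object.keys(tags).filter((name) => consent[tags[name].category] === "yes");
}

// The gate remembers what it has injected so a consent update never loads a tag twice.
// `loaders` maps tag name -> function that injects that script (supplied by the caller).
function createConsentGate(loaders, tags = TAGS) {
  const loaded = new Set();
  return {
    // Call once on page load and again whenever consent changes; returns what is loaded.
    apply(consent) {
      for (const name of allowedTags(consent, tags)) {
        if (!loaded.has(name)) { loaders[name](); loaded.add(name); }
      }
      return [...loaded];
    },
    loaded: () => [...loaded],
  };
}

// Browser wiring (placeholder loaders; skipped outside a browser so the logic is testable).
// Assumes Shopify's consent-tracking API has been loaded on the page and that the
// "visitorConsentCollected" document event fires when the shopper answers the banner.
if (typeof window !== "undefined" && window.Shopify && window.Shopify.customerPrivacy) {
  const cp = window.Shopify.customerPrivacy;
  const gate = createConsentGate({
    ga4: () => { /* inject GA4 snippet here */ },
    meta: () => { /* inject Meta pixel here */ },
    tiktok: () => { /* inject TikTok pixel here */ },
  });
  gate.apply(cp.currentVisitorConsent());
  document.addEventListener("visitorConsentCollected", () => gate.apply(cp.currentVisitorConsent()));
}
```

The incognito test from the list above is the check on this: with consent declined or undecided, the network tab should show none of the gated requests.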
A sane checklist
- Turn on the native banner in Settings → Customer privacy and scope it to EU/UK (and California, under CPRA).
- Make sure GA4 and your ad pixels run through Shopify's customer events, not pasted into the theme.
- Test in incognito: decline consent, confirm the non-essential tags don't fire.
- Only then ask whether you need a certified CMP — and the honest trigger for that is usually Google Ads / Consent Mode v2, not a fine-threat email.
Cookie consent isn't the compliance boogeyman it gets sold as, but it also isn't nothing. Do the native setup properly, actually test that it gates the trackers, and buy an app when you have a specific reason — not because a popup told you to.