GDPR compliance is not a box you tick once. It is a set of ongoing technical and organisational requirements that affect how your Shopify store collects, processes, stores, and shares personal data. For UK ecommerce stores, the applicable legislation is the UK GDPR (the retained EU regulation) and PECR (Privacy and Electronic Communications Regulations), which specifically governs cookies and electronic marketing.
The technical implementation of GDPR on Shopify involves consent management, cookie control, data subject request handling, analytics configuration, and ongoing auditing of third-party apps and services that process customer data. Getting this wrong exposes your business to regulatory action from the ICO (Information Commissioner’s Office), customer complaints, and reputational damage.
This guide covers the technical implementation of GDPR compliance on Shopify. For related topics, see our guides on Consent Mode v2 on Shopify, Shopify security best practices, and first-party data strategy. We implement GDPR compliance as part of our Shopify development services.
GDPR and Shopify: what you are responsible for
Shopify is a data processor for your store. You are the data controller. This distinction matters: as the controller, you are responsible for determining what personal data is collected, why it is collected, and how it is processed. Shopify processes data on your behalf according to their Data Processing Addendum (DPA), but the compliance obligations fall on you.
Shopify provides the platform and the tools. You are responsible for how you use them, what data you collect, what consent you obtain, and how you respond to data subject requests.
Key obligations
- Lawful basis for processing. You need a lawful basis for every type of personal data processing. For ecommerce, the most common bases are contract (processing orders), legitimate interest (fraud prevention), and consent (marketing communications and non-essential cookies).
- Informed consent. Where consent is the lawful basis, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent do not meet the standard.
- Data minimisation. Collect only the data you need. Do not require a phone number if you do not need to call customers. Do not collect a date of birth unless it is necessary for age verification.
- Transparency. Your privacy policy must explain what data you collect, why, how long you keep it, who you share it with, and what rights the data subject has.
- Data subject rights. You must be able to fulfil access requests, erasure requests, and data portability requests within one month.

Consent management implementation
A consent management platform (CMP) controls which scripts and cookies are loaded based on the visitor’s consent choices. This is the technical backbone of cookie compliance on Shopify.
How it works
The CMP intercepts all non-essential scripts (analytics, marketing pixels, personalisation tools) and prevents them from executing until the visitor has granted consent. When the visitor interacts with the cookie banner and grants consent for specific categories (analytics, marketing, functional), the CMP releases the corresponding scripts. If the visitor declines, the scripts never load and no non-essential cookies are set.
// Consent management flow
1. Visitor lands on site
2. CMP checks for existing consent record (cookie)
3. If no consent record:
   - Display cookie banner
   - Block all non-essential scripts
   - Wait for user interaction
4. User makes consent choice:
   - Accept all → release all scripts, set consent cookie
   - Accept some → release selected category scripts, set consent cookie
   - Decline all → no scripts released, set consent cookie (declined)
5. Subsequent visits:
   - Read consent cookie
   - Load/block scripts according to stored preferences
   - Do not show banner again (unless consent expires)
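The flow above as working JavaScript, added here as an example rather than code from the original page or from any CMP vendor. The cookie name cookie_consent, the three category names, and the convention of authoring blocked scripts as type="text/plain" with a data-consent attribute are assumptions for this example.

```javascript
// Assumed conventions for this example: consent is a JSON cookie named cookie_consent,
// and blocked scripts are authored as <script type="text/plain" data-consent="analytics">.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing', 'functional'];
const CONSENT_MAX_AGE_DAYS = 365; // expire and re-ask after a year
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.split('=');
    if (name.trim()) out[name.trim()] = decodeURIComponent(rest.join('=').trim());
  }
  return out;
}
// Steps 2 and 5: read the stored record. Absent, malformed or expired returns null,
// which means "show the banner and keep every non-essential script blocked".
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec.ts !== 'number' || now - rec.ts > CONSENT_MAX_AGE_DAYS * 86400000) return null;
  const choices = {};
  for (const c of CATEGORIES) choices[c] = !!rec.choices && rec.choices[c] === true; // default off
  return choices;
}
// Step 4: serialise a choice, including "decline all", so the banner is not shown again.
// No HttpOnly, because the CMP has to read this cookie client-side.
function consentCookieValue(choices, now = Date.now()) {
  const rec = { ts: now, choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(rec)) +
    '; Max-Age=' + CONSENT_MAX_AGE_DAYS * 86400 + '; Path=/; Secure; SameSite=Lax';
}
// Steps 3 and 4: necessary scripts always run; an unknown category stays blocked.
function scriptsToRelease(scripts, choices) {
  return scripts.filter(s => s.category === 'necessary' ||
    (choices !== null && choices[s.category] === true));
}
// Browser wiring (skipped under Node): swap released text/plain tags for live script tags.
if (typeof document !== 'undefined') {
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map(el => ({ category: el.dataset.consent, el }));
  for (const { el } of scriptsToRelease(tags, readConsent(document.cookie))) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```

When the banner is answered, the page writes document.cookie = consentCookieValue(choices) and re-runs the release step; a declined choice is stored too, so the banner does not reappear until the record expires.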
Cookie banner requirements
- Clear language. Explain what cookies are used for in plain English, not legal jargon.
- Granular choice. Allow users to accept or decline by category (necessary, analytics, marketing, functional). “Accept all” is fine as a shortcut, but there must be a genuine choice to decline.
- Equal prominence. The “Decline” or “Manage preferences” option must be as easy to find and use as “Accept all.” Dark patterns (making accept large and green while hiding decline) are not compliant.
- No pre-ticked boxes. All non-essential categories must default to off.
- Withdrawal. Users must be able to change their consent at any time. Provide a persistent link (typically in the footer) to reopen cookie preferences.
Cookie audit and classification
Before implementing consent management, you need to know exactly what cookies your Shopify store sets. Run a cookie audit using a scanning tool (Cookiebot, CookieYes, or a manual browser DevTools inspection) to identify every cookie, its source, its purpose, and its expiry.
# Cookie classification for a typical Shopify store
## Necessary (no consent required)
- _shopify_s (session tracking)
- _shopify_y (persistent analytics — Shopify's own)
- cart_* (cart functionality)
- checkout_* (checkout session)
- secure_customer_sig (authentication)
## Analytics (consent required)
- _ga, _ga_* (Google Analytics 4)
- _gid (Google Analytics)
- _hjSessionUser_* (Hotjar)
## Marketing (consent required)
- _fbp (Meta Pixel)
- _gcl_au (Google Ads)
- _pin_unauth (Pinterest)
- _tt_enable_cookie (TikTok Pixel)
## Functional (consent required)
- _klaviyo (Klaviyo tracking)
- _swym_* (wishlists)
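An added example, not a tool from the page, that classifies a cookie export against the table above and flags what an audit should act on. The input shape is constructed for this example; the setBeforeConsent flag would come from a scan run with the banner left unanswered.

```javascript
// Added example: classify observed cookies against the page's table and report findings.
// Input shape [{ name, setBeforeConsent }] is constructed for this example.
const COOKIE_CLASSES = {
  necessary: ['_shopify_s', '_shopify_y', 'cart_*', 'checkout_*', 'secure_customer_sig'],
  analytics: ['_ga', '_ga_*', '_gid', '_hjSessionUser_*'],
  marketing: ['_fbp', '_gcl_au', '_pin_unauth', '_tt_enable_cookie'],
  functional: ['_klaviyo', '_swym_*'],
};
// The table only uses a trailing '*' wildcard (e.g. _ga_* matches _ga_ABC123 but not _ga).
function matchesPattern(name, pattern) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}
function classifyCookie(name) {
  for (const [cls, patterns] of Object.entries(COOKIE_CLASSES)) {
    if (patterns.some(p => matchesPattern(name, p))) return cls;
  }
  return 'unknown';
}
// Two findings matter: a cookie nobody has classified, and a consent-gated
// cookie that the CMP is failing to block before the visitor has chosen.
function auditCookies(cookies) {
  const findings = [];
  for (const c of cookies) {
    const cls = classifyCookie(c.name);
    if (cls === 'unknown') {
      findings.push({ name: c.name, issue: 'unclassified: identify source, purpose and expiry' });
    } else if (cls !== 'necessary' && c.setBeforeConsent) {
      findings.push({ name: c.name, issue: cls + ' cookie set before consent: CMP not blocking it' });
    }
  }
  return findings;
}
// Constructed sample export: Shopify session (fine), gated GA4 (fine), leaking pixel, unknown.
const SAMPLE_COOKIES = [
  { name: '_shopify_y', setBeforeConsent: true },
  { name: '_ga_ABC123', setBeforeConsent: false },
  { name: '_fbp', setBeforeConsent: true },
  { name: '_mystery', setBeforeConsent: true },
];
```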

Google Consent Mode v2
Google Consent Mode v2 is Google’s framework for adapting Google tag behaviour based on the user’s consent choices. It allows Google Analytics and Google Ads to operate in a “consent-denied” mode that collects no personal data but enables Google to model conversions and fill reporting gaps using aggregate data. For a detailed implementation guide, see our Consent Mode v2 on Shopify guide.
// Consent Mode v2 implementation
// Set default consent state BEFORE any Google tags load
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
// Default: deny all non-essential consent
gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'functionality_storage': 'denied',
  'personalization_storage': 'denied',
  'security_storage': 'granted', // always allowed
  'wait_for_update': 500 // wait 500ms for CMP
});
// When user grants consent via cookie banner:
gtag('consent', 'update', {
  'analytics_storage': 'granted',
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});
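An added example (not Google's or Shopify's own code) that wires the banner's three categories to the update call above, so a partial choice such as "analytics only" sends an explicit 'denied' for the advertising keys, and that checks for the ordering mistake the snippet's comment warns about. The category-to-key mapping and the small dataLayer recorder are assumptions for this example.

```javascript
// Added example: banner categories -> Consent Mode v2 keys, plus an ordering check.
// The mapping below is an assumption to verify against your CMP's documentation.
const CATEGORY_TO_CONSENT_KEYS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};
const ALWAYS_GRANTED = ['security_storage'];
// Payload for gtag('consent', 'update', ...). Every key is set explicitly, so a
// partial choice (analytics only) still sends 'denied' for the marketing keys.
function consentUpdatePayload(choices) {
  const payload = {};
  for (const [category, keys] of Object.entries(CATEGORY_TO_CONSENT_KEYS)) {
    for (const k of keys) payload[k] = choices[category] === true ? 'granted' : 'denied';
  }
  for (const k of ALWAYS_GRANTED) payload[k] = 'granted';
  return payload;
}
// Default state: deny everything except security_storage and give the CMP wait_for_update ms.
function consentDefaultPayload(waitMs = 500) {
  return Object.assign(consentUpdatePayload({}), { wait_for_update: waitMs });
}
// Small stand-in for window.dataLayer so the ordering rule can be checked offline.
function makeGtagRecorder() {
  const dataLayer = [];
  function gtag() { dataLayer.push(Array.from(arguments)); }
  return { dataLayer, gtag };
}
// The rule from the snippet above: 'consent default' must precede any other gtag
// command (config, event, consent update). Returns the offending entry or null.
function firstCallBeforeDefault(dataLayer) {
  for (const entry of dataLayer) {
    if (entry[0] === 'consent' && entry[1] === 'default') return null;
    if (entry[0] !== 'js') return entry; // gtag('js', new Date()) is harmless bootstrap
  }
  return null;
}
```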
The key benefit of Consent Mode v2 is that it preserves your ability to run Google Ads effectively even as consent rates for marketing cookies decline. Google uses the consented data alongside behavioural modelling to estimate the conversions you would have seen at full consent, maintaining campaign optimisation accuracy.
Data subject access requests
Under UK GDPR, individuals have the right to request access to their personal data (Subject Access Request, or SAR), request erasure of their data (right to be forgotten), and request data portability. You must respond within one calendar month.
Handling requests on Shopify
Shopify provides GDPR tools in the admin under Settings > Privacy. Use the “Customer data request” feature to compile all data Shopify holds for a specific customer. But remember that Shopify is not the only place you store customer data. You also need to check:
- Klaviyo or email marketing platform. Customer profile, email history, segment membership, behavioural data.
- Review platforms. Any reviews the customer has submitted.
- Analytics tools. Google Analytics does not typically hold identifiable data, but check any tools that do (Hotjar recordings, for example).
- Customer support tools. Gorgias, Zendesk, or email records of customer service interactions.
- Fulfilment and shipping. Order and delivery records held by third-party fulfilment providers.
For erasure requests, use Shopify’s customer data erasure endpoint and then manually delete or anonymise the customer’s data in each third-party platform. Document the process so it can be followed consistently by any team member handling a request.
Privacy-first analytics
As consent rates for analytics cookies decline (typically 40-60% of UK visitors decline analytics tracking), your analytics data becomes increasingly incomplete. A privacy-first analytics strategy addresses this gap.
Server-side tracking
Server-side Google Tag Manager processes analytics data on a server you control rather than in the visitor’s browser. This reduces the impact of ad blockers and provides more control over what data is sent to Google. It does not eliminate the need for consent — you still need consent before sending personal data — but it improves data quality for consented visitors and enables better Consent Mode modelling.
First-party data strategy
Build your analytics around first-party data that you collect directly: Shopify order data, email engagement data from Klaviyo, customer account data, and on-site behaviour tracked through Shopify’s own analytics. This data does not rely on third-party cookies and provides accurate insights regardless of consent rates. For a comprehensive approach, see our first-party data strategy guide.

Third-party app data audit
Every Shopify app that processes customer data is a data processor acting on your behalf. Under GDPR, you are responsible for ensuring each processor handles data compliantly. This means auditing every app in your stack for its data practices.
Audit checklist per app
- What data does it access? Review the app’s permissions in Shopify admin. Does it access customer data, order data, product data?
- Where is data stored? Is data stored in the EU/UK, or transferred to the US or elsewhere? If transferred outside the UK, is there an adequacy decision or appropriate safeguards (Standard Contractual Clauses)?
- Does it have a DPA? Every app that processes personal data on your behalf should have a Data Processing Agreement. Most major apps (Klaviyo, Recharge, Yotpo) provide these.
- Data retention. How long does the app retain customer data? Can you configure retention periods? Can you delete customer data from the app?
- Sub-processors. Does the app share data with its own sub-processors? These should be documented in the app’s privacy policy or DPA.
Document this audit and review it at least annually, or whenever you add or change apps.
Email marketing consent
Email marketing consent under UK GDPR and PECR requires explicit opt-in. Pre-ticked email signup boxes, assumed consent from purchases, and bundled consent (“by buying you agree to receive marketing”) are not compliant.
Compliant email collection on Shopify
- Checkout opt-in. Shopify’s checkout includes an email marketing checkbox. Ensure this is unticked by default (Shopify settings control this).
- Newsletter signup. Footer and popup signups must clearly state what the subscriber is signing up for: “Sign up for weekly ecommerce insights. We will never share your email.”
- Record consent. Store the date, time, and method of consent for every subscriber. Klaviyo and Shopify both record this, but verify it is working correctly.
- Easy unsubscribe. Every marketing email must include a one-click unsubscribe link. Do not require the subscriber to log in or confirm to unsubscribe.
The “soft opt-in” exception under PECR allows you to email existing customers about similar products without explicit consent, provided you offered an opt-out at the point of collection and in every subsequent email. This is a legitimate approach for post-purchase marketing but must be implemented carefully. See our security best practices guide for related security considerations.
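An added example, not the page's own code, of the send/no-send decision for one marketing email: a stored consent record is only honoured if it evidences a real opt-in (not a pre-ticked or bundled one), and otherwise the PECR soft opt-in conditions above must all hold. Field names and the method labels are assumptions for this example.

```javascript
// Added example: validate a consent record and decide whether one marketing email may be sent.
const INVALID_METHODS = ['pre_ticked', 'bundled_with_purchase']; // not consent under UK GDPR/PECR
// A usable consent record has a timestamp and a method that actually evidences opt-in,
// mirroring the "date, time, and method" the page says to store for every subscriber.
function validConsentRecord(c) {
  return !!c && typeof c.grantedAt === 'number' && typeof c.method === 'string' &&
    c.method.length > 0 && !INVALID_METHODS.includes(c.method);
}
function marketingEmailPermitted(subscriber, campaign) {
  if (subscriber.unsubscribed) return { permitted: false, basis: 'unsubscribed' };
  if (validConsentRecord(subscriber.consent)) {
    return { permitted: true, basis: 'explicit consent via ' + subscriber.consent.method };
  }
  // Soft opt-in: details obtained during a sale, an opt-out offered at collection,
  // and the message concerns the sender's own similar products.
  if (subscriber.purchased && subscriber.optOutOfferedAtCollection && campaign.similarProducts) {
    return { permitted: true, basis: 'PECR soft opt-in' };
  }
  return { permitted: false, basis: 'no valid consent and soft opt-in conditions not met' };
}
```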
Data retention policies
GDPR requires that you do not keep personal data longer than necessary. Define retention periods for each type of data you hold and implement automated deletion where possible.
# Recommended data retention periods for Shopify stores
Customer accounts (active): Retain while account is active
Customer accounts (inactive): Delete after 3 years of inactivity
Order data: Retain for 7 years (HMRC requirement)
Email marketing data: Retain while subscribed + 1 year
Analytics data (GA4): 14 months (GA4 default)
Customer service records: Delete after 2 years
Abandoned checkout data: Delete after 3 months
Cookie consent records: Retain for 1 year (consent refresh)
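An added example, not from the page, of a scheduled job that applies the retention table above and lists what is due for deletion. Record shapes, the timestamp each period counts from, and the handling of the GA4 line (a setting configured in GA4 itself, so not evaluated here) are assumptions for this example; the periods are the ones in the table.

```javascript
// Added example: evaluate records against the page's retention periods.
// Record shapes and the timestamp each period counts from are assumptions.
const DAY = 86400000;
const RETENTION = {
  customer_account:   { days: 3 * 365, from: 'lastActivityAt', unless: r => r.active },
  order:              { days: 7 * 365, from: 'createdAt' },            // HMRC: 7 years
  email_marketing:    { days: 365,     from: 'unsubscribedAt', unless: r => r.subscribed },
  customer_service:   { days: 2 * 365, from: 'closedAt' },
  abandoned_checkout: { days: 90,      from: 'createdAt' },            // ~3 months
  cookie_consent:     { days: 365,     from: 'consentedAt' },
};
// Returns one action per record that is due: 'delete' when its period has elapsed,
// 'review' when no rule or no timestamp exists (never silently keep data forever).
function retentionActions(records, now = Date.now()) {
  const actions = [];
  for (const r of records) {
    const rule = RETENTION[r.type];
    if (!rule) { actions.push({ id: r.id, action: 'review', reason: 'no retention rule for ' + r.type }); continue; }
    if (rule.unless && rule.unless(r)) continue; // still in its "retain while ..." phase
    const start = r[rule.from];
    if (typeof start !== 'number') { actions.push({ id: r.id, action: 'review', reason: 'missing ' + rule.from }); continue; }
    if (now - start > rule.days * DAY) {
      actions.push({ id: r.id, action: 'delete', reason: r.type + ' older than ' + rule.days + ' days' });
    }
  }
  return actions;
}
// Constructed sample data, evaluated as of 1 January 2025.
const AS_OF = Date.UTC(2025, 0, 1);
const SAMPLE_RECORDS = [
  { id: 'acct-1', type: 'customer_account', active: true,  lastActivityAt: AS_OF - 4 * 365 * DAY },
  { id: 'acct-2', type: 'customer_account', active: false, lastActivityAt: AS_OF - 4 * 365 * DAY },
  { id: 'ord-1',  type: 'order', createdAt: AS_OF - 8 * 365 * DAY },
  { id: 'ord-2',  type: 'order', createdAt: AS_OF - 6 * 365 * DAY },
  { id: 'sub-1',  type: 'email_marketing', subscribed: false, unsubscribedAt: AS_OF - 2 * 365 * DAY },
  { id: 'chk-1',  type: 'abandoned_checkout', createdAt: AS_OF - 100 * DAY },
  { id: 'rec-1',  type: 'review_submission' },
];
```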
Ongoing compliance monitoring
GDPR compliance is not a one-time project. It requires ongoing monitoring and maintenance.
- Quarterly cookie audits. Rescan your store for cookies every quarter. New apps, theme changes, and third-party script updates can introduce cookies you are not aware of.
- Annual privacy policy review. Update your privacy policy when you change your data practices, add new tools, or when legislation changes.
- App audit on installation. Before installing any new Shopify app, review its data practices, DPA, and privacy policy. Document the audit.
- Staff training. Anyone who handles customer data should understand GDPR basics, how to recognise a data subject request, and who to escalate to.
- Breach response plan. Under UK GDPR, you must notify the ICO within 72 hours of becoming aware of a personal data breach. Have a documented response plan that your team can follow.
GDPR technical compliance on Shopify requires attention at every layer: consent management, cookie control, data subject rights, analytics configuration, app auditing, and email marketing consent. The technical implementation is straightforward when approached systematically. The challenge is maintaining compliance over time as your store evolves, new apps are added, and regulations are updated. Build compliance into your development process from the start, and it becomes a manageable part of running an ecommerce business rather than a retrospective scramble.
If you need help implementing GDPR compliance on your Shopify store, get in touch. We implement privacy-first tracking and consent management as part of our Shopify development services.