GDPR privacy & cookie consent for Shopify sellers: do the rules apply to you?

GDPR + the cookie rules require a clear privacy policy, lawful opt-in for non-essential cookies, and a way for people to exercise their data rights. Check yours in 60 seconds.

How GDPR privacy & cookie consent works on Shopify

Shopify gives you the storefront and checkout, but legal compliance is on you, the merchant — Shopify's own terms make that explicit. The platform ships some tools (a cookie-banner and customer-privacy API, a hosted PCI-compliant checkout), but switching them on and configuring them correctly is your job, not Shopify's.

📦 On Shopify: Selling into the EU from a Shopify store triggers EU rules no matter where you're based — the test is your customer's location, not yours.

What Shopify handles: Shopify offers a cookie-banner and customer-privacy API, but you have to enable and configure them — out of the box a store is not consent-compliant.

Does this apply to you?

This rule applies to Shopify sellers who collect personal data from visitors in the EU or UK. Collect data from EU/UK visitors? Check your privacy policy, cookie consent, and data-rights handling. Not sure? The free checker tells you in about a minute — no signup.

The Shopify checklist

Whatever the platform handles, you still need to be able to answer "yes" to each of these — these are the points Shopify sellers most often get caught on:

What's at stake

⚠️ Exposure: up to €20M or 4% of global turnover (Art. 83) · Status: In force. On Shopify, that's on top of any account suspension for breaking platform policy.

Common questions

Do I have to handle GDPR privacy & cookie consent myself on Shopify, or does Shopify cover it?

Shopify offers a cookie-banner and customer-privacy API, but you have to enable and configure them — out of the box a store is not consent-compliant.

Do I need a cookie consent banner?

If you serve EU/UK visitors and use any non-essential cookies (analytics, advertising), yes — they must load only after the visitor opts in, with a Reject option as easy as Accept.

What must a GDPR privacy policy include?

What data you collect, why, the lawful basis, who you share it with, how long you keep it, international transfers, and how to exercise data rights — in plain language, available at collection.

What are the GDPR fines?

Up to €20 million or 4% of global annual turnover, whichever is higher — plus regulator orders and reputational damage.

The source

RuleGoose checks this against the EU GDPR (Reg. (EU) 2016/679), UK GDPR + ePrivacy/cookie rules. Read it yourself: EUR-Lex — Regulation (EU) 2016/679 →

Informational only, not legal advice, and not affiliated with the EU or Shopify. Last reviewed 2026-06-30.