You built your Shopify store. You installed a cookie consent banner — the one that came with your theme or a free app. You ticked a privacy policy checkbox somewhere during setup.
You assumed you were covered.
You're probably not.
GDPR — the General Data Protection Regulation — has been in force since 2018. In that time, regulators across Europe have handed out over €4 billion in fines to businesses of every size. Not just the big ones. Small online stores have been fined. Businesses that thought they were compliant have been fined. Businesses that had cookie banners — the wrong kind — have been fined.
The uncomfortable truth is that most Shopify stores selling to European customers are non-compliant in ways their owners don't realize. The cookie banner you installed probably doesn't meet current requirements. Your email marketing opt-in might be invalid. Your privacy policy might be missing legally required information.
This guide is not a legal document and doesn't replace legal advice. But it will show you the most common GDPR problems on Shopify stores, why they matter, and exactly what needs to be fixed.
First — Who Does GDPR Actually Apply To
GDPR applies to any business that:
- Is based in the EU or EEA, OR
- Targets customers in the EU or EEA, regardless of where the business is based
That second point is the one most non-European store owners miss. Wherever you're based — the US, the UK, Australia, or anywhere else — if you are actively selling to EU customers, GDPR applies to you.
"Actively selling" means accepting EU currencies, shipping to EU addresses, having your site in EU languages, or running ads targeting EU users. If any of these describe your store, GDPR is your problem.
The maximum fine for serious violations is €20 million or 4% of global annual turnover — whichever is higher. For smaller violations, it's €10 million or 2% of turnover. Regulators have levied fines at this scale against businesses with global revenues of under €1 million.
This is not something to get wrong and hope nobody notices.
Problem 1 — Your Cookie Banner Is Almost Certainly Wrong
This is the most universal GDPR problem on Shopify stores, and it's the most commonly misunderstood.
Most store owners install a cookie banner and consider the job done. The banner appears, customers click "Accept," and that's compliance. Right?
Wrong.
A compliant cookie consent mechanism under GDPR requires all of the following:
Consent must be freely given. The customer must have a genuine choice. If clicking "Reject" is hidden behind three menus while "Accept All" is a large prominent button — that's not a free choice. Regulators have specifically targeted this dark pattern.
Consent must be specific. The customer must be able to consent to different categories of cookies separately. "Accept All" as the only option doesn't meet this requirement. Customers must be able to accept necessary cookies while rejecting marketing cookies.
Consent must be informed. Before consenting, the customer must understand what they're consenting to. Vague language like "we use cookies to improve your experience" is not sufficient. You need to explain what each category of cookie does and who has access to the data.
Consent must be unambiguous. Pre-ticked checkboxes or banners that say "by continuing to use this site you accept cookies" — these are not valid consent. The customer must take a clear affirmative action.
Consent must be easily withdrawable. Customers must be able to withdraw consent as easily as they gave it. If they clicked "Accept" and there's no way to change that later, you're non-compliant.
What this looks like in practice
A compliant cookie banner has:
- Clear "Accept All" and "Reject All" buttons at the same visual level
- A "Manage Preferences" option that lets customers choose by category
- A persistent way to access cookie settings after the initial choice (usually a small icon in the corner of the site)
How to fix it
The free cookie banners that come with most Shopify themes and apps do not meet these requirements. You need a dedicated, properly configured consent management platform.
Cookiebot and OneTrust are the two most widely used compliant solutions. Both integrate with Shopify and handle the technical requirements of proper consent management. They scan your site for cookies, categorize them, and present a compliant consent interface to EU visitors.
Non-essential cookies must not be set until consent for them has been obtained. This means marketing pixels — Facebook Pixel, Google Analytics, TikTok Pixel — must not fire until the customer has actively consented to marketing cookies.
This last point is where most stores fail and where the largest fines have been issued. Running marketing pixels without proper consent is not a minor oversight — it's been the basis for multi-million euro fines.
Problem 2 — Your Email Marketing Opt-In Is Probably Invalid
GDPR requires that consent to receive marketing emails must be:
- Freely given — not a condition of purchase
- Specific — the customer must know they're signing up for marketing emails
- Documented — you must be able to prove consent was given
The checkout opt-in problem
Many Shopify stores have an email marketing checkbox at checkout that is pre-ticked by default. Under GDPR, this is invalid consent. Pre-ticked checkboxes don't represent an active, affirmative choice.
Shopify's native checkout opt-in is an unticked checkbox by default — which is correct. But if you've customized your checkout or installed an app that added a pre-ticked opt-in, you have a problem.
The "marketing emails" clarity problem
The opt-in text needs to specifically tell the customer what they're consenting to. "Sign up for updates" is vague. "I agree to receive marketing emails including promotions and product updates from [Store Name]" is specific.
Customers must know they're signing up for marketing emails, not just order updates. Order confirmations and shipping notifications are transactional — they don't require marketing consent. Promotional emails do.
The existing list problem
If you have EU customers on your email list who were added before you had proper consent processes in place — or who were added through a process that didn't meet GDPR requirements — those contacts are technically invalid.
This is a painful reality for many stores. The safest approach is to run a re-consent campaign to your EU subscribers, clearly asking them to confirm they want to continue receiving marketing emails. Those who don't respond should be removed from your marketing list.
Yes, your list will shrink. But the subscribers who actively re-consent are more engaged and more valuable — and you're no longer sitting on a compliance risk.
How to fix your opt-in process
Every email signup on your store — checkout, popup, footer form — needs:
- Clear, specific language about what the customer is signing up for
- An unticked checkbox (never pre-ticked)
- A link to your privacy policy
In your email platform (Klaviyo, Omnisend, etc.), document the source and date of consent for every subscriber. This documentation is what you'd need to show regulators if your practices were ever questioned.
Problem 3 — Your Privacy Policy Is Missing Required Information
Every Shopify store is supposed to have a privacy policy. Most do. But the generic privacy policy templates that most store owners use — the ones Shopify generates automatically or the ones copied from other sites — are often missing information that GDPR specifically requires.
What GDPR requires your privacy policy to include
Who you are. Your full legal business name, address, and contact details. A general email address is not sufficient — you must have a specific data protection contact.
What data you collect and why. For each category of data you collect, you must explain: what data it is, why you collect it, and what legal basis you're relying on to collect it. GDPR has six lawful bases for processing data — consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must specify which one applies to each type of data you collect.
Who you share data with. If you share customer data with third parties — your email platform, your analytics tools, your advertising platforms, your fulfillment partner — you must disclose this. And you must ensure those third parties are themselves GDPR compliant.
How long you keep data. You must specify your data retention periods. How long do you keep order data? Customer account data? Email subscriber data? You need answers to these questions and they need to be in your policy.
Customer rights. Under GDPR, EU customers have the right to access their data, correct it, delete it, restrict its processing, and port it to another service. Your privacy policy must explain these rights and tell customers how to exercise them.
International data transfers. If you're based outside the EU and your servers or third-party tools are outside the EU, you're transferring EU customer data internationally. This requires specific legal safeguards and disclosure.
How to fix your privacy policy
The Shopify-generated privacy policy template covers the basics but doesn't address GDPR-specific requirements adequately. You need either:
- A GDPR-specific privacy policy template from a legal resource in your jurisdiction, or
- A privacy policy generator that's specifically designed for GDPR compliance — iubenda is widely used and handles the complexity well.
Your privacy policy must be kept current. Every time you add a new app that processes customer data, add a new marketing channel, or change how you use customer information — your privacy policy needs to be updated.
Problem 4 — Your Data Processing Is Not Properly Documented
Under GDPR, businesses that process personal data are required to maintain records of their processing activities. This is called a Record of Processing Activities (ROPA).
For most small Shopify stores, this doesn't need to be complex — but it needs to exist. Your ROPA documents:
- What categories of personal data you process
- Why you process it (the purpose)
- Who has access to it
- How long you keep it
- What security measures protect it
If a data protection authority ever audits your store, the first thing they'll ask for is documentation of your data processing. Stores that can produce clear, organized records are treated significantly more favorably than those that can't.
Problem 5 — Your Apps Are Processing EU Data Without Proper Agreements
Every app you install on your Shopify store potentially accesses your customer data. Under GDPR, when you share personal data with a third party (including app developers), you must have a Data Processing Agreement (DPA) in place.
Most major platforms have DPAs available:
- Klaviyo has a DPA
- Google has a DPA
- Meta has a DPA
- Most major Shopify app developers have DPAs
The problem is that most store owners have never accessed or signed these agreements. They install apps, those apps process customer data, and there's no documented legal basis for that data sharing.
What to do
Go through every app you have installed. For each one that handles customer data, locate and sign its Data Processing Agreement. Most providers make the DPA available through their platform settings or on request from their privacy team.
Remove apps that don't have a DPA available — using those apps means processing customer data without a legal basis, which is a GDPR violation.
The EU Compliance Priority List
If this feels overwhelming, work through it in this order:
Week 1 — Cookie Consent
□ Audit your current cookie banner
□ Install a proper CMP (Cookiebot or OneTrust)
□ Configure consent categories correctly
□ Ensure marketing pixels only fire after consent
□ Test reject flow — does everything stop properly?
Week 2 — Email Marketing
□ Check all opt-in forms — are they unticked by default?
□ Update opt-in language to be specific
□ Document consent source in your email platform
□ Plan EU subscriber re-consent campaign if needed
Week 3 — Privacy Policy
□ Review current privacy policy against GDPR requirements
□ Add missing sections (lawful basis, data retention, international transfers)
□ Add customer rights section with contact process
□ Update whenever you add new data processing
Week 4 — Documentation & Apps
□ Create basic Record of Processing Activities
□ List all apps that handle customer data
□ Locate and sign DPA for each app
□ Remove apps without available DPAs
When This Requires a Developer
Several of the fixes above — particularly proper cookie consent implementation and ensuring marketing pixels only fire after consent — require technical implementation that goes beyond clicking buttons in your Shopify admin.
Correctly blocking Google Analytics, Facebook Pixel, and other tracking scripts until consent is given requires modifications to how your theme loads scripts. Doing this incorrectly either breaks your tracking entirely or allows scripts to fire before consent — neither of which is what you want.
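To make the consent gating described in Problem 1 and in this section concrete, here is an added example (not from this article, Shopify, or any CMP vendor) of the core logic: tags are registered under a consent category and loaded only after an affirmative choice, rejection and withdrawal never load them, and every choice is recorded with a timestamp and source so it can be evidenced later. The `loadScript` callback is an assumed injection point; in a browser it would append a `<script>` element, and the tag names and URLs in the comments are constructed.

```javascript
// Added example (not from the article, Shopify, or any CMP vendor): a minimal
// consent-gated tag loader. Each tracking tag is registered under a consent
// category and is only loaded once that category has been affirmatively
// accepted; silence, "reject" and withdrawal never load it.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// loadScript is injected: in a browser it would create a <script> element
// with the given src and append it to document.head.
function createConsentManager({ loadScript, now = () => new Date().toISOString() }) {
  const tags = []; // { name, category, src, loaded }
  // Default: only strictly necessary scripts are permitted. Nothing is
  // inferred from continued browsing or from a pre-ticked choice.
  let consent = { necessary: true, analytics: false, marketing: false };
  let record = null; // evidence of the choice: what was chosen, when, and how

  function applyConsent() {
    for (const tag of tags) {
      if (!tag.loaded && consent[tag.category]) {
        loadScript(tag.src);
        tag.loaded = true;
      }
    }
  }

  return {
    register(name, category, src) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      tags.push({ name, category, src, loaded: false });
      applyConsent(); // necessary tags load at once; the rest wait for consent
    },
    // Category-level choice from the banner ("Manage Preferences"); the record
    // is what you keep to show what was consented to, when, and through what.
    update(choices, source) {
      consent = { ...consent, ...choices, necessary: true };
      record = { choices: { ...consent }, at: now(), source };
      applyConsent();
      return record;
    },
    acceptAll(source = 'banner:accept-all') { return this.update({ analytics: true, marketing: true }, source); },
    rejectAll(source = 'banner:reject-all') { return this.update({ analytics: false, marketing: false }, source); },
    // Withdrawal must be as easy as consent. A script already running cannot be
    // unloaded in-page, so the caller is told a reload is needed to stop it.
    withdraw(category, source = 'settings:withdraw') {
      const rec = this.update({ [category]: false }, source);
      rec.reloadRequired = tags.some(t => t.loaded && t.category === category);
      return rec;
    },
    loadedTags() { return tags.filter(t => t.loaded).map(t => t.name); },
    consentRecord() { return record; },
  };
}
```

The "test reject flow" item on the checklist maps directly onto this: after `rejectAll()`, only tags registered as `necessary` may ever have been loaded.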
Getting this right the first time, rather than patching it repeatedly, is worth professional help. The cost of proper implementation is a fraction of the potential cost of a GDPR fine — and more importantly, it protects your customers' data the way the regulation intends.
If you're not sure whether your current cookie implementation is actually blocking tracking scripts before consent — or if you want someone to audit your store's compliance setup and tell you exactly what needs fixing — I'm happy to take a look.