GDPR Compliance for E-Commerce Websites
From cart cookies to Facebook Pixel — what every online store must get right.
E-commerce websites face some of the most complex GDPR challenges of any industry. Between advertising pixels, analytics stacks, abandoned cart tracking, and payment processors, the average online store sets 15–30 cookies — the majority of which require consent. Fines in the e-commerce sector have been among the largest issued under GDPR.
Common Cookies & Tools Used in E-Commerce
Common Cookies
_fbp (Facebook Pixel)_gcl_au (Google Ads)_ga (Google Analytics)_gcl_aw (Google Ads conversion)IDE (Google DoubleClick)_ttp (TikTok Pixel)
Common Tools
- Google Analytics
- Facebook Pixel
- Google Ads
- Klaviyo
- Hotjar
- Stripe
- TikTok Pixel
- Pinterest Tag
Key GDPR Challenges for E-Commerce Websites
Advertising pixels fire before consent
Facebook Pixel, Google Ads, and TikTok Pixel are often added via Google Tag Manager and configured to fire on all pages — including the first page load before any consent is given. This is a direct GDPR violation.
Abandoned cart and retargeting
Retargeting campaigns depend on cookies that track which products a user viewed. These are marketing cookies that require explicit opt-in. If a user hasn't consented, you cannot retarget them.
Multi-platform attribution
E-commerce stores typically run ads on multiple platforms simultaneously. Each ad platform sets its own tracking cookies. Each one requires separate disclosure in your cookie policy.
Email marketing integration
CRM tools like Klaviyo and Mailchimp set cookies for email tracking and attribution. These require marketing consent and must be listed in your cookie policy.
Payment processors
Stripe sets the _stripe_mid cookie, which is strictly necessary and doesn't require consent. However, PayPal and other processors may set marketing cookies — check each one.
Compliance Checklist for E-Commerce Websites
- All advertising pixels (Meta, Google Ads, TikTok, Pinterest) blocked until marketing consent given
- Google Analytics and any session recording tools blocked until analytics consent given
- Stripe/payment processor cookies allowed (they're necessary)
- Consent banner has clear 'Accept All' and 'Reject All' options on first layer
- Cookie policy lists every pixel, analytics tool, and CRM cookie with name, purpose, and duration
- Google Consent Mode v2 implemented for Google tag ecosystem
- Facebook Pixel deferred until consent via CMP or manual script blocking
- Product review and live chat cookies categorized and gated appropriately
- Regular scans after plugin updates — WooCommerce, Shopify apps, and theme updates can silently add new cookies
Frequently Asked Questions
Do I need a cookie consent banner for my online store?
Yes, if you use any non-essential cookies — analytics, advertising, or personalisation. Most e-commerce stores use at least Google Analytics and Facebook Pixel, both of which require consent.
Can I still run Facebook Ads if someone rejects cookies?
Yes. When a user rejects marketing cookies, Facebook's Conversions API (CAPI) can be used server-side without cookies, though its accuracy is lower. You can run ads, but you won't be able to track that specific user's conversions.
Does Shopify have built-in GDPR compliance?
Shopify provides a basic cookie consent banner, but it doesn't automatically block all third-party cookies. Apps installed from the Shopify App Store may add their own cookies that aren't covered by the default banner. Always scan your store to verify.
Check your e-commerce website for free
Scan your website to get a full GDPR compliance report — every cookie, whether consent is working, and a step-by-step fix list.
Scan your website free →