
Cookie Compliance for E-commerce: The Complete 2026 Checklist

Gretelfy Team · February 3, 2026 · 14 min read
Tags: e-commerce, compliance, checklist, Shopify, WooCommerce, GDPR

E-commerce stores face unique cookie compliance challenges. Between payment processors, marketing pixels, cart abandonment tools, and product recommendations, the average online store sets dozens of cookies—many of which require explicit consent under GDPR.

This comprehensive checklist covers everything e-commerce site owners need to know to achieve and maintain cookie compliance.

Online stores are particularly vulnerable to GDPR enforcement for several reasons:

  1. Heavy reliance on marketing: Facebook Pixel, Google Ads, TikTok—e-commerce lives on paid advertising
  2. Conversion tracking everywhere: Every platform wants to track purchases for optimization
  3. Third-party integrations: Payment, shipping, reviews, recommendations, chat—each adds cookies
  4. Platform complexity: Shopify apps, WooCommerce plugins, and custom code all set cookies
  5. Customer data volumes: High traffic means high exposure if violations occur

Regulators know this, which is why e-commerce sites receive particular scrutiny.

Section 1: Foundation

☐ Install and Configure a CMP

Choose a consent management platform (CMP) that works with your e-commerce platform:

  • Shopify: Cookiebot, CookieYes, Termly (all have Shopify apps)
  • WooCommerce: Cookiebot, Complianz, CookieYes
  • Magento: Amasty GDPR, OneTrust
  • BigCommerce: Cookiebot, Termly
  • Custom/Headless: Cookiebot, OneTrust, Didomi (JavaScript integration)

Why it matters: Without a CMP you have no reliable way to record consent, enforce it across every script, or prove it later.

☐ Build a Cookie Inventory

Document every cookie your store sets:

Cookie     | Source           | Category  | Purpose
cart_token | Platform         | Necessary | Shopping cart
_ga        | Google Analytics | Analytics | Traffic analysis
_fbp       | Facebook         | Marketing | Ad targeting
_gcl_au    | Google Ads       | Marketing | Conversion tracking

Include cookies from:

  • Your e-commerce platform
  • Payment processors
  • Analytics tools
  • Marketing platforms
  • Customer support tools
  • Review widgets
  • Social sharing
  • Product recommendations
  • Email marketing tools

☐ Categorize Cookies Correctly

Assign each cookie to the appropriate category:

Necessary (No consent required):

  • Session cookies
  • Shopping cart cookies
  • Authentication tokens
  • CSRF protection
  • Basic fraud prevention

Functional (Consent required unless strictly necessary):

A short-lived preference cookie set in direct response to the user's own choice (a language picked from a menu, kept for the session) can fall under the strictly-necessary exemption; preferences that persist across sessions need consent.

  • Currency/language preference
  • Recently viewed products
  • Wishlist cookies (if they persist)

Analytics (Consent required):

  • Google Analytics
  • Hotjar/Crazy Egg
  • Platform analytics

Marketing (Consent required):

  • Facebook Pixel
  • Google Ads
  • Retargeting cookies
  • Affiliate tracking
  • Email platform cookies

☐ Run an Initial Compliance Scan

After CMP setup, scan your store to verify the implementation.

Check that:

  • No analytics cookies appear before consent
  • No marketing pixels fire before consent
  • Only necessary cookies are set initially
  • Your Gretel Score is 80+ (Pass)
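The inventory and the pre-consent check above can be automated. The following is an added example, not Gretelfy's scanner or any CMP's code: it checks a captured cookie string against a cookie inventory and the visitor's consent state. The inventory extends the table above with prefix patterns (a trailing "*" matches any suffix, such as GA4's per-property _ga_<ID> cookie); the captured cookie string, the category names and the consent-state shape are constructed for this example.

```javascript
// Added example (not Gretelfy's or any CMP's code): audit cookies against an inventory.
// Inventory entries: name or prefix pattern (trailing "*"), source, consent category.
const COOKIE_INVENTORY = [
  { pattern: 'cart_token', source: 'Platform',         category: 'necessary' },
  { pattern: '_ga',        source: 'Google Analytics', category: 'analytics' },
  { pattern: '_ga_*',      source: 'Google Analytics', category: 'analytics' },
  { pattern: '_hj*',       source: 'Hotjar',           category: 'analytics' },
  { pattern: '_fbp',       source: 'Facebook',         category: 'marketing' },
  { pattern: '_gcl_*',     source: 'Google Ads',       category: 'marketing' },
];

function matchesPattern(name, pattern) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// Parse a document.cookie-style string ("a=1; b=2") into an object of name -> value.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    cookies[name] = eq === -1 ? '' : trimmed.slice(eq + 1);
  }
  return cookies;
}

// consent is the CMP's decision per category, e.g. { functional: false, analytics: false, marketing: false }.
// A cookie violates consent when its category is not "necessary" and that category was not granted.
// Cookies absent from the inventory are reported separately: an undocumented cookie usually
// means a newly installed app or plugin that nobody categorized.
function auditCookies(cookieString, consent, inventory = COOKIE_INVENTORY) {
  const violations = [];
  const unknown = [];
  for (const name of Object.keys(parseCookieString(cookieString))) {
    const entry = inventory.find((e) => matchesPattern(name, e.pattern));
    if (!entry) {
      unknown.push(name);
    } else if (entry.category !== 'necessary' && !consent[entry.category]) {
      violations.push({ name, source: entry.source, category: entry.category });
    }
  }
  return { violations, unknown };
}

// Constructed capture: what a store set before the banner was answered.
const PRE_CONSENT_CAPTURE =
  'cart_token=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _fbp=fb.1.444.555; _gcl_au=1.1.666; some_app_id=777';
const NO_CONSENT = { functional: false, analytics: false, marketing: false };

// In a browser, run against the live page instead: auditCookies(document.cookie, cmpState).
// document.cookie cannot see HttpOnly or third-party cookies; use the browser's developer
// tools or a scanner for those.
function preConsentReport() {
  return auditCookies(PRE_CONSENT_CAPTURE, NO_CONSENT);
}
```

Run the audit once with no consent and once with each partial-consent combination your banner offers; anything in `violations` fires too early, and anything in `unknown` needs to be traced back to the app that set it and added to the inventory.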

Section 2: Payment & Checkout

☐ Review Payment Processor Cookies

Common payment providers and their cookies:

Provider | Cookie behavior                   | Consent needed?
Stripe   | Sets cookies for fraud prevention | No (necessary)
PayPal   | Marketing cookies if logged in    | Possibly
Klarna   | Session + analytics cookies       | Partially
Shop Pay | Shopify session cookies           | No (necessary)

Action items:

  • Review your payment provider's cookie documentation
  • Configure any non-essential cookies to require consent
  • Test checkout flow with cookies rejected

☐ Ensure Checkout Works Without Marketing Cookies

Users who reject marketing cookies must still be able to complete purchases:

  • Payment processing should work
  • Order confirmation should send
  • Conversion tracking won't work (this is acceptable)

Test by:

  1. Rejecting all non-essential cookies
  2. Adding products to cart
  3. Completing checkout
  4. Verifying order is processed

Section 3: Marketing & Advertising

☐ Consent-Gate the Facebook Pixel

A Facebook Pixel that fires before consent is one of the most common violations. Proper setup:

In your CMP: Block connect.facebook.net until marketing consent

With Facebook's Consent Mode:

// Place after the Meta Pixel base snippet (which defines fbq) and before fbq('init'):
fbq('consent', 'revoke'); // default state: no cookies, no events

// When the user grants marketing consent:
fbq('consent', 'grant');
fbq('init', 'YOUR_PIXEL_ID'); // init is what sets the _fbp cookie, so it only runs after grant
fbq('track', 'PageView');

Check for duplicate pixels:

  • Facebook app/plugin settings
  • Theme code
  • Google Tag Manager
  • Other marketing apps

One pixel with proper consent handling is better than three firing pre-consent.

☐ Implement Google Consent Mode v2

Required for Google Ads, Analytics, and related services:

// Before the gtag.js / GTM snippet loads, so the default applies to every tag:
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500, // ms to wait for the CMP's stored choice before tags act on the default
});

// When the user consents (the CMP calls this for the categories granted):
gtag('consent', 'update', {
  ad_storage: 'granted',
  ad_user_data: 'granted',
  ad_personalization: 'granted',
  analytics_storage: 'granted',
});
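The two snippets above are the tag-side calls; what is usually missing is the glue that turns one CMP decision into both of them, including partial consent and later withdrawal. The following is an added example, not Google's, Meta's or any CMP's code. The `gtag` and `fbq` command names are the real tag APIs; the category names, the placeholder pixel id, and the injected `gtag`/`fbq` dependencies (so the flow can be exercised outside a browser) are assumptions of this example. In production pass `window.gtag` and `window.fbq`.

```javascript
// Added example (not Google's, Meta's or a CMP's code): one CMP decision -> both tag APIs.
const PIXEL_ID = 'YOUR_PIXEL_ID'; // placeholder, not a real pixel id

// Pure mapping from CMP categories to the four Consent Mode v2 signals.
// Marketing drives all three ad signals; analytics drives analytics_storage.
function toGoogleConsent(categories) {
  const ads = categories.marketing ? 'granted' : 'denied';
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: categories.analytics ? 'granted' : 'denied',
  };
}

// State before the banner is answered: everything denied, pixel revoked.
// Call this after the Meta base snippet defines fbq and before gtag.js/GTM loads.
function installConsentDefaults({ gtag, fbq }) {
  const defaults = { ...toGoogleConsent({ analytics: false, marketing: false }), wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  fbq('consent', 'revoke');
  return defaults;
}

// Apply a decision. Works for the first answer, a later change in the preference
// center, and full withdrawal (all categories false). The pixel is initialised once,
// only after marketing consent, because fbq('init') is what sets the _fbp cookie.
function applyConsentDecision(categories, deps, state = { pixelInitialised: false }) {
  const payload = toGoogleConsent(categories);
  deps.gtag('consent', 'update', payload);
  if (categories.marketing) {
    deps.fbq('consent', 'grant');
    if (!state.pixelInitialised) {
      deps.fbq('init', deps.pixelId);
      deps.fbq('track', 'PageView');
      state.pixelInitialised = true;
    }
  } else {
    // Refusal or withdrawal: revoke stops further pixel cookies and events.
    deps.fbq('consent', 'revoke');
  }
  return payload;
}

// Constructed walk-through with recording stubs in place of the real gtag/fbq:
// analytics only, then accept all, then withdraw everything.
function demoConsentFlow() {
  const calls = [];
  const deps = {
    gtag: (...args) => calls.push(['gtag', ...args]),
    fbq: (...args) => calls.push(['fbq', ...args]),
    pixelId: PIXEL_ID,
  };
  const state = { pixelInitialised: false };
  installConsentDefaults(deps);
  applyConsentDecision({ analytics: true, marketing: false }, deps, state);
  applyConsentDecision({ analytics: true, marketing: true }, deps, state);
  applyConsentDecision({ analytics: false, marketing: false }, deps, state);
  return calls;
}
```

Keeping the mapping pure (`toGoogleConsent`) means the CMP integration can be unit-tested without a browser, and the `pixelInitialised` flag is what prevents the duplicate-pixel problem described above when the visitor changes their choice twice on one page.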

☐ Audit All Marketing Apps/Plugins

E-commerce platforms make it easy to add marketing tools. Audit each one:

Shopify Apps to check:

  • Klaviyo
  • Privy
  • Omnisend
  • Loox
  • Judge.me
  • ReConvert
  • Bold apps

WooCommerce Plugins to check:

  • Mailchimp integration
  • Facebook for WooCommerce
  • Google Listings & Ads
  • Abandoned cart plugins
  • Review plugins

For each tool:

  1. Identify what cookies it sets
  2. Verify your CMP blocks them pre-consent
  3. Configure the tool's consent settings if available
  4. Test that it respects consent state

☐ Configure Email Marketing Consent

Email platforms often set tracking cookies:

  • Klaviyo: __kla_id and related cookies
  • Mailchimp: mailchimp_landing_page, etc.
  • Omnisend: omnisendContactID

Best practices:

  • Separate email signup consent from cookie consent
  • Configure email popups to not set cookies until consent
  • Delay email platform JavaScript until consent

Section 4: Analytics & Optimization

☐ Configure GA4 with Consent Mode

Set up Google Analytics 4 as follows:

  1. Install GA4 through GTM (not directly in theme)
  2. Configure consent mode as shown above
  3. Use consent-triggered tags in GTM
  4. Consider GA4's consent-mode modeling for insights

Result: Users who decline are not tracked individually (with consent-triggered tags nothing is sent until consent; with advanced consent mode GA4 receives cookieless pings and models the gap), while users who consent provide full data.

☐ Configure Heatmap/Session Recording Tools

Hotjar, Lucky Orange, Crazy Egg, and similar tools must wait for consent:

  1. Block the tool's script until analytics consent
  2. Use the tool's built-in consent features if available
  3. Consider reducing recording scope to limit privacy exposure

Hotjar example:

// Keep the Hotjar tracking snippet out of the page by default and inject it
// only once analytics consent exists. Note that hj('trigger', ...) merely tags a
// recording; it does not stop an already loaded script from setting cookies.
if (analyticsConsentGranted) {
  loadHotjarSnippet() // your function that appends the Hotjar script tag
}
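Blocking a vendor script until its category is granted is the same step for the heatmap tools here, for connect.facebook.net in Section 3, and for the chat and review widgets in Section 5. The following is an added example, not Hotjar's, Meta's or any CMP's code: a registry of third-party loaders with their consent category, a pure decision function, and the browser-side injection, plus the `type="text/plain"` trick for inline snippets. The Meta and Hotjar URLs follow the vendors' documented loader format, but the Hotjar site id, the chat-widget entry and the consent-state shape are constructed for this example.

```javascript
// Added example (not Hotjar's, Meta's or a CMP's code): category-gated script loading.
const SCRIPT_REGISTRY = [
  { id: 'meta-pixel',  category: 'marketing',  src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { id: 'hotjar',      category: 'analytics',  src: 'https://static.hotjar.com/c/hotjar-1234567.js?sv=6' }, // 1234567: placeholder site id
  { id: 'chat-widget', category: 'functional', src: 'https://chat.example-vendor.invalid/widget.js' },    // constructed entry
];

// Decide which registry entries may load now. Already-loaded ids are skipped so a
// second consent update never injects a duplicate pixel.
function selectScripts(consent, alreadyLoaded, registry = SCRIPT_REGISTRY) {
  const load = [];
  const blocked = [];
  for (const entry of registry) {
    if (alreadyLoaded.has(entry.id)) continue;
    (consent[entry.category] ? load : blocked).push(entry);
  }
  return { load, blocked };
}

const loadedScriptIds = new Set();

// Inject permitted scripts. `doc` is the DOM document; pass null outside a browser.
// Withdrawal cannot unload a script that is already running, so pair this with the
// vendor's own revoke/opt-out call and a first-party cookie purge.
function applyScriptConsent(consent, doc = typeof document !== 'undefined' ? document : null) {
  const { load, blocked } = selectScripts(consent, loadedScriptIds);
  for (const entry of load) {
    if (doc) {
      const el = doc.createElement('script');
      el.async = true;
      el.src = entry.src;
      doc.head.appendChild(el);
    }
    loadedScriptIds.add(entry.id);
  }
  return { loaded: load.map((e) => e.id), blocked: blocked.map((e) => e.id) };
}

// Same idea for inline snippets shipped in the HTML (Hotjar's _hjSettings snippet, for
// example): mark them <script type="text/plain" data-consent-category="analytics">...</script>
// so the browser ignores them, then re-create each as a real script once its category is granted.
function unblockInlineScripts(consent, doc) {
  if (!doc) return 0;
  let count = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!consent[el.dataset.consentCategory]) continue;
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.textContent = el.textContent;
    el.replaceWith(live);
    count += 1;
  }
  return count;
}
```

Wire `applyScriptConsent` and `unblockInlineScripts` to the CMP's consent-changed callback; the registry then becomes the single list your audit compares against, which is how the "duplicate pixels" check in Section 3 stays honest.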

☐ Review Product Recommendation Cookies

Personalization tools set cookies to track browsing history:

  • Recently viewed products
  • Product recommendations
  • "Customers also bought"

Check if these require consent:

  • Session-only, anonymous data: Likely necessary
  • Persistent tracking across sessions: Requires consent
  • Shared with third parties: Definitely requires consent

Section 5: Customer Experience Tools

☐ Configure Live Chat Properly

Intercom, Zendesk Chat, Drift, etc.:

Option A: Block until consent

  • Treat as functional/analytics cookie
  • Show "Chat unavailable until you accept cookies" message

Option B: Use anonymous mode

  • Many chat tools offer GDPR-compliant anonymous mode
  • Chat works but doesn't persist across sessions

☐ Handle Review Widgets

Judge.me, Yotpo, Loox, Stamped:

  1. Check what cookies the widget sets
  2. Configure to load only after consent if cookies are non-essential
  3. Use lazy loading with consent triggers
  4. Consider native platform reviews if third-party is too complex

☐ Social Sharing & Login

Social buttons often load tracking scripts:

Social sharing buttons:

  • Use privacy-friendly sharers (copy-link, email)
  • Load social buttons only after consent
  • Use static share links instead of JavaScript widgets

Social login (Login with Facebook/Google):

  • Requires user action, so may be treated differently
  • Document in cookie policy
  • Consider impact on conversion vs. compliance

Section 6: Platform-Specific Considerations

For Shopify Stores

  1. Use the privacy app ecosystem: Shopify's app store has privacy-focused apps
  2. Check theme code: Many themes include hardcoded analytics
  3. Audit installed apps: Each app potentially adds cookies
  4. Configure Shopify analytics: Built-in analytics are first-party but still need disclosure
  5. Review checkout.liquid: If you have checkout customizations

Shopify-specific scan: Include /checkout page in compliance scans—it often has different cookie behavior.

For WooCommerce Stores

  1. Audit all plugins: WordPress plugins are notorious for adding tracking
  2. Check theme functions.php: Custom tracking often lives here
  3. Review child theme: Inherited cookies from parent themes
  4. wp_head and wp_footer hooks: Common places for tracking code
  5. Database cleanup: Old plugins may leave tracking code behind

WooCommerce tip: Use a staging site to test plugin removals—some plugins break consent management when removed.


Section 7: Compliance Verification

☐ Test All Consent Scenarios

Scenario                             | Expected behavior                             | Test status
Accept all                           | All cookies set, full tracking                | ☐
Reject all                           | Only necessary cookies, no tracking           | ☐
Accept analytics only                | Analytics work, no marketing                  | ☐
Withdraw consent                     | Non-essential cookies deleted, tracking stops | ☐
Complete purchase (cookies rejected) | Order succeeds                                | ☐

When testing withdrawal, inspect cookies in the browser's developer tools rather than relying on document.cookie: your page can only expire first-party cookies, and only with a matching domain and path, while cookies set by third-party hosts need the vendor's own revoke or opt-out call.
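The "Withdraw consent" row is the one most stores fail, because deleting a cookie from page script only works when the domain and path match the ones it was set with (Google Analytics, for instance, defaults to the registrable domain such as .example.com, not the page host). The following is an added example, not Gretelfy's or any CMP's code, that expires every non-necessary first-party cookie across the plausible domain and path combinations. The patterns, hostname, paths and the cookie capture are constructed for this example; third-party cookies, set by other hosts, cannot be removed from your page at all.

```javascript
// Added example (not Gretelfy's or a CMP's code): first-party cookie purge on withdrawal.
const NON_NECESSARY_PATTERNS = ['_ga', '_ga_*', '_fbp', '_gcl_*', '_hj*']; // constructed list

function matchesCookiePattern(name, pattern) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// 'shop.example.com' -> ['', 'shop.example.com', '.shop.example.com', '.example.com'].
// Assumption: the registrable domain is the last two labels; for suffixes such as
// .co.uk consult the Public Suffix List instead.
function candidateDomains(hostname) {
  const labels = hostname.split('.');
  const domains = [''];
  for (let i = 0; i <= labels.length - 2; i++) {
    const domain = labels.slice(i).join('.');
    if (i === 0) domains.push(domain);
    domains.push('.' + domain);
  }
  return domains;
}

// One cookie string per domain/path combination; an expiry in the past deletes the cookie.
function expiryStrings(name, hostname, paths = ['/', '/checkout']) {
  const out = [];
  for (const domain of candidateDomains(hostname)) {
    for (const path of paths) {
      out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}` + (domain ? `; domain=${domain}` : ''));
    }
  }
  return out;
}

// Expire every cookie matching a non-necessary pattern. `doc` is the DOM document
// (pass null outside a browser). Returns the names that were purged.
function purgeNonNecessaryCookies(cookieString, hostname, doc = null, patterns = NON_NECESSARY_PATTERNS) {
  const names = cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  const purged = [];
  for (const name of names) {
    if (!patterns.some((p) => matchesCookiePattern(name, p))) continue;
    for (const header of expiryStrings(name, hostname)) {
      if (doc) doc.cookie = header;
    }
    purged.push(name);
  }
  return purged;
}

// Browser usage in the CMP's withdrawal handler:
//   purgeNonNecessaryCookies(document.cookie, location.hostname, document)
// Constructed capture of a session that had accepted everything before withdrawing:
const WITHDRAWAL_CAPTURE = 'cart_token=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _fbp=fb.1.444.555; _gcl_au=1.1.666';
```

Run the purge together with the vendors' own revoke calls (fbq('consent', 'revoke'), the Consent Mode update to denied) and then re-scan: the purge handles cookies your domain owns, the revoke calls stop the scripts that would otherwise recreate them on the next page view.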

☐ Scan Key Pages

Don't just scan your homepage. E-commerce requires scanning:

  • Homepage
  • Category pages
  • Product pages
  • Cart page
  • Checkout pages
  • Thank you/confirmation page
  • Account pages
  • Blog (if present)

Each page type may load different scripts.

☐ Set Up Ongoing Monitoring

Cookie compliance isn't one-and-done. Set up:

  1. Weekly automated scans: Catch changes quickly
  2. Post-deployment scans: After every site update
  3. App/plugin addition alerts: Scan after adding new tools
  4. Score tracking: Monitor your Gretel Score over time

Section 8: Documentation & Policy

☐ Update Privacy Policy

Your privacy policy must describe:

  • What cookies you use
  • Purpose of each cookie category
  • Third parties who receive data
  • How users can manage preferences
  • Data retention periods

☐ Create a Cookie Policy

Your dedicated cookie policy should include:

  • Complete cookie inventory table
  • Explanation of each category
  • Instructions for managing cookies
  • Link to preference center

☐ Maintain Consent Records

Maintain records showing:

  • When consent was collected
  • What was consented to
  • User identifiers (hashed)
  • Consent version

Most CMPs handle this automatically—verify yours does.


E-commerce Compliance Checklist Summary

Foundation

  • CMP installed and configured
  • Cookie inventory completed
  • Cookies correctly categorized
  • Initial compliance scan passed

Payment & Checkout

  • Payment processor cookies reviewed
  • Checkout works without marketing cookies

Marketing

  • Facebook Pixel consent-gated
  • Google Consent Mode v2 implemented
  • All marketing apps audited
  • Email marketing consent configured

Analytics

  • GA4 with consent mode
  • Heatmaps consent-gated
  • Personalization reviewed

Customer Tools

  • Live chat configured
  • Review widgets checked
  • Social features reviewed

Verification

  • All consent scenarios tested
  • All page types scanned
  • Ongoing monitoring set up

Documentation

  • Privacy policy updated
  • Cookie policy created
  • Consent records maintained

Get Your E-commerce Compliance Score

Ready to see where your store stands?


Get your Gretel Score in 30 seconds. See exactly which cookies and scripts need attention—before regulators find them.
