Shopify Meta Pixel GDPR: why a default install often fires before consent
Shopify's Meta channel injects Meta Pixel through the web pixel manager. The manager respects the Customer Privacy API only if you have enabled it. If the API is off, every visitor is treated as consented and Meta Pixel fires on the first pageview. Here is what to enable and what to verify.
Shopify Meta Pixel GDPR compliance comes down to one toggle. The Shopify Meta channel app, which is the recommended way to install Meta Pixel on a Shopify storefront, injects the pixel script via Shopify's web pixel manager. That manager respects the Customer Privacy API. In theory, the pixel waits for marketing consent before firing.
In practice, most stores never enable the Customer Privacy API in the first place. The toggle lives under Settings, Customer privacy, Cookie banner. If it is off, the entire consent model is off, and the web pixel manager treats every visitor as having consented.
What does a fresh-install Shopify Meta Pixel actually do?
On a new Shopify Plus store with the Meta channel installed and the cookie banner toggle off, here is what happens on the first pageview.
- Theme loads and renders the page.
- Shopify's pixel infrastructure initialises with consent = granted (because the API is off).
- Meta Pixel fires a PageView event to facebook.com/tr immediately.
- Google Analytics 4 (if installed via Google Sales channel) fires a page_view event immediately.
The visitor has had no opportunity to refuse. There is no banner. The first GDPR Article 6 lawful basis check has already been bypassed.
Stores that do have a banner often still leak
Stores running a third-party CMP (Klaviyo Reviews, Cookiebot, Consentmo) frequently leave the Shopify native cookie banner off and rely on the CMP. The CMP gates the scripts the merchant manually configured but cannot gate the Shopify-managed web pixels unless the merchant explicitly wired the CMP to the Customer Privacy API.
Enforcement
Shopify's own developer documentation acknowledges this. The relevant guide is titled "Configure your store to comply with the General Data Protection Regulation" and explicitly states that activating the Customer Privacy API is the merchant's responsibility.
What does a correctly gated Shopify install look like?
Two configurations work. Either enable Shopify's native cookie banner (Settings, Customer privacy, Cookie banner), which automatically calls the Customer Privacy API on consent grant. Or run a third-party CMP and explicitly call window.Shopify.customerPrivacy.setTrackingConsent on its accept handler. Both gate the Meta and Google web pixels through the same managed infrastructure.
The wrong configurations are the common ones. A third-party CMP that does not call setTrackingConsent will not gate Shopify-managed pixels. Manually injecting the pixel through theme.liquid bypasses the manager entirely.
How we test this
ComplianceGuardHQ does not assume your Shopify store leaks pre-consent. We load your homepage from an EU residential IP, record the network tab, and report exactly which trackers fired before any consent action, with the request URL and timing as evidence. Run a free scan to find out.
Five minute audit
Open your store in a fresh private window. Open DevTools to the Network tab. Filter by facebook. Reload. If you see a request to facebook.com/tr before you interact with any banner, your Customer Privacy API gating is either off or misconfigured. Fix it before the next CNIL or Garante decision lands on a brand like yours.
Frequently asked questions
Does Shopify's Meta channel respect GDPR by default?
Only if the Customer Privacy API is enabled. The Meta channel uses Shopify's web pixel manager, which checks the API for consent state. With the API off (the default on new stores), the manager treats every visitor as consented and Meta Pixel fires on the first pageview.
How do I enable the Shopify Customer Privacy API?
Go to Settings, Customer privacy, Cookie banner, and enable the cookie banner. This activates the API and makes the web pixel manager respect consent state.
Does Cookiebot or Iubenda gate Shopify-managed pixels?
Not automatically. A third-party CMP gates only scripts the merchant manually configured. To gate Shopify-managed pixels (Meta, Google, TikTok via official channels), the CMP must explicitly call window.Shopify.customerPrivacy.setTrackingConsent on accept and on revoke.
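The wiring described under "What does a correctly gated Shopify install look like?" and in the answer above, as an added example that is not Shopify's or any CMP vendor's code: a bridge that forwards every CMP decision, accept or revoke, to setTrackingConsent. The cmp adapter with its onChange method is hypothetical, and loadFeatures with the consent-tracking-api feature name does not appear on this page, so check both against Shopify's current Customer Privacy API reference.

```javascript
// Added example: bridge a third-party CMP to Shopify's Customer Privacy API.
// ASSUMPTION: `cmp` is a hypothetical adapter exposing onChange(callback); the
// callback receives { marketing, analytics, preferences } booleans. Real CMPs
// expose their own events, which have to be mapped into this shape.

function toShopifyConsent(choice) {
  // Fail closed: anything that is not explicitly `true` is sent as refused.
  return {
    marketing: choice.marketing === true,
    analytics: choice.analytics === true,
    preferences: choice.preferences === true,
  };
}

function wireCmpToShopify(shopify, cmp, onResult = () => {}) {
  if (!shopify || typeof shopify.loadFeatures !== 'function') {
    throw new Error('Shopify global not available on this page');
  }
  // customerPrivacy only exists once the consent-tracking-api feature is loaded.
  shopify.loadFeatures([{ name: 'consent-tracking-api', version: '0.1' }], (err) => {
    if (err) return onResult(err);
    // Registered once, fires on accept AND on revoke, so a withdrawal also
    // reaches the web pixel manager instead of leaving the old grant in place.
    cmp.onChange((choice) => {
      shopify.customerPrivacy.setTrackingConsent(
        toShopifyConsent(choice),
        (e) => onResult(e || null)
      );
    });
  });
}

// Browser usage. window.exampleCmp is a placeholder for your CMP adapter.
if (typeof window !== 'undefined' && window.Shopify && window.exampleCmp) {
  wireCmpToShopify(window.Shopify, window.exampleCmp);
}
```

After deploying a bridge like this, the Network tab check described on this page is still the way to confirm the Shopify-managed pixels actually wait for the banner.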
How do I test if Meta Pixel fires before consent on my Shopify store?
Open the store in a fresh private window. Open DevTools, Network tab, filter by facebook. Reload and read the request list before interacting with any banner. A request to facebook.com/tr means Meta Pixel fired pre-consent.
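The manual check from "Five minute audit" and from the answer above, automated over a HAR file exported from the DevTools Network tab; this is an added example, not ComplianceGuardHQ's scanner. The endpoint patterns (including the GA4 collect path), the consentAt parameter and the sample capture are assumptions constructed for illustration.

```javascript
// Added example: list tracker requests in a DevTools HAR export that were sent
// before the visitor's first consent action.
// ASSUMPTION: the endpoint patterns and consentAt are supplied by the auditor.
const TRACKER_ENDPOINTS = [
  { name: 'Meta Pixel', host: /(^|\.)facebook\.com$/, path: /^\/tr\/?$/ },
  { name: 'Google Analytics 4', host: /(^|\.)google-analytics\.com$/, path: /\/collect$/ },
];

function preConsentHits(har, consentAt) {
  // consentAt: ISO timestamp of the first banner click, or null if the banner
  // was never touched (then every tracker request counts as pre-consent).
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip entries whose URL does not parse
    }
    const tracker = TRACKER_ENDPOINTS.find(
      (t) => t.host.test(url.hostname) && t.path.test(url.pathname)
    );
    if (!tracker || Date.parse(entry.startedDateTime) >= cutoff) continue;
    hits.push({
      tracker: tracker.name,
      at: entry.startedDateTime,
      event: url.searchParams.get('ev') || url.searchParams.get('en'),
    });
  }
  return hits;
}

// Constructed sample capture (not a real store); consent click at 10:00:05Z.
const entry = (startedDateTime, url) => ({ startedDateTime, request: { url } });
const SAMPLE_HAR = { log: { entries: [
  entry('2024-01-01T10:00:00.000Z', 'https://shop.example/'),
  entry('2024-01-01T10:00:00.800Z', 'https://www.facebook.com/tr/?id=0000000000&ev=PageView'),
  entry('2024-01-01T10:00:00.900Z', 'https://www.google-analytics.com/g/collect?v=2&en=page_view'),
  entry('2024-01-01T10:00:09.000Z', 'https://www.facebook.com/tr/?id=0000000000&ev=ViewContent'),
] } };

console.log(preConsentHits(SAMPLE_HAR, '2024-01-01T10:00:05.000Z'));
```

An empty result on a capture where the banner was never clicked (consentAt set to null) is the outcome a correctly gated store should produce.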
Will Shopify fix this for me?
Shopify provides the infrastructure (the Customer Privacy API) but the configuration is the merchant's responsibility. Shopify's own documentation states this explicitly.
ComplianceGuardHQ runs an automated technical scan. The findings refer to the text of the guidelines and to enforcement precedent. They do not constitute legal advice. For a binding interpretation in your jurisdiction, consult a qualified lawyer or data protection officer.