GDPR in Shopify Stores: Cookie Banners, Tracking & Legal Compliance
Cookie banners, consent, tracking, and mandatory pages: How to make your Shopify store GDPR-compliant for Germany, Austria, and Switzerland – explained in plain language.

TL;DR
- GDPR-compliant tracking requires a consent banner, and tracking tools may load only after consent has been given.
- Google Consent Mode v2 has been a prerequisite for conversion tracking in the EU since 2024.
- Server-side tracking improves data quality and reduces reliance on cookies.
- Clear legal texts and documented consent protect against warnings.
01 Data Protection is a Duty – and a Trust Factor
In the DACH region, data protection is not an optional extra. A properly implemented shop not only protects you from warnings but also signals seriousness to customers. Those who handle data transparently gain trust – and trust sells.
Note: This article is a general guide and does not constitute legal advice.
02 The Basic Legal Requirements
- Legally compliant imprint and a complete privacy policy
- Terms and Conditions and Cancellation Policy (mandatory in B2C)
- Correct button solution in the checkout (§ 312j BGB: "order with obligation to pay")
- A cookie consent banner with a genuine, equivalent choice option
03 Cookie Banner: What Really Matters
Crucially, genuine consent must be obtained before non-essential cookies are set. Specifically, this means: no pre-selected checkboxes, an equivalent "reject" option next to the "accept" button, and a decision that the visitor can change at any time. Marketing and analysis tools may only load after consent has been given.
04 Setting Up Tracking in a Data-Protection-Compliant Way
With Google's Consent Mode and Shopify's Customer Privacy API, tracking can be controlled to respect users' consent. This allows you to remain measurable without violating data protection. Important: control tools via consent – don't hardwire them into the theme. How to simultaneously improve data quality is shown in the article on Server-Side Tracking.
05 DACH Differences at a Glance
| Country | Legal Framework | VAT |
|---|---|---|
| Germany | GDPR + TDDDG | 19 % |
| Austria | GDPR + TKG | 20 % |
| Switzerland | Revised DPA (revDPA) | 8.1 % |
If you, as a Swiss shop, also target EU customers, the GDPR also applies. In practice, you are safest with GDPR-level compliance everywhere.
06 What is NOT Sufficient
A mere "This site uses cookies - OK" banner without a reject option is not compliant. Nor is it enough to load tracking tools and simply layer the banner over them: Consent must be technically effective before data flows.
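The consent-gated loading described in sections 04 and 06, as an added example (not code from this article, Shopify or Google): Consent Mode v2 defaults to denied, and a tag's loader runs only once Shopify's Customer Privacy API reports consent for its purpose. `consentToGtag`, `createTagGate`, `inject` and the `G-PLACEHOLDER` measurement ID are hypothetical names; the example assumes the storefront exposes `Shopify.loadFeatures`.

```javascript
// Added example. Map Shopify consent flags (the shape of event.detail on
// "visitorConsentCollected") to Consent Mode v2 signals; non-true means denied.
function consentToGtag(detail) {
  const d = detail || {};
  const flag = (v) => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(d.analyticsAllowed),
    ad_storage: flag(d.marketingAllowed),
    ad_user_data: flag(d.marketingAllowed),
    ad_personalization: flag(d.marketingAllowed),
  };
}

// Tags register a loader per purpose; a loader runs once, and only after that
// purpose is granted. The default (all denied) is pushed before any tag exists.
function createTagGate(gtag) {
  const pending = [];
  const loaded = [];
  gtag('consent', 'default', consentToGtag(null));
  return {
    register(name, purpose, load) { pending.push({ name, purpose, load }); },
    apply(detail) {
      const s = consentToGtag(detail);
      gtag('consent', 'update', s); // also signals a later withdrawal
      const ok = { analytics: s.analytics_storage === 'granted', marketing: s.ad_storage === 'granted' };
      for (const tag of pending.splice(0)) {
        if (ok[tag.purpose]) { tag.load(); loaded.push(tag.name); } else { pending.push(tag); }
      }
      return loaded.slice();
    },
  };
}

// Browser wiring (skipped outside a Shopify storefront).
if (typeof window !== 'undefined' && window.Shopify && window.Shopify.loadFeatures) {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  const inject = (src) => {
    const el = document.createElement('script'); el.async = true; el.src = src;
    document.head.appendChild(el);
  };
  const gate = createTagGate(gtag);
  gate.register('ga4', 'analytics', () => inject('https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'));
  window.Shopify.loadFeatures([{ name: 'consent-tracking-api', version: '0.1' }], (error) => {
    if (error) return; // fail closed: no consent API, no tags
    const cp = window.Shopify.customerPrivacy;
    gate.apply({ analyticsAllowed: cp.analyticsProcessingAllowed(), marketingAllowed: cp.marketingAllowed() });
    document.addEventListener('visitorConsentCollected', (e) => gate.apply(e.detail));
  });
}
```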
Frequently Asked Questions
Do I absolutely need a consent tool?
Is Shopify itself GDPR compliant?
Does this also apply to my Swiss shop?
Where do I integrate the mandatory pages?
What happens in case of violations?


