Shopify Implementation Technical Details
This page covers technical details about how our CMP communicates with Shopify under the hood. You do not need to read this to set up or use our CMP on your Shopify store.
Our CMP uses Shopify's Customer Privacy API to communicate consent signals to your Shopify storefront. Here's how it works under the hood.
Initialization
When the CMP loads on a Shopify storefront, it checks for the presence of window.Shopify.loadFeatures — the entry point to Shopify's privacy APIs. Once found, the CMP calls:
window.Shopify.loadFeatures([
{ name: 'consent-tracking-api', version: '0.1' }
])
This activates the window.Shopify.customerPrivacy object, which gives the CMP access to the setTrackingConsent() method used to relay consent decisions.
Consent Category Mapping
When a visitor interacts with the consent banner (or on page load if consent has already been saved), the CMP calls window.Shopify.customerPrivacy.setTrackingConsent() with the following consent categories:
| CMP Consent Setting | Shopify Consent Category |
|---|---|
| Analytics | analytics |
| Advertising or Targeted Advertising | marketing |
| Personalization | preferences |
| (derived — see below) | sale_of_data |
For example, if a visitor accepts Analytics and Personalization but declines Advertising, the CMP sends:
window.Shopify.customerPrivacy.setTrackingConsent({
analytics: true,
marketing: false,
preferences: true,
sale_of_data: false
})
Shopify uses these signals to control whether App Pixels and Custom Pixels are allowed to execute, based on how each App developer has classified their pixel's privacy requirements.
Non-Interactive Banners
When the active banner variant is non-interactive (e.g., an informational-only banner or no banner at all, in a region that doesn't require opt-in consent), the CMP defaults analytics, marketing, and preferences to true. This ensures Shopify pixels are not unnecessarily blocked. However, the sale_of_data signal is still conditioned on opt-out status (see below), so consumer privacy rights are respected even without an interactive banner.
Opt-Out Signals and sale_of_data
The sale_of_data field receives special treatment. Its value is determined as follows:
- If the visitor has opted out via US Privacy (USP), Global Privacy Control (GPC), or the Targeted Advertising toggle,
sale_of_datais always set tofalse— regardless of any other consent choices. - If the visitor is using an interactive banner and has not opted out via USP/GPC,
sale_of_datareflects their Advertising consent choice. - If the visitor is viewing a non-interactive banner and has not opted out via USP/GPC,
sale_of_datadefaults totrue.
This ensures that browser-level privacy signals like GPC are always respected for the sale-of-data signal, even in regions where the consent banner is informational-only.
Real-Time Updates
The CMP listens for its internal consentChanged event, which fires whenever a visitor updates their consent preferences. Each time this event fires, the CMP calls setTrackingConsent() with the updated values to keep Shopify in sync.
Validation
To verify that Shopify has received the consent signals from our CMP, you can query Shopify's Customer Privacy API directly in your browser's developer console:
window.Shopify.customerPrivacy.analyticsProcessingAllowed();
window.Shopify.customerPrivacy.marketingAllowed();
window.Shopify.customerPrivacy.preferencesProcessingAllowed();
window.Shopify.customerPrivacy.saleOfDataAllowed();
Interact with the consent banner (accept, decline, or change preferences), then run these methods again to confirm the values have updated.
Shopify documents a visitorConsentCollected event that should fire when consent changes, but we have not found it to fire reliably. We recommend querying the methods above to check consent state. If you need to listen for consent changes in real time, use our consentChanged event instead.