checkDPDP

Guide

Apply the DPDP Rules 2025 to a Shopify store — exact app stack and settings

Indian D2C runs on Shopify, and Shopify is opinionated about cookies, checkout PII and analytics in ways that quietly fail DPDP. Here is the exact app stack, checkout config and theme edits that get a Shopify storefront to a defensible posture.

17 Jun 2026 · 8 min read

Shopify ships powerful defaults — Shop Pay, Shopify Inbox, Customer Privacy API, native analytics — but the out-of-the-box behaviour fires Meta pixel, Google Analytics 4 and Shopify's own marketing tracking on first page load. Under DPDP Section 6 every one of those is a consent violation. The fix is a four-layer change: Customer Privacy settings, a DPDP-aware consent banner app, checkout copy, and theme cleanup.

**Layer 1 — Customer Privacy settings.** In your Shopify admin, go to Settings → Customer privacy → Cookie banner. Shopify's built-in banner is GDPR-flavoured; switch the regions to 'Customers everywhere' so it shows in India, and set the consent mode to 'Cookie consent required before tracking'. This activates Shopify's Customer Privacy API, which other apps and themes can read to gate trackers.

**Layer 2 — DPDP-aware consent app.** Shopify's native banner does not give you DPDP-specific categories or copy. Install one of: Pandectes GDPR Cookie Consent (most-installed paid option, supports DPDP), CookieYes, or Consentmo (free tier covers DPDP). Configure: default non-essential to OFF, Accept and Reject at equal visual weight, persistent 'Manage cookies' link in the footer. Most of these apps automatically integrate with Shopify's Customer Privacy API so the trackers honour consent without code changes.

**Layer 3 — Checkout PII and post-purchase.** Shopify Checkout collects email, phone, shipping address and (depending on payment gateway) PAN/GST for B2B. Under Section 5 every one of these needs a purpose at the point of collection. Edit your checkout customisation to add a line under the email field: 'We use your email for order updates and (only if you opt-in) marketing.' Use a separate opt-in tick-box for marketing — pre-ticking it is a Section 6 violation. Then go to Settings → Notifications and audit which transactional emails actually send (welcome, abandoned cart, post-purchase upsells) — abandoned-cart is marketing, not transactional, and needs prior consent.

**Layer 4 — Theme cleanup.** Open your theme code editor and search layout/theme.liquid (the theme.liquid layout file) and any snippets it renders for: gtag, googletagmanager, fbq, hotjar, snap.shopifycdn, klaviyo, omnisend. Each of those is a third-party tracker. Move each behind a conditional that checks Shopify.customerPrivacy.userCanBeTracked() — that boolean reflects the user's consent state and is the canonical Shopify-blessed way to gate trackers. Note that the Customer Privacy API is a browser-side JavaScript API, so the check has to run in a script in the theme, not in a server-side Liquid tag. The CMP apps in Layer 2 also handle most of this automatically, but a manual pass on your theme catches one-off pixels merchants add by hand.
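As an added example (not code from checkDPDP or from Shopify), a small consent gate for theme.liquid that registers each tracker as a loader and runs it only once Shopify.customerPrivacy.userCanBeTracked() is true, otherwise waiting for the banner's visitorConsentCollected event. The privacy object and event subscription are injected as parameters so the gate can be tested outside a browser; the bootstrap assumes the Shopify.loadFeatures call and the 'consent-tracking-api' feature name that Shopify documents.

```javascript
// Added example, not code from checkDPDP or Shopify: a consent gate for theme.liquid.
// Each tracker is registered as a loader function that runs only once
// Shopify.customerPrivacy.userCanBeTracked() is true; until then it waits for the
// banner's `visitorConsentCollected` event. The privacy object and the event
// subscription are injected so the gate can be tested outside a browser.
function createConsentGate(customerPrivacy, subscribe) {
  const pending = []; // tracker loaders still waiting on consent

  const granted = () => customerPrivacy.userCanBeTracked() === true;

  // Run every queued loader if consent is in place; returns how many ran.
  function flush() {
    if (!granted()) return 0;
    const ready = pending.splice(0, pending.length);
    ready.forEach((load) => load());
    return ready.length;
  }

  // Re-evaluate whenever the visitor accepts or changes their choice.
  subscribe('visitorConsentCollected', flush);

  return {
    // Register a tracker loader; returns true if it ran immediately.
    whenConsented(load) {
      pending.push(load);
      return flush() > 0;
    },
    pendingCount: () => pending.length,
  };
}

// Inject a tracker <script> tag only when called, i.e. after consent.
function loadScript(doc, src) {
  const script = doc.createElement('script');
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
}

// Browser bootstrap. Assumption: Shopify.loadFeatures and the
// 'consent-tracking-api' feature exist on the storefront, as Shopify documents.
function installConsentGate(win, doc) {
  return new Promise((resolve, reject) => {
    win.Shopify.loadFeatures([{ name: 'consent-tracking-api', version: '0.1' }], (error) => {
      if (error) return reject(error);
      const subscribe = (name, handler) => doc.addEventListener(name, handler);
      resolve(createConsentGate(win.Shopify.customerPrivacy, subscribe));
    });
  });
}
```

In theme.liquid each former inline pixel becomes `installConsentGate(window, document).then((gate) => gate.whenConsented(() => loadScript(document, '<tracker URL>')))`, so a withdrawn or not-yet-given consent leaves the script tag uninjected.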

**Apps to audit specifically.** Klaviyo (set tracking to honour consent via Klaviyo's own consent profile field, not just a custom flag), Judge.me / Loox review apps (review-request emails need the marketing opt-in), PageFly / GemPages page builders (some embed third-party CDN fonts and analytics by default — disable both in builder settings), Recart / PushOwl (push and SMS messages need explicit opt-in capture, not a checkbox at checkout).

**Grievance Officer.** Add to your storefront footer: the Grievance Officer's name (for an SMB D2C brand the founder can hold this role), an email such as grievance@yourdomain.in, and the 30-day SLA. Put the same in Pages → Privacy policy. Shopify gives you a privacy policy template; replace it with the DPDP itemised version from the consent-notice template.

After this stack, run the checkDPDP scanner on your storefront. Most Indian Shopify stores move from low-50s to mid-80s on the compliance score. The hardest residual finding is usually 'sensitive data without DPA' if you process customer KYC for B2B — for that, get the DPAs from Razorpay / Cashfree / Shopify Payments on file in writing.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
