
LGPD Compliance for Shopify Stores

theme.liquid placement, ScriptTag API for app developers, and Google Consent Mode v2 for Brazilian customers — with copy-paste Liquid code.

How do you add LGPD consent to a Shopify store?

In theme.liquid, place the consent script tag as the first item inside <head>, before {{ content_for_header }}. The content_for_header tag is where Shopify injects analytics — if your consent script comes after it, GA4 and Google Ads fire before consent is checked. That is a direct LGPD violation.

For headless Shopify stores or app developers who need to inject scripts programmatically, use the ScriptTag resource API with display_scope: "online_store". The script runs on every online store page without requiring theme edits.

theme.liquid placement

Edit Online Store → Themes → Edit code → Layout → theme.liquid. The consent script must come before {{ content_for_header }}.

theme.liquid — inside <head>, before content_for_header

<head>

  <!-- CookieFácil LGPD Consent Manager — MUST be before content_for_header -->
  <script data-cfasync="false"
          src="https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_SITE_ID"></script>

  <!-- Shopify injects analytics and app scripts here -->
  {{ content_for_header }}

  <!-- rest of your head content -->
</head>

Replace YOUR_SITE_ID with the Site ID from your CookieFácil dashboard. The data-cfasync="false" attribute prevents Cloudflare Rocket Loader from deferring the script on Shopify stores using Cloudflare.

ScriptTag API for app developers

If you are building a Shopify app and need to inject the consent manager without theme edits, use the ScriptTag resource.

// Create ScriptTag via REST Admin API
POST /admin/api/2024-01/script_tags.json

{
  "script_tag": {
    "event":         "onload",
    "src":           "https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_SITE_ID",
    "display_scope": "online_store"
  }
}

ScriptTag scripts are injected by Shopify into content_for_header, which means they load after the theme's custom head content. For full script-blocking compliance, the theme.liquid method above is preferred — the ScriptTag method covers stores where you do not have theme access.

Google Consent Mode v2 on Shopify

Shopify injects its own Google tag via content_for_header. To apply GCM v2 defaults before it fires, the consent script must come first in theme.liquid.

<head>

  <!-- Step 1: GCM v2 default — fires before Shopify injects GA4 -->
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('consent', 'default', {
      ad_storage:           'denied',
      analytics_storage:    'denied',
      ad_user_data:         'denied',
      ad_personalization:   'denied',
      security_storage:     'granted',
      wait_for_update:      500
    });
  </script>

  <!-- Step 2: CookieFácil fires the update call after banner decision -->
  <script data-cfasync="false"
          src="https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_SITE_ID"></script>

  <!-- Shopify injects its own GA4 tag here — now sees correct consent state -->
  {{ content_for_header }}

</head>
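The ordering rule from both theme.liquid snippets above can be checked automatically before a theme is published. The following is an added example, not code from CookieFácil or Shopify: a small Node.js lint that reads a theme.liquid source string and reports when the consent script or the GCM v2 default appears after {{ content_for_header }}. The function and constant names are hypothetical, the CDN host is the one shown on this page, and the sample layouts are constructed.

```javascript
// Added example: CI lint for theme.liquid ordering. Function and constant names are hypothetical.
const CONSENT_TAG = /<script\b[^>]*\bsrc=["'][^"']*cdn\.cookiefacil\.com\.br\/[^"']*["'][^>]*>/i;
const HEADER_TAG = /\{\{-?\s*content_for_header\s*-?\}\}/;
const GCM_DEFAULT = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]/;

// Blank out HTML and Liquid comments (offsets preserved) so commented-out tags do not count.
function stripComments(src) {
  const blank = (m) => ' '.repeat(m.length);
  return src
    .replace(/<!--[\s\S]*?-->/g, blank)
    .replace(/\{%-?\s*comment\s*-?%\}[\s\S]*?\{%-?\s*endcomment\s*-?%\}/g, blank);
}

function checkConsentOrder(themeLiquid) {
  const src = stripComments(themeLiquid);
  const headOpen = src.search(/<head\b[^>]*>/i);
  const headClose = src.search(/<\/head>/i);
  const header = src.search(HEADER_TAG);
  const consent = src.search(CONSENT_TAG);
  const gcm = src.search(GCM_DEFAULT);
  const problems = [];
  if (headOpen < 0 || headClose < 0) problems.push('no <head> element found');
  if (header < 0) problems.push('content_for_header not found');
  if (consent < 0) problems.push('consent script tag not found');
  else if (consent < headOpen || consent > headClose) problems.push('consent script is outside <head>');
  else if (header >= 0 && consent > header) problems.push('consent script loads after content_for_header');
  if (gcm >= 0 && header >= 0 && gcm > header) problems.push('GCM v2 default is set after content_for_header');
  return { ok: problems.length === 0, problems, gcmDefaultFound: gcm >= 0 };
}

// Constructed sample layouts (not taken from a real store).
const GOOD = `<head>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('consent', 'default', { analytics_storage: 'denied', wait_for_update: 500 });
  </script>
  <script data-cfasync="false" src="https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_SITE_ID"></script>
  {{ content_for_header }}
</head>`;
const BAD = `<head>
  {{ content_for_header }}
  <script src="https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_SITE_ID"></script>
</head>`;

console.log(checkConsentOrder(GOOD));
console.log(checkConsentOrder(BAD));
```

Run it against the theme.liquid file in your theme repository and fail the build when ok is false.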

Shopify Markets + Brazil

CookieFácil works with any Shopify Markets setup — including stores with separate domains or subfolders per market. The consent banner operates at the browser level and is not affected by market routing, country-specific pricing, or currency settings.

If your store uses Markets to serve Brazilian customers from a non-Brazilian domain (e.g., a US-based store with a Brazil market), LGPD still applies to those customers. The script detects browser language and can be configured to show the LGPD-specific banner to Portuguese-language visitors regardless of which market URL they are on.

  • Works with primary domain + country subfolders (/br/)
  • Works with country-specific domains (example.com.br)
  • One theme.liquid tag covers all Markets — no per-market duplication


Frequently asked questions

  • How do you add LGPD consent to a Shopify store?

    In theme.liquid, place the consent script tag as the first item inside the <head> element, before {{ content_for_header }}. This ensures it loads before Shopify injects analytics. For headless stores, use the ScriptTag resource with display_scope set to online_store.

  • Does LGPD apply to Shopify stores based outside Brazil?

    Yes. LGPD applies based on where the customer is located, not where the store is based. Any Shopify store with Brazilian customers must comply with LGPD — regardless of whether the business is in the US, EU, or elsewhere.

  • Will a cookie consent banner affect my Shopify conversion rate?

    A well-configured banner sees 85%+ acceptance rates. The bigger risk is not having one: without Google Consent Mode v2, Shopify stores lose up to 40% of GA4 and Google Ads conversion data when LGPD blocks tracking scripts.

  • Does CookieFácil work with Shopify Markets for Brazil?

    Yes. CookieFácil operates at the browser level — it works with any Shopify Markets configuration, including country-specific pricing, currency, and domain setups. One script tag in theme.liquid covers all Markets.