Across the ~110 sites we audit in the public TagEasy benchmarks corpus, fewer than 1 in 5 ship a working Consent Mode v2 setup. Shopify in particular is hard because the consent flow has three moving parts that don't talk to each other by default.
The three pieces that have to align
- A cookie / consent banner that gathers user choice (typically a Shopify app — OneTrust, Cookiebot, iubenda, Termly, Klaro, etc.)
- A Google Tag Manager container that respects those choices via `gtag('consent', ...)` calls
- A Shopify Customer Events / Web Pixel layer that does NOT bypass the consent state
When one of these is misconfigured, ad pixels fire before the user consents — voiding GDPR + invalidating Google Ads attribution because Google Ads now requires Consent Mode v2 signals for EU traffic.
The default flow that breaks
By default, Shopify's Customer Events pipeline fires the Meta + Google Ads pixels immediately on page load — before any banner has a chance to surface, let alone collect consent. The pixel arrives at the ad platform tagged as consented when it shouldn't be.
In our audits, this is the single most common failure pattern: a Shopify store has a Cookiebot banner, the merchant assumes it's "handling" consent, but the Customer Events pixel runs regardless.
The 4-step fix that does work
- In your consent app (Cookiebot example): turn on the "Google Consent Mode v2" integration. This makes the banner emit `gtag('consent', 'default', { ad_storage: 'denied', ... })` BEFORE GTM loads.
- In your GTM container: confirm every Meta + Google Ads + TikTok tag has its trigger set to "Wait for consent" (or equivalent — check the tag template).
- In Shopify Admin → Customer Events: turn OFF the auto-firing pixel. Re-add it as a custom Web Pixel that listens for the consent state and only fires when granted.
- Re-test with the TagEasy free auditor — the consent-v2 check + the meta-pixel check should both be green.
You can test this without changing anything by running the free TagEasy audit. The consent-v2 check tells you whether the gtag consent default call is present in the initial HTML; the audit detail will surface which CMP we detected (or none).
What if you don't have a CMP at all?
Consent Mode v2 is required for EU traffic since March 2024. If you ship to the EU + UK at all, you need a CMP. The free options worth looking at: Cookiebot (transparent pricing, full Consent Mode v2 support), Klaro (open source), and iubenda (lots of integrations).
Why most sites still fail this
Because the failure mode is silent. The ad pixels still send data; Google Ads still reports conversions; the merchant doesn't see a broken dashboard. The harm is regulatory + privacy — but the merchant's feedback loop is broken, so it never gets fixed.
That's the design intent behind TagEasy's audit + benchmark publishing — turn the silent failure into a visible one. A 47/100 score on /sites/yourdomain is louder than no signal at all.