Skip to content
GDPRJuly 15, 202611 min

Server-Side Tracking for Shopify: The GDPR Guide

How to set up server-side tracking in your Shopify store in a privacy-compliant way — from consent and the cookie banner to data minimization. A practical setup guide.

Setting Up Server-Side Tracking in a Privacy-Compliant Way: The Basics

Server-side tracking solves the data-loss problems of traditional browser tracking — but the setup raises its own data privacy questions. This guide shows step by step how to set up server-side tracking in your Shopify store so that data protection is considered from the very start (privacy by design). While our fundamentals article explains what privacy-compliant tracking means in the first place, this one focuses on the concrete order of the setup.

An important note on roles upfront: You, as the store owner, remain the controller within the meaning of the GDPR (Art. 4(7) GDPR) — you determine the purposes and means of processing and obtain your end customers' consent. A tracking solution like ShopiPixel acts as a processor under Art. 28 GDPR on your instructions. This distribution of roles determines who is responsible for each step.

Step 1: Clarify the Legal Basis

Before a single event flows, the legal basis comes first. Conversion tracking generally requires consent under Art. 6(1)(a) GDPR. This is confirmed by Sec. 25 TDDDG (the German ePrivacy transposition): Setting and reading information on the user's device that is not strictly necessary requires informed consent.

Alongside this, the duty to inform applies: Users must be clearly and comprehensibly informed about what data is collected and for what purpose (Art. 13 GDPR). This duty to inform your end customers rests with you as the controller, not with the processor.

Server-Side Does Not Change the Legal Basis

A common misconception is that server-side tracking means you can track without consent. That is not the case. Since personal data is still processed and transmitted to advertising platforms, the consent requirement remains. Server-side improves the technical implementation and the control over data flows — but it does not replace the legal basis.

Step 2: Set Up Consent and the Cookie Banner

A compliant cookie consent banner is the foundation for privacy-compliant tracking. The key requirements are clear:

  • Consent must be actively given (no pre-checked checkboxes)
  • Declining must be as easy as consenting
  • Consent must be revocable
  • No non-essential cookies may be set before consent
  • Consents must be documented and verifiable

The Shopify Customer Privacy API as a Consent Bridge

In Shopify, consent status runs through the Customer Privacy API. The advantage of the server-side approach: ShopiPixel automatically respects these signals — events are only sent when the customer has consented. You manage your store visitors' consent as usual through your consent tool, and tracking follows that status.

So that you know for certain the consent signals actually arrive in your store, the onboarding guides you through setting up your cookie banner and verifies via a live test whether a consent signal is registered in your store. This way you immediately see whether, without a banner in the EU, no data would be captured.

Step 3: Positioning Browser Tracking and Server-Side Legally

Both methods process personal data — the difference lies in control. With browser pixels, data is often sent to the platform server without oversight. With the server-side approach, all data first flows through your own server, allowing every single data element to be filtered before it reaches the platform.

Why Server-Side Makes the Consent Check More Reliable

Server-side tracking can enforce the user's consent status more reliably than browser tracking. If a user hasn't consented to tracking, no events are sent to advertising platforms. This can be implemented more robustly server-side than in the browser, where ad blockers or script errors can bypass the consent check.

Step 4: Data Minimization and Hashing

The principle of data minimization (Art. 5(1)(c) GDPR) requires that only data actually necessary for the purpose is collected. For conversion tracking, this means: only send the information genuinely needed for conversion attribution.

PII Hashing Before Transmission

Personal data such as email addresses or phone numbers can be hashed with SHA-256 before being shared with advertising platforms. The platforms use the hashed data for matching without ever receiving the plain-text data. This aligns with the principle of data minimization and, in the server-side approach, is a built-in part of the data flow.

Consent Mode for Google

For Google, ShopiPixel supports Google Consent Mode v2 with the signals "Ad User Data" and "Ad Personalization", which are transmitted automatically to Google Analytics 4 and Google Ads. For visitors without marketing consent, you can optionally enable an anonymous signal — with no personal data and no IP address. Google uses it solely to estimate aggregated conversions (Consent Mode Modeling). This feature is disabled by default and only takes effect after explicit activation.

Step 5: EU Hosting and Data Processing

Tracking data should be processed on servers within the EU to avoid third-country transfer issues. ShopiPixel uses German servers for this, so that data processing takes place within the EU.

Sign a Data Processing Agreement (DPA)

When a tracking provider processes personal data on your behalf, a Data Processing Agreement (DPA) under Art. 28 GDPR is required. It should cover:

  • Nature and purpose of data processing
  • Categories of data subjects and personal data
  • Technical and organizational measures (TOMs)
  • Sub-processor regulations
  • Deletion policies and retention periods
  • Support for data subject rights

Step 6: Documentation and Accountability

Finally, there is verifiability. All processing activities should be documented in the records of processing under Art. 30 GDPR. Consents themselves are logged to meet the accountability requirement under Art. 7(1) GDPR and Sec. 25 TDDDG. In addition, an internal audit log fulfills the accountability obligation under Art. 5(2) GDPR. Also define retention periods so that event data is only stored for as long as necessary.

Checklist: Setting Up Server-Side Tracking the Privacy-Compliant Way

  1. Clarify the legal basis (consent under Art. 6(1)(a) GDPR, Sec. 25 TDDDG) and define roles (controller vs. processor).
  2. Set up the cookie banner (active consent, easy decline, revocation) and verify via a live test that the consent signal arrives.
  3. Run tracking consent-first: send no events before consent is given.
  4. Implement data minimization and hash personal data before transmission (SHA-256).
  5. For Google, use Consent Mode v2; enable the anonymous modeling signal only deliberately.
  6. Have tracking data processed on EU servers and avoid third-country transfers.
  7. Sign a Data Processing Agreement (Art. 28 GDPR) and keep it up to date.
  8. Document processing activities (Art. 30 GDPR), log consents, and define retention periods.

Conclusion

Server-side tracking and the GDPR can coexist — with the right order during setup. The key is control: Those who control their data flows can ensure both privacy compliance and tracking quality at the same time. ShopiPixel is designed for privacy-compliant use — with German servers, a DPA included, and PII hashing before every transmission. You manage your store visitors' consent as usual through your consent tool, and ShopiPixel respects the consent signals.

Further Resources

Sources and disclaimer: This article references the General Data Protection Regulation (GDPR), the German Telecommunications-Telemedia Data Protection Act (TDDDG), as well as the documentation of the Shopify Customer Privacy API and Google Consent Mode v2. The information provided here is for general guidance only and does not constitute legal advice. For legally compliant implementation, particularly regarding the requirements of the GDPR and the TDDDG, we recommend consulting a specialized attorney.