Because the consent states in the sandbox are not automatically updated with the consent-choice from the website.
I am using DataLayer Checker Plus extension for Chrome and I clearly see that the status of ad_storage and analytics_storage are always “denied”.
So basically the tracking stops working when a user triggers the begin_checkout. I can also see this in GA4 realtime tracking because there is not a single begin_checkout, add_payment_info, add_shipping_info or purchase event.
Is there any solution for that (that is in accordance with GDPR as well)? Because I did try some things using the help of AI but none really worked.
Regarding Stape: latest app version, setup in webGTM and sGTM via Setup Assistant. So basically everything done by the book.
To resolve this issue, I would advise you to initialise the CookieBot via native tag in GTM rather than via theme.liquid, as suggested in the article you’ve linked to.
If you are using our app, which loads GTM script in the sandbox(checkout), the consent status will be available at checkout.
So no cookie-consent.liquid and no cookiebot script in theme.liquid (basically ignoring their whole description), but instead using the Cookiebot CMP tag template in GTM.
I guess we’ll have to live with the disadvantages (die consent bannner loads much later than when it’s directly implemented via theme.liquid) then.
The reason checkout shows denied usually isn’t just where the Cookiebot script loads. It’s about whether your CMP consent is being synced into Shopify’s Customer Privacy API.
Here’s the pattern I’ve seen: the CMP sets consent state on the storefront, but the checkout sandbox doesn’t automatically read your CMP cookie or GTM dataLayer state. Shopify-managed checkout/pixels rely on Shopify’s own customer privacy state. So if nothing bridges your CMP decision into Shopify’s Customer Privacy API, checkout can still behave as if analytics/marketing consent is denied, even after the user clicked Accept.
The Cookiebot Shopify app should handle this sync. A manual theme.liquid install from the generic Cookiebot docs may not. That’s probably where the setup breaks.
Loading Cookiebot via GTM, as Dmytro suggested, can work if the Stape app is loading GTM inside the checkout sandbox and the CMP logic runs there too. But I get your concern: it can delay the banner. On slower connections/mobile, that delay between page load and banner render is not ideal.
There is a third option worth testing: Stape released a Shopify Customer Privacy API tag for GTM web. You could keep Cookiebot in theme.liquid for fast banner load, then use that tag to sync the accepted/rejected state into Shopify’s Customer Privacy API when Cookiebot fires its consent callbacks.
That gives you the best of both setups: fast banner load on the storefront, and correct Shopify consent state for checkout.
The thing I would verify first: accept consent on the storefront, go to checkout, open DevTools, and inspect Shopify’s consent state / _tracking_consent behavior. If analytics and marketing still appear denied after acceptance, the CMP → Shopify sync is not working.
Thanks a lot for your answer and your hints, very much appreciated.
I tried setting up the Shopify Customer Privacy API tag for GTM web to properly sync Cookiebot consent with Shopify’s Customer Privacy API, and moved Cookiebot back to theme.liquid. Because that sounded quite promising. The setup of the tag looks as following:
When I test window.Shopify.customerPrivacy.currentVisitorConsent() in the browser console on the checkout page, I get:
Uncaught TypeError: Cannot read properties of undefined
(reading 'currentVisitorConsent') at <anonymous>:1:32
So window.Shopify.customerPrivacy is completely undefined in the checkout context.
On top of that, document.cookie throws a SecurityError in the Custom Pixel sandbox:
Uncaught SecurityError: Failed to read the 'cookie' property
from 'Document': The document is sandboxed and lacks the
'allow-same-origin' flag.
So both approaches to read the consent state inside the Custom Pixel are blocked. The only setup that actually worked (purchase events with gcs=G111 reaching the sGTM) was Cookiebot via GTM with the cookie-consent.liquid snippet disabled.
