Cookie Banners for Online Shops in Switzerland: Setting Up Shopify, WooCommerce & Co. Correctly
Online shops track more than any brochure website: ad conversions, retargeting, payment providers, review widgets. Why almost every Swiss shop also has to comply with the GDPR, which cookies are typical — and how to set up the cookie banner in Shopify, WooCommerce and other shop systems.

A company website with a contact form often gets by with a handful of cookies. An online shop does not: advertising pixels measure conversions, retargeting services follow cart abandoners across the web, payment providers set security cookies, review widgets load scripts from third-party servers. And anyone selling into the EU almost always has to comply with the European General Data Protection Regulation on top of the Swiss data protection act. This article shows why stricter standards apply to online shops, which cookies and services are typical — and how to set up the cookie banner in Shopify, WooCommerce and other shop systems in concrete terms.
Why online shops have more obligations than brochure websites
The difference is not in the law — the same rules apply as for any other website. The difference lies in what a shop technically does. Three points account for the gap:
First: shops track considerably more. An average Swiss online shop sets a good 40 cookies — a business-card website ends up with 8 to 10. The reason is the marketing stack: conversion tracking for Google Ads and Meta, retargeting pixels for cart abandoners, e-mail marketing tools with their own visitor tracking, review widgets, live chat. Each of these services brings its own cookies — and most of them require consent, meaning they may only load after a click on «Accept».
Second: almost every shop is GDPR-relevant. This is where the so-called marketplace principle comes in: the General Data Protection Regulation applies to every company that recognisably targets customers in the EU — regardless of where it is based. Anyone delivering to Germany or Austria, showing prices in euros or running a .de domain will as a rule meet this criterion. For Swiss shops that means: not only the milder Swiss law applies, but additionally the stricter European regulation — with an active consent requirement before marketing scripts even load. Our GDPR guide explains what that means in detail.
Third: the privacy policy needs e-commerce disclosures. A shop passes personal data on to far more recipients than a brochure website: to the payment provider (Stripe, PostFinance, Twint), to shipping partners such as Swiss Post or DHL, often to a credit-check provider for purchases on invoice, plus the newsletter service and shop hosting. All of these data flows belong in the privacy policy — including the country the data flows to. Our step-by-step guide shows how to build a complete privacy policy.
Typical cookies and services in Swiss online shops
The following overview shows what turns up most often in shop scans — and how to classify the services:
| Service | Typical cookies | Purpose | Category |
|---|---|---|---|
| Meta Pixel | _fbp, _fbc | Retargeting, conversion measurement | Marketing |
| Google Ads | _gcl_au, _gcl_aw | Conversion tracking | Marketing |
| TikTok Pixel | _ttp, ttwid | Retargeting, conversion measurement | Marketing |
| Google Analytics | _ga, ga* | Shop statistics | Statistics |
| Klaviyo | __kla_id | E-mail marketing, cart abandoners | Marketing |
| Mailchimp | mailchimp_landing_page | Newsletter attribution | Marketing |
| Stripe | __stripe_mid, __stripe_sid | Fraud prevention during payment | Necessary |
| PostFinance / Twint | Session cookies | Payment processing | Necessary |
| Trusted Shops | Widget cookies | Reviews, buyer-protection badge | Functional |
| Shop system itself | Cart and session cookies | Cart, login, checkout | Necessary |
The most important distinction sits in the right-hand column. Payment cookies are technically necessary: without the security and session cookies of Stripe, PostFinance or Twint, no payment can be completed — which is why they may be set without consent. The same goes for the shop system's cart and login cookies. Advertising pixels are the opposite: Meta Pixel, Google Ads and TikTok Pixel serve marketing exclusively and may only load once the visitor has actively agreed. A banner that fires these scripts before consent is not a formality issue — it is the single most common compliance mistake in online shops.
Review widgets such as Trusted Shops sit in between: the badge itself is functional, but depending on the configuration, data flows to the provider — here it is worth checking the scan report to see which cookies the widget actually sets.
A special case are e-mail marketing tools such as Klaviyo or Mailchimp, because they need two separate consents that are frequently mixed up in practice: the newsletter sign-up with confirmation e-mail only covers the sending of e-mails. The same tools' visitor tracking on the shop website — such as recognising cart abandoners for automated reminder e-mails — is not covered by it and requires consent via the cookie banner. Anyone loading Klaviyo's tracking script without asking because «the customers subscribed to the newsletter anyway» is confusing the two levels.
Setup by platform
Shopify
For Shopify, Aiara offers an integration without an app installation: a Liquid snippet that you store as a separate snippet in the theme code editor, fill in with your domain ID and include before the closing </head> in theme.liquid. The banner then appears automatically on every page of the shop — from the product catalogue to the order confirmation. You will find the instructions and download on the Shopify page.
There are two Shopify specifics worth knowing. First, Shopify ships its own interface for consent signals, the Customer Privacy API, which Shopify's own features and some of the apps from the App Store listen to — it is worth checking which of your installed apps respect these signals and which load their scripts regardless. Second, the App Store itself is the biggest source of tracking: every review, upsell or e-mail app can bring its own cookies and pixels. That is why a fresh cookie scan belongs on the checklist after every app installation.
WooCommerce (WordPress)
For WooCommerce shops, setup runs through the Aiara plugin from the official WordPress directory: install the plugin, enter your domain ID, done. The plugin automatically blocks consent-based scripts until consent is given — WooCommerce's technically necessary cart and session cookies keep running undisturbed, so the checkout works even when the banner is declined. Details and download are on the WordPress page.
The typical WooCommerce trap is the plugin zoo: an average WooCommerce shop has 20 to 30 plugins installed, and many of them — page builders, form plugins, social media feeds, analytics extensions — set their own cookies that the shop owner knows nothing about. An automatic scan after every major plugin update reveals what has crept in.
Other shop systems
For all other systems — Magento, PrestaShop, Shopware or a custom agency build — the universal snippet does the job: a single script line before the closing </head> in the template, and the banner runs. Since the snippet is plain JavaScript without dependencies, the underlying system does not matter. The only thing that matters is that the line is delivered on every page — including the checkout, where many templates use a separate, stripped-down layout.
Without Google Consent Mode V2 you lose conversion data
For shops running ads, one point is business-critical: since March 2024, Google requires consent signals following the Google Consent Mode V2 standard for users from the European Economic Area. If these signals are missing, Google no longer processes conversion data — your Google Ads campaigns then run blind: conversion tracking collapses, automated bidding loses its data basis, and remarketing lists stop filling up.
A correctly configured banner solves this: it transmits the appropriate signals to Google with every consent decision. If the visitor agrees, tracking runs normally; if she declines, Google statistically compensates part of the missing data through modelled conversions — so you keep a reliable data basis even with declines. How Google Consent Mode V2 works in detail and what to watch out for during setup is covered in our article on Google Consent Mode V2.
Checklist: cookie banner for the shop launch
Before going live — or as an audit for a running shop — these points should be ticked off:
- Complete cookie scan across all page types: home page, product pages, cart and checkout — the payment cookies show up in the checkout in particular
- Categorisation checked: payment and cart cookies as necessary, all advertising pixels as marketing
- Blocking before consent: marketing scripts demonstrably load only after the click on «Accept» — verify in an incognito window with the browser developer tools
- Google Consent Mode V2 active if Google Ads or Google Analytics are in use
- Privacy policy with e-commerce disclosures: payment provider, shipping partners, any credit checks, newsletter service
- Banner in all shop languages — if you sell in French, you need the banner in French
- Declining is as easy as accepting — no hidden links, no pre-ticked boxes
- Process for changes: after every new app, every new plugin and every new advertising channel, scan again
What happens if the banner is missing?
The Swiss data protection act provides for fines of up to CHF 250,000 for intentional violations — directed not at the company but at the person responsible, typically the managing director. Under the General Data Protection Regulation, the range goes up to 20 million euros or 4 percent of worldwide annual turnover, and the EU supervisory authorities can also act against Swiss shops that serve EU customers.
For most shops, however, a different scenario is more realistic than the maximum fine: cease-and-desist letters from Germany. Anyone delivering there can be served costly warning letters by competitors or consumer protection associations if tracking runs without consent — an established business model that regularly hits Swiss merchants. Add to that the reputational damage: customers who entrust a shop with their payment details react more sensitively to data protection headlines than anywhere else.
The good news: the effort for a clean setup is manageable. Include the snippet or plugin, run the scan, check the categories, activate Google Consent Mode V2 — and a Swiss online shop is typically compliant within an afternoon.
Frequently Asked Questions
Does my Shopify shop in Switzerland need a cookie banner?
Yes, practically always. As soon as consent-based services are running — advertising pixels, statistics tools, e-mail marketing — a banner is required. For online shops that is the norm: even the standard combination of Google Ads, Meta Pixel and a newsletter tool is not permitted without consent once EU customers are involved. The Swiss data protection act additionally requires transparency about all services in use.
Do payment cookies from Stripe, PostFinance or Twint require consent?
No. Cookies that are required for secure payment processing and fraud prevention count as technically necessary and may be set without consent — the purchase could not be completed otherwise. They still belong in the banner's cookie list and in the privacy policy, including the name of the payment provider.
Does the GDPR apply to my Swiss online shop?
Almost always. As soon as you recognisably target customers in the EU — for instance by delivering to Germany or Austria, showing prices in euros or running a .de domain — the marketplace principle of the General Data Protection Regulation applies, even without an establishment in the EU. That means: active consent before marketing scripts load, and no pre-ticked boxes.
How do I set up a cookie banner in WooCommerce?
The easiest way is a plugin from the official WordPress directory: install the plugin, enter your domain ID, done. The Aiara plugin blocks marketing scripts automatically until consent is given — WooCommerce's own cart and session cookies keep running as technically necessary cookies.
Does my Google Ads conversion tracking still work with a cookie banner?
Yes — with Google Consent Mode V2. The banner reports the consent status to Google; since March 2024, Google no longer processes conversion data from users in the European Economic Area without these signals. If someone declines, Google compensates part of the missing data through modelled conversions.
Ready for clean cookie consent?
Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.
Discover AiaraMore articles

July 5, 2026 · 8 min read
Consent Logs: How Long Do I Need to Keep Cookie Consent Records?

July 3, 2026 · 8 min read
Data Processing Agreements (DPA) in Switzerland: When You Need One — With a Checklist

June 23, 2026 · 9 min read