From "Good Enough" to Fully Compliant: How ShipAid Solved CCPA and Script Management on Shopify
Case study
Elena Tsatcheva
April 16, 2026
TLDR
Who: ShipAid, a branded shipping guarantee and protection platform serving thousands of Shopify merchants and managing $5B+ in shipping spend
Problem: After rebuilding their Shopify site, ShipAid's basic cookie banner lacked granular control over when third-party scripts like RB2B fired, particularly for California visitors protected under CCPA/CPRA
Solution: Consentmo's regional consent management platform, configured with California-specific opt-out behavior, global banner defaults, and full script-level consent gating
Result: Analytics and attribution continued without disruption, visitor-facing experience stayed clean, and vague compliance anxiety was replaced by a structured, transparent, auditable system
Table of contents
About ShipAid
The compliance challenge after rebuilding on Shopify
How RB2B reshaped ShipAid's approach to consent management
Why ShipAid chose Consentmo for Shopify CCPA compliance
The setup: regional consent rules and script-level control on Shopify
Results: what changed after implementing Consentmo
Key takeaways for Shopify merchants managing privacy compliance
Who should consider this approach
Frequently asked questions about CCPA compliance on Shopify
About ShipAid
ShipAid is a shipping guarantee and protection platform built exclusively for Shopify merchants. Rather than routing claims through third-party insurers, ShipAid lets merchants offer their own branded delivery guarantee, fund resolutions from a small customer-paid fee, and handle refunds or reships in just a few clicks.
The platform manages $5B+ in shipping spend across thousands of brands and consistently reports over 80% customer opt-in rates on shipping guarantees.
Their product and their growth depend on one thing above all else: trust. Merchants trust ShipAid to protect their margins. Customers trust ShipAid-powered stores to make things right when packages go missing, arrive damaged, or are delivered late.
So when the team rebuilt their own Shopify site from the ground up, it made sense that the same standard of trust extended to how they handle visitor data, cookie consent, and privacy compliance.
The compliance challenge after rebuilding on Shopify
When ShipAid rebuilt their website on Shopify, the project opened a window to review everything: not just design and performance, but also privacy infrastructure and data practices. What they found was a setup that existed on paper but didn't hold up under scrutiny.
"Before Consentmo, we were relying mostly on Shopify's default privacy setup and a basic banner. It technically existed, but it wasn't very granular and didn't give us much confidence that we were fully compliant, especially around regional requirements." Stefan Alexiev, ShipAid
Consentmo's Elena Tsatcheva and ShipAid's Stefan Alexiev discussing privacy compliance during a podcast session.
The most immediate concern was California. With some of the strictest privacy laws in the United States, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give consumers clear opt-out rights over the sale and sharing of personal data.
For a B2B SaaS company running multiple marketing, analytics, and visitor identification tools on its own website, getting that wrong wasn't an abstract risk; it was a concrete liability.
"California has some of the strictest privacy laws in the U.S., so it felt like the place where things could go wrong if consent wasn't handled correctly. We wanted to make sure we were respecting opt-out rights and being transparent about how visitor data was used." Stefan Alexiev, ShipAid
Shopify includes built-in privacy features: a Customer Privacy API, a basic consent mechanism, and support for data sale opt-out signals. For many small stores running minimal third-party integrations, this is a reasonable starting point.
ShipAid's situation was considerably more complex. Their tech stack included analytics platforms, marketing attribution tools, and visitor identification software. Each of those tools raises its own set of consent questions:
When does the script load: on page load, or after consent is established?
What data does it access: cookies, IP addresses, device fingerprints, behavioral signals?
Does it run before or after the visitor has made a choice about data collection?
"The biggest issue was visibility. We weren't completely sure when scripts were firing or whether we had the right controls in place for users who wanted to opt out of data collection." Stefan Alexiev, ShipAid
Shopify's default tools aren't designed to answer those questions at the individual script level. They don't offer the kind of regional rule configuration that lets you apply different consent behavior for a California visitor versus someone browsing from Germany, Canada, or Australia.
For a company thinking carefully about CCPA compliance on Shopify, that gap mattered.
"Shopify's default tools are helpful, but they're pretty limited when it comes to regional privacy laws and advanced control over scripts. Consentmo offered a more complete compliance solution and better flexibility." Stefan Alexiev, ShipAid
How RB2B reshaped ShipAid's approach to consent management
One specific tool reshaped ShipAid's thinking about consent in a meaningful way: RB2B.
RB2B is a visitor identification platform that matches anonymous website traffic to company and individual profiles. It's a powerful tool for B2B go-to-market teams, and one that comes with real data privacy implications, because it processes personal data to function.
"RB2B is powerful because it helps identify website visitors and connect behavior to companies, but that also means you have to be more thoughtful about privacy. It made us realize we needed a clearer consent framework, especially for regions like California." Stefan Alexiev, ShipAid
What surprised the ShipAid team most wasn't the complexity of the regulations themselves. It was how much the implementation details mattered.
"What surprised us most was how important it is to control when scripts load. It's not just about having a banner; it's about making sure tools like RB2B only run when the proper consent conditions are met." Stefan Alexiev, ShipAid
This is one of the most common compliance misunderstandings among Shopify merchants: a cookie banner is visible consent communication, but it does nothing on its own if the scripts it's supposed to govern load before the visitor has responded.
Script-level consent management closes that gap. Without it, even the most polished banner is cosmetic.
Why ShipAid chose Consentmo for Shopify CCPA compliance
ShipAid reached out to Consentmo for a specific reason: regional control.
Having California-specific behavior (different opt-out defaults, a "Do Not Sell or Share My Personal Information" link, CCPA-compliant data subject request handling) while maintaining a clean, unobtrusive experience for visitors from other regions was a hard requirement, not a nice-to-have.
"It was very important. Privacy expectations and regulations vary a lot by region, so having the ability to configure specific behavior for California while keeping a simpler experience for other visitors was a big advantage." Stefan Alexiev, ShipAid
The risk ShipAid was most concerned about during the evaluation wasn't legal exposure. It was operational: would implementing consent management break their analytics and attribution?
"The biggest concern was breaking our analytics or attribution. We rely on accurate tracking to understand performance, so we wanted to implement compliance without accidentally disrupting data collection or slowing down the site." Stefan Alexiev, ShipAid
The setup: regional consent rules and script-level control on Shopify
Working with Consentmo's support team, ShipAid configured a three-layer consent architecture:
1. A global cookie banner
Unobtrusive, clean, and matching the site's visual experience for visitors outside of regulated regions. The banner communicates consent choices without disrupting browsing.
2. California-specific consent behavior
Opt-out by default for data sharing and sale, with a visible "Do Not Sell or Share My Personal Information" link as required under CCPA/CPRA. This configuration ensures California visitors receive the specific protections the law requires, automatically, based on geolocation.
3. Script-level consent gating
The most critical layer. Tools like RB2B, Google Analytics 4, and other third-party scripts are configured to fire only after the visitor's consent state is established, not on page load by default. This is what turns a banner into a functioning consent system.
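Layers 2 and 3 together, sketched as an added example (not Consentmo's, Shopify's or ShipAid's code): scripts are registered with a consent category and nothing is fetched until the consent state is established from the regional rule plus the visitor's choices. The rule table, category names, function names and URLs are constructed assumptions.

```javascript
// Added example. Every name here (REGION_RULES, createConsentGate, the category
// labels, the *.example URLs) is hypothetical; this is no vendor's real API.
const REGION_RULES = {
  'US-CA': { analytics: true, sale_or_sharing: true },   // opt-out model: on until refused
  'EU':    { analytics: false, sale_or_sharing: false }, // opt-in model: off until granted
  'OTHER': { analytics: true, sale_or_sharing: true },   // constructed global default
};

function createConsentGate(loadScript) {
  let pending = [];   // registered scripts that have not been loaded
  const loaded = [];
  let state = null;   // null means the consent state is not established yet

  function flush() {
    if (state === null) return;                    // nothing fires on page load
    pending = pending.filter((s) => {
      if (state[s.category] !== true) return true; // unknown category stays blocked
      loadScript(s.src);
      loaded.push(s.name);
      return false;
    });
  }

  return {
    register(name, category, src) { pending.push({ name, category, src }); flush(); },
    establish(region, choices = {}, optOutSignal = false) {
      // An unrecognised region falls back to the strictest rule in the table.
      state = { ...(REGION_RULES[region] || REGION_RULES.EU), ...choices };
      if (optOutSignal) state.sale_or_sharing = false; // e.g. a browser opt-out signal
      flush();
    },
    loaded: () => [...loaded],
    blocked: () => pending.map((s) => s.name),
  };
}

// In a browser, loadScript would append a <script src> element; here it records the URL.
function demo(region, choices, optOutSignal) {
  const fetched = [];
  const gate = createConsentGate((src) => fetched.push(src));
  gate.register('ga4', 'analytics', 'https://analytics.example/ga4.js');
  gate.register('visitor-id', 'sale_or_sharing', 'https://vendor.example/id.js');
  const firedBeforeConsent = fetched.length;
  gate.establish(region, choices, optOutSignal);
  return { firedBeforeConsent, loaded: gate.loaded(), blocked: gate.blocked() };
}
```

A script already loaded cannot be unloaded by this gate, so a later opt-out only affects scripts still pending and subsequent page views.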
The support experience was a key part of making the setup work correctly:
"The support team was really helpful. They walked through how scripts should be handled and helped make sure everything was configured properly without disrupting the rest of the site." Stefan Alexiev, ShipAid
Results: what changed after implementing Consentmo
The headline result is the one that matters most to any Shopify merchant evaluating a consent management platform: nothing broke.
"So far everything has continued working smoothly. Tracking and analytics are still functioning, and the consent system hasn't disrupted the user experience." Stefan Alexiev, ShipAid
Beyond operational continuity, the more significant shift was psychological and organizational. Compliance moved from a vague worry to a structured, auditable system the team could point to and trust.
"Much more confident. Before, it felt like we had something in place but weren't sure if it was truly compliant. Now the process feels structured and transparent." Stefan Alexiev, ShipAid
For visitors, especially those browsing from outside California, the change was subtle but meaningful:
"It mostly made things clearer. Visitors see a proper consent interface, and the experience still feels clean and unobtrusive." Stefan Alexiev, ShipAid
And the clearest summary of the value came from Stefan directly:
"Consentmo helped us turn privacy compliance from a vague concern into a clear, structured system that works with our tech stack." Stefan Alexiev, ShipAid
Key takeaways for Shopify merchants managing privacy compliance
ShipAid's experience highlights three lessons that come up repeatedly when Shopify merchants move from basic to proper compliance:
1. A cookie banner is not a consent management system
The visual layer (the popup or bar) and the technical layer (when scripts actually fire) are two separate things. Both need to be addressed. A banner without script-level enforcement is cosmetic: it communicates a choice but doesn't enforce it.
2. Regional consent rules are not optional for US-based merchants
California's CCPA/CPRA requirements apply to any business collecting data from California residents above certain revenue or data-volume thresholds, regardless of where the business is headquartered. The opt-out right is real, enforceable, and increasingly audited. Similar laws are emerging in Colorado, Connecticut, Virginia, Texas, and other states.
3. Compliance and analytics performance can coexist
The most common objection to implementing proper consent management is that it will hurt tracking, break attribution, or slow down the site. Done correctly, with script-level gating configured by a dedicated CMP, it doesn't. ShipAid's implementation proved this in production.
Stefan's advice to other merchants is direct:
"Make sure you understand when and how those scripts run. Compliance isn't just about adding a banner; it's about managing how data collection tools interact with consent." Stefan Alexiev, ShipAid
And on what he wishes he'd known earlier:
"I wish we had realized earlier how much control you actually need over scripts and regional privacy rules. It's much easier to build compliance in from the start." Stefan Alexiev, ShipAid
Who should consider this approach
Stefan's answer is clear:
"Any Shopify merchant using analytics tools, marketing scripts, or visitor identification platforms should look at it, because proper consent management protects both your customers and your business." Stefan Alexiev, ShipAid
That includes Shopify merchants running any combination of:
Google Analytics 4 (GA4)
Google Tag Manager (GTM)
Meta Pixel / Facebook Pixel
TikTok Pixel
Klaviyo
HotJar
Microsoft Clarity
RB2B
Segment, Amplitude, Mixpanel
Any visitor identification, attribution, or behavioral analytics tool
If your store collects behavioral data from site visitors (and virtually every Shopify store does), consent management isn't optional. It's infrastructure.
Frequently asked questions about CCPA compliance on Shopify
What is Consentmo?
Consentmo is a Google-certified CMP for Shopify that automates consent, generates compliance documentation (GDPR, CCPA, LGPD, etc.), and controls which scripts run based on user consent and location.
What is CCPA and who does it apply to?
CCPA (amended by CPRA) gives California residents rights over their personal data, including access, deletion, and opt-out of sale/sharing. It applies to businesses meeting revenue or data thresholds, regardless of location.
Does Shopify's built-in privacy setup fully cover CCPA compliance?
No. Shopify provides basic tools, but lacks script-level control and regional rule configuration. Most stores using third-party scripts need a CMP like Consentmo for full compliance.
What is RB2B, and why does it raise privacy concerns?
RB2B identifies anonymous visitors using behavioral and identity data. Because it processes personal data, it must only load after valid consent under laws like CCPA and GDPR.
Can I implement consent management without breaking analytics?
Yes. With proper script-level gating, tools like GA4, Meta Pixel, and RB2B only fire after consent, preserving tracking while staying compliant.
Cookie banner vs CMP — what's the difference?
A banner is just the UI. A CMP enforces consent behind the scenes—blocking scripts, storing records, applying regional rules, and ensuring real compliance.
How does regional consent management work?
Consentmo applies different rules by location—CCPA opt-out for California, GDPR consent for EU, and tailored setups for other regions, all configurable from one dashboard.
What other US privacy laws should merchants know?
Beyond California, laws are active or emerging in states like Virginia, Colorado, Texas, and more. A regional CMP setup helps you stay compliant as regulations expand.
Build compliance into your Shopify store from day one
ShipAid's core product is about turning shipping problems into moments of customer trust. Their experience with Consentmo is a reminder that the same principle applies to data privacy: getting it right builds confidence, and getting it wrong, even accidentally, erodes it.
If your Shopify store runs third-party scripts, visitor identification tools, marketing pixels, or regional campaigns, scan your store for free with Consentmo to see where your compliance gaps are before they become problems.
About the Author
Elena Tsatcheva
Elena is a seasoned Product Manager who has been an integral part of our company for several years. In her role she oversees the development and promotion of Consentmo, ensuring that it meets customer needs and drives business growth. In her spare time, Elena enjoys traveling to new and exciting destinations, experiencing different cultures, and expanding her horizons.