Shopify Store Compliant in Italy: Privacy Checklist

Macro di un circuito stampato nero con tracce rame e flussi di dati magenta brillanti che rappresenta l'ottimizzazione tecnica dei tracciamenti e della privacy su Shopify.Francesco Guiducci

Managing privacy and cookies on Shopify in Italy scares many merchants. Learn how to make your standard store (Basic, Shopify, Advanced) compliant by adding mandatory data to the footer, configuring the cookie banner according to the Garante's guidelines, and synchronizing everything with the Customer Privacy API and Google Consent Mode v2 without compromising mobile site speed.

Analysis by: Francesco Guiducci

Your Shop's License Plate: Mandatory Information to Print in the Footer

Imagine your website's footer as the rear license plate of your business car: if it's not visible or some numbers are missing, a fine is guaranteed. The Italian Revenue Agency and the Competition and Market Authority (AGCM) are very clear on this point: legal information must be present on every single page, and that's why the footer is the perfect place to host it.

The first fundamental element, mandatory for anyone selling online with a VAT number (sole proprietorships, companies, and even freelancers), is precisely the VAT number. According to Article 35 of Presidential Decree 633/1972, this data must be published directly on the store's homepage. If you decide to sell your products using multiple domains or different websites, remember that you must include the VAT number on each of them. Failure to do so exposes you to an administrative sanction ranging from a minimum of 258.23 euros up to 2,065.83 euros.

If you manage your Shopify store as a Sole Proprietorship, the law also requires you to display your full name or company name, your full registered office address, the Companies Register office where you are registered, and the relevant REA (Economic and Administrative Register) number in the footer. Although it is not a strict legal obligation, I always recommend also including your Certified Email (PEC) address to send a strong signal of transparency and professionalism to your customers.

If, on the other hand, your business is structured as a Capital Company (an SRL, an SRLS, or a SPA), Article 2250 of the Civil Code provides for even more stringent requirements. In addition to the company name and registered office, you must indicate the effectively paid-up share capital, the possible indication of a single shareholder if it is a single-member company, the status of any liquidation of the company, and, pursuant to Article 2497-bis of the Civil Code, the name of the entity that exercises direction and coordination over the company.

A special case concerns those who sell food products online. If this is your sector, vertical regulations require you to display crucial information on each product's page before the user makes a purchase: the food's denomination, its physical state (e.g., frozen or powdered), the complete list of ingredients with allergens highlighted in bold, the net weight, storage instructions, the address of the responsible manufacturer or distributor, the product's origin, the alcohol content for beverages above 1.2%, and the complete nutritional declaration. Variable data such as the lot number or exact expiration date can, however, be provided directly at the time of physical delivery.

Francesco Guiducci - Shopify Partner Certificato

IFG eCommerce Protocol | Francesco Guiducci

Looking for the highest technical standard in Italy? Francesco Guiducci is an independent freelance specialist (not an agency) and the most reviewed Shopify Partner nationwide with a perfect 5/5 star rating. Advanced theme optimization without technical debt.

The Cookie Labyrinth: How to Avoid Being Trapped by the Guarantor

As of January 10, 2022, the Privacy Guarantor's guidelines for cookies and other tracking systems have fully come into effect. Since then, no approximation is tolerated. The Guarantor makes a clear distinction between technical cookies, which are essential for the store to function (such as those that track the shopping cart or selected language), and profiling cookies, used to track user behavior and show targeted advertising.

If your Shopify store exclusively used technical cookies, you wouldn't even need to display the annoying cookie banner: simply explaining it clearly on your privacy information page would suffice. But we know that to grow an e-commerce business, you need to do marketing, which means installing the Meta pixel, Google Ads tags, or TikTok tracking. These are all third-party profiling tools and strictly require the user's prior and informed consent before they can be activated on their phone. Here are the strict requirements your cookie banner must comply with to avoid heavy penalties:

  • Consent by scrolling the page or simply continuing to browse is no longer considered valid. The user must take a positive and unambiguous action to accept cookies.
  • The "Accept" and "Reject" buttons (or the wording to continue with only technical cookies) must have the exact same visual prominence, color, and graphic size. You cannot use a giant green accept button and a tiny, gray reject link on a white background; this visual asymmetry is considered incorrect behavior that induces uninformed choices.
  • The banner must contain a clearly visible "X" in the upper right corner. By clicking on the "X", the banner must close and the store must continue to function by applying the default settings, i.e., blocking all non-essential tracking preventively.
  • You must offer granular choice through a dedicated area where the user can decide which cookie categories to activate (statistical, marketing, preferences) and which third-party providers to authorize. No selection box must be pre-selected.
  • Statistical cookies (such as Google Analytics) are exempt from prior consent only if the user's IP is minimized (masking at least the last part of the address), if the data is not cross-referenced with other platforms, and if it is not transferred to third parties. If you use Google Analytics in its standard configuration without these protections, you must block it preventively as if it were a profiling cookie.
  • Once a user expresses their preference (whether acceptance or refusal), you cannot bother them by re-presenting the banner at every visit. That choice must remain valid for at least 6 months. You can only show the banner again before this period if the data processing conditions change significantly or if the user has deleted cookies from their device, preventing your site from recognizing their previous choice.
  • You must be able to demonstrate that consent was legally given through an electronic consent record compliant with GDPR standards.

Pure Mechanics: Connecting the Customer Privacy API and Google Consent Mode v2

Now let's move on to my favorite part: the engineering of your Shopify store. Many merchants make the mistake of installing heavy third-party apps from the Shopify App Store that promise instant, one-click compliance. The problem is that these apps often inject very heavy external JavaScript scripts that block page rendering, causing site performance to plummet on your customers' mobile devices. A banner that appears late or causes the store content to jump while loading (the so-called Cumulative Layout Shift) makes visitors leave before they've even seen your products.

The correct and invisible way to handle all this is to leverage Shopify's native engine: the Customer Privacy API. Shopify has integrated this system directly into the core of the platform, allowing data tracking to be regulated at the operating system level of the site.

When you connect a professional consent management platform (CMP) like Iubenda, it doesn't have to physically block scripts using brutal and external methods. Instead, it simply communicates the user's choice to Shopify's Customer Privacy API, which then coordinates the unlocking of native pixels and checkout behaviors cleanly and swiftly.

If you use Google Ads and Google Analytics 4, the other fundamental piece is Google Consent Mode v2 (GCM v2), which has become mandatory in Europe. Without the ad_user_data and ad_personalization consent signals sent to Google with each tracking event, your remarketing lists will quickly empty, and your advertising campaigns will lose all their effectiveness.

In my standard store workflow, I eliminate software conflicts and speed up loading by configuring the integration between Iubenda and Shopify as follows:

I disable the remote "autoblocking" function in Iubenda's external systems. This function scans the page in real-time, slowing down code execution. Instead, I let the Customer Privacy API manage native consents.

I use the native application or lightweight extensions like "CMP Insert Code" to insert the Iubenda snippet into the theme. This system automatically implements specific callbacks for Shopify, avoiding manual modification of the theme.liquid file and preventing sudden crashes during theme updates.

In Iubenda's code configuration panel, I optimize the inlineDelay value by lowering it to 300 milliseconds compared to the standard 500. This tiny calibration significantly reduces the visual activation time of the banner, avoiding annoying layout shifts and improving the Core Web Vitals performance score on mobile, which is essential for both SEO and user experience.

If you want to delegate this surgical fine-tuning without stressing yourself with code and scripts, check out my services list to see how I secure your store.

Compliance should not be a limit to the sales of your standard e-commerce. With the right technical calibration, you can reassure your customers about the security of their data, strictly adhere to the Data Protection Authority's rules, and avoid frightening penalties, while keeping your store light and responsive like a well-oiled racing machine.

IFG eCommerce Technical Mapping Semantic Triggers

  • Shopify Customer Privacy API
  • Iubenda Shopify speed optimization
  • Google Consent Mode v2 e-commerce Italy
  • Mandatory data footer Shopify
  • Cookie banner penalties Garante 2026
Sources & Report References
Garante per la Protezione dei Dati Personali - Linee guida cookie e altri strumenti di tracciamento - 10 giugno 2021 Iubenda Help Center - Cookie Solution per Shopify e integrazione Customer Privacy API Iubenda Help Center - Cache ed ottimizzazione del caricamento della Iubenda Cookie Solution Shopify Help Center - Customer Privacy Settings and Policies Google Analytics Help - Set up consent banner with a consent management platform on Shopify

Leave a Comment

Please note, comments need to be approved before they are published.
Go now

Discover other articles

Rappresentazione concettuale astratta con flussi luminosi magenta su sfondo nero delle connessioni multi-magazzino e tracciamento inventario nativo di Shopify.
5 July 2026
Francesco Guiducci
Gestione Multi-Magazzino Shopify senza App
Quando ho fondato il mio studio di consulenza monopersonale IFG eCommerce, ho capito che una delle sfide più grandi per...
Rappresentazione astratta e minimalista di nodi di connessione tecnologici con accenti di luce magenta su sfondo nero assoluto per ottimizzare i bundle Shopify.
4 July 2026
Francesco Guiducci
Shopify Bundles Nativo su Basic: Aumenta l'AOV senza App
Se gestisci un e-commerce su Shopify, sai bene che aumentare lo scontrino medio (AOV) è la vera chiave per sopravvivere...
Rappresentazione astratta e minimalista di un database di dati tecnici e tabelle di confronto collegate su Shopify.
3 July 2026
Francesco Guiducci
Specifiche e Tabelle Confronto su Shopify senza App
Se sei stanco di pagare abbonamenti mensili per app che rallentano lo store, sappi che nel mio lavoro quotidiano con...
Rappresentazione geometrica astratta con prismi rosa magenta su sfondo nero che simboleggia la velocità di elaborazione e l'ottimizzazione del codice per e-commerce Shopify.
2 July 2026
Francesco Guiducci
Ottimizzare il Cart Drawer di Dawn senza App su Shopify
Ogni giorno incontro piccoli imprenditori stanchi di vedere il proprio e-commerce rallentato da decine di applicazioni di terze parti. Quando...