DocsStorefrontCatalystFeatures

Cookie Consent

Catalyst includes a built-in cookie consent manager powered by c15t. When enabled, it presents shoppers with a consent banner and a preference dialog, controls which Script Manager scripts load based on shopper selections, and stores preferences locally in the shopper’s browser. Cookie consent is available in Catalyst v1.3.0 and later.

This documentation describes how Catalyst’s cookie consent tools work. It is not legal advice. Merchants are solely responsible for ensuring their storefront complies with all applicable privacy laws — including GDPR, CCPA, and any other regulations in the jurisdictions where they operate. We recommend consulting qualified legal counsel to confirm your implementation meets your specific compliance requirements.

Cookie consent is available in Catalyst v1.3.0+. To upgrade, follow the instructions in the versioning guide.

Cookie consent is controlled by a storefront-level setting in the BigCommerce control panel.

  1. Open Security Settings in the control panel.
  2. Scroll to Your customers’ privacy.
  3. Enable Cookie consent tracking.

When enabled, Catalyst displays the consent banner to shoppers who have not yet made a selection. When disabled, no banner is shown and all scripts load unconditionally.

If your store has a privacy policy page, you can surface a link to it from within the consent banner.

  1. Open Security Settings.
  2. Scroll to Your customers’ privacy.
  3. Enter your Privacy Policy URL.

BigCommerce organizes scripts into consent categories in Script Manager and the Scripts API. Catalyst maps these to the categories c15t uses to gate script loading.

BigCommerce categoryc15t categoryBehavior
EssentialnecessaryAlways loaded; cannot be declined
FunctionalfunctionalityLoaded only after shopper consents
AnalyticsmeasurementLoaded only after shopper consents
MarketingmarketingLoaded only after shopper consents

Scripts categorized as Essential load on every page regardless of the shopper’s consent selection. All other scripts are blocked until the shopper explicitly accepts the corresponding category.

BigCommerce’s consent categories are mapped automatically, so existing Script Manager configurations continue to work without modification.

c15t supports three modes for storing and managing consent decisions. Catalyst ships with offline mode by default.

FeatureOffline (default)HostedCustom
Geolocation and jurisdiction detectionManualAutomaticYour implementation
Consent audit trailNoYesYour implementation
Server-side consent awarenessNoYesYour implementation
Cross-device syncNoYesYour implementation
Setup effortNoneMinimalModerate

Offline mode

In offline mode, consent preferences are stored exclusively in the c15t-consent first-party cookie in the shopper’s browser. No consent data is transmitted to external servers.

Because offline mode does not transmit consent decisions to any external service, it does not create a data processing relationship with a third-party consent platform. Your storefront remains subject to GDPR, CCPA, and any other applicable privacy regulations regardless of which consent mode you use.

Offline mode has several limitations with direct implications for GDPR and CCPA compliance on production storefronts:

  • No audit trail. Consent decisions are never recorded server-side. Without a server-side record, you may be unable to produce evidence of prior consent choices if audited or challenged under applicable privacy regulations.
  • No geolocation or jurisdiction detection. Different regulations apply to different regions — for example, EU residents and California residents have different consent rights. Offline mode cannot automatically detect jurisdiction or apply different consent rules per region; this must be handled manually.
  • No cross-device or cross-session persistence. If a shopper clears their browser cookies or switches devices, their consent preferences are lost and the banner displays again, making it difficult to demonstrate consistent enforcement of previously recorded preferences.

Offline mode is best suited for development, demos, or storefronts where compliance audit trails are not required. For production storefronts subject to GDPR or CCPA, consider hosted or custom mode.

Hosted mode

Hosted mode connects to c15t’s backend infrastructure (or a self-hosted c15t server) to store consent records centrally. It is c15t’s recommended mode for production environments.

To switch to hosted mode, replace mode: 'offline' with a backendURL in core/components/consent-manager/consent-providers.tsx:

core/components/consent-manager/consent-providers.tsx
1<C15TConsentManagerProvider
2  options={{
3    backendURL: 'https://your-c15t-instance.example.com',
4    storageConfig: {
5      storageKey: 'c15t-consent',
6      crossSubdomain: true,
7    },
8    consentCategories: ['necessary', 'functionality', 'marketing', 'measurement'],
9    enabled: isCookieConsentEnabled,
10  }}
11>

Hosted mode provides automatic geolocation and jurisdiction detection, centralized audit trails, server-side consent awareness, and cross-device sync. If the backend is temporarily unavailable, it falls back to local storage. See the c15t documentation for backend setup instructions.

When using hosted mode, consent data transmitted to the backend may be subject to GDPR, CCPA, or other applicable privacy regulations depending on your implementation and jurisdiction.

Custom mode

Custom mode lets you connect c15t’s frontend components to your own existing consent infrastructure — a CRM, database, or third-party compliance service. This is useful if your organization already has a CPM and wants to use Catalyst’s consent UI without adopting c15t’s backend.

To enable custom mode, set mode: 'custom' and provide an endpointHandlers object with two required functions in core/components/consent-manager/consent-providers.tsx:

core/components/consent-manager/consent-providers.tsx
1<C15TConsentManagerProvider
2  options={{
3    mode: 'custom',
4    endpointHandlers: {
5      async init() {
6        // Called on page load. Return geolocation, jurisdiction,
7        // and any localized translation strings your CPM provides.
8        const res = await fetch('/my-api/consent/init');
9        const data = await res.json();
10        return { data, response: res, error: null };
11      },
12      async setConsent(options) {
13        // Called when a shopper grants or updates consent.
14        // options.body contains the consent payload to persist.
15        const res = await fetch('/my-api/consent', {
16          method: 'POST',
17          headers: { 'Content-Type': 'application/json' },
18          body: JSON.stringify(options?.body),
19        });
20        return { data: await res.json(), response: res, error: null };
21      },
22    },
23    storageConfig: {
24      storageKey: 'c15t-consent',
25      crossSubdomain: true,
26    },
27    consentCategories: ['necessary', 'functionality', 'marketing', 'measurement'],
28    enabled: isCookieConsentEnabled,
29  }}
30>

The init handler runs on page load and should return the shopper’s existing consent state along with any jurisdiction or geolocation data your CPM tracks. The setConsent handler runs whenever a shopper makes or updates a consent decision, and is responsible for persisting that choice to your backend.

Custom mode does not include automatic offline fallback or retry logic. Your endpointHandlers implementation is responsible for handling network errors and degraded states.

For full type definitions and additional handler options, see the c15t client modes documentation.

Resources