TL;DR
_shopify_y is the cookie behind Shopify's own visitor counts, a first-party identifier with a one-year lifetime, paired with _shopify_s, a 30-minute session cookie. They power Shopify Analytics, which is exactly why Shopify Analytics never matches GA4: different cookies, different identity, different session rules. As of January 1, 2026, Shopify started phasing both out on storefronts in favor of the Web Pixels API, so any guide telling you to read _shopify_y from the browser is now pointing at a moving target. You cannot use _shopify_y for your own attribution anyway, it is Shopify-internal, and the modern way to capture identity is the pixel client ID, not the cookie.
Key Takeaways
-
_shopify_yis a first-party visitor cookie (one-year lifetime in Shopify's policy);_shopify_sis a 30-minute session cookie. Both feed Shopify Analytics. - As of January 1, 2026, Shopify began retiring
_shopify_yand_shopify_son storefronts, moving visitor and session identity to the Web Pixels API. - These cookies are why Shopify Analytics and GA4 report different visitor and session numbers. Two cookie systems, two identities, two session definitions.
- A Shopify store sets a small set of its own cookies for analytics, marketing, essential function, consent, and cart, alongside any platform cookies your pixels add.
-
_shopify_yis Shopify-internal. You cannot read it for your own attribution, and you should not try. The supported source of a stable visitor ID is the Web Pixels API client ID. - Hydrogen and headless storefronts have an upgrade deadline of April 30, 2026 to keep visitor and session attribution reliable in Shopify Analytics.
What is _shopify_y?
_shopify_y is Shopify's unique-visitor cookie. It is set first-party on the storefront, and its job is to recognize the same browser across visits so Shopify can count one person as one visitor rather than as a new visitor every session. Shopify's cookie policy lists it with a one-year lifetime, which is what makes it a "visitor" cookie rather than a "session" one: it persists long enough to tie return visits to the same identifier.
The value is opaque and Shopify-controlled. It exists for Shopify Analytics, the visitor and returning-visitor numbers in your Shopify dashboard are built on it, not for you to parse. That distinction matters, and it comes back in the last section.
What is _shopify_s?
_shopify_s is the session half of the pair. Where _shopify_y tracks the visitor over a year, _shopify_s tracks a single session, with a 30-minute rolling expiry: each new activity extends it, and 30 minutes of inactivity ends the session. That is how Shopify decides where one visit stops and the next begins.
Together they encode Shopify's model of "who" and "when this visit": _shopify_y is the person, _shopify_s is the current visit. Shopify Analytics counts sessions and visitors off these two cookies, with its own definitions baked in, which is the root of a reconciliation problem most merchants hit.
Are _shopify_y and _shopify_s going away?
Yes, and this is the part most existing guides get wrong. Shopify's developer changelog states that starting January 1, 2026, Shopify will no longer set the _shopify_y and _shopify_s cookies on merchant storefronts. The cookie policy still lists them with their one-year and 30-minute lifetimes, so you will see conflicting information depending on which Shopify page you land on, but the direction is clear: Shopify is moving storefront visitor and session identity off these cookies and onto the Web Pixels API.
For most merchants this is invisible plumbing. For anyone who built attribution or analytics that reads _shopify_y from document.cookie, it is a deadline. Shopify's guidance is to stop reading the cookie and use the Web Pixels API client ID, which is the supported, durable source of a visitor identifier. Hydrogen and headless storefronts have a firmer cutoff: Shopify warns that without the relevant upgrade by April 30, 2026, visitor and session attribution will not be reliable in Shopify Analytics. The same upgrade pressure runs through cross-domain and headless tracking, where identity is hardest to keep stable.
Which cookies does a Shopify store actually set?
It helps to separate Shopify's own cookies from the ones your marketing pixels add. Shopify's storefront cookies, from its cookie policy, are a short and purposeful list:
| Cookie | Lifetime | Purpose |
|---|---|---|
_shopify_y |
1 year (being retired on storefronts, 2026) | Visitor identifier for Shopify Analytics |
_shopify_s |
30 minutes | Session identifier for Shopify Analytics |
_shopify_essential |
1 year | Core store function: session, checkout, anti-tampering |
_tracking_consent |
1 year | Stores the visitor's privacy preferences |
_landing_page |
2 weeks | Records the landing page of an incoming visit |
_orig_referrer |
2 weeks | Records where a visitor came from |
cart |
2 weeks | Cart contents |
localization |
2 weeks | Localizes the cart to the right country |
Your pixels add their own, and these are platform cookies, not Shopify's. The durations below are the platforms' own published defaults and should be read as approximate rather than Shopify-official:
| Cookie | Setter | Purpose | Approx. lifetime |
|---|---|---|---|
_ga, _ga_*
|
Google Analytics 4 | Visitor and session identity for GA4 | 2 years (default) |
_fbp |
Meta Pixel | Browser identifier for Meta attribution | 90 days |
_fbc |
Meta Pixel | Stores the Meta click ID (fbclid) |
90 days |
_ttp |
TikTok Pixel | Visitor identifier for TikTok matching | ~13 months |
_rdt_uuid |
Reddit Pixel | Reddit visitor identifier | ~90 days |
Click identifiers like rdt_cid and the Google Ads gclid, gbraid, and wbraid family are URL parameters a pixel captures, not cookies the store sets. The point of the split: a handful of these cookies are Shopify's and a handful belong to whichever ad platforms you run, and only the first set is governed by Shopify's own policy.
What happens to these cookies under consent?
Cookies do not all fire unconditionally. When a store has privacy rules configured, Shopify's Customer Privacy API carries the visitor's consent state, and _tracking_consent is where that decision is stored. Pixels are expected to read that signal and act on it.
In practice, browser events respect Shopify's Customer Privacy API signals, so marketing cookies and the events that depend on them are gated by the visitor's choice rather than firing for everyone. The essential cookies a store needs to function are treated differently from analytics and marketing cookies, which is the distinction most consent banners present to a shopper. The exact behavior depends on how the store's privacy rules and consent banner are configured, so the cookie list above describes what can be set, not what fires before a visitor has chosen.
Can you use _shopify_y for your own attribution?
No, and this is the most common mistake the _shopify_y query hides. The cookie is Shopify-internal: the value is Shopify's to define and change, it is being retired on storefronts, and it was never an identifier you were meant to read for your own tracking. Building attribution on it means building on a foundation Shopify is actively moving.
The supported approach is the Web Pixels API client ID, the stable visitor identifier Shopify exposes to pixels through its standard events. That is what a modern Shopify tracking setup consumes, and it is the reason Shopify Analytics and GA4 visitor counts never match: each system identifies visitors with its own mechanism. For the broader shift away from third-party cookies and toward first-party and server-side identity, see first-party cookies on Shopify.
This is where a tracking app earns its place. WeltPixel Conversion Tracking captures the platform identifiers that matter, the GA4 client ID, the Meta and TikTok click IDs, the Google Ads gclid family, and the Reddit click ID, and bridges them to server-side events, so a purchase still matches the buyer even when cookie lifetimes shorten or consent settings cut the browser story short. It does not read _shopify_y for your attribution, because that was never the right source.
FAQ
What is the _shopify_y cookie used for?
It is Shopify's first-party visitor cookie, used by Shopify Analytics to recognize a returning browser and count unique visitors. Shopify's policy lists a one-year lifetime, though Shopify began retiring it on storefronts in January 2026.
What is the difference between _shopify_y and _shopify_s?
_shopify_y identifies the visitor over the long term (one year). _shopify_s identifies a single session with a 30-minute rolling expiry. One is "who," the other is "this visit."
Why don't my Shopify Analytics numbers match GA4?
Because they count from different cookies. Shopify uses _shopify_y and _shopify_s with its own visitor and session definitions; GA4 uses _ga and _ga_* with its own. Two independent systems will not produce the same totals.
Can I read _shopify_y to track my customers?
No. It is Shopify-internal, its value can change, and it is being phased out on storefronts. Use the Web Pixels API client ID, which is the supported source of a stable visitor identifier.
Capture identity where it is stable
Shopify's own cookies are changing under you, which makes the browser a shaky place to anchor attribution. WeltPixel Conversion Tracking captures the platform identifiers that survive, the GA4 client ID, Meta and TikTok click IDs, the Google Ads gclid family, and Reddit's click ID, and bridges them to server-side events, so identity holds even as cookie lifetimes and consent rules tighten.
Install WeltPixel Conversion Tracking on the Shopify App Store