Shopify Checkout and Attribution: How the Thank-You Page Determines Your Entire Ad Strategy
The purchase event is the most important data point in e-commerce. It determines how Google and Meta optimise all your campaigns. Most shops have the worst data there.
Key Takeaways
- The purchase event determines how Google Ads Smart Bidding steers, how Meta builds Lookalike Audiences, and what ROAS your reports show
- Shopify's checkout runs on a separate domain — cookies, consent, and GTM work differently there
- Enhanced Conversions with 7 hashed user data fields are the biggest quick win for better attribution
- An optimised thank-you page setup delivers 15-30% more attributed conversions than a standard setup
Every time someone buys in your shop, your tracking sends a purchase event. This single data point determines: how Google Ads steers your Smart Bidding, how Meta builds your Lookalike Audiences, what ROAS your reports show, and whether your campaigns get more or less budget tomorrow.
The problem: most shops invest 90% of their tracking effort on the product page and 10% on the thank-you page. It should be the other way around. Because the product page delivers engagement signals — important, but replaceable. The thank-you page delivers the conversion signal — and that is the anchor for all campaign optimisation.
Why the thank-you page is special — and especially difficult
The Shopify checkout problem
Shopify hosts the checkout on a separate domain (checkout.shopify.com). That means: your theme code (Liquid snippets) does not work there. Your GTM container is not automatically loaded. Cookies from your main domain are not readily accessible (domain change). The consent status must be read again.
The consequences: many shops have a completely different tracking setup on the thank-you page than on the rest of the site. Or none at all — they rely on Shopify's native events. And those are incomplete: no Enhanced Conversions, no engagement score, no click-ID persistence, no custom visitor identity.
The two paths
Order Status Page Script: Via Shopify Admin → Settings → Checkout → Order Status Page. Here you can include a script that loads on the thank-you page after purchase. Access to the full order object in Liquid. Suitable for basic to advanced tracking.
Shopify Web Pixel (Custom Pixel): JavaScript that runs in a sandbox in the checkout. Access to analytics.subscribe events. Independent of theme code. Suitable for event-based tracking.
| Method | Access to | Consent | GTM |
|---|---|---|---|
| Order Status Script | Order object, Liquid | Own consent check | Own GTM instance |
| Web Pixel | analytics.subscribe events | Shopify Consent API | Own GTM instance |
| Native Shopify | Standard events | Automatic | Not controllable |
What is possible on the thank-you page — maximum data
Data only available on the thank-you page
The thank-you page is the only place where you have access to complete purchase data — including personal data of the buyer:
- Full billing address (city, state, ZIP, country)
- Email and phone of the buyer (even without login)
- Transaction ID, value, tax, shipping, currency
- Coupon or discount code (first applied)
- All line items with SKU, name, brand, category, variant, price, quantity
- new_customer flag (from customer.orders_count)
Why this is game-changing
Email + Phone + Name + Address → SHA256-hashed = maximum Enhanced Conversions. Google Ads receives 7 hashed fields for conversion attribution. Instead of relying only on the click ID, Google can attribute the conversion even when the cookie is missing, the user switches devices, or the purchase happens days after the click.
Same data set for Google Enhanced Conversions and Meta Advanced Matching. One data setup, two platforms. The hashed fields are identical — email, phone, first name, last name, city, ZIP, country.
new_customer flag → Google Ads New Customer Acquisition Bidding. Google Ads can automatically bid higher for new customers. The requirement: the flag must be sent in the purchase event.
Full line items → Smart Shopping optimisation. Google Ads can optimise individual products in Smart Shopping and Performance Max when items are correctly transmitted with SKU, brand, and category.
Enhanced Conversions data guide
| Field | Shopify Liquid | Preparation | Hash |
|---|---|---|---|
| Email | order.email | downcase | SHA256 |
| Phone | order.billing_address.phone | Digits only + country code | SHA256 |
| First Name | order.billing_address.first_name | downcase, trim | SHA256 |
| Last Name | order.billing_address.last_name | downcase, trim | SHA256 |
| City | order.billing_address.city | downcase, trim | SHA256 |
| State | order.billing_address.province_code | downcase | SHA256 |
| ZIP | order.billing_address.zip | Remove spaces | Plain text |
| Country | order.billing_address.country_code | downcase | Plain text |
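The table's preparation and hashing rules as a Node.js reference, useful for checking that the values produced on the thank-you page match what you expect. This is an added example, not code from the original page; the flat input field names, the `defaultCallingCode` parameter, and the sample order are assumptions made for illustration.

```javascript
// Added example, not the page's code: reference implementation of the table's rules.
const { createHash } = require("crypto");

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// "Digits only + country code". defaultCallingCode is a hypothetical parameter,
// used only when the number is written in national format (leading 0).
function normalizePhone(raw, defaultCallingCode) {
  const trimmed = raw.trim();
  const digits = trimmed.replace(/\D/g, "");
  if (digits === "") return "";
  if (trimmed.startsWith("+")) return digits;           // already international
  if (digits.startsWith("00")) return digits.slice(2);  // 00 prefix stands for "+"
  return defaultCallingCode + digits.replace(/^0/, "");
}

const lower = (v) => v.toLowerCase();

// One entry per table row: [output key, input field, preparation, hashed?].
// The flat input field names are an assumption standing in for order.email and
// order.billing_address.*.
const RULES = [
  ["email", "email", lower, true],
  ["phone", "phone", normalizePhone, true],
  ["first_name", "first_name", lower, true],
  ["last_name", "last_name", lower, true],
  ["city", "city", lower, true],
  ["state", "province_code", lower, true],
  ["zip", "zip", (v) => v.replace(/\s+/g, ""), false],
  ["country", "country_code", lower, false],
];

function buildUserData(order, defaultCallingCode) {
  const out = {};
  for (const [key, field, prep, hashed] of RULES) {
    if (typeof order[field] !== "string") continue;
    // Trimming every field first is an added assumption; the table lists it for some.
    const value = prep(order[field].trim(), defaultCallingCode);
    // Skip empty values: sha256("") is a well-known constant, so hashing a missing
    // phone number would give every such customer the same match key.
    if (value === "") continue;
    out[key] = hashed ? sha256(value) : value;
  }
  return out;
}

// Constructed sample order, not real customer data.
const SAMPLE_ORDER = { email: " Anna.Muster@Example.com ", phone: "0151 1234-5678",
  first_name: " Anna", last_name: "Muster ", city: "Köln", province_code: "NW",
  zip: "50667 ", country_code: "DE" };
```

Calling `buildUserData(SAMPLE_ORDER, "49")` returns six 64-character hex digests plus the plain-text `zip` and `country` values.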
Technician checklist: purchase event
- [ ] first_time_accessed check (fires only once — no duplicate on reload)
- [ ] Own Consent Mode v2 defaults (separate context on checkout domain)
- [ ] Own GTM loader (SST first-party + fallback)
- [ ] Visitor identity read from cookie (also on checkout domain)
- [ ] Click IDs (gclid, fbclid) read from cookies
- [ ] Meta cookies (_fbp, _fbc) in dataLayer
- [ ] User data SHA256-hashed in Liquid (not in JavaScript — no PII in the browser)
- [ ] All line items in GA4 item schema
- [ ] new_customer flag set
- [ ] ecommerce.value in euros (not cents — checkpoint 5 in the tracking audit)
- [ ] Transaction ID is unique (order.name or order.id)
Web Pixel — The modern alternative
What Web Pixels are
Shopify Custom Pixel: JavaScript that runs in a sandbox in the checkout. Has access to analytics.subscribe events (checkout_started, checkout_completed, payment_info_submitted, and others). Can load its own GTM container. Independent of theme code.
When to use Web Pixel instead of Order Status Script
Web Pixels are the right choice if you have Shopify Plus and use more checkout customisation, if you want event-based rather than page-based tracking, or if you want to use the analytics.subscribe API. For most standard Shopify shops, the Order Status Script is sufficient and simpler to implement.
Web Pixel implementation tutorial
- Shopify Admin → Settings → Customer Events → Add Custom Pixel
- Load GTM container in the pixel (own instance — not the main container from the storefront)
- analytics.subscribe('checkout_completed', ...) → dataLayer.push purchase event
- Read consent from cookie → set Consent Mode
- Extract user data from event data and hash (client-side in the pixel)
- Configure GTM tags (GA4, Google Ads, Meta)
Web Pixel checklist
- [ ] Custom pixel created and active
- [ ] Own GTM instance (not the main GTM)
- [ ] analytics.subscribe for checkout_completed and checkout_started
- [ ] Consent cookie from main domain readable (SameSite=None, Secure)
- [ ] User data correctly hashed
- [ ] Test result: purchase visible in GA4 DebugView
- [ ] Test result: conversion visible in Google Ads
- [ ] Test result: server events visible in Meta Events Manager
Saving attribution across the domain change
The problem
When the user moves from yourshop.com to checkout.shopify.com, cookies are lost. The _ga cookie is set on yourshop.com — on checkout.shopify.com it does not exist. Click IDs (gclid, fbclid) stored in cookies on the main domain are not accessible on the checkout domain. The consequence: Google and Meta cannot attribute the purchase to the correct click.
The solution: Click-ID persistence and visitor identity
gclid, gbraid, wbraid, and fbclid are extracted from URL parameters on the first page load and stored in a custom cookie. This cookie must be SameSite=None and Secure — only then is it also readable on the checkout domain (checkout.shopify.com). Additionally, it is stored in sessionStorage as a fallback.
The custom visitor ID in the cookie links the checkout visit with the shopping session. SST can set the cookie server-side — HttpOnly, 13 months, and readable across the domain change.
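A sketch of the click-ID capture described above, with the cookie attributes this section lists. It is an added example, not code from the original page; the cookie name `_click_ids`, the helper names, and the accepted character pattern are assumptions. Because click IDs arrive as URL parameters, anyone who crafts a link controls them, so the example validates them both when writing the cookie and when reading it back before anything reaches the dataLayer.

```javascript
// Added example, not the page's code. Cookie name and helper names are hypothetical.
const COOKIE_NAME = "_click_ids";
const CLICK_ID_PARAMS = ["gclid", "gbraid", "wbraid", "fbclid"];
// Assumed format: URL-safe token characters only, bounded length.
const CLICK_ID_PATTERN = /^[A-Za-z0-9_-]{1,512}$/;

// Keep only known click-ID parameters whose values pass the pattern.
function extractClickIds(href) {
  const params = new URL(href).searchParams;
  const ids = {};
  for (const name of CLICK_ID_PARAMS) {
    const value = params.get(name);
    if (value !== null && CLICK_ID_PATTERN.test(value)) ids[name] = value;
  }
  return ids;
}

// Build the cookie string: 90 days, SameSite=None, Secure, as in the checklist.
function buildClickIdCookie(ids) {
  if (Object.keys(ids).length === 0) return null; // nothing to persist
  const value = encodeURIComponent(JSON.stringify(ids));
  const maxAge = 90 * 24 * 60 * 60;
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAge}; Path=/; SameSite=None; Secure`;
}

// Parse a document.cookie-style string and re-validate every value, so a
// tampered or malformed cookie yields an empty object instead of raw input.
function readClickIdCookie(cookieString) {
  const pair = cookieString
    .split("; ")
    .find((c) => c.startsWith(COOKIE_NAME + "="));
  if (!pair) return {};
  try {
    const parsed = JSON.parse(decodeURIComponent(pair.slice(COOKIE_NAME.length + 1)));
    const ids = {};
    for (const name of CLICK_ID_PARAMS) {
      const value = parsed[name];
      if (typeof value === "string" && CLICK_ID_PATTERN.test(value)) ids[name] = value;
    }
    return ids;
  } catch {
    return {};
  }
}
```

In the browser, assign the result of `buildClickIdCookie` to `document.cookie` on the landing page and pass `document.cookie` to `readClickIdCookie` on the thank-you page.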
Attribution recovery checklist
- [ ] Click IDs are extracted from URL parameters on first page load
- [ ] Click IDs are stored in cookie (90 days, SameSite=None, Secure) and sessionStorage
- [ ] On the thank-you page: click IDs read from cookie and pushed to dataLayer
- [ ] Visitor-ID cookie is readable on checkout domain
- [ ] SST receives the click IDs and uses them for Enhanced Conversions and CAPI
- [ ] Test result: gclid visible in GTM Preview on thank-you page
Meta Conversions API — Server-Side Purchase
Why CAPI is especially important for purchase
Purchase is the most expensive and rarest event — every lost attribution is costly. Meta CAPI sends server-side, independent of ad blockers, Safari, and cookie issues. Event Match Quality (EMQ) rises significantly when user data (email, phone) is included. Deduplication ensures that browser event and server event are not double-counted.
Meta CAPI setup guide (via SST)
- Create Meta Conversions API tag in the SST container
- Configure Pixel ID and access token
- Event name: Purchase, event data from dataLayer
- User data mapping: em, ph, fn, ln (hashed)
- Send _fbp and _fbc cookies (for attribution)
- Set event_id (same in browser and server event — for deduplication)
Meta CAPI quality checklist
- [ ] Server events visible in Meta Events Manager (alongside browser events)
- [ ] Event Match Quality above 6 (out of 10)
- [ ] Deduplication works (no duplicate purchases in Meta)
- [ ] _fbp and _fbc are sent correctly
- [ ] User data fields: at minimum em + fn + ln + country
- [ ] Purchase value and currency match between browser and server
The comparison table — What most shops have vs. what is possible
| Data Point | Typical Setup | Optimised Setup |
|---|---|---|
| Events on thank-you page | purchase (basic) | purchase + user_data + click_ids + visitor_identity |
| User Data | None or unhashed | SHA256: email, phone, name, address (7 fields) |
| Enhanced Conversions | Not active | Active, coverage above 90% |
| Meta CAPI | Not active | Server-side, EMQ above 6 |
| new_customer flag | No | Yes → NCA Bidding |
| Purchase deduplication | No (fires multiple times) | first_time_accessed check |
| Consent on checkout | Missing or wrong | Own defaults + cookie check |
| Visitor Identity | Lost on domain change | Custom cookie survives |
| Click-ID Persistence | Lost on domain change | Custom cookie (90 days) |
| Attribution Window | 7 days (Safari) | 13 months (server cookie) |
The difference between left and right: 15–30% more attributed conversions. That means: Smart Bidding has 15–30% more signals. Your campaigns optimise on a more complete data foundation. Your ROAS rises — at the same ad spend.
Conclusion
The thank-you page is not the end of the customer journey — it is the beginning of your data strategy. What you measure there determines how well all your campaigns perform tomorrow.
A standard setup sends a purchase event with order value and transaction ID. That is sufficient for basic reports. An optimised setup additionally sends: 7 hashed user data fields for Enhanced Conversions, click IDs for correct attribution, a custom visitor identity for cross-session tracking, server-side events for Meta CAPI, and a new_customer flag for NCA Bidding.
The effort: one script on the Order Status Page plus SST configuration. The result: 15–30% more attributed conversions and a data foundation that Smart Bidding can actually use.
If you want to check where your setup stands, start with the 15-point tracking audit. If you want to read the full e-commerce tracking guide, find it here. And if you do not want to do it yourself — we do it for you.