How to Comply with GDPR and Cookie Consent Requirements in Magento 2

The General Data Protection Regulation (GDPR) requires businesses serving EU customers to obtain consent before setting non-essential cookies, provide mechanisms for data access and deletion requests, and clearly communicate data processing practices. Magento 2 includes native cookie restriction capabilities, but achieving full compliance requires careful configuration and understanding of which cookies are essential for store operation.

Cookie Consent in Magento 2

Native Cookie Restriction Mode

Magento includes a built-in cookie restriction feature. Enable it at Stores → Configuration → General → Web → Default Cookie Settings → Cookie Restriction Mode = Yes.

When enabled:

  • A cookie consent banner appears on the first visit
  • Non-essential cookies are blocked until the visitor accepts
  • The user_allowed_save_cookie cookie tracks whether the visitor has given consent

Limitations of Native Mode

Magento's native cookie restriction mode is basic. It blocks Magento-set cookies but does not automatically block third-party scripts (Google Analytics, Facebook Pixel, chat widgets) that set their own cookies. For full GDPR compliance, you need a cookie consent management solution that:

  • Categorizes cookies by purpose (essential, analytics, marketing, preferences)
  • Blocks third-party scripts until the visitor consents to the relevant category
  • Records consent with a timestamp for audit purposes
  • Allows visitors to withdraw consent

Cookie Classification

Essential Cookies (No Consent Required)

These cookies are required for basic store functionality. Blocking them breaks the shopping experience:

  Cookie                     Purpose
  form_key                   CSRF protection for form submissions
  private_content_version    Triggers loading of customer-specific content (mini-cart, name)
  store                      Selected store view
  currency_code              Selected currency
  X-Magento-Vary             Cache key differentiator (customer group, store view, currency)
  PHPSESSID                  PHP session identifier
  mage-cache-sessid          Session ID for local storage cache

These cookies must never be blocked by cookie consent tools. Blocking form_key prevents form submissions (add to cart, checkout). Blocking private_content_version prevents the mini-cart and customer greeting from updating.

Analytics Cookies (Consent Required)

These cookies track visitor behavior and require explicit consent:

  Cookie                            Service
  _ga, _gid, _gat                   Google Analytics
  _fbp, _fbc                        Facebook Pixel
  __utma, __utmb, __utmc, __utmz    Google Analytics (legacy)
  _hjid, _hjSession                 Hotjar

Marketing Cookies (Consent Required)

Cookies used for retargeting, advertising, and personalized marketing require consent.
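
The following is an added example, not code from Magento or from any consent extension, of the category-based consent logic the "Limitations of Native Mode" section calls for, built on the cookie classification above: it maps cookie names to categories, records each consent decision with a timestamp, gates third-party scripts until their category is allowed, and treats withdrawal as a new timestamped decision. The cookie-to-category map is taken from the tables above; the class and method names (ConsentManager, grant, withdraw, registerScript), the record format, and the injectable loader and clock are assumptions of this example. The marketing list is left empty because the article names no specific marketing cookies.

```javascript
// Added example (not Magento's or any extension's code): category-based consent.
// Cookie names below come from the article's classification tables.
const COOKIE_CATEGORIES = {
  // Essential cookies are required for the store to work and are never gated on consent.
  essential: [
    'form_key', 'private_content_version', 'store', 'currency_code',
    'X-Magento-Vary', 'PHPSESSID', 'mage-cache-sessid',
  ],
  analytics: ['_ga', '_gid', '_gat', '_fbp', '_fbc',
              '__utma', '__utmb', '__utmc', '__utmz', '_hjid', '_hjSession'],
  marketing: [], // assumption: fill in with the retargeting/advertising cookies your store sets
};

// Map a cookie name to its category. Unknown cookies are reported as 'unknown'
// so a newly added tracker is noticed and classified rather than silently allowed.
function classifyCookie(name) {
  for (const [category, names] of Object.entries(COOKIE_CATEGORIES)) {
    if (names.includes(name)) return category;
  }
  return 'unknown';
}

class ConsentManager {
  // `clock` is injectable so the audit timestamp is deterministic in tests.
  constructor(clock = () => new Date()) {
    this.clock = clock;
    this.record = null;   // last consent decision, with timestamp (audit trail)
    this.pending = [];    // third-party scripts waiting for consent to their category
  }

  // Record an explicit decision for each non-essential category.
  grant(choices) {
    this.record = {
      essential: true,                        // cannot be refused
      analytics: Boolean(choices.analytics),
      marketing: Boolean(choices.marketing),
      timestamp: this.clock().toISOString(),  // when this decision was made
    };
    this.flush();
    return this.record;
  }

  // Withdrawal is a fresh decision with its own timestamp, never a silent edit of the old one.
  withdraw(category) {
    if (category === 'essential') throw new Error('essential cookies cannot be refused');
    const current = this.record || { analytics: false, marketing: false };
    return this.grant({ ...current, [category]: false });
  }

  isAllowed(category) {
    if (category === 'essential') return true;
    return Boolean(this.record && this.record[category]);
  }

  // Register a third-party script; `load(src)` is invoked only once its category is allowed.
  // In a browser, `load` would create the <script> element; here it is a plain callback.
  registerScript(category, src, load) {
    this.pending.push({ category, src, load, loaded: false });
    this.flush();
  }

  // Load every pending script whose category now has consent.
  flush() {
    for (const s of this.pending) {
      if (!s.loaded && this.isAllowed(s.category)) {
        s.loaded = true;
        s.load(s.src);
      }
    }
  }

  loadedScripts() {
    return this.pending.filter(s => s.loaded).map(s => s.src);
  }
}
```

Withdrawal only stops future loads; a script that already ran keeps its cookies until they are deleted and the page is reloaded, which is why a withdrawal handler should also expire the cookies in that category.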

Cookie Exclusion in Varnish/Cache

When using Varnish or Full Page Cache, the cookie exclusion strategy must align with GDPR requirements:

  • Strip analytics cookies (_ga, _gid, _fbp, etc.) from cache key computation. These cookies do not affect page content and should not create separate cache entries.
  • Never strip essential cookies (form_key, private_content_version, currency_code) from cache processing. These affect page content and must be included in cache key computation.

This dual approach ensures both caching efficiency and GDPR compliance.
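
As an added example (not Magento's default VCL or any project code) of the exclusion rule described in this section, the following JavaScript mirrors what a prefix-based cookie-stripping rule in Varnish would do to the Cookie header before it feeds the cache key: tracking cookies matched by prefix are removed, the essential cookies listed earlier always survive, and unknown cookies are kept so that correctness is not sacrificed for hit rate. The function names, the prefix regex and the sample headers are assumptions constructed for this example.

```javascript
// Added example (not Magento's VCL): model of the cache-key cookie exclusion rule.

// Tracking cookies that never change page content; matched by prefix, as a
// regsuball-style VCL rule would. Prefixes come from the article's analytics table.
const TRACKING_COOKIE = /^(_ga|_gid|_gat|_fbp|_fbc|__utm[a-z]|_hj)/;

// Cookies that change what the page shows; they must survive into the cache key.
const ESSENTIAL_COOKIES = new Set([
  'form_key', 'private_content_version', 'store', 'currency_code',
  'X-Magento-Vary', 'PHPSESSID', 'mage-cache-sessid',
]);

// Split a Cookie header into [name, value] pairs, tolerating odd spacing.
function parseCookieHeader(header) {
  return header.split(';')
    .map(part => part.trim())
    .filter(Boolean)
    .map(part => {
      const i = part.indexOf('=');
      return i === -1 ? [part, ''] : [part.slice(0, i), part.slice(i + 1)];
    });
}

// Return the Cookie header that should be used for cache-key computation.
function cookieHeaderForCacheKey(header) {
  const kept = parseCookieHeader(header).filter(([name]) => {
    if (ESSENTIAL_COOKIES.has(name)) return true;  // never stripped
    if (TRACKING_COOKIE.test(name)) return false;  // analytics/marketing: stripped
    return true;                                    // unknown: kept (assumption: favour correctness)
  });
  return kept.map(([n, v]) => `${n}=${v}`).join('; ');
}

// Two requests share a cache entry when they agree after stripping; differing
// only in a tracking cookie must not fragment the cache.
function sameCacheKey(headerA, headerB) {
  return cookieHeaderForCacheKey(headerA) === cookieHeaderForCacheKey(headerB);
}
```

Use this as a unit test against the VCL you actually deploy: feed it the same sample headers and confirm that the VCL's `hash_data` input and `cookieHeaderForCacheKey` agree, especially for a store-view or currency change, which must produce a different key.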

See also: How to Configure Varnish Cache for Magento 2

Customer Data Requests

GDPR grants individuals the right to access and delete their personal data.

Right to Access (Data Export)

When a customer requests their data:

  1. Go to Customers → All Customers and find the customer record
  2. The customer's profile contains personal information, addresses, orders, and reviews
  3. Export this data in a readable format (CSV or PDF)

Magento 2.4+ includes a Privacy Settings section under Stores → Configuration → Customers → Customer Configuration with settings for:

  • Data retention period: How long to keep customer data after account deletion
  • Enable data export: Allow customers to request their data from the frontend

Right to Erasure (Data Deletion)

When a customer requests data deletion:

  1. Delete or anonymize the customer account
  2. Remove personal data from orders (anonymize shipping/billing addresses)
  3. Delete reviews containing personal information
  4. Remove newsletter subscriptions

Magento does not fully automate data erasure. Manual review is required to ensure all personal data is removed from orders, invoices, and other records.

Analytics Implications

When cookie consent is not given, analytics scripts do not load, and no tracking data is collected for those visits. This means:

  • Google Analytics will undercount traffic from EU visitors who decline cookies
  • Conversion tracking may show lower numbers than actual conversions
  • Attribution models become less accurate

This data gap is an inherent consequence of GDPR compliance. Consider using server-side analytics or consent-aware tracking solutions to capture anonymized, aggregate data without requiring cookie consent.

Implementation Checklist

  1. Enable Magento's native cookie restriction mode
  2. Install a cookie consent management extension for granular category-based consent
  3. Classify all cookies into categories (essential, analytics, marketing)
  4. Configure consent tools to block non-essential scripts until consent is given
  5. Verify essential cookies are never blocked
  6. Set up data access and deletion workflows
  7. Update your privacy policy to describe all cookies and data processing activities
  8. Test the complete consent flow on the frontend