Why Magento Stores Face a Unique Cookie Compliance Challenge
Magento - now branded as Adobe Commerce - ships with a generous set of cookies out of the box. Session cookies like PHPSESSID keep shoppers logged in. Form validation cookies like form_key protect against cross-site request forgery. Caching cookies such as mage-cache-sessid and mage-cache-storage speed up page loads by storing content locally.
That is before you add Google Analytics, Meta Pixel, remarketing tags, or any of the hundreds of extensions available on the Adobe Commerce Marketplace.
Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a visitor's device requires prior informed consent unless the cookie is strictly necessary for a service the user explicitly requested. A store that sets _ga, _fbp, or advertising cookies before a visitor clicks "Accept" is already in breach.
Common Cookies on a Magento Store
Before configuring any consent mechanism, you need a clear picture of what your store actually sets. A cookie scan is the fastest way to build this inventory, but the table below covers the most common Magento cookies and their classification under privacy regulations.
| Cookie Name | Purpose | Category | Consent Required? |
|---|---|---|---|
| PHPSESSID | PHP session identifier | Strictly necessary | No |
| form_key | CSRF protection for forms | Strictly necessary | No |
| mage-cache-sessid | Cache session identifier | Strictly necessary | No |
| mage-cache-storage | Local content caching | Strictly necessary | No |
| mage-messages | Error and success messages | Strictly necessary | No |
| product_data_storage | Recently viewed products | Functional | Depends on jurisdiction |
| _ga / _ga_* | Google Analytics tracking | Analytics | Yes |
| _fbp | Meta Pixel tracking | Marketing | Yes |
| _gcl_au | Google Ads conversion | Marketing | Yes |
Session and CSRF cookies qualify as strictly necessary because the checkout process cannot function without them. Analytics and marketing cookies always require consent under the GDPR and similar frameworks.
Magento's Built-in Cookie Restriction Mode
Adobe Commerce includes a native cookie restriction feature. When enabled, it displays a simple notice bar at the top of the store and prevents non-essential cookies from being set until the visitor accepts.
The problem is that this built-in mechanism is minimal. It does not offer granular category-based consent, does not record proof of consent, and does not integrate with Google Consent Mode v2. Since March 2024, Google requires granular consent signals from any site running Google Ads or Analytics tags. A simple accept/reject bar does not send the ad_storage, analytics_storage, or ad_user_data parameters that Google now expects.
For stores selling to EU visitors, the native solution also lacks a proper reject-all button. The CNIL and several other European data protection authorities have ruled that refusing cookies must be as easy as accepting them.
Content Security Policy Headers and Your Cookie Banner
Magento 2.4.7 and later versions enforce Content Security Policy (CSP) headers in restrict mode on payment pages and in report-only mode elsewhere. CSP controls which external scripts, styles, and resources a page is allowed to load.
This matters for cookie consent because your banner script is, from Magento's perspective, an external resource. If the CSP header does not whitelist the banner's domain, the browser will block the script entirely. On checkout pages, where CSP runs in full restrict mode, this can silently prevent your consent mechanism from appearing at all.
To allow an external cookie banner to load, you need to add its domain to Magento's CSP whitelist. This is done through the csp_whitelist.xml configuration file or via a custom module that registers the domain under the script-src and style-src directives. The Magento installation guide in the Kukie.io Help Centre walks through the exact steps.
What a Proper Consent Setup Looks Like
A compliant cookie banner on a Magento store needs to do more than display a notification. It must block non-essential cookies until the visitor makes a choice, offer granular cookie categories (analytics, marketing, functional), and record each consent decision with a timestamp.
The banner also needs to respect geography. A visitor from Germany requires a strict opt-in mechanism under the GDPR. A visitor from California falls under the CCPA, which uses an opt-out model. A visitor from a country with no specific cookie law may not need a banner at all. Region-based detection lets you serve the right experience to the right visitor without slowing down your store for everyone.
Consent signals should flow through to your tag management setup. If you use Google Tag Manager, the banner needs to fire consent-aware triggers so that analytics and advertising tags only activate after permission is granted.
Checkout Tracking and Conversion Measurement
E-commerce stores depend on conversion tracking. Without it, you cannot measure return on ad spend, optimise campaigns, or understand which channels drive revenue.
The tension is real: e-commerce cookie compliance means some visitors will decline marketing cookies, and their purchases become invisible to advertising platforms. Google Consent Mode v2 partially addresses this through conversion modelling, where Google estimates conversions from non-consenting users based on statistical patterns from consenting ones. Enabling this requires your banner to send the correct consent state parameters before any Google tag loads.
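As an added example (not Kukie.io's or Magento's code), the following maps a granular banner choice onto the Consent Mode v2 parameters named above and runs the check that belongs after the cookie audit in the table: which cookies are already present before the visitor has consented. The inventory, the sample cookie string and the `{analytics, marketing, functional}` choice shape are constructed for this example.

```javascript
// Cookie inventory mirroring the article's table (constructed for this example).
// A trailing "*" marks a prefix match, e.g. "_ga_*" covers _ga_G-XXXX.
const COOKIE_INVENTORY = {
  PHPSESSID: 'necessary',
  form_key: 'necessary',
  'mage-cache-sessid': 'necessary',
  'mage-cache-storage': 'necessary',
  'mage-messages': 'necessary',
  product_data_storage: 'functional',
  _ga: 'analytics',
  '_ga_*': 'analytics',
  _fbp: 'marketing',
  _gcl_au: 'marketing',
};

// Consent Mode v2 state object for gtag('consent', 'default' | 'update', state).
// Call with {} before any Google tag loads (everything denied), then again with
// the visitor's choice. The choice shape {analytics, marketing, functional} is assumed.
function consentModeState(choice = {}) {
  const grant = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: grant(choice.analytics),
    ad_storage: grant(choice.marketing),
    ad_user_data: grant(choice.marketing),        // added in v2
    ad_personalization: grant(choice.marketing),  // added in v2
    functionality_storage: grant(choice.functional),
    security_storage: 'granted', // strictly necessary, never gated
  };
}

// Classify a cookie name; anything not in the inventory is an audit finding in itself.
function categoryOf(name) {
  if (Object.hasOwn(COOKIE_INVENTORY, name)) return COOKIE_INVENTORY[name];
  for (const [pattern, category] of Object.entries(COOKIE_INVENTORY)) {
    if (pattern.endsWith('*') && name.startsWith(pattern.slice(0, -1))) return category;
  }
  return 'unknown';
}

// Names in a document.cookie-style string that the current choice does not permit.
function findViolations(cookieHeader, choice = {}) {
  const allowed = { necessary: true, functional: !!choice.functional,
    analytics: !!choice.analytics, marketing: !!choice.marketing };
  return cookieHeader.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean)
    .filter((name) => !allowed[categoryOf(name)]);
}

// Constructed sample of what a page can hold before the visitor has clicked anything.
const SAMPLE_BEFORE_CONSENT = 'PHPSESSID=abc; form_key=xyz; _ga=GA1.1.1; _ga_ABC123=GS1.1; _fbp=fb.1.1';
console.log(findViolations(SAMPLE_BEFORE_CONSENT)); // ['_ga', '_ga_ABC123', '_fbp']
```

Running `findViolations(document.cookie)` in the browser console on a fresh session, before touching the banner, is a quick way to confirm the banner actually blocks rather than merely notifies.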
For Meta Pixel and other platforms, server-side tracking through Magento's Conversions API integration can recover some attribution data without relying on browser cookies. This approach sends conversion events directly from your server, bypassing client-side cookie restrictions entirely.
Step-by-Step: Adding a Cookie Banner to Magento
The general process for adding an external consent management platform to Magento involves these steps:
1. Run a cookie audit to identify every cookie your store sets, including those from third-party extensions and payment gateways.
2. Categorise each cookie as strictly necessary, functional, analytics, or marketing.
3. Add the banner script to your Magento theme's default_head_blocks.xml layout file or via the Admin panel under Content > Design > Configuration > HTML Head.
4. Update your CSP whitelist to allow the banner script domain. Create or edit csp_whitelist.xml in your custom module's etc directory.
5. Configure conditional script loading so analytics and marketing tags only fire after consent.
6. Test the banner across storefront pages, checkout, and the customer account area.
Full technical instructions, including the CSP configuration snippets, are available in the Kukie.io Help Centre Magento cookie consent guide.
Multi-Store and Multi-Language Considerations
Magento's multi-store architecture means a single installation can serve multiple storefronts, each with its own domain, language, and target market. Your consent setup needs to account for this.
Each store view may need a different banner language and a different legal basis for processing. A German store view should display the banner in German and apply GDPR opt-in rules. A US store view might show an English banner with CCPA opt-out language. A Brazilian store view falls under the LGPD. Cookie banners that support multilingual configuration and geo-based rule sets handle this without requiring separate installations per region.
Frequently Asked Questions
Does Magento set cookies that require consent by default?
Most default Magento cookies like PHPSESSID and form_key are strictly necessary for the store to function and do not require consent. If you have added analytics or marketing tools, those cookies will require consent under GDPR and similar laws.
How do I add a cookie banner to Magento 2?
Add the banner script to your theme's head section through default_head_blocks.xml or via the Admin panel. You will also need to whitelist the script domain in your CSP configuration. See the Kukie.io Magento installation guide for detailed steps.
Why is my cookie banner not showing on checkout pages in Magento?
Magento 2.4.7 and later enforce strict Content Security Policy headers on payment pages. If your banner script domain is not included in the CSP whitelist, the browser silently blocks it. Adding the domain to csp_whitelist.xml resolves this.
Is Magento's built-in cookie notice GDPR compliant?
The native cookie restriction mode is a basic accept bar that lacks granular consent categories, proof-of-consent logging, and a reject-all option. Most privacy regulators consider this insufficient for GDPR compliance.
Do I need separate cookie consent for each Magento store view?
If your store views target different countries, each one should display a banner in the local language with consent rules matching that jurisdiction. A consent platform with geo-detection and multilingual support handles this automatically.
How does Google Consent Mode v2 work with Magento?
Your cookie banner sends consent state parameters like ad_storage and analytics_storage to Google tags before they fire. This enables conversion modelling for non-consenting users while keeping your Google Ads and Analytics data collection compliant.
Take Control of Your Cookie Compliance
If you are not sure which cookies your Magento store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.