Why Your MODX Site Needs a Cookie Banner

MODX Revolution powers thousands of websites that rely on analytics, marketing pixels, and session tracking. Every one of those tools drops cookies onto your visitors' devices. Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's terminal equipment requires prior consent, unless the cookie is strictly necessary to deliver a service the user explicitly requested.

That rule applies regardless of your CMS. If your MODX site sets _ga, _fbp, or any other non-essential cookie before a visitor actively opts in, you are in breach.

European data protection authorities are no longer issuing gentle warnings. The Dutch DPA contacted 50 organisations in April 2025 with three-month remediation deadlines. CNIL imposed a 150 million euro fine on a major tech company in 2025 for cookie consent violations. Smaller businesses are now firmly in scope.

Cookies Commonly Found on MODX Websites

Before adding a banner, you need to know what your site actually sets. A cookie scan will give you the full picture, but MODX sites typically include several categories of cookies.

| Cookie | Category | Purpose | Consent Required? |
|---|---|---|---|
| PHPSESSID | Strictly Necessary | PHP session identifier | No |
| MODX | Strictly Necessary | MODX manager session | No |
| _ga | Analytics | Google Analytics client ID | Yes |
| _gid | Analytics | Google Analytics session | Yes |
| _fbp | Marketing | Meta Pixel tracking | Yes |
| pll_language | Functional | Language preference (Polylingual) | Depends on jurisdiction |

PHPSESSID and the MODX manager session cookie are strictly necessary and do not require consent. Everything else needs to be blocked until the visitor makes a choice. Functional cookies like pll_language sit in a grey area - some DPAs classify language preferences as strictly necessary, while others require opt-in. Check the rules for your target jurisdictions using a region-specific compliance reference.

How MODX Templates and Chunks Work for Code Injection

MODX uses a template system built around three core elements: Templates, Chunks, and Snippets. Templates define the overall HTML structure of a page. Chunks are reusable blocks of HTML that you embed inside templates using the [[$chunkName]] syntax. Snippets execute PHP logic.

For a cookie consent banner, the key location is the <head> section of your template. Most MODX sites use a shared head Chunk - often called something like head or htmlHead - that every template references. Placing your consent script here means it loads on every page without duplicating code.

This is the same approach you would use for any site-wide script. The difference with a consent management script is that it must load before any analytics or marketing tags fire.

Adding a Cookie Banner Script to MODX

The installation process follows a simple pattern: paste the consent script into your head Chunk, ensure it appears before any tracking scripts, and save. The MODX installation guide in the Help Centre walks through each step with screenshots.

Step 1: Locate Your Head Chunk

Open the MODX Manager. Navigate to Elements in the left panel, expand the Chunks category, and find the Chunk that contains your <head> content. If your template includes the head HTML directly rather than referencing a Chunk, you can edit the template itself under Elements > Templates.

Step 2: Paste the Consent Script

Place the consent script as the first item inside <head>, before any Google Analytics, Meta Pixel, or other tracking code. The script tag typically looks like this:

<script src="https://cdn.kukie.io/banner/your-site-id.js" defer></script>

The exact snippet for your site is available in your Kukie.io dashboard after registration.

Step 3: Move Tracking Scripts Below the Consent Script

Any analytics or marketing scripts in your head Chunk must appear after the consent script. This ensures the consent management platform can intercept them and block execution until the visitor grants permission. If you use Google Tag Manager, the GTM container script should also sit below the consent script.

Step 4: Clear the MODX Cache

MODX caches aggressively. After saving your Chunk or Template changes, go to Manage > Clear Cache in the Manager toolbar. Without this step, visitors may still see the old version of your site without the banner.

Blocking Cookies Before Consent in MODX

Displaying a banner is only half the requirement. The banner must actually prevent non-essential cookies from being set until the visitor opts in. GDPR Recital 32 is explicit: silence, pre-ticked boxes, and inactivity do not constitute valid consent.

There are two approaches to blocking cookies on a MODX site. The first is conditional script loading, where your consent tool rewrites script tags so they only execute after consent. The second is server-side blocking via a MODX Snippet that checks the consent cookie value before outputting tracking code.

A dedicated CMP handles the first approach automatically. If you prefer server-side control, you could write a MODX Snippet that reads the consent cookie and conditionally includes your analytics Chunk. Most site owners find the client-side approach simpler and less error-prone.
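
The server-side approach described above, as an added example (not code from the original page, from MODX, or from Kukie.io): a Snippet that outputs a tracking Chunk only when the consent cookie grants the named category. The cookie name `site_consent`, its JSON layout, and the Snippet and Chunk names `consentGate` and `analyticsScripts` are assumptions; replace them with what your CMP actually writes.

```php
<?php
/**
 * consentGate: MODX Revolution Snippet (added example).
 * Call it UNCACHED from the head Chunk, below the consent script:
 *   [[!consentGate? &category=`analytics` &chunk=`analyticsScripts`]]
 *
 * Assumed cookie format (hypothetical, not any CMP's documented format):
 *   site_consent={"analytics":true,"marketing":false}
 */

if (!function_exists('consentGateAllows')) {
    function consentGateAllows(array $cookies, string $cookieName, string $category): bool
    {
        // No cookie means no choice has been made yet: treat as "not granted".
        if (!isset($cookies[$cookieName]) || !is_string($cookies[$cookieName])) {
            return false;
        }
        $raw = $cookies[$cookieName];
        // The cookie is visitor-controlled input: cap its size, parse strictly.
        if (strlen($raw) > 1024) {
            return false;
        }
        $prefs = json_decode($raw, true, 4);
        if (!is_array($prefs)) {
            return false;
        }
        // Only a literal boolean true counts; "1", "yes" or a missing key do not.
        return ($prefs[$category] ?? false) === true;
    }
}

$cookieName = $modx->getOption('cookieName', $scriptProperties, 'site_consent');
$category   = $modx->getOption('category', $scriptProperties, '');
$chunk      = $modx->getOption('chunk', $scriptProperties, '');

// Gate only the optional categories; strictly necessary code is never routed here.
$gated = ['functional', 'analytics', 'marketing'];
if (!in_array($category, $gated, true) || $chunk === '') {
    return '';
}

// Emit the tracking Chunk only after an explicit opt-in for this category.
return consentGateAllows($_COOKIE, $cookieName, $category) ? $modx->getChunk($chunk) : '';
```

The `!` in the tag matters: the output depends on a per-visitor cookie, so a cached call would replay one visitor's consent decision to everyone who receives the cached page.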

Configuring Cookie Categories

European regulators expect granular consent. Your visitors must be able to accept analytics cookies while rejecting marketing cookies, or vice versa. A single "accept all" button without alternatives does not satisfy GDPR consent requirements.

Set up your cookie categories to reflect what your MODX site actually uses. A typical configuration includes:

  • Strictly Necessary - PHPSESSID, MODX session cookies (always on, no toggle)

  • Functional - language preferences, UI customisation cookies

  • Analytics - _ga, _gid, Matomo cookies

  • Marketing - _fbp, advertising pixels, retargeting tags

Map each cookie to its correct category. A cookie scanning tool automates this process by crawling your site, identifying every cookie, and suggesting the appropriate classification.

Geo-Detection and Regional Consent Rules

Not every visitor needs the same consent experience. The GDPR and ePrivacy Directive apply to visitors from the EU and EEA. The UK GDPR and PECR cover UK visitors. The CCPA gives California residents opt-out rights rather than opt-in requirements.

If your MODX site attracts international traffic, geo-detection ensures each visitor sees the legally appropriate banner. EU visitors get an opt-in banner. US visitors in California see an opt-out notice. Visitors from unregulated jurisdictions might see no banner at all.

This matters for performance too. Showing a full opt-in modal to visitors who do not legally require one adds friction and reduces engagement without any compliance benefit.

Google Consent Mode and MODX

If your MODX site uses Google Analytics 4 or Google Ads, Google Consent Mode v2 is worth configuring. Consent Mode sends consent signals to Google's tags, switching them between full measurement and cookieless pings depending on the visitor's choice.

Without Consent Mode, rejected consent means zero data from that visitor. With it, Google can apply conversion modelling to fill gaps in your analytics. The integration sits in your consent banner configuration rather than in MODX itself - check the Consent Mode setup guide for details.

Common Mistakes with MODX Cookie Banners

Several patterns appear repeatedly on MODX sites that fail compliance checks.

Placing the consent script after tracking scripts. If Google Analytics loads before the consent tool, cookies are set before the visitor can object. Script order in your head Chunk matters.

Forgetting to clear the MODX cache. You save your changes, test in the Manager preview, and everything looks correct. But the live site still serves the cached version without the banner. Always clear cache after making template or Chunk changes.

Using a cookie-wall approach. Blocking access to your site unless the visitor accepts all cookies violates EDPB guidelines. Consent must be freely given, meaning the visitor must have a genuine choice.

Ignoring dark patterns. Making the "reject" option hard to find, using confusing double negatives, or colour-coding buttons to push acceptance are all practices that DPAs actively penalise.

Frequently Asked Questions

Does MODX set cookies by default without any extras installed?

MODX sets a PHPSESSID cookie for PHP sessions and may set a manager session cookie. These are strictly necessary and do not require consent. Non-essential cookies come from extras, plugins, or third-party scripts you add.

Where do I paste the cookie banner code in MODX Revolution?

Place the consent script inside the Chunk or Template that contains your <head> section. It must appear before any analytics or marketing scripts. After saving, clear the MODX cache.

Can I use a MODX Snippet to conditionally load tracking scripts?

Yes. You can write a Snippet that reads the consent cookie value and only outputs tracking code if consent was granted. However, a client-side consent management platform handles this automatically and is simpler to maintain.

Do I need cookie consent if my MODX site only targets US visitors?

Several US states have privacy laws that affect cookie usage. California's CCPA requires opt-out mechanisms for selling or sharing personal information. If any EU visitors reach your site, GDPR consent rules apply to those visits.

How do I scan my MODX website for cookies?

Use an automated cookie scanner that crawls your site and identifies every cookie, local storage item, and tracking pixel. This gives you an accurate inventory to configure your banner categories correctly.

Will adding a cookie banner slow down my MODX website?

A well-built consent script loaded with the defer attribute has minimal impact on page speed. It should not block rendering or significantly affect Core Web Vitals scores.

Take Control of Your Cookie Compliance

If you are not sure which cookies your MODX site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
