What Cookies Does OpenCart Set by Default?
Every OpenCart installation drops a handful of cookies the moment a visitor lands on your store. Some are strictly necessary for the site to function. Others sit in a grey area that trips up many store owners.
The core session cookie, PHPSESSID, identifies a visitor's browsing session. Without it, the shopping cart would forget its contents between page loads. OpenCart also sets a currency cookie to remember which currency the visitor selected and a language cookie to store their language preference.
These three cookies ship with every default OpenCart installation. But most stores add more.
Google Analytics (_ga, _ga_*), Meta Pixel (_fbp), and remarketing tags all introduce marketing cookies that track visitor behaviour across the web. Payment gateway redirects, live chat widgets, and embedded product videos can each set their own cookies too. A typical OpenCart store might have 15 to 30 cookies active before a single click on "Add to Cart".
Which OpenCart Cookies Require Consent?
Under Article 5(3) of the ePrivacy Directive, you must obtain consent before placing any cookie that is not strictly necessary for the service the user explicitly requested. The GDPR then governs how that consent is collected - it must be freely given, specific, informed, and unambiguous.
Not every cookie needs a consent prompt. Strictly necessary cookies can fire without permission.
| Cookie | Purpose | Category | Consent Required? |
|---|---|---|---|
PHPSESSID | Session identifier for cart and login | Strictly necessary | No |
currency | Stores selected currency | Functional | Depends on jurisdiction |
language | Stores selected language | Functional | Depends on jurisdiction |
_ga / _ga_* | Google Analytics tracking | Analytics | Yes |
_fbp | Meta Pixel tracking | Marketing | Yes |
_gcl_au | Google Ads conversion linking | Marketing | Yes |
| Payment gateway cookies | Fraud detection, session handoff | Strictly necessary | No (during checkout) |
The currency and language cookies sit in a grey zone. CNIL and the EDPB have indicated that preference cookies which go beyond what is strictly necessary for delivering the requested service do require consent. If your store auto-detects location and sets these cookies before the visitor makes an active choice, a consent mechanism is safer.
Checkout and Payment Cookies
Payment gateway cookies used during checkout - such as fraud-detection tokens from Stripe, PayPal, or Klarna - generally qualify as strictly necessary when they are essential to complete the transaction the visitor initiated. Store them in a clearly labelled category and document their purpose in your cookie policy.
OpenCart 4 vs OpenCart 3: Built-in Cookie Handling
OpenCart 4 introduced a basic cookie consent popup accessible through Admin, under System, then Settings, then the Option tab. It displays a footer notice linking to your legal policy pages.
This built-in popup has significant limitations. It does not block analytics or marketing scripts before consent. It offers no granular category selection - visitors cannot accept analytics while declining marketing cookies, which the GDPR requires as "specific" consent. There is no consent logging, no geo-detection, and no integration with Google Consent Mode v2.
OpenCart 3 and earlier versions have no built-in cookie consent at all. Store owners rely entirely on extensions or external solutions.
What European Regulators Expect from E-commerce Stores
Enforcement has accelerated sharply. The ICO launched a review of the top 1,000 UK websites in January 2025, issuing 134 warnings from just the first 200 sites checked. CNIL issued over 139 million euros in cookie-related fines between December 2022 and December 2024. The European Commission formally withdrew the proposed ePrivacy Regulation in February 2025, confirming that the existing ePrivacy Directive remains the legal framework for cookie rules.
Regulators look for several specific things on e-commerce sites.
Prior consent is non-negotiable: analytics and marketing scripts must not execute until the visitor actively opts in. Pre-ticked checkboxes, scrolling, or continued browsing do not count as valid consent. The banner must offer a genuine reject option that is as easy to reach as "Accept All" - dark patterns such as hiding the reject button behind extra clicks draw enforcement action. Consent records must be stored and retrievable, because under Article 7(1) GDPR you must be able to demonstrate that consent was given.
Options for Adding Cookie Consent to OpenCart
You have three main approaches.
OpenCart Marketplace Extensions
The OpenCart Marketplace lists several cookie consent extensions, including "Cookie Consent Pro" and "GDPR-Friendly Cookie Consent Manager". These install through the Extension Installer and add banner functionality directly to your store's front end.
The quality varies considerably. Check whether the extension blocks scripts before consent (not just after), supports granular categories, logs consent records, and receives regular updates. Some popular modules stopped receiving maintenance in early 2025.
External CMP via Script Tag
An external consent management platform works by adding a single script tag to your OpenCart theme's header template. The script loads the banner, manages consent state, and controls when other scripts fire. This approach separates consent logic from your store code, so updates to your CMP do not require modifying OpenCart files.
Kukie.io works this way - a single snippet added to your OpenCart header file handles cookie scanning, banner display, geo-detection, and script blocking. The OpenCart installation guide walks through the exact placement.
Manual Implementation
Building your own consent mechanism from scratch is technically possible but rarely practical. You would need to handle script blocking, consent storage, category management, geo-based rule variation, and consent logging - all while keeping pace with regulatory changes. For most store owners, the maintenance burden outweighs any savings.
How to Install a Cookie Banner on OpenCart
The installation process depends on your OpenCart version, but the core steps follow the same pattern.
For OpenCart 3.x, open the file catalog/view/theme/YOUR_THEME/template/common/header.twig (or .tpl for older versions). Paste the CMP script tag just before the closing </head> tag. For OpenCart 4.x, the template path is similar but uses the Twig templating engine exclusively.
After adding the script, run a cookie scan to detect every cookie your store sets. Assign each detected cookie to the correct category - strictly necessary, functional, analytics, or marketing. Configure your banner text, then set up region rules so that visitors from the EU see an opt-in banner while visitors from less regulated regions see an appropriate alternative.
Test the installation by visiting your store in a private browser window, declining all cookies, and then checking the browser's developer tools to confirm that analytics and marketing cookies are absent.
Handling Google Analytics and Marketing Tags on OpenCart
Most OpenCart stores use Google Analytics 4 and at least one advertising pixel. These scripts must not fire before consent.
If you use Google Tag Manager, configure it to respect consent signals. Google Consent Mode v2 allows GA4 and Google Ads tags to operate in a limited, cookieless mode when consent has not yet been granted, then switch to full measurement once the visitor opts in. This preserves some conversion modelling data without violating consent requirements.
For Meta Pixel and other third-party tags loaded outside GTM, use your CMP's script blocking feature to prevent execution until the visitor grants marketing consent. The conditional script loading approach ensures that no tracking cookie appears in the browser before the visitor makes a choice.
Common Compliance Mistakes on OpenCart Stores
Several patterns appear repeatedly across OpenCart sites during audits.
Setting analytics cookies on page load before any banner appears is the most frequent violation. This often happens when the GA4 tracking code is hardcoded into the header template without any consent gate. Relying on OpenCart 4's built-in popup without actual script blocking is another common error - the popup informs, but does not prevent cookies from firing.
Ignoring e-commerce-specific cookie obligations is also widespread. Abandoned cart recovery tools, live chat plugins, and personalisation cookies all require consent if they track behaviour beyond the current session. Each extension you install on OpenCart can introduce new cookies that need to be scanned, categorised, and controlled.
Frequently Asked Questions
Does OpenCart set cookies that require GDPR consent?
The core PHPSESSID session cookie is strictly necessary and does not require consent. But analytics cookies like _ga, marketing cookies like _fbp, and some functional cookies do require prior consent under the ePrivacy Directive and GDPR.
Is the OpenCart 4 built-in cookie popup enough for GDPR?
No. The built-in popup displays a notice but does not block scripts before consent, offer granular category choices, or log consent records. You need a proper consent management solution that actually prevents non-essential cookies from loading until the visitor opts in.
How do I block Google Analytics on OpenCart until consent is given?
Use a consent management platform that supports script blocking, or implement Google Consent Mode v2 through Google Tag Manager. Both approaches prevent analytics cookies from firing until the visitor grants explicit consent.
Do payment gateway cookies on OpenCart need consent?
Payment processing cookies used during an active checkout - such as fraud detection tokens from Stripe or PayPal - are generally classified as strictly necessary. They should still be documented in your cookie policy but do not typically require prior consent.
Can I use a free OpenCart GDPR extension for cookie consent?
Free extensions exist, but many lack script blocking, consent logging, and geo-detection. If your store serves EU visitors, check that any extension actually prevents cookies from loading before consent and provides a proper reject option.
How many cookies does a typical OpenCart store set?
A default OpenCart installation sets three to four cookies. Once you add analytics, advertising pixels, live chat, and payment gateways, the count typically rises to 15 to 30 cookies, most of which require consent.
Take Control of Your Cookie Compliance
If you are not sure which cookies your OpenCart store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
