What Cookies Does a PrestaShop Store Actually Set?

Every PrestaShop installation drops cookies the moment a visitor lands on the homepage. The core platform relies on a session cookie - typically PHPSESSID - and its own PrestaShop-[hash] cookie to track the shopping cart, customer login state, and language or currency preferences. These are functional cookies, and most privacy laws treat them as strictly necessary for the store to operate.

The trouble starts with everything else. A typical PrestaShop store running Google Analytics sets _ga, _ga_[ID], and _gid. Add the Meta Pixel and you pick up _fbp and fr. Payment gateways like PayPal and Stripe may inject their own tracking cookies during checkout. Third-party modules for live chat, retargeting, and A/B testing pile on more.

None of these non-essential cookies may be placed before the visitor gives informed, specific consent. That is the core rule under Article 5(3) of the ePrivacy Directive, reinforced by the GDPR's requirements for a valid legal basis.

GDPR and ePrivacy Rules That Apply to E-commerce Stores

Two regulations matter most for PrestaShop merchants selling to visitors in the European Economic Area. The ePrivacy Directive (often called the "cookie law") requires prior consent before storing or accessing information on a user's device, with narrow exceptions for cookies that are strictly necessary to provide the service the user requested. The GDPR governs how the personal data collected through those cookies is processed afterwards.

Under Article 7 of the GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not count. Bundling consent for analytics with consent for marketing in a single toggle does not count either. The CNIL fined Criteo EUR 40 million in 2023 partly for processing data without valid consent from partner websites - a reminder that the obligation extends across the advertising chain.

If your store attracts visitors from the United States, the CCPA/CPRA adds opt-out requirements for the sale or sharing of personal information through cookies like advertising pixels.

Why PrestaShop's Built-in EU Compliance Module Falls Short

PrestaShop ships with a basic GDPR compliance module that handles data export and deletion requests. It does not function as a cookie consent manager. It does not scan your store for cookies, does not block scripts before consent, and does not present visitors with granular category choices.

Many merchants assume installing this module makes their store compliant. It does not. Without script blocking, _ga and _fbp fire on page load regardless of consent state. That violates Article 5(3) of the ePrivacy Directive and exposes the store to enforcement risk.

Third-party PrestaShop cookie modules from the Addons marketplace vary widely in quality. Some display a banner but never actually block cookies - they simply inform the visitor without waiting for a decision. Others lack Google Consent Mode v2 support, which means your analytics data degrades even when visitors do consent.

Common Gaps in PrestaShop Cookie Modules

| Feature | Built-in GDPR Module | Typical Addons Module | Dedicated CMP |
| --- | --- | --- | --- |
| Cookie scanning and detection | No | Sometimes | Yes |
| Script blocking before consent | No | Varies | Yes |
| Granular category consent | No | Sometimes | Yes |
| Google Consent Mode v2 | No | Some modules | Yes |
| Geo-detection for regional rules | No | Rarely | Yes |
| Consent proof and audit log | No | Rarely | Yes |
| Automatic cookie policy text | No | Basic | Yes |

Cookies in the PrestaShop Checkout Flow

The checkout is where cookie compliance gets tricky for e-commerce. PrestaShop's checkout process relies on session cookies to maintain the cart and authenticate the customer. These are strictly necessary and do not require consent.

Payment gateway cookies sit in a grey area. When a visitor selects PayPal or a card processor, the gateway may set its own cookies for fraud detection and session management. Most DPAs consider fraud-prevention cookies strictly necessary, but advertising or analytics cookies set by the same gateway are not exempt.

Conversion tracking scripts are a different matter entirely. If you fire a _fbp event or a Google Ads _gcl_au cookie on the order confirmation page without consent, that is a compliance violation - even though it only fires after purchase. Consent must be obtained before the cookie is set, not after the transaction completes.

How to Add a Compliant Cookie Banner to PrestaShop

The most reliable method is to add a consent management script to your PrestaShop theme's header template. This loads the cookie banner before any other third-party scripts, giving it the ability to block non-essential cookies until the visitor makes a choice. The PrestaShop installation guide in the Kukie.io Help Centre walks through this process step by step.

In PrestaShop 1.7 and 8.x, you can inject the script snippet through the back office by navigating to Design > Theme & Logo > Pages Configuration, or by editing the header.tpl (Smarty) or head.html.twig (Symfony) template directly. Place the CMP script tag as the first element inside <head> so it initialises before Google Tag Manager, analytics, and marketing pixels.

Script Blocking and Tag Management

A proper cookie consent solution should intercept third-party scripts and prevent them from executing until the visitor grants consent for that cookie category. For PrestaShop stores using Google Tag Manager, this means the CMP must fire consent signals that GTM reads before triggering tags.

Without this integration, GTM loads all tags immediately and the banner becomes decorative rather than functional. Kukie.io supports automatic script blocking and forwards consent signals to Google Consent Mode v2, so tools like GA4 and Google Ads receive accurate consent state data.
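
The blocking behaviour described above, as an added sketch that is not Kukie.io's or PrestaShop's code: a gate that pushes a denied-by-default Consent Mode v2 state, holds third-party loaders per category, and releases them only after an explicit opt-in. The names createConsentGate, register, update and pendingCount are hypothetical; the four signal names are Google's Consent Mode v2 parameters.

```javascript
// Added sketch: hypothetical consent gate, not Kukie.io or PrestaShop code.
const dataLayer = [];
// Google's snippet pushes the `arguments` object; an array copy is used here
// only so the sketch can be inspected outside a browser.
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent Mode v2 signals grouped under the banner category that controls them.
const SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function createConsentGate() {
  const granted = new Set();   // categories the visitor has opted into
  let pending = [];            // loaders held back until their category is granted

  // Default state: every signal denied, pushed before any tag is registered.
  const defaults = {};
  for (const s of Object.values(SIGNALS).flat()) defaults[s] = 'denied';
  gtag('consent', 'default', defaults);

  return {
    // Register a third-party loader; it runs only once its category is granted.
    register(category, load) {
      if (granted.has(category)) load();
      else pending.push({ category, load });
    },
    // Apply the visitor's per-category choices (one toggle per category).
    update(choices) {
      const state = {};
      for (const [category, signals] of Object.entries(SIGNALS)) {
        const ok = choices[category] === true;  // anything but explicit true is denied
        if (ok) granted.add(category); else granted.delete(category);
        for (const s of signals) state[s] = ok ? 'granted' : 'denied';
      }
      gtag('consent', 'update', state);
      // Release held loaders in registration order; keep the rest queued.
      const ready = pending.filter(p => granted.has(p.category));
      pending = pending.filter(p => !granted.has(p.category));
      ready.forEach(p => p.load());
      return state;
    },
    pendingCount: () => pending.length,
  };
}
```

Because analytics and marketing are separate keys, a visitor who accepts only analytics leaves the pixel loader queued and the three advertising signals denied.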

Running a Cookie Audit on Your PrestaShop Store

Before configuring any consent banner, scan your store to see exactly which cookies it sets. Many merchants are surprised to discover cookies from modules they installed months ago, abandoned third-party integrations, or CDN providers.

A cookie scanner crawls your store's pages - homepage, category pages, product pages, cart, and checkout - and returns a full list of cookies with their names, domains, durations, and likely categories. This audit forms the basis for your cookie policy and your banner's category configuration.

Schedule regular scans to catch new cookies introduced by module updates or newly installed integrations. A cookie that appeared silently after a PrestaShop update could create a compliance gap you never notice.
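
A small version of that audit, as an added example rather than any scanner's actual code: it takes document.cookie snapshots captured on each page before the visitor touches the banner and reports every cookie that is not strictly necessary. The rules cover only the cookie names mentioned in this article, the function names are hypothetical, and the sample data is constructed.

```javascript
// Added example: audit pre-consent cookie snapshots (constructed data, hypothetical names).
// Patterns cover only the cookie names this article mentions; extend for your modules.
const RULES = [
  [/^PHPSESSID$/, 'necessary'],
  [/^PrestaShop-.+$/, 'necessary'],        // PrestaShop-[hash] cart/login cookie
  [/^_ga(_.+)?$/, 'analytics'],            // _ga and _ga_[ID]
  [/^_gid$/, 'analytics'],
  [/^(_fbp|fr)$/, 'marketing'],            // Meta Pixel
  [/^_gcl_au$/, 'marketing'],              // Google Ads
];

function classify(name) {
  const hit = RULES.find(([re]) => re.test(name));
  return hit ? hit[1] : 'unclassified';    // unknown names need manual review
}

// Split a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const eq = part.indexOf('=');
      return eq < 0 ? part : part.slice(0, eq);
    });
}

// snapshots: { pagePath: document.cookie captured BEFORE any banner interaction }
function auditPreConsent(snapshots) {
  const findings = [];
  for (const [page, cookieString] of Object.entries(snapshots)) {
    for (const name of cookieNames(cookieString)) {
      const category = classify(name);
      if (category !== 'necessary') findings.push({ page, name, category });
    }
  }
  return findings;
}

// Constructed sample: values are placeholders, not real identifiers.
const SAMPLE = {
  '/': 'PHPSESSID=x; PrestaShop-0123abcd=x; _ga=x; _gid=x',
  '/cart': 'PHPSESSID=x; PrestaShop-0123abcd=x; chat_widget_id=x',
  '/order-confirmation': 'PHPSESSID=x; _fbp=x; _gcl_au=x; _ga_ABC123=x',
};
console.log(auditPreConsent(SAMPLE));
```

An empty result on every crawled page is the target state; any "unclassified" entry points to a module or integration whose cookie still needs a category in the banner configuration.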

Geo-detection and Regional Consent Rules

Not every visitor to your PrestaShop store faces the same legal requirements. EU and UK visitors need prior opt-in consent under GDPR and PECR. Visitors from California require a visible opt-out mechanism under the CCPA. Visitors from Brazil fall under the LGPD, which has its own consent framework.

A CMP with geo-detection identifies the visitor's location and displays the appropriate consent experience. EU visitors see an opt-in banner with granular categories. US visitors outside California might see no banner at all, depending on your risk tolerance. This prevents consent fatigue for visitors in jurisdictions with lighter requirements while keeping you compliant where the rules are strict.

Frequently Asked Questions

Does PrestaShop's built-in GDPR module handle cookie consent?

No. The built-in module addresses data subject rights like access and deletion requests. It does not scan for cookies, block scripts, or display a consent banner with category-level choices.

Which PrestaShop cookies are strictly necessary and exempt from consent?

Session cookies like PHPSESSID and the PrestaShop-[hash] cart and login cookie are strictly necessary. Language, currency, and checkout session cookies also qualify. Analytics, marketing, and advertising cookies always require consent.

Do I need cookie consent for payment gateway cookies at checkout?

Fraud-prevention cookies set by payment gateways are generally considered strictly necessary. Any analytics or advertising cookies set by the same provider during checkout still require prior consent.

How do I add a cookie banner to PrestaShop 8?

Add a CMP script tag to your theme's <head> section, either through the back office theme editor or by editing head.html.twig directly. The script must load before any third-party analytics or marketing tags.

Can I use Google Consent Mode v2 with PrestaShop?

Yes, provided your CMP supports it. The consent management platform must send default and updated consent signals to Google's gtag or GTM dataLayer so that GA4 and Google Ads respect the visitor's choices.

How often should I scan my PrestaShop store for new cookies?

Run a scan after every module installation, theme update, or new third-party integration. Scheduling a monthly automated scan catches changes you might otherwise miss.

Take Control of Your Cookie Compliance

If you are not sure which cookies your PrestaShop store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
