ConsentPixel – Privacy · Verified

Magento · Adobe Commerce ⚡ No Extension Required

Cookie Consent for Magento & Adobe Commerce That Actually Works.

Magento's built-in Cookie Restriction Mode displays a notice bar while every tracking script on your store continues firing in the background. Google Analytics, Meta Pixel, Adobe Analytics, session-replay tools, marketing automation — all transmitting visitor data without consent. ConsentPixel fixes this with one script tag. No extension. No Adobe Marketplace installation. No PHP.

Magento Open Source & Adobe Commerce
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
Multi-store support
€20M: Max GDPR fine — or 4% of global annual revenue
$5,000: Per-visitor CIPA exposure from checkout session-replay
19: US states with active privacy laws in 2026
5 min: To install ConsentPixel on any Magento store

Why Magento Stores Face Serious Privacy Exposure

Magento and Adobe Commerce power some of the most complex eCommerce operations in the world — mid-market and enterprise brands with sophisticated marketing stacks, extensive analytics configurations, and often international multi-store architectures. That power comes with a compliance challenge that simpler platforms do not face to the same degree: a typical Magento store runs more third-party integrations, with more data sharing, across more jurisdictions, than almost any other eCommerce platform.

The tracking stack on an enterprise Magento store often includes: Google Analytics 4 via a dedicated extension, Google Tag Manager with dozens of tags, Adobe Analytics (for Adobe Commerce merchants in the Experience Cloud), Meta Pixel, TikTok, Microsoft Ads UET, Klaviyo or Dotdigital for email marketing, Hotjar or FullStory for session analysis, and a CRM integration — all firing by default on every page, for every visitor, without consent gating.

⚠️
Magento's Cookie Restriction Mode is not a compliance mechanism. It is a notice bar. While it displays, every third-party script on your store continues executing — Google Analytics loads, Meta Pixel fires, session-replay records your checkout. Magento's own documentation advises merchants to consult legal counsel for GDPR compliance beyond this basic notice. The notice does not block any script, pass any GCM v2 signal, log any consent event, or honour any GPC browser signal. For any store serving EU or California visitors, it provides zero legal protection.

Cookie Restriction Mode is enabled under Stores → Configuration → General → Web → Default Cookie Settings → Cookie Restriction Mode. Understanding exactly where it falls short is important for any compliance conversation with a Magento developer or agency.

✗ Not GDPR Compliant Magento Cookie Restriction Mode — four critical gaps

Cookie Restriction Mode was built to satisfy a basic EU cookie law notice requirement — not the GDPR consent standard that has been in force since 2018, and certainly not the technical requirements of US state privacy laws enacted in 2022–2026.

✗ No script blocking

All registered tracking extensions — GA4, Meta Pixel, GTM tags — continue executing the moment a visitor lands, before and regardless of any interaction with the notice bar.

✗ No Google Consent Mode v2

Cookie Restriction Mode passes no GCM v2 parameters to Google tags. EU/UK visitors who decline are invisible to your campaigns, conversion modelling, and smart bidding.

✗ No GPC signal detection

Cookie Restriction Mode cannot read the Global Privacy Control browser signal. California, Colorado, Virginia, and Connecticut visitors with GPC active are not automatically opted out.

✗ No consent audit log

No record of when visitors interacted with the notice, what they were shown, or what they chose. Under GDPR's accountability principle, you cannot demonstrate consent was obtained.

Trackers Commonly Running on Magento Stores

These are the tracking tools found most frequently across Magento and Adobe Commerce stores — installed via extensions from the Adobe Commerce Marketplace, via GTM, or via direct theme integration — and the specific privacy law exposure each creates.

📊
Google Analytics 4
GDPR · CCPA · GCM v2
Typically installed via a dedicated Magento extension (WeltPixel, Amasty, MageByteSoft) or via GTM. Must not fire before GDPR consent. Requires all four GCM v2 parameters for EEA/UK visitors.
🔖
Google Tag Manager
GDPR · GCM v2 Dependency
GTM containers on Magento can hold 50+ tags. GCM v2 default block must fire in the document head before GTM loads — not inside an extension's output.
📘
Meta Pixel
GDPR · CCPA · CIPA
Captures add-to-cart, checkout initiation, purchase, and search events. Shares transaction data with Meta's ad network — a major GDPR lawful basis concern for EU stores.
🔥
Hotjar / Clarity / FullStory
GDPR · CIPA
Session-replay on Magento checkout is the highest-risk CIPA configuration. $5,000/visitor exposure. FullStory cases (Bloomingdale's, Nike) are the definitive warning.
🎨
Adobe Analytics
GDPR · CCPA
Adobe Commerce merchants integrated with Adobe Experience Cloud run Adobe Analytics alongside GA4. Both require consent gating for EU visitors.
📧
Klaviyo / Dotdigital
GDPR · CCPA
Email marketing integrations install onsite tracking scripts that identify visitors and build behavioural profiles before consent is established.
🎵
TikTok Pixel
GDPR · CCPA
Increasingly common on Magento fashion, beauty, and consumer goods stores. Under elevated regulatory scrutiny for cross-border data transfers in 2026.
🔍
Algolia / Elasticsearch
GDPR
Magento search extensions using Algolia transmit search queries and behavioural data to Algolia's servers — third-party personal data transfer requiring a lawful basis.
Yotpo / Trustpilot
GDPR · CCPA
Reviews and UGC platform widgets inject tracking scripts. Often overlooked when auditing consent configurations on Magento stores.

Magento Cookie Restriction Mode vs. ConsentPixel

Capability | Magento Cookie Restriction Mode | ConsentPixel
Technically blocks scripts before consent | ✗ No — notice only | ✓ Always
Google Consent Mode v2 (all 4 parameters) | ✗ No | ✓ All plans
Global Privacy Control (GPC) detection | ✗ No | ✓ Auto-detected
Multi-store per-channel configuration | ✗ No | ✓ Full support
CIPA session-replay blocking on checkout | ✗ No | ✓ Yes
US state law opt-out (19 states) | ✗ No | ✓ All plans
Consent audit log (timestamped) | ✗ No | ✓ All plans
Automatic tracker scanning | ✗ No | ✓ Continuous
Reject All at first layer (dark pattern-free) | ✗ No Reject option | ✓ Always equal to Accept
No Magento extension required | N/A | ✓ One script tag

See exactly what fires on your Magento store before consent

ConsentPixel scans your store in a fresh session — no cache, no prior consent — and shows every script firing before your visitors have any opportunity to accept or decline.


How to Install ConsentPixel on Magento

ConsentPixel installs on Magento as a single script tag in the document head — no Adobe Commerce Marketplace extension, no Composer package, no PHP deployment. There are two approaches depending on your store's theme and developer access level. Both take under five minutes.

1. Create your ConsentPixel account and scan your store

Sign up at consentpixel.com, add your Magento store domain, and run the auto-scanner. ConsentPixel maps every tracker and cookie across your store — including those installed via Magento extensions, GTM containers, and third-party integrations. Copy your unique pixel snippet from the dashboard.

For multi-store or multi-website Magento setups, create a separate site in ConsentPixel for each store view or website that requires its own consent configuration, and generate the corresponding pixel snippet for each.

2. Method A — Layout XML (recommended for developers)

Add the ConsentPixel snippet to your theme's default_head_blocks.xml file. This ensures it loads before all other scripts on every page, including before GTM and any GA4 extension output. Create or edit the file at:

app/design/frontend/{Vendor}/{theme}/Magento_Theme/layout/default_head_blocks.xml
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
  <head>
    <!-- ConsentPixel — must be first script in head; src_type="url" marks an external URL rather than a theme asset -->
    <script src="https://pixel.consentpixel.com/YOUR-SITE-ID.js" src_type="url" async="true"/>
  </head>
</page>

After saving, run bin/magento cache:flush and bin/magento setup:static-content:deploy to apply the change.

3. Method B — Admin HTML Head Scripts (no developer access needed)

In the Magento admin, navigate to Content → Design → Configuration. Select your store view and click Edit. Under HTML Head → Scripts and Style Sheets, paste the ConsentPixel snippet. Save the configuration and flush the cache.

Admin → Content → Design → Configuration → HTML Head → Scripts and Style Sheets
<!-- ConsentPixel — paste as the first script -->
<script src="https://pixel.consentpixel.com/YOUR-SITE-ID.js" async></script>

If your store uses Varnish caching, purge the Varnish cache after saving. For multi-store setups, apply the appropriate snippet to each store view from the store view scope in Design Configuration.

4. Confirm load order — ConsentPixel before GTM and all Google extensions

The critical requirement is that ConsentPixel loads before any Google tag. In particular: if you use a Magento GTM extension (MagePal, Mirasvit, WeltPixel), that extension typically injects the GTM container snippet via a layout XML block. ConsentPixel must appear earlier in the head than that block.

Use the Layout XML method (Method A) and verify load order by opening DevTools → Network → filter for gtm.js and your ConsentPixel domain. ConsentPixel's domain must appear first in the waterfall — before googletagmanager.com, before google-analytics.com, before any advertising pixel.

5. Register your extensions and configure Google Consent Mode v2

In the ConsentPixel dashboard, register each Magento extension and third-party integration by category: Analytics (GA4, Adobe Analytics), Marketing (Meta Pixel, TikTok, Klaviyo), Functional (live chat, search widgets), and Session Recording (Hotjar, Clarity, FullStory).

Enable Google Consent Mode v2. ConsentPixel automatically injects all four GCM v2 parameters before any Google tag loads — protecting your Google Shopping and Google Ads conversion measurement for EU and UK visitors. This works regardless of which Magento GA4 extension you use, because ConsentPixel fires the default block at the head level before any extension output reaches the browser.

6. Verify and disable Magento's Cookie Restriction Mode

Once ConsentPixel is live and verified, disable Magento's native Cookie Restriction Mode to prevent two banners appearing simultaneously. Go to Stores → Configuration → General → Web → Default Cookie Settings → Cookie Restriction Mode → No. Flush the cache. Verify in incognito that only the ConsentPixel banner appears and no scripts fire before interaction.
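
The waterfall checks in steps 4 and 6 can be repeated on every deployment by exporting a HAR file from DevTools → Network in a fresh incognito session and auditing it with a script. The following is an added example, not ConsentPixel's or Magento's own code; the tracker host list, the function names, and the sample capture are assumptions made for illustration.

```javascript
// Added example: audit a DevTools HAR export recorded in a fresh session
// without touching the banner. TRACKER_HOSTS is an assumed, partial list.
const CONSENT_HOST = "pixel.consentpixel.com"; // host from the page's snippet
const TRACKER_HOSTS = [
  "googletagmanager.com", "google-analytics.com", "connect.facebook.net",
  "static.hotjar.com", "clarity.ms", "fullstory.com",
];

// True when host is the domain itself or one of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns which tracker requests started before the consent script was
// requested, plus every tracker request seen in the capture.
function auditHar(har, consentHost = CONSENT_HOST, trackers = TRACKER_HOSTS) {
  const entries = har.log.entries
    .map((e) => ({
      url: e.request.url,
      host: new URL(e.request.url).hostname,
      started: Date.parse(e.startedDateTime),
    }))
    .sort((a, b) => a.started - b.started);
  const isTracker = (e) => trackers.some((d) => hostMatches(e.host, d));
  const consent = entries.find((e) => hostMatches(e.host, consentHost));
  // With no consent script at all, every tracker request counts as "before".
  const cutoff = consent ? consent.started : Infinity;
  return {
    consentSeen: Boolean(consent),
    beforeConsentScript: entries.filter((e) => isTracker(e) && e.started < cutoff).map((e) => e.url),
    trackerRequests: entries.filter(isTracker).map((e) => e.url),
  };
}

// Constructed sample capture (not taken from a real store).
const harEntry = (url, startedDateTime) => ({ startedDateTime, request: { url } });
const sampleHar = { log: { entries: [
  harEntry("https://shop.example/", "2026-01-10T10:00:00.000Z"),
  harEntry("https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX", "2026-01-10T10:00:00.120Z"),
  harEntry("https://pixel.consentpixel.com/YOUR-SITE-ID.js", "2026-01-10T10:00:00.180Z"),
  harEntry("https://www.google-analytics.com/g/collect?v=2", "2026-01-10T10:00:00.400Z"),
] } };

const report = auditHar(sampleHar);
console.log("consent script requested:", report.consentSeen);
for (const url of report.beforeConsentScript) console.log("started before consent script:", url);
console.log("tracker requests in capture:", report.trackerRequests.length);
```

An empty beforeConsentScript list confirms the ordering from step 4; trackerRequests lists every tracker hit in a capture where the banner was never touched, which is what step 6 asks you to review.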

💡
Using a Magento GA4 extension that claims GCM v2 support? Many Magento GA4 extensions advertise GCM v2 compliance — but most inject the consent default block via a layout block that fires after the GTM container has already loaded. This means GTM reads a fully loaded page before receiving the denied consent state. ConsentPixel fires at the absolute head level, before any extension output, ensuring the correct firing sequence. You can run both simultaneously — ConsentPixel handles the consent layer; your GA4 extension handles the eCommerce tracking once consent is granted.
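
The dataLayer array records commands in the order they actually executed, so a snapshot of it shows whether the consent default reached Google's tags before the GTM container started. The check below is an added example, not code from ConsentPixel or any Magento extension; it assumes an opt-in (EEA/UK) store view where all four parameters must default to denied, and its function names and sample snapshots are constructed for illustration.

```javascript
// Added example: check a dataLayer snapshot for Consent Mode v2 ordering.
// Assumes an opt-in (EEA/UK) store view where every signal defaults to denied.
const GCM_V2_PARAMS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// gtag() pushes its `arguments` object, so accept arrays and array-likes.
function asConsentCommand(item) {
  if (item && typeof item === "object" && item[0] === "consent") {
    return { type: item[1], settings: item[2] || {} };
  }
  return null;
}

// Returns a list of problems; empty means the default was queued before the
// GTM container started and sets all four parameters to "denied".
function checkConsentOrder(dataLayer) {
  const items = Array.from(dataLayer);
  const defaultIdx = items.findIndex((i) => asConsentCommand(i)?.type === "default");
  if (defaultIdx === -1) return ["no consent default command found"];
  const problems = [];
  const gtmIdx = items.findIndex((i) => i && i.event === "gtm.js");
  if (gtmIdx !== -1 && gtmIdx < defaultIdx) {
    problems.push("gtm.js started before the consent default was set");
  }
  const { settings } = asConsentCommand(items[defaultIdx]);
  for (const param of GCM_V2_PARAMS) {
    if (!(param in settings)) problems.push(`default is missing ${param}`);
    else if (settings[param] !== "denied") problems.push(`${param} defaults to ${settings[param]}`);
  }
  return problems;
}

// Constructed snapshots built the way the Google snippets populate dataLayer.
function makeLayer(consentFirst) {
  const layer = [];
  function gtag() { layer.push(arguments); }
  const setDefault = () => gtag("consent", "default", {
    ad_storage: "denied", ad_user_data: "denied",
    ad_personalization: "denied", analytics_storage: "denied",
  });
  const startGtm = () => layer.push({ "gtm.start": Date.now(), event: "gtm.js" });
  if (consentFirst) { setDefault(); startGtm(); } else { startGtm(); setDefault(); }
  return layer;
}

console.log("consent first:", checkConsentOrder(makeLayer(true)));
console.log("GTM first:", checkConsentOrder(makeLayer(false)));
```

To run it against a live store view, paste checkConsentOrder into the DevTools console on a fresh incognito load and call it with window.dataLayer.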

What ConsentPixel Does for Your Magento Store

🛡️

True pre-consent script blocking

Every registered integration is held at head level — product pages, category pages, checkout, order confirmation, CMS pages. Nothing fires before the visitor's consent state is established. Replaces Cookie Restriction Mode with actual blocking.

🌐

Multi-store per-view consent

Each Magento store view gets its own consent configuration. GDPR opt-in for EU store views, CCPA opt-out for US stores, UK GDPR for British views — managed centrally, applied automatically per store view.

📡

Google Consent Mode v2 — correct firing order

ConsentPixel fires all four GCM v2 parameters at document head level — before any Magento extension output, before GTM, before GA4. The only CMP that guarantees correct firing sequence regardless of extension load order.

🔥

Session-replay blocking on checkout

Hotjar, Clarity, FullStory, and Lucky Orange are blocked until explicit consent — eliminating $5,000/visitor CIPA checkout exposure. Consent-gates recording scope on all Magento checkout, account, and form pages.

📋

Consent audit log per store view

Every consent decision is timestamped with banner version, category choices, and signal source. Maintained per store view for jurisdiction-specific audit records. Exportable for GDPR accountability documentation.

🔍

Continuous extension scanning

ConsentPixel scans your store on a schedule and alerts you when new trackers appear — including those introduced by Magento extension updates or new GTM tag deployments. Your consent configuration stays current automatically.

Magento Privacy Compliance Checklist (2026)

📋 Magento / Adobe Commerce Compliance Checklist — 2026 (13 items)
Audit every tracker on your Magento store: Check all installed extensions, GTM tags, custom theme scripts, and third-party integrations — not just the obvious ones
Confirm no scripts fire before consent on a fresh incognito session: DevTools → Network tab — GA4, Meta Pixel, GTM must not appear in waterfall before banner interaction
Disable Magento Cookie Restriction Mode if deploying ConsentPixel: Stores → Configuration → General → Web → Default Cookie Settings → Cookie Restriction Mode → No
Verify ConsentPixel loads before GTM and all Google extensions: ConsentPixel domain must precede googletagmanager.com in the Network waterfall — check in DevTools after deployment
Configure Google Consent Mode v2 with all four parameters: Required for EEA/UK Google Ads and Google Shopping — must fire before GTM loads, not inside a Magento extension
Configure per-store-view consent rules for each jurisdiction: Each Magento store view serving a different regulatory market needs its own consent configuration
Block session-replay tools on checkout and account pages: $5,000/visitor CIPA exposure — Hotjar, Clarity, FullStory must never run on checkout without prior explicit consent
Add "Do Not Sell or Share" opt-out for US visitors: Required for California and effectively all 19 US state privacy laws in 2026
Implement GPC browser signal recognition: Mandatory in California, Colorado, Virginia, and Connecticut — must auto-honour without requiring visitor interaction
Review Adobe Analytics data transfers if using Adobe Experience Cloud: Adobe Commerce merchants must ensure Analytics Cloud data transfers comply with GDPR SCCs or EU-US DPF
Audit Algolia or other search extension data flows: Search queries transmitted to third-party servers constitute personal data transfers requiring a lawful basis
Update privacy policy to disclose all extensions and third-party recipients: Name GA4, GTM, Meta, Adobe Analytics, Klaviyo, Algolia, reviews platforms as data recipients
Enable per-store-view consent logging: Timestamped, jurisdiction-specific consent records per store view — required under GDPR's accountability principle

Frequently Asked Questions

Magento includes Cookie Restriction Mode, which displays a notice bar. It is not GDPR compliant — it does not block scripts, pass GCM v2 parameters, detect GPC signals, provide granular category consent, or maintain a consent audit log. Magento's own documentation recommends consulting legal counsel for GDPR compliance beyond this basic notice. Any store serving EU visitors needs a proper consent management solution with actual script blocking.
Add the ConsentPixel script tag to your theme's default_head_blocks.xml file as the first entry in the head block — before any GTM or GA4 extension output. Alternatively, paste it via Admin → Content → Design → Configuration → HTML Head → Scripts and Style Sheets. No Composer package, no Magento Marketplace installation, no PHP required. For multi-store setups, apply the store-view-specific snippet to each view via the store view scope in Design Configuration.
Yes — if your Magento store uses Hotjar, Clarity, FullStory, or any session-replay tool and receives visitors from California, CIPA applies. The Bloomingdale's and Nike FullStory cases demonstrate that enterprise retailers — organisations with full legal teams — still saw CIPA claims survive to trial because session-replay ran on checkout pages without prior consent. $5,000 per affected California visitor, no proof of harm required. ConsentPixel blocks all session-replay scripts until explicit consent is given.
Yes — ConsentPixel fully supports Magento's multi-store and multi-website architecture. Each store view gets its own pixel snippet and consent configuration. GDPR opt-in for EU store views, CCPA opt-out for US stores, UK GDPR for British views — all managed from a single ConsentPixel dashboard with separate consent logs per store view for jurisdiction-specific audit records.
The critical distinction is firing order. Most Magento GA4 extensions inject the GCM v2 default block via a layout XML block — which fires after the GTM container has already loaded. GTM reads the page before receiving the denied consent state, which means it does not correctly enter restricted mode for non-consenting visitors. ConsentPixel fires at document head level, before any extension output reaches the browser. You can run both: ConsentPixel handles the consent layer and GCM v2 default block; your GA4 extension handles eCommerce event tracking once consent is granted.
No. ConsentPixel is a single lightweight async script served from Cloudflare's global edge network with sub-50ms load times. For non-consenting visitors it actually improves Time to Interactive by blocking multiple heavy third-party scripts — a typical enterprise Magento store can carry 20+ extension-injected scripts that would otherwise all fire on load. Blocking these by consent state meaningfully reduces page weight for declined visitors.

Magento & Adobe Commerce Compliance — Open Source or Enterprise

Your extensions. Your customers.
Actually protected.

One script tag in your Magento head — before GTM, before GA4, before everything. No extension. No Marketplace installation. Full GDPR, CCPA, CIPA, and 19-state US compliance — with multi-store support, correct GCM v2 firing order, and session-replay protection on checkout.
