GDPR and cookie optimization for Magento


With the introduction of GDPR, it is important to correctly apply the basic principles of user consent to existing and new websites. Basically, a Belgian e-commerce website should have a cookie policy that is fully compliant with the latest (stricter) rules of Europe.

Would you like help setting up a cookie policy and cookie banner for Magento in accordance with the rules of GDPR? Then feel free to read on!


What are cookies?

Cookies are small text files that a website places on your computer, tablet, cell phone or almost any device with a browser. In these files, for example, information about your session is stored. This means you do not have to log in every time you refresh the page. Or, the cookies can be used to track user behavior and clicks, for analytical or marketing purposes.

As you may have noticed, there are different types of cookies. You will find different formats and categories on numerous websites. We classify them as follows:

Functional cookies
These are necessary to guarantee an enjoyable experience on the website or the online shop. Think of remembering a session after logging in, or linking a shopping cart to your session. Without these types of cookies, a website or e-commerce platform can be difficult to use or may not work correctly.

Analytical cookies
The administrators of websites also want to know how people use their website. They can do this using analytical tools such as Google Analytics or Hotjar. These tools place cookies to track a session and to send data correctly to their servers. With this data, a webmaster or digital marketer can view how the website is being used in an anonymized way and formulate adjustments or improvements.

Marketing cookies
Why is it that after visiting a product on an e-commerce website you suddenly see that product on Facebook or your favorite news website? Because of marketing cookies. They keep track of your surfing behavior and share that data with marketing tools like Google Ads. With this data, those tools try to show you highly personalized advertising. This way you get to see shoes just about everywhere after you've visited an e-commerce platform with sneakers.

Not all cookies have the same purpose. And with the introduction of GDPR and the stricter rules on privacy, it is important to break them down and ask permission from the user - you - whether the cookie can be placed or not.

Consent required: for which cookies?

The non-functional cookies, analytical and marketing cookies, are not necessary for the website to function properly. In this regard, they are unnecessary and are often used to collect user data. Therefore, the administrator of the website is obliged to ask permission to place them. The idea behind this is that visitors are more aware of the information that is collected from them.

You only have to give permission once, unless you delete the functional cookie that stores the permission. This cookie usually has an extended lifespan which is indicated in the cookie policy.

Just as with the functional cookie that stores your permission, the administrator of the website must also indicate what he/she will do with that data. The rules are strict: the user must be informed of the consequences of accepting the cookies.

Magento and cookies. Basic setup, room for optimizations.

We have a lot of experience with Magento and we have noticed that the way Magento deals with cookies complies with the requirements of GDPR. However, there's still much room for optimizations: for example, it isn't easy to determine per cookie or tool which group it belongs to. At PHPro, we have developed several solutions that will make your webshop instantly compliant. Together we look at the tools you want to use, what type of tools they are, and we configure the Magento cookie policy and privacy policy to be fully in line with the guidelines.

So we make sure that your cookies and how they work are clearly shown to visitors. We allow them to review the cookies, give or withdraw their consent, and find out more about them.


Explain what you are doing and what you are going to do

You can find this explanation in the cookie policy. This is a comprehensive document that indicates who collects data, what will happen with the data, how this is done and so on. The goal is to give you as a user a complete, clear and unambiguous picture of the consent you give or do not give.

  • Identity of the organization
    • Name of the organization (company name)
    • Full, physical address of the organization
    • VAT number
    • Other contact details such as an e-mail address and/or a telephone number


  • What cookies do you place?
    • What type of cookie is it?
    • Why do you place these cookies? (purposes)
    • Who places the cookie? You or a third party? (And refer to the cookie policy of that third party)
    • What is the lifespan of each cookie?

You have to give a lot of information and this is a tough exercise, especially the first time. Allow yourself to be guided by our experts, for example. Once you have the list, you only need to update it when you make changes.

Request permission. How do you do that?

There are several ways to ask permission for the use of cookies. Which one is best for your website or webshop is up to you. Below we give some good examples that you can consider.

Cookie wall

The cookie wall is an overlay which is visible immediately when loading a website and requires you to make a choice about the cookies before you can continue to browse the website. Although this seems like an 'invasive' way to obtain the necessary permissions, it is certainly not a bad one. It ensures that users know immediately that you are working with cookies and it immediately points them in the right direction for more information.

However, it is less user-friendly because it prevents the user from seeing the content he or she wants to see. It is usually used when a website depends on advertising revenue and proper permissions are required. Some websites even go so far as to prevent further use of the website if you only accept functional cookies. Our advice? Test well and above all think "user experience first".


Cookie bar with clear call-to-action

The cookie bar or cookie banner is a more subtle way to request permissions for cookies. It can often be found at the bottom or top of the page, large enough to be visible, but it certainly doesn't get in the user's way like a cookie wall. The text should be clear and unambiguous, and so should the buttons you offer: one to accept and one to reject or set preferences.

With this method of working, it may happen that the user does not make any choice at all, so you can only place functional cookies. As a result, it is possible that you may lose analytical and marketing data. Our advice? It is the most commonly used format and users by now know what to do.

Pop-ups and small windows

This third version is an alternative to the cookie bar. If the cookie banner and the cookie wall don't fit in the design, you can also choose a pop-up or a small window in the corner of the screen. Similar to the cookie banner, it is not disturbing, but it is clearly visible next to or over part of the content.

Our advice is the same as for the cookie banner: make sure you have unambiguous texts and buttons and make sure you let users choose their own preferences.

Scrolling is consent? That's not how you do it.

We have just discussed how you can ask for permission. And, frankly, it's not that difficult; only the consequences can be unpleasant for marketers and operators of websites. They lose a lot of data and fear that their data will not be sufficiently representative.

Many websites, especially older websites, are missing the request for permission. However, some websites deliberately start applying 'implicit permission'. This means that the user agrees to all cookies without clicking anywhere, simply by using the website. They often show a text at the top or bottom of the page, but this disappears as soon as you scroll or stay on the website for a certain time.

This is not allowed, so don't do it. With one exception: if you only place functional cookies.

Since the adoption of GDPR, cookies and privacy have become a popular topic for all our customers. We advise them to follow the legislation and we help them to create good copy, clear buttons and nice designs in order not to scare users and - on the contrary - convince them to allow cookies. We also know from experience that the loss of data is a legitimate fear for (digital) marketers and e-commerce managers, but with the right elements and designs you can convince the majority of users to still allow analytical and marketing related cookies.

Want to know more about GDPR on your website?

Want to know more about GDPR and cookies? Or are you looking for the best way to deal with them on your e-commerce platform or website? We are happy to share our experiences with you.