GDPR compliance is mandatory for all online stores targeting European Union customers. For PrestaShop merchants, this means implementing proper cookie consent, data processing transparency, and Google Consent Mode v2. This guide covers everything you need to be compliant in 2026.
What is GDPR and Why Does It Matter for PrestaShop?
The General Data Protection Regulation (GDPR) requires that EU merchants obtain explicit consent before collecting personal data or setting non-essential cookies. Violations can result in fines up to 4% of global annual revenue.
Google Consent Mode v2
As of March 2024, Google requires all advertisers using Google Ads or Analytics to implement Consent Mode v2. Without it, your Google Ads remarketing and conversion tracking will not work properly for EU visitors.
What Consent Mode v2 Does
- Adjusts Google tag behavior based on user consent choices
- Uses modeling to estimate conversions when consent is withheld
- Required for EU users to maintain ad measurement accuracy
GDPR Requirements for PrestaShop Stores
- Cookie consent banner — clearly inform users about cookie usage before any non-essential cookies are set
- Granular consent — separate consent for analytics, marketing, and functional cookies
- Privacy Policy page — accessible from all pages, explaining data processing
- Right to access/delete — customers must be able to request their data or deletion
- Data retention policy — define how long you keep customer data
PrestaShop GDPR Modules
PrestaShop includes a built-in Official GDPR module (available on PrestaShop Addons) that handles:
- Customer data access and deletion requests from the account area
- Consent checkboxes on contact forms and registration
- Data processing log
For cookie consent with Consent Mode v2, you will need a dedicated cookie consent module that integrates with Google Tag Manager.
Checklist: GDPR Compliance for PrestaShop
| Task | Status |
|---|---|
| Cookie consent banner implemented | Required |
| Google Consent Mode v2 configured | Required for Ads/GA |
| Privacy Policy page published | Required |
| Customer data deletion workflow | Required |
| SSL/HTTPS on all pages | Required |
| Data retention policy documented | Required |
Setting Up Google Consent Mode v2 on PrestaShop
Google Consent Mode v2 is required for all merchants using Google Ads or Google Analytics who receive traffic from EU/EEA users. The setup involves three parts: a cookie consent banner, Google Tag Manager, and the Consent Mode configuration.
Step-by-Step Setup via Google Tag Manager
- Install a GDPR cookie consent module on PrestaShop that supports Consent Mode v2 signals (look for modules that set `gtag('consent', ...)`)
- Create a GTM account and add the GTM container code to your PrestaShop theme
- In GTM, create a Consent Initialization trigger that fires before all other tags
- Set default consent state for EU users:

  ```javascript
  // Deny all four Consent Mode v2 signals by default for EU/EEA visitors.
  gtag("consent", "default", {
    "analytics_storage": "denied",
    "ad_storage": "denied",
    "ad_user_data": "denied",
    "ad_personalization": "denied",
    "region": ["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","HR",
               "IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT",
               "RO","SI","SK","FI","SE","NO","IS","LI"]
  });
  ```
- Your consent module updates consent state when the user accepts or rejects:

  ```javascript
  // Example: the user accepted all categories. A signal left out of an
  // update keeps its previous state, so all four are sent.
  gtag("consent", "update", {
    "analytics_storage": "granted",
    "ad_storage": "granted",
    "ad_user_data": "granted",
    "ad_personalization": "granted"
  });
  ```
- Enable Google Analytics 4 Consent Mode in your GA4 property settings
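To check the setup described in these steps, the following added example (not code from a PrestaShop module or from Google) maps banner categories to the four Consent Mode v2 signals and audits captured dataLayer entries for a tag pushed before the consent default or an update that omits a signal. The function names, the `analytics`/`marketing` category names, the sample entries and the placeholder ID `G-XXXXXXXXXX` are assumptions, and the audit treats deny-by-default as the expected state.

```javascript
// Added example, not from the page: function and category names are assumptions.
const V2_SIGNALS = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];

// Map banner choices (assumed categories: analytics, marketing) to an update payload.
function consentUpdateFromChoices(choices) {
  const state = (ok) => (ok === true ? "granted" : "denied"); // anything but true is denied
  return {
    analytics_storage: state(choices.analytics),
    ad_storage: state(choices.marketing),
    ad_user_data: state(choices.marketing),
    ad_personalization: state(choices.marketing),
  };
}

// Audit gtag-style dataLayer entries (array-like: [command, action, params]).
function auditDataLayer(entries) {
  const problems = [];
  let defaultSeen = false;
  for (const raw of entries) {
    const [command, action, params = {}] = Array.from(raw || []);
    if (command === "consent" && action === "default") {
      defaultSeen = true;
      for (const key of V2_SIGNALS) {
        if (params[key] !== "denied") problems.push(`default: ${key} is not "denied"`);
      }
    } else if (command === "consent" && action === "update") {
      if (!defaultSeen) problems.push("update pushed before any default");
      for (const key of V2_SIGNALS) {
        if (!(key in params)) problems.push(`update: ${key} missing, keeps its previous state`);
      }
    } else if ((command === "config" || command === "event") && !defaultSeen) {
      problems.push(`${command} pushed before consent default`);
    }
  }
  if (!defaultSeen) problems.push("no consent default found");
  return problems;
}

// Constructed sample: a tag is configured too early and the update omits two signals.
const sampleLayer = [
  ["config", "G-XXXXXXXXXX"],
  ["consent", "default", { analytics_storage: "denied", ad_storage: "denied",
    ad_user_data: "denied", ad_personalization: "denied" }],
  ["consent", "update", { analytics_storage: "granted", ad_storage: "granted" }],
];
console.log(auditDataLayer(sampleLayer));
console.log(consentUpdateFromChoices({ analytics: true, marketing: false }));
```

In a browser, the same audit can be run over `window.dataLayer` from the developer console after interacting with the banner.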
Expanded GDPR Compliance Checklist
| Requirement | Status | Where to Configure |
|---|---|---|
| Cookie consent banner | Required | GDPR module |
| Granular consent (analytics, marketing, functional) | Required | GDPR module settings |
| Google Consent Mode v2 | Required if using Google Ads/GA | GTM + consent module |
| Privacy Policy page | Required | CMS pages → Privacy Policy |
| Terms & Conditions page | Required | CMS pages → T&Cs |
| Customer data deletion request workflow | Required | GDPR module → Customer account |
| Data access request workflow | Required | GDPR module → Customer account |
| Data retention policy | Required | Document internally |
| SSL/HTTPS on all pages | Required | Hosting + PS Settings → General |
| Breach notification procedure | Required | Internal process documentation |
Legal FAQ
Do I need cookie consent for Google Analytics?
Yes, if you use Google Analytics with full tracking capabilities for EU users. However, with Consent Mode v2 properly configured, Google can model conversions even when consent is denied, so your analytics are not completely blind for non-consenting users.
Can I use pre-ticked consent boxes?
No. Under GDPR, consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes do not constitute valid consent. Users must actively tick the box or click "Accept" themselves.
What is "legitimate interest" and when can I use it?
Legitimate interest is a legal basis alternative to consent, allowed for certain processing activities (e.g., fraud prevention, direct marketing to existing customers). It does NOT apply to advertising cookies or tracking technologies — these always require explicit consent.
How long can I store customer data?
GDPR does not set a fixed retention period. You must define what is necessary for your business purpose. Common practice: order data for 10 years (accounting requirements), inactive customer accounts for 3-5 years, then delete or anonymize.
What must I do if there is a data breach?
If the breach risks the rights and freedoms of individuals, you must notify your national data protection authority within 72 hours of becoming aware of it. If the breach is likely to result in high risk to individuals, you must also notify the affected individuals directly without undue delay.