DataFirefly Cookie Consent for Shopware 6 — Documentation
GDPR/CNIL banner for Shopware 6 with native Google Consent Mode v2, real tracker audit and cryptographically protected audit log.
Overview
DataFirefly Cookie Consent is a Shopware 6 plugin that fully replaces the native cookie banner with a modern GDPR/CNIL/Garante Privacy compliant system, with native Google Consent Mode v2, real tracker auditing, and a cryptographically protected audit log for consent evidence.
Requirements and compatibility
- Shopware 6.6.x or 6.7.x (composer constraint
~6.6.0||~6.7.0) - PHP 8.2 or higher
- Self-hosted installation (the plugin does not work on Shopware Cloud SaaS)
- HTTPS recommended in production (the Secure cookie flag is only added on HTTPS)
- Cloudflare recommended for optimal EEA detection (CF-IPCountry), but not required
Installation
Installation via ZIP upload (recommended)
- Download
DataFireflyCookieConsent-1.0.1.zipfrom your DataFirefly customer account - In the Shopware admin, go to Extensions → My Extensions → Upload extension
- Select the ZIP file and confirm
- Click Install then Activate
- Clear the cache:
bin/console cache:clear - Recompile the theme:
bin/console theme:compile
Installation via Composer (CLI)
cd /var/www/shopware
# Unzip into custom/plugins/
unzip DataFireflyCookieConsent-1.0.1.zip -d custom/plugins/
# Refresh list, install, activate
bin/console plugin:refresh
bin/console plugin:install --activate DataFireflyCookieConsent
bin/console cache:clear
bin/console theme:compile
Resources/app/storefront/dist/. You do not need to run build-storefront.sh for the banner to work.General configuration
All configuration is done from Extensions → My Extensions → DataFirefly Cookie Consent → ⋮ → Configure. Options are scopable per sales channel (select the channel at the top of the config page).
General section
- Enabled: enables or disables the plugin entirely (Shopware’s native banner takes over when disabled)
- Policy version: version of your privacy policy (default
1.0). Increment it when you change your policy to force re-consent - Policy URL: URL to your privacy policy page (shown as a link in the banner)
- Respect Do Not Track: if enabled, automatically rejects cookies for visitors with DNT enabled in their browser
Banner section
- Layout:
bar(full-width bar),card(discreet corner card), ormodal(blocking centered modal) - Position:
bottomortop - Theme:
light,dark, orauto(follows prefers-color-scheme) - Accent color: customisable accent colour via color picker (default
#3b82f6) - Show floating button: shows the persistent floating button at the bottom-left to reopen preferences
Categories section
Enable or disable individually the 3 optional categories. The Strictly necessary category is always active.
- Functional enabled: personalisation cookies, user preferences
- Analytics enabled: Google Analytics 4, Matomo, audience measurement
- Marketing enabled: ad tracking, retargeting
Google Consent Mode v2
The plugin automatically prints the gtag('consent', 'default', ...) block with priority 1 in the storefront head, with the 7 signals required since March 2024: ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, security_storage.
Consent Mode section
- GTM Container ID: your GTM ID (
GTM-XXXXXXX). If set, the plugin automatically loads GTM after the default block. Leave empty to skip GTM loading - GA4 Measurement ID: your GA4 ID (
G-XXXXXXXXXX). If set and GTM is empty, the plugin loads GA4 standalone. Leave empty if you load GA4 via GTM - URL passthrough: preserves URL parameters for Ads conversions when consent is refused (recommended)
- Ads data redaction: anonymises ads data when consent is refused (recommended)
- Wait for update (ms): delay before the first GA4/Ads ping, giving the visitor time to respond to the banner. Default
500ms
gtag consent default block with all signals set to denied — 2) GTM loader if configured — 3) GA4 loader if configured (and GTM empty) — 4) banner loads and signals updated via gtag consent update on visitor click.Categories to signals mapping
When the visitor clicks a button, selected categories are automatically mapped to Consent Mode v2 signals:
- Functional →
functionality_storage,personalization_storage - Analytics →
analytics_storage - Marketing →
ad_storage,ad_user_data,ad_personalization - Necessary →
security_storage(always granted)
EEA detection and eeaOnly mode
The plugin automatically detects the visitor’s country to determine GDPR applicability (31 EU/EEA countries + United Kingdom + Switzerland).
EEA section
- EEA only mode: if enabled, the banner is shown only to visitors detected in the EEA. Other visitors receive implicit consent and see nothing
- Cloudflare support: if enabled (true by default), reads the
CF-IPCountryandCF-Connecting-IPheaders added by Cloudflare in priority
CF-IPCountry header is added free on every request. Without Cloudflare: fallback to Accept-Language to guess country from browser locale (less reliable but functional).Tracker audit
From the admin module (Marketing → DataFirefly Cookie Consent → Audit), launch an audit of your URL to detect actually present trackers and obtain a 0-100 compliance score.
How to launch an audit
- Go to Marketing → DataFirefly Cookie Consent → Audit
- Enter the URL to audit (defaults to your current shop URL)
- Click Launch audit
- The result is displayed in a few seconds: visual score (conic ring), detected trackers, risky plugins, issues classified critical/warning/info
What is detected
- 23 JavaScript trackers: Google Analytics 4, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Snapchat Pixel, Twitter X Pixel, Bing UET, Matomo, Microsoft Clarity, Hotjar, Mixpanel, Plausible, HubSpot, Intercom, Crisp, Tawk, YouTube embed, Vimeo embed, Stripe Elements, and more
- 11 risky Shopware plugins: database query to detect server plugins known for setting non-compliant cookies
Score interpretation
- 90-100: excellent, optimal compliance
- 70-89: good, a few minor adjustments to make
- 50-69: medium, critical issues to address
- 0-49: non-compliant, urgent action required
Audit log and exports
Every consent event (accept_all, reject_all, custom, withdraw) is logged in the dfcc_consent_log table with millisecond timestamp, sales channel, language, policy version, snapshot of categories and Consent Mode v2 signals, double-protected IP and user agent.
Visitor IP protection
Unique double protection:
- SHA-256 hash with a 64-character random salt generated at install and never exposed. Mathematically non-invertible.
- Truncated version in parallel: IPv4 → last octet zeroed (class C network), IPv6 → 64-bit prefix. Allows geographic analysis without re-identification.
Consulting the log
- Go to Marketing → DataFirefly Cookie Consent → Log
- Filter by event type and date range if needed
- The table paginates 50 entries per page
Exporting for CNIL/DPA evidence
From the Log page, click Export CSV or Export JSON: the downloaded file contains all entries matching the active filters.
- CSV: BOM UTF-8 + semicolon separator (directly openable in French/Italian Excel)
- JSON: pretty (indented) with preserved unicode
Log section
- Retention days: retention duration in days (1825 by default = 5 years, CNIL recommendation)
- A Shopware scheduled task automatically purges entries older than this every night
Public JavaScript API
The plugin exposes a global window.dfcc API usable from any JavaScript code on your site.
// Open the banner and preferences modal
window.dfcc.open();
// Accept / reject all via code
window.dfcc.acceptAll();
window.dfcc.rejectAll();
// Withdraw consent (clears cookie + localStorage)
window.dfcc.withdraw();
// Get the current state
const cats = window.dfcc.getConsent();
// → { necessary: true, functional: false, analytics: true, marketing: false }
// or null if no consent yet given
// Check consent for a category
if (window.dfcc.hasConsent('analytics')) {
// load your analytics script
}
// Diagnose storage state (debug)
console.log(window.dfcc.debug());
// → { cookieRaw, localStorageRaw, parsed, policyVersion, protocol, domain }
// Plugin version
console.log(window.dfcc.version);
// → "1.0.1"
DOM events
The plugin emits two custom events on window:
// Emitted as soon as the plugin is initialised on the page
window.addEventListener('dfcc:ready', (event) => {
console.log('DFCC ready', event.detail.config);
});
// Emitted on every consent change (accept, reject, custom, withdraw)
window.addEventListener('dfcc:consent', (event) => {
const { categories, eventType, consentMode } = event.detail;
console.log('Consent changed:', eventType, categories);
// Load a third-party script if marketing is accepted
if (categories.marketing) {
loadMyMarketingScript();
}
});
Multi-channel (sales channels)
All configuration is scopable per sales channel. To configure a specific channel differently:
- Go to Extensions → My Extensions → DataFirefly Cookie Consent → Configure
- At the top of the page, select the sales channel to configure
- Modify the options: only modified options in this view override the default config
Advanced customisation
Banner wording
The banner text uses Shopware’s standard storefront snippets. To customise a text, create your own snippet plugin and override the dfcc.banner.* and dfcc.modal.* keys:
<!-- custom-snippets/storefront.en-GB.json -->
{
"dfcc": {
"banner": {
"title": "Your custom title",
"body": "Your custom description."
}
}
}
CSS styling
All banner elements use CSS classes prefixed with .dfcc- (e.g. .dfcc-banner, .dfcc-modal, .dfcc-button--primary). Override them from your theme or via the Custom Code Manager DataFirefly plugin.
Troubleshooting
The banner does not appear
- Check that Enabled is ticked in the plugin config
- Check that EEA only mode is not enabled while you test from outside the EEA
- Check in DevTools console:
window.dfccmust be defined. If not, the JS is not loaded → re-runbin/console theme:compile - Clear the domain cookies in DevTools → Application → Cookies → Clear all, then reload
Banner reappears on every page (bug in v1.0.0, fixed in v1.0.1)
- Update to v1.0.1 if you haven’t already
- Run
window.dfcc.debug()in the console to diagnose - If
cookieRawis empty butlocalStorageRawis filled: your browser is blocking the cookie write (check HTTPS protocol and Secure/SameSite flags) - If both are empty but a consent was clicked: open a support ticket with the
debug()result
Google Ads conversions not feeding back
- Check that GTM Container ID or GA4 Measurement ID is set
- Check in DevTools → Network: the
gtag consent defaultblock must run before GTM/GA4 loads - Enable url_passthrough and ads_data_redaction to preserve conversions from visitors who refused
- Check in GA4 → Admin → Data collection → Consent Mode that parameters are recognised
CSV exports open badly in Excel
The file is generated with BOM UTF-8 and semicolon separator (French Excel standard). If your Excel expects a comma (English versions), use JSON export instead, or import via Data → From CSV file and specify the separator.
Uninstallation
To deactivate temporarily:
bin/console plugin:deactivate DataFireflyCookieConsent
Data remains in the database, Shopware’s native banner takes over.
To uninstall completely:
bin/console plugin:uninstall --keep-user-data DataFireflyCookieConsent
# or to also delete the dfcc_consent_log table and config:
bin/console plugin:uninstall DataFireflyCookieConsent
--keep-user-data flag, the audit log (dfcc_consent_log) is lost. If you plan to reinstall later, always use --keep-user-data.Changelog
1.0.1 — May 23, 2026 (persistence patch)
- Complete rewrite of the client-side storage layer
- Direct cookie write with combined Max-Age and Expires
- Secure flag added only on HTTPS
- Automatic localStorage fallback if cookie write fails
- Write→read self-check with console log on desync
- New
window.dfcc.debug()method
1.0.0 — May 23, 2026 (initial release)
- Shopware 6.6 and 6.7 compatibility
- v3 banner with 3 layouts, 2 positions, 3 themes
- Native Google Consent Mode v2 with 7 signals
- Real tracker audit (23 trackers + 11 risky plugins)
- Audit log with double-protected IP (SHA-256 + truncate)
- Smart EEA detection (31 countries + UK + CH, Cloudflare support)
- Vue 3 Admin module (mt-*): dashboard, audit, log
- CSV and JSON exports
- Storefront and admin snippets for 5 languages