Everything you'd want to know before you install.
A detailed look at how DataFirefly Cookie Consent — GDPR/CNIL & Google Consent Mode v2 for Shopware 6 works, why we built it the way we did, and the thinking behind the features above.
Why a dedicated consent plugin on Shopware
Shopware 6's native cookie banner is a functional cookie management MVP that was never designed for current regulatory requirements. No native Google Consent Mode v2, no audit log usable as evidence, no strict equivalence between Accept all and Reject all at the first level, no smart EEA detection, no audit of trackers actually active on your site. In 2026, these shortcomings are no longer just an inconvenience: they cost money (lost European Google Ads conversions because Consent Mode v2 is not properly implemented) and expose to penalties (up to 4 percent of annual worldwide revenue under GDPR, already applied to hundreds of European online retailers by data protection authorities). DataFirefly Cookie Consent is designed to fully replace the native banner and bring everything that's missing, in one install and zero specific development.
Native Google Consent Mode v2 at the right time
Google announced Consent Mode v2 in November 2023, made it mandatory for European Ads conversions in March 2024, and extended it to GA4 audiences shortly after. Concretely, if your European site does not declare the 7 Consent Mode v2 signals (ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, security_storage) before GTM or GA4 loads, Google considers your site non-compliant and stops feeding back conversions from visitors who refused cookies. You lose measurement and therefore optimisation performance. DataFirefly Cookie Consent prints the gtag consent default block at the very top of the storefront head, with wait_for_update at 500 milliseconds to give the visitor time to respond to the banner, then emits gtag consent update as soon as they click. The plugin also bundles an optional GTM loader (just fill in your GTM ID in the configuration) that will be loaded automatically AFTER the default block. You can also configure a standalone GA4 ID (without GTM) if your setup is simpler.
v3 Banner: action equivalence, all layouts
The banner has been redesigned to meet the strict requirements of the French CNIL and the Italian Garante Privacy. Three buttons at the first level (Accept all, Reject all, Customise) with strict visual equivalence: same size, same contrast, same typographic hierarchy. No dark pattern design that would push to accept by default. Three layouts to choose from based on your branding (full-width bar at the bottom for classic e-commerce sites, discreet corner card for content sites, blocking centered modal for sites with high consent stakes), two positions (top or bottom), three themes (light, dark, or auto following prefers-color-scheme), customisable accent colour via color picker. A persistent floating button at the bottom-left lets the user reopen preferences at any time, as recommended by the CNIL. And everything is responsive below 640 pixels with full-width buttons and full-screen modal.
Real audit: what your visitors actually see
Most consent plugins ask you to manually declare the cookies your site sets. This is fragile: a developer adds a new GTM tag, you forget to update the declaration, and your compliance is off. DataFirefly Cookie Consent takes the problem the other way. From the admin module, you launch an audit on your URL: the plugin fetches your homepage, scans the HTML and scripts to detect actually present trackers (23 recognised trackers: Google Analytics 4, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Snapchat Pixel, Twitter X Pixel, Bing UET, Matomo, Microsoft Clarity, Hotjar, Mixpanel, Plausible, HubSpot, Intercom, Crisp, Tawk, YouTube embed, Vimeo embed, Stripe Elements and more), and queries the Shopware database to detect the 11 server plugins known for setting non-compliant cookies. A 0 to 100 compliance score is calculated by comparing detected trackers with the categories you have enabled in the banner, and discrepancies are surfaced as issues classified critical, warning and info. You know exactly what to fix.
Audit log: CNIL-compliant irreversible evidence
GDPR requires consent evidence usable in case of audit, that is a timestamped record you can produce on demand. But this evidence must also respect GDPR: no question of storing the IP in clear text for 5 years. DataFirefly Cookie Consent applies a unique double protection: each IP is first hashed with SHA-256 using a random 64-character salt generated at plugin install and never exposed. Even if the database leaks, the IP is mathematically unrecoverable. But since a pure hash loses geographic information, the plugin also stores a truncated version of the IP in parallel: for IPv4 only the class C network is kept (xx.xx.xx.0), for IPv6 the 64-bit prefix. You keep the ability to analyse global geographic patterns without being able to re-identify a user. The log also contains the sales channel, language, policy version at consent time, banner version, snapshot of enabled categories and Consent Mode v2 signals, plus truncated user agent and referer. Everything is exportable as CSV (with BOM UTF-8 and semicolon separator, so directly openable in French Excel) or JSON pretty, from the admin module, in one click. And a Shopware scheduled task automatically purges entries older than the configured retention period (1825 days by default, CNIL recommendation).
Smart EEA detection and Cloudflare-ready
GDPR only applies to visitors residing in the EEA plus a few aligned countries (United Kingdom, Switzerland). For non-EEA visitors, you can legally not show a consent banner, which mechanically improves average acceptance rate and therefore measurement quality. DataFirefly Cookie Consent detects visitor country smartly: if your site is behind Cloudflare, it uses the CF-IPCountry header which is added free by Cloudflare on every request (and which is the fastest and most reliable method available). Otherwise, it parses Accept-Language to guess the country from the main browser locale. The list of 31 EU and EEA countries plus United Kingdom and Switzerland is hardcoded in the plugin to not depend on any external service. The eeaOnly mode (toggle in configuration) triggers the logic: if enabled, visitors detected outside EEA simply don't see the banner, without any cookie set, and with an implicit consent generated for Consent Mode v2.
Complete Vue 3 Admin module compatible with 6.7
The entire administration module has been developed directly on the Vue 3 stack and Meteor components (mt-button, mt-card, mt-text-field, mt-select), which are the official Shopware 6.7 components. The migration from 6.6 (sw-*) is handled automatically by Shopware in the background. Concretely, your admin looks like native Shopware 6.7, with perfect integration in the menu (Marketing then DataFirefly Cookie Consent), three well-structured pages (Dashboard, Audit, Log), and all texts translated in the plugin's 5 languages (French, English, Spanish, German, Italian). The dashboard displays 6 real-time KPIs computed in SQL, the Audit page uses a pure SCSS conic score ring (no external graphic dependency), and the log leverages the native sw-data-grid component with pagination, guaranteeing visual consistency even if your Shopware admin is customised.
What the plugin does not do
DataFirefly Cookie Consent is intentionally focused on GDPR consent and Consent Mode v2. It does not manage the GDPR records of processing register (GDPR article 30), it does not perform automatic DSAR exports of customer personal data (GDPR article 15), it does not generate your privacy policy (you must have your own policy URL), and it does not work on Shopware Cloud (the Shopware-hosted SaaS version, which does not allow server plugin installation). It is compatible with all self-hosted Shopware 6.6 and 6.7 installations (your own server, VPS, or Shopware-compatible shared hosting). For other GDPR compliance needs on Shopware, other DataFirefly plugins cover these scopes.
There are no reviews yet.