PrestaShop GDPR & privacy

Our best PrestaShop modules for GDPR and cookies

Five modules for what actually gets checked — not for what gets shown.

Having a banner does not mean being compliant. What gets checked is: do your trackers load before the click? Is refusing as easy as accepting? Can you prove what the user chose?

The problem

Sound familiar?

A banner that blocks nothing

Your banner displays while Analytics is already running. It documents your breach instead of preventing it.

Refusing harder than accepting

Bright Accept button, grey Settings link. Both exist — and it is still a breach.

A right to be forgotten that paralyses you

A customer demands erasure. You fear destroying your accounting — so you do nothing.

No trace of anything

Under audit you must show who did what and when. With no log, your answer is an assertion.

The shortlist

Our selection, ranked

Every module below is built, maintained and supported by our team. The ranking reflects what we would install first on a client store.

  1. A banner that actually blocks: no script before the click. Built on the open-source tarteaucitron.js engine.

    The GDPR-compliant cookie banner without giving up measurement. Modern Axeptio-style banner, Google Consent Mode v2 pre-integrated, audit log, automatic third-party service scanner.

    5.0 (1) 220.00 View the module
  2. GDPR Customer Account Deletion for PrestaShop 8 & 9

    The right without collateral damage

    The customer deletes their account; orders are anonymised, not deleted. Your accounting stays intact.

    Delete My Account button compliant with GDPR for PrestaShop 8 and 9. Email token confirmation, personal data anonymization with accounting retention, automatic unsubscribe on…

  3. Who changed what, and when? With no log your answer is an assertion — with one, it is evidence.

    Track every creation, update and deletion in the PrestaShop back office with the field-by-field before/after detail, the employee, the IP address and the timestamp.…

  4. Age verification for CBD, alcohol, vape. A real block — a home-made modal drives customers away without protecting you.

    Block access to your store until the visitor has confirmed their age. Standard mode for CBD, alcohol, vape, firearms. Medical mode for healthcare professionals.…

  5. Fake accounts and disposable addresses pollute your database. It is hygiene, not compliance — but without it, compliance is hard to prove.

    Check the real validity of emails at signup and bulk-delete customers whose address does not exist — without ever erasing a real customer by…

Side-by-side comparison

GDPR is not a banner

Most stores believe they are compliant because they have a cookie banner. But the banner is the most visible part — and the least controlled. What actually gets checked is: do you drop trackers before consent? Is refusing as easy as accepting? Can you prove what the user clicked?

To those three questions, the majority of European stores answer no — with a banner on the page.

The three pillars that matter

Consent, technically enforced: no script may load before the click. A banner that is merely decorative while Google Analytics is already running is worse than no banner — it documents your breach.

The rights of data subjects: access, rectification, erasure. The right to be forgotten is not a principle, it is a button the customer must be able to press — and it must not destroy your accounting.

Provability: under audit, you must be able to show who did what and when. With no audit log, your statement is only an assertion.

Consent Mode v2 is no longer optional

If you use Google Ads or GA4 in Europe, Google now requires Consent Mode v2. Without it you lose conversion data and remarketing reach. From this point on, GDPR compliance and the effectiveness of your advertising hang by the same thread.

Buying guide

How to choose

Start with what actually gets checked

The cookie banner — but a real one. The difference is not cosmetic: a compliant banner loads not one script before the click. If your Google Analytics is already running while the banner is still showing, your banner is a piece of evidence against you.

The three most frequently sanctioned rules

  • No tracker before consent. A technical block, not a display.
  • Refusing as easy as accepting. Same level, same visibility, same number of clicks. A bright Accept button beside a grey link is a breach.
  • Being able to change your mind. At any time, without hunting through the site.

Consent Mode v2: compliance and advertising on the same thread

If you use Google Ads or GA4 in Europe, Google now requires Consent Mode v2. Without it you lose conversion attribution and remarketing. This is no longer a legal straitjacket — it is a condition for your advertising to work at all.

What these modules do NOT do

They cover the technical side. Your privacy policy, your record of processing, your processor contracts, your internal procedures are not included — and those are exactly what a supervisory authority looks at first. No module replaces that work. Claiming otherwise would be dishonest.

What you gain

Consent that actually blocks

No script loads before the click. The banner is not decoration — it is a technical block.

Consent Mode v2 natively

Consent Mode v2 is now required by Google. Without it you lose conversion data and remarketing reach.

The right to be forgotten without collateral damage

The customer deletes their own account. Orders are anonymised, not deleted: your accounting stays intact.

Provable under audit

Who changed what, and when? With no audit log, your answer under scrutiny is only an assertion.

A clean database

Fake accounts and disposable addresses pollute your database — and your database is precisely what you must protect.

An age gate that really blocks

Age verification for CBD, alcohol, vape: a block, not a polite question.

Implementation

From install to results

  1. A banner that actually blocks

    No script before the click. If your Analytics runs while the banner shows, your banner is evidence against you.

  2. Make refusing as easy as accepting

    Same level, same visibility, same number of clicks. One of the most frequently sanctioned rules in Europe.

  3. Switch on Consent Mode v2

    Required by Google. Without it you lose conversion attribution and remarketing. Compliance and advertising on the same thread.

  4. Open the right to be forgotten

    The customer deletes their account, the orders are anonymised. The two obligations do not contradict each other.

  5. Log everything

    Under audit you must show who did what and when. It never hurts you — it protects you.

“We had a banner, we thought we were compliant. The audit found Analytics was already running while the banner was still showing. Our banner was the evidence.”

Customer feedback — PrestaShop 8 store, cosmetics

Frequently asked questions

Is a cookie banner enough?

No — and this is the commonest misunderstanding. A banner that merely displays while Google Analytics already runs in the background is worse than none: it documents that you know the rule and break it. What counts is the technical block — no script may load before the click.

Must refusing really be as easy as accepting?

Yes, and it is one of the most frequently sanctioned rules in Europe. Refusing must be possible at the same level, with the same visibility and the same number of clicks as accepting. A bright “Accept” button beside a grey “Settings” link is a breach, even if both technically exist.

What is Consent Mode v2 for?

It is the signalling Google requires to keep processing your advertising data when a user refuses. Without it you lose conversion attribution and remarketing reach. In other words: GDPR compliance and the effectiveness of your advertising now hang by the same thread.

Does the right to be forgotten destroy my accounting?

No, and that is the whole craft of it. The customer deletes their account; the orders are anonymised, not deleted. You keep the accounting records you are legally required to hold for ten years, and the customer still disappears from your database. The two obligations do not contradict each other — they simply require you to tell them apart.

Is an audit log mandatory?

Not always, but under audit it is the difference between an answer and an assertion. The audit log shows who changed what and when. It never hurts you — it protects you the moment someone asks what happened on 14 March.

What has email verification got to do with GDPR?

It does not protect personal data, it protects the quality of your data — and that is the precondition for everything else. A database polluted with fake accounts and disposable addresses distorts your metrics, lands your emails in spam, and makes any clean-up harder. It is hygiene, not compliance — but without hygiene, compliance is hard to prove.

Is age verification mandatory for everyone?

Strictly: only for categories where selling to minors is prohibited (alcohol, vape, CBD, some medical products). Practically: also for your payment providers and carriers, who impose their own terms. A home-made modal is worse than none — it drives customers away without protecting you legally.

Do these modules make me GDPR-compliant?

No, and this must be said plainly. These modules cover the technical side: consent, blocking, erasure, traceability. Your privacy policy, your record of processing activities, your processor contracts and your internal processes are not included — and those are what a supervisory authority looks at first.

Not sure which one fits your store?

Tell us your context — we answer with a straight recommendation, not a sales pitch.