GDPR in PrestaShop: why you can’t ignore it
If you sell online to customers in the European Union, your PrestaShop store must comply with the General Data Protection Regulation (GDPR). It’s not optional, it doesn’t only affect large companies and the penalties for non-compliance are very real.
The problem is that many PrestaShop stores believe GDPR compliance means simply adding a privacy policy page and a generic cookie notice. The reality is considerably more complex: it involves controlling what data you collect, how you process it, what third-party scripts run on your store and what rights your customers have over their personal information.
In this guide we’ll walk through step by step everything you need to do to make your PrestaShop store truly GDPR compliant — not just apparently compliant.
⚠️ What’s at stake
💰 Fines up to 4% of annual global turnover.
📉 Google Ads blocked without Consent Mode v2 since 2024.
🔒 Loss of trust if customers perceive you don’t protect their data.
What is the GDPR and who does it affect
The General Data Protection Regulation (GDPR) is the European regulation governing how businesses collect, store, process and delete the personal data of EU citizens. It has been in force since May 2018 and applies to any business that processes data of EU residents, regardless of where the company is located.
If your PrestaShop store sells to customers in Spain, France, Germany, Italy or any other EU country, you are required to comply. This includes not only the data you collect directly (name, email, address) but also data collected by third-party scripts running on your store: Google Analytics, Facebook Pixel, remarketing tools, chat widgets and any other service that uses cookies.
Most common GDPR mistakes in PrestaShop stores
These are the failures we find most frequently in compliance audits:
❌ Decorative cookie banner that informs but doesn’t block scripts. Analytics and marketing cookies load before the user accepts.
❌ Non-granular consent. A single “Accept all” button with no option to choose which cookie categories to accept.
❌ Pre-ticked newsletter checkbox at checkout or registration. GDPR requires consent to be active, not passive.
❌ No data deletion process. No way for a customer to request their personal data be deleted from the store.
❌ Generic privacy policy copied from the internet that doesn’t reflect the actual data the store collects or the third-party services it uses.
❌ No Consent Mode v2. Google Ads loses conversion data and campaigns stop working properly in the EU since 2024.
How to comply with GDPR in PrestaShop step by step
Let’s walk through each GDPR requirement that affects an online store and how to implement it concretely in PrestaShop.
1. Implement a cookie banner with real script blocking
This is the most critical point and the one most stores get wrong. The GDPR requires that no non-essential scripts (analytics, marketing, social media) are executed until the user has given explicit consent. Simply showing an informational notice is not enough — scripts must be genuinely blocked.
The banner must offer the user the option to accept or reject each cookie category granularly (functional, analytical, marketing), include a link to the cookie policy and allow preferences to be changed at any time.
Additionally, since March 2024, Google requires stores using Google Ads in the EU to implement Google Consent Mode v2, a standard that communicates consent status to Google services so campaigns work correctly.
✅ Requirement: Real script blocking before consent + granular categories + Consent Mode v2
2. Review registration and checkout forms
All forms where you collect personal data (registration, checkout, newsletter, contact) must meet these requirements:
✅ Active consent: Acceptance checkboxes for terms and newsletter MUST NOT be pre-ticked. The user must check them voluntarily.
✅ Clear information: State what the data will be used for before the user submits it. Never collect data you don’t need.
✅ Privacy policy link: Each form must include a visible link to your privacy policy, not hidden in the footer.
In PrestaShop, pay particular attention to the account creation form and checkout. If you use newsletter modules like Mailchimp or Brevo, ensure the subscription is opt-in (customer ticks the box), not opt-out.
3. Write a proper privacy policy
Your privacy policy cannot be a generic text copied from the internet. It must accurately reflect what data your store collects, what it’s used for, how long it’s kept and who it’s shared with. A proper privacy policy for PrestaShop must include:
📋 Controller identity
Company name, registration number, address, contact email and DPO details if applicable.
📦 Data you collect
Name, email, address, phone, IP, payment data (processed by gateway), cookies.
🎯 Purpose of processing
Order management, newsletter sending, behavioural analysis, remarketing.
🤝 Third parties with access
Google Analytics, Meta Pixel, payment gateway, carrier, email marketing provider.
⏱️ Retention periods
How long you keep each type of data and when it’s deleted.
⚖️ User rights
Access, rectification, erasure, portability, objection and how to exercise them.
4. Guarantee customer data rights
The GDPR grants EU citizens a series of rights over their personal data that your store must be able to handle. The most relevant for an e-commerce store are:
🔍 Right of access
The customer can request a copy of all personal data you hold about them.
✏️ Right to rectification
The customer can correct inaccurate data. PrestaShop allows this from “My Account”.
🗑️ Right to erasure
The customer can request their data be deleted. PrestaShop 1.7+ includes this option in the back office.
📤 Right to portability
The customer can request their data in a readable format to take to another service.
PrestaShop 1.7, 8.x and 9.x include a native GDPR module that allows managing access and erasure requests from the back office. Make sure it’s installed and activated.
5. Ensure mandatory legal pages are in place
Your PrestaShop store must have these legal pages accessible from any page (usually in the footer):
📄 Privacy policy: Details what data you collect, why, who you share it with and how to exercise rights.
🍪 Cookie policy: Lists all cookies your store uses (own and third-party), their purpose and duration.
📜 Legal notice: Company details (legal name, registration number, registered address).
📋 Terms and conditions: Sale conditions, returns, shipping, warranties and withdrawal rights.
Create these pages as CMS pages in PrestaShop (Design > Pages) and link them in the footer. If you’re unsure how to write them, consult an ecommerce-specialised lawyer — a generic template may not cover your specific case.
The GDPR doesn’t just regulate what data you can collect — it also regulates how you protect it. Your PrestaShop store must implement security measures appropriate to the type of data it handles:
🔐 SSL certificate (HTTPS): The entire store must run on HTTPS. No exceptions. Most hosts include it free with Let’s Encrypt.
🔑 Secure back office passwords: Use long, unique passwords for the PrestaShop admin. Enable two-factor authentication if your hosting supports it.
💾 Encrypted backups: Make regular backups of the database and files. Store them encrypted and on a different server from production.
🔄 Updated PrestaShop and modules: Security updates fix vulnerabilities. Keep everything up to date.
Google Consent Mode v2: what it is and why it’s mandatory
Google Consent Mode v2 is a technical standard that communicates to Google services (Analytics, Ads, Tag Manager) whether the user has consented to each type of cookie. Since March 2024, Google requires it for all advertisers operating in the EU.
Without Consent Mode v2, your Google Ads campaigns can lose conversion data, remarketing audiences stop working properly and Google may limit the delivery of your ads to EU users.
❌ Without Consent Mode v2
Google Ads loses conversion data in the EU. Remarketing audiences degrade. Google may block ad delivery to European users.
✅ With Consent Mode v2
Google Ads receives correct consent signals. Conversions are attributed properly. Campaigns function normally in the EU.
Manually implementing Consent Mode v2 requires modifying the Google Analytics and Google Ads tracking code to read the consent status from the cookie banner and send the correct signals. It’s technical and error-prone.
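A minimal consent manager covering both step 1 (scripts that stay inert until their category is accepted) and the manual Consent Mode v2 integration described above, as an added example that is not CookieBoost’s, PrestaShop’s or the author’s code. It assumes a hypothetical markup convention (blocked tags carry type="text/plain" and a data-cookie-category attribute) and that the banner calls applyConsent() with the user’s choices.

```javascript
// Added example, not CookieBoost or PrestaShop code. It shows the two
// mechanisms this page describes: non-essential scripts stay inert until the
// user opts in to their category, and Google Consent Mode v2 receives
// "denied" defaults plus an "update" mirroring the granular choice.
// Assumed (hypothetical) markup for a blocked tag:
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// Browsers never execute type="text/plain", so the tag is genuinely blocked.

// Consent Mode v2 keys that depend on the user's choice, by banner category.
// Functional scripts are not mapped: they are exempt and always run.
const CONSENT_MODE_MAP = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// choices = { analytics: true|false, marketing: true|false }; absent = denied.
// With no choices this yields the "default" payload that must be sent via
// gtag('consent', 'default', ...) before any Google tag loads.
function consentModePayload(choices = {}) {
  const payload = {};
  for (const [category, keys] of Object.entries(CONSENT_MODE_MAP)) {
    for (const key of keys) payload[key] = choices[category] === true ? 'granted' : 'denied';
  }
  return payload;
}

// Which blocked scripts may now run. Unknown categories stay blocked (fail closed).
function scriptsToActivate(blockedScripts, choices) {
  return blockedScripts.filter((s) =>
    s.category === 'functional' || (Object.keys(CONSENT_MODE_MAP).includes(s.category) && choices[s.category] === true));
}

// Called by the banner once the user decides. DOM work is skipped outside a
// browser so the pure functions above can be unit-tested under Node.
function applyConsent(choices) {
  if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag('consent', 'update', consentModePayload(choices));
  }
  if (typeof document === 'undefined') return [];
  const blocked = Array.from(document.querySelectorAll('script[type="text/plain"][data-cookie-category]'))
    .map((el) => ({ el, category: el.dataset.cookieCategory }));
  const activated = scriptsToActivate(blocked, choices);
  for (const { el } of activated) {
    const live = document.createElement('script'); // a fresh element executes; cloneNode() would not
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return activated.map((s) => s.category);
}
```

Rejecting a category simply leaves its tags as text/plain, and the stored choice should be re-applied on every page load so nothing runs until the user opts in.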
PrestaShop Module
Comply with GDPR and Consent Mode v2 automatically
CookieBoost adds a modern cookie banner with automatic script blocking, granular categories and full Google Consent Mode v2 compatibility. No paid external services, no code changes, configurable from the PrestaShop back office.
GDPR compliance checklist for PrestaShop
Use this list to verify your store meets all requirements. Each ticked item is one less risk point:
☑️ Cookie banner with real script blocking before consent
☑️ Granular cookie categories (functional, analytical, marketing)
☑️ Google Consent Mode v2 implemented and sending correct signals
☑️ Option to change cookie preferences at any time
☑️ Newsletter checkboxes not pre-ticked at registration and checkout
☑️ Privacy policy link visible on all forms
☑️ Privacy policy specific and up-to-date with your store’s actual data
☑️ Cookie policy with a list of all cookies, their purpose and duration
☑️ Legal notice and terms and conditions accessible from the footer
☑️ Data deletion process available for customers (PrestaShop native GDPR module)
☑️ HTTPS active across the entire store with a valid SSL certificate
☑️ Regular encrypted backups
☑️ PrestaShop and modules updated to the latest security versions
Frequently asked questions about GDPR in PrestaShop
Does the GDPR apply if my company is not in the EU?
Yes. The GDPR applies to any company that processes data of EU residents, regardless of where it’s located. If you sell to customers in Spain, France or any other EU country, you must comply.
Is it enough to show a cookie notice without blocking scripts?
No. The GDPR and the ePrivacy Directive require that non-essential scripts (analytics, marketing, social media) be blocked until the user gives explicit consent. A banner that only informs but doesn’t block does not comply.
What happens if I don’t implement Google Consent Mode v2?
Since March 2024, Google may limit Google Ads and Analytics functionality for EU traffic on stores that haven’t implemented Consent Mode v2. This includes loss of conversion data, degradation of remarketing audiences and possible limitations on ad delivery.
Does PrestaShop include anything for GDPR natively?
Yes. PrestaShop 1.7+ includes a native GDPR module that manages access and data deletion requests. However, it doesn’t include a cookie banner with real script blocking or Consent Mode v2 compatibility, which are the most critical requirements.
Do I need a Data Protection Officer (DPO)?
It depends on the volume and type of data you process. Most small and medium-sized online stores are not required to appoint a DPO, but they must have an identified data controller in their privacy policy. Consult a legal advisor if you’re unsure.
Are non-compliance fines real?
Yes. EU data protection authorities have imposed multimillion-euro fines on companies of all sizes. Penalties can reach 20 million euros or 4% of annual global turnover, whichever is higher. Regulators across Europe have fined SMEs for violations such as using cookies without consent.
Conclusion
GDPR compliance in PrestaShop is not a bureaucratic formality solved with a privacy policy page. It’s a set of technical and organisational measures affecting forms, cookies, third-party scripts, customer rights and the security of stored data.
The most critical point — and the one most stores get wrong — is the cookie banner. A banner that doesn’t block scripts before consent doesn’t comply with the regulation, exposes the store to penalties and, since 2024, can directly affect the performance of Google Ads campaigns.
The good news is that most of these requirements can be resolved with configuration and the right modules, without custom development or costly external services.
PrestaShop Module
Make your store GDPR compliant today
CookieBoost manages cookie consent with real script blocking, granular categories and integrated Google Consent Mode v2. Compatible with PrestaShop 1.7, 8.x and 9.x, without paid external services.