Magento 2 GDPR: Consent, Data Export & Erasure Done Right
GDPR for Magento 2: what a store actually has to do
For a shop, GDPR (and UK GDPR) obligations reduce to a practical list: get valid consent for non-essential cookies and marketing, let customers see the data you hold on them, delete it when they ask (where no legal basis requires keeping it), and be able to evidence all of the above. Magento Open Source gives you almost none of this out of the box — there's a basic cookie notice, and nothing for consent records, data export or erasure.
The four capabilities you need
| Obligation | What it means in Magento |
|---|---|
| Cookie consent | A banner that blocks non-essential scripts until consent, with per-category choices — not just an “OK” notice |
| Right of access | Export everything held on a customer — account, addresses, orders, subscriptions — in a portable format |
| Right to erasure | Delete or anonymise the customer's personal data on request, without destroying order accounting records |
| Evidence | A log of consents and requests, so you can show what was agreed and when |
How GDPR Pro covers it
Our GDPR Pro for Magento 2 module implements the full loop: a configurable cookie-consent banner with category controls, customer-account tools for data export and erasure/anonymisation requests, an admin queue to review and action requests, and consent logging throughout. Erasure anonymises order data rather than deleting it, so your accounting stays intact while the personal data goes.
One honest note: a module implements the mechanics — what you put in your privacy policy, retention periods, and lawful bases are decisions for you (and if in doubt, a professional). No extension makes a store “GDPR compliant” by itself.
Frequently asked questions
Is Magento 2 GDPR compliant out of the box?
No. It has a basic cookie notice and no consent records, data export or erasure workflow — those need a module or custom build.
Does erasure delete my order history?
With GDPR Pro, no — personal fields are anonymised while order records survive for accounting and tax purposes, which GDPR permits.
Does the cookie banner work on a headless storefront?
Consent state and settings are exposed so headless frontends can honour them; the Luma banner works natively. Verified on Magento Open Source 2.4.9, PHP 8.4 and 8.5.
GDPR Pro is a one-off purchase — no subscription — and is included in the AgenticEcom Suite.
