
GDPR Pro for Magento 2 — Consent, Data Export, Erasure & Cookie Control
GDPR Pro makes your Magento 2 store demonstrably compliant. It shows a configurable cookie-consent banner that keeps non-essential cookies off until customers opt in, logs every consent decision for your audit trail, and gives customers self-service data export, correction and erasure requests. D…
"We'll sort GDPR later" is fine until it's a fine
Data-protection law isn't optional, and "compliant enough" doesn't survive a complaint. You need a cookie banner that actually holds non-essential cookies until a customer agrees, a record proving they agreed, and a way to honour access, correction and deletion requests inside the legal deadline. Stock Magento gives you none of it. GDPR Pro gives you all of it — the consent banner, the audit log, and the data-subject request workflow — built into your store and your admin, not bolted on from a third-party service that becomes its own compliance problem.
What you'll use it for
- Pass a cookie audit — show a compliant banner with reject-all and granular categories, and prove non-essential cookies wait for consent.
- Answer DSARs on time — let customers self-serve export, correction and deletion so requests don't pile up in your inbox past the deadline.
- Honour erasure safely — anonymise rather than hard-delete, keeping tax and accounting records valid while removing the person.
- Audit your own data — scan content for stray personal information before a regulator or a breach finds it for you.
How a data-subject request flows
Consent done properly
The cookie banner is configurable — position, light or dark theme, your own title and message, a "Reject All" button and a "Customise Preferences" panel with granular categories (necessary, analytics, marketing, preferences). When "explicit consent" is on, non-essential cookies stay off until the customer actively opts in — the GDPR default — and every choice is written to a consent log so you can demonstrate compliance. Bump the consent version whenever your policy changes and returning visitors are re-prompted automatically.
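The behaviour that paragraph describes, reduced to its decision logic, as an added example. This is not the GDPR Pro module's own code: the four category names come from the page, while the stored-record layout, the function names and the sample timestamps are assumptions made for the illustration. It shows why a consent gate must fail closed for everything except "necessary" until a decision exists, and why bumping the consent version invalidates an earlier decision so the visitor is re-prompted.

```javascript
// Added example, not the GDPR Pro module's own code: a minimal consent gate
// with the behaviour described above (explicit consent, granular categories,
// consent versioning, audit log). The stored-record layout is an assumption.
const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];

// A visitor with no decision yet, or whose decision predates the current
// policy version, must see the banner again.
function needsPrompt(stored, currentVersion) {
  if (!stored || !stored.decidedAt) return true;
  return stored.version !== currentVersion;
}

// Record a decision. "necessary" is always on; any category the visitor did
// not explicitly tick stays off (explicit-consent semantics); unknown
// categories are rejected rather than quietly allowed.
function recordDecision(currentVersion, choices, now, log) {
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key)) throw new Error(`unknown category: ${key}`);
  }
  const allowed = { necessary: true };
  for (const cat of CATEGORIES.slice(1)) allowed[cat] = choices[cat] === true;
  const record = { version: currentVersion, decidedAt: now, allowed };
  log.push({ at: now, version: currentVersion, allowed: { ...allowed } }); // audit-trail entry
  return record;
}

// "Reject All" is simply a decision with nothing ticked.
function rejectAll(currentVersion, now, log) {
  return recordDecision(currentVersion, {}, now, log);
}

// The gate: a tag or cookie belonging to a category fires only when a
// current-version decision allows that category. Stale or missing consent
// fails closed for everything except "necessary".
function mayFire(stored, currentVersion, category) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  if (needsPrompt(stored, currentVersion)) return false;
  return stored.allowed[category] === true;
}

// Walk-through on constructed data: opt in to analytics under policy v1,
// then bump the policy to v2 and watch the gate close again.
function demo() {
  const log = [];
  let consent = null;
  const beforeDecision = mayFire(consent, 1, "analytics");           // false: nothing agreed yet
  consent = recordDecision(1, { analytics: true }, "2024-01-01T10:00:00Z", log);
  const afterOptIn = mayFire(consent, 1, "analytics");               // true
  const marketing = mayFire(consent, 1, "marketing");                // false: never ticked
  const afterBump = mayFire(consent, 2, "analytics");                // false: consent was given for v1
  const rejected = rejectAll(2, "2024-06-01T10:00:00Z", log);
  return {
    beforeDecision, afterOptIn, marketing, afterBump,
    promptAgain: needsPrompt(consent, 2),                            // true
    rejectedAnalytics: mayFire(rejected, 2, "analytics"),            // false
    rejectedNecessary: mayFire(rejected, 2, "necessary"),            // true
    logEntries: log.length,                                          // 2
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to check in any real deployment is the direction of the default: a category that is absent from the stored decision must be treated as refused, and a decision recorded under an older policy version must be treated as no decision at all.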
The rights customers can exercise
Customers request from their account, and you handle it from a request grid in the admin — with optional approval before anything is removed. Export bundles their data (orders, quotes, addresses, reviews — you choose) in JSON, XML or CSV. Rectification records what they want corrected. Erasure can either delete or, recommended, anonymise their orders so personal data is scrubbed while the financial record survives. A daily cleanup removes old consent logs and completed requests after your retention period.
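The anonymise-rather-than-delete option above, as an added example that is not part of the module's own code. The order layout, the lists of personal and financial fields and the sample order are constructed assumptions for the illustration. Beyond the page's description it also shows the check a practitioner wants after any scrub: verifying against the original values that nothing personal survives anywhere in the record, which catches a name or phone number that the customer typed into a free-text field a field-list scrub would otherwise miss.

```javascript
// Added example, not GDPR Pro's own code: anonymise an order so the financial
// record survives while the person is scrubbed, then verify the scrub.
// The field lists and the sample order below are constructed assumptions.
const PERSONAL_FIELDS = ["customer_id", "customer_name", "customer_email",
  "customer_phone", "billing_address", "shipping_address", "remote_ip"];
const FREE_TEXT_FIELDS = ["customer_note"];      // may contain anything the customer typed
const FINANCIAL_FIELDS = ["increment_id", "created_at", "currency",
  "grand_total", "tax_amount", "items"];

// Constructed sample order; no real person or address.
const SAMPLE_ORDER = {
  increment_id: "000000123",
  created_at: "2024-03-02T09:15:00Z",
  currency: "EUR",
  grand_total: 119.0,
  tax_amount: 19.0,
  items: [{ sku: "SKU-1", qty: 1, row_total: 100.0 }],
  customer_id: 42,
  customer_name: "Ada Example",
  customer_email: "ada@example.test",
  customer_phone: "+49 30 000000",
  billing_address: "Examplestrasse 1, 10115 Berlin",
  shipping_address: "Examplestrasse 1, 10115 Berlin",
  remote_ip: "203.0.113.7",
  customer_note: "Leave with neighbour, Ada Example, phone +49 30 000000",
};

// Return an anonymised deep copy; the input is left untouched. With
// scrubFreeText=false the free-text field is skipped, to show the leak.
function anonymiseOrder(order, now, scrubFreeText = true) {
  const out = JSON.parse(JSON.stringify(order));
  for (const f of PERSONAL_FIELDS) {
    if (f in out) out[f] = f === "customer_id" ? null : "[anonymised]";
  }
  if (scrubFreeText) {
    for (const f of FREE_TEXT_FIELDS) if (f in out) out[f] = "";
  }
  out.anonymised_at = now;
  return out;
}

// Every personal value from the original, so the scrub is checked against
// the data rather than against the field list alone.
function personalValues(order) {
  const vals = [];
  for (const f of [...PERSONAL_FIELDS, ...FREE_TEXT_FIELDS]) {
    if (order[f] !== undefined && order[f] !== null) vals.push(String(order[f]));
  }
  return vals.filter(v => v.length >= 4);        // skip trivially short tokens like "42"
}

// Personal values that still appear anywhere in the serialised record.
function findLeaks(anonymised, originals) {
  const haystack = JSON.stringify(anonymised).toLowerCase();
  return originals.filter(v => haystack.includes(v.toLowerCase()));
}

// The accounting side must be byte-for-byte what it was.
function financialsPreserved(original, anonymised) {
  return FINANCIAL_FIELDS.every(
    f => JSON.stringify(original[f]) === JSON.stringify(anonymised[f]));
}

function demo() {
  const scrubbed = anonymiseOrder(SAMPLE_ORDER, "2024-09-01T00:00:00Z");
  const originals = personalValues(SAMPLE_ORDER);
  const naive = anonymiseOrder(SAMPLE_ORDER, "2024-09-01T00:00:00Z", false);
  return {
    scrubbed,
    leaks: findLeaks(scrubbed, originals),            // [] : full scrub is clean
    naiveLeaks: findLeaks(naive, originals),          // name, phone and the note itself survive
    financialsOk: financialsPreserved(SAMPLE_ORDER, scrubbed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The verification step is the part worth keeping: a scrub that only rewrites known columns is only as complete as that column list, and free-text fields such as order comments are where personal data hides.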
A PII scanner that respects privacy
Scanning for personal data shouldn't create a new data-protection risk. GDPR Pro's PII scanner runs fully on-premise by default — nothing leaves your server. If you switch on optional AI verification to cut false positives, only redacted, hashed snippets are sent, and the module is explicit that the AI provider then becomes a third-party sub-processor you must cover in your processing agreement. It uses your own encrypted AI key, and the honest default is off. Compliance tooling that's careful about compliance.
Specifications
| Area | Details |
|---|---|
| Cookie banner | Position, theme, title, message, Reject All and granular preferences; explicit-consent mode; consent versioning |
| Consent log | Audit record of every consent decision, with daily retention cleanup |
| Data export | JSON / XML / CSV; include orders, quotes, addresses and reviews |
| Rectification | Customer-submitted correction requests (Article 16) |
| Erasure | Delete or anonymise orders; optional admin approval; notification email |
| PII scanner | On-premise by default; optional AI verification with hashed snippets and your own key |
| Headless | GraphQL consent config, save consent, and export/deletion/rectification request mutations |
| Delivery & licence | Composer install, per-domain licence key, updates via Composer |
Works with
Part of the AgenticEcom suite for Sales, Customers & Marketing:
Consent gates the tags fired by Analytics & Tag Manager; form consent ties to Custom Forms. Included in the Enterprise bundle.
Frequently asked questions
Does the cookie banner actually block cookies until consent?
With explicit-consent mode enabled, non-essential cookies stay off until the customer opts in — the GDPR standard. The banner offers Reject All and a granular preferences panel, and every decision is logged.
Can customers request their data or deletion themselves?
Yes. From their account they can request a data export, ask for corrections, or request deletion. You manage every request from an admin grid, with optional approval before any data is removed.
If I delete a customer, do I lose their order history for accounting?
Not if you choose anonymisation. Instead of hard-deleting, orders are kept but personal data is scrubbed, so the financial record stays valid for tax and accounting while the individual is no longer identifiable.
Does the PII scanner send my data to a third party?
No, not by default — it runs entirely on your server. Optional AI verification, which is off unless you enable it, sends only redacted hashed snippets, and the module makes clear the AI provider then counts as a sub-processor under your agreement.
Which Magento and PHP versions are supported?
Magento Open Source 2.4.9 and later 2.4.x, verified on PHP 8.4 and 8.5.

