Magento (rebranded Adobe Commerce since 2018) is a leading open-source e-commerce platform written in PHP. Magento Open Source can be self-hosted on EU infrastructure for full GDPR control, while Adobe Commerce Cloud offers managed hosting on AWS Frankfurt or Dublin. Magento sets first-party cookies for the cart, session and checkout. Marketing cookies added through extensions or the integrated Adobe Analytics tag require prior consent.
Magento was created in 2008 by Varien, acquired by eBay in 2011, then by Adobe in 2018 for 1.68 billion USD. Since 2021 the platform has existed as Magento Open Source (free, community), Adobe Commerce (paid, with B2B and headless features) and Adobe Commerce Cloud (managed PaaS on AWS). The community fork Mage-OS continues the open-source lineage independently. Magento powers around 200,000 active stores worldwide and remains the dominant choice for mid-market and enterprise e-commerce in the EU.
Magento is a server-side PHP application running on Apache or Nginx with MySQL or MariaDB as the database. The storefront serves rendered HTML and uses Knockout.js for the cart and checkout. Customer state is persisted in PHP sessions backed by Redis or the database, and a small set of first-party cookies ties the browser to the session. Adobe Commerce Cloud automates the deployment on AWS with auto-scaling and a Fastly-based CDN.
Strictly necessary cookies set by core Magento include PHPSESSID (PHP session, session), form_key (anti-CSRF, session), private_content_version (cache invalidation, 1 year), mage-cache-storage (cart cache, session), mage-messages (storefront messaging, session) and X-Magento-Vary (cache vary key, session). Customer authentication adds persistent_shopping_cart (1 year). Marketing extensions and integrated tags (Adobe Analytics, Google Analytics, Meta Pixel) add their own cookies that require consent.
The strictly necessary checkout cookies are exempt from the Art. 5(3) ePrivacy consent requirement because they are necessary to provide the requested service (the contract). Marketing, analytics and personalisation cookies added through extensions or the integrated Adobe Analytics tag always require prior consent. The persistent_shopping_cart cookie sits in a grey area: most regulators accept it as strictly necessary if the visitor explicitly opted in to the Remember me feature.
Install a CMP that natively integrates with Magento (Cookiebot, CookieFirst, Klaro for Magento, Amasty Cookie Notice, MageWorx Cookie Manager). Configure the storefront layout XML so every marketing tag is wrapped behind the consent state. Use the built-in Magento GDPR features (Customer Privacy module: data export, anonymisation, Right to Erasure workflow) to satisfy data subject requests. Adobe Commerce Cloud customers get the Adobe Privacy Service for the Right to Erasure across the Marketing Cloud.
Self-hosted Magento on EU infrastructure has zero third-country transfer for the storefront itself. Adobe Commerce Cloud customers can choose AWS Frankfurt or Dublin to keep all data in the EU. Adobe is certified under the EU-US Data Privacy Framework, and the Master Subscription Agreement includes Standard Contractual Clauses as a fallback. Always check that the third-party extensions you install do not silently transfer data to the US.
Choose AWS Frankfurt or Dublin if you use Adobe Commerce Cloud. Sign the Adobe Customer DPA. Install a CMP integrated with Magento and gate every marketing tag behind it. Enable the Magento Customer Privacy module to handle data subject requests. Document Adobe Inc as a processor in your Article 30 register if you use Adobe Commerce Cloud. Audit every third-party extension before installation to confirm its data flows.
Websites using Magento must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the Magento platform itself when used as an e-commerce store. A DPIA may be triggered by the marketing extensions (advertising pixels, recommendation engines, fraud scoring) installed from the Adobe Commerce Marketplace if those involve large-scale profiling.
Sample consent text
We use cookies and similar technologies to operate this store. Cookies that are strictly necessary for the cart, checkout and security are always active. Marketing, analytics and personalisation cookies require your consent. You can change your choice at any time via the Cookie preferences link in the footer.
Third-party domains contacted
magento.com
adobe.com
mage-os.org
(merchant controlled storefront domain)
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first_party | session | PHP server session cookie that links the visitor's browser to the Magento application session. Strictly necessary. |
| form_key | first_party | session | Anti-CSRF token used to protect form submissions. Strictly necessary. |
| mage-cache-storage | first_party | session | Local storage cache for the cart and customer state. Strictly necessary. |
| private_content_version | first_party | 1 year | Used by the full page cache to invalidate private blocks (cart count, mini cart). Strictly necessary. |
| X-Magento-Vary | first_party | session | Cache vary key used by Varnish or the built-in full page cache to serve the correct customer-specific page. Strictly necessary. |
| persistent_shopping_cart | first_party | 1 year | Restores the customer's cart and address when the visitor returns from the same browser. Requires consent unless the visitor opted in to Remember me. |
Magento uses cookies for user preferences — inform visitors with a consent banner.
Strictly necessary first-party cookies on the merchant domain: PHPSESSID, form_key, mage-cache-storage, private_content_version, X-Magento-Vary (all session). The customer Remember me feature adds persistent_shopping_cart (1 year). Marketing extensions and integrated tags add their own cookies that fall outside the strictly necessary scope.
The strictly necessary checkout cookies do not require consent under the Art. 5(3) ePrivacy exemption. Marketing, analytics and personalisation cookies installed via Magento extensions or the integrated Adobe Analytics tag always require prior consent.
Performance of contract (Art. 6(1)(b) GDPR) for cart, checkout and customer account management. Legal obligation (Art. 6(1)(c)) for invoicing and tax records. Legitimate interest (Art. 6(1)(f)) for security and fraud prevention. Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for marketing tags.
Self-hosted Magento on EU infrastructure does not transfer any data outside the EU. Adobe Commerce Cloud customers can choose AWS Frankfurt or Dublin to keep data in the EU. Adobe is certified under the EU-US Data Privacy Framework and the Master Subscription Agreement includes Standard Contractual Clauses.
A DPIA is generally not required for the platform itself when used as a standard e-commerce store. A DPIA may be required for marketing extensions (advertising pixels, recommendation engines, fraud scoring) installed from the Adobe Commerce Marketplace if they involve large-scale profiling.
Pick a CMP integrated with Magento (Cookiebot, CookieFirst, Klaro for Magento, Amasty Cookie Notice). Gate every marketing tag behind the consent state. Enable the Magento Customer Privacy module to handle data subject requests. Keep your hosting in the EU (self-hosted or Adobe Commerce Cloud Frankfurt or Dublin) and audit each third-party extension before installation.
Other open-source e-commerce platforms: PrestaShop (France), Sylius (Symfony), Spryker (Germany, headless), OroCommerce (B2B), CommerceTools (Germany, MACH), Shopware (Germany). Hosted alternatives include Shopify, BigCommerce and Salesforce Commerce Cloud.
List the strictly necessary cookies (PHPSESSID, form_key, mage-cache-storage, private_content_version, X-Magento-Vary, persistent_shopping_cart) with their lifetime and purpose. Re-scan after every extension installation or upgrade. Document Adobe Inc as a processor if you use Adobe Commerce Cloud.
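The re-scan described above can be automated by comparing the Set-Cookie headers of a page load with the cookie list on this page. The Python script below is an added example, not Magento or CMP vendor code; the function names, verdict strings and sample headers are constructed for illustration, and the lifetimes are the ones this page documents.

```python
ONE_YEAR = 365 * 24 * 3600

# Name -> longest lifetime this page documents (None = session cookie).
STRICTLY_NECESSARY = {
    "PHPSESSID": None, "form_key": None, "mage-cache-storage": None,
    "mage-messages": None, "X-Magento-Vary": None,
    "private_content_version": ONE_YEAR,
}
CONDITIONAL = "persistent_shopping_cart"  # exempt only with Remember me opt-in

def parse_set_cookie(header):
    """Return (name, max_age or None, has_expires) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    max_age, has_expires = None, False
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.lower() == "max-age" and value.lstrip("-").isdigit():
            max_age = int(value)
        elif key.lower() == "expires":
            has_expires = True
    return name, max_age, has_expires

def audit(headers, consent_given=False, remember_me=False):
    """Classify every cookie a response sets, following this page's rules."""
    verdicts = {}
    for header in headers:
        name, max_age, has_expires = parse_set_cookie(header)
        if max_age is not None and max_age <= 0:
            continue  # deletion header, nothing is stored
        if name in STRICTLY_NECESSARY:
            limit = STRICTLY_NECESSARY[name]
            if limit is None and (max_age is not None or has_expires):
                verdicts[name] = "review: documented as session, set as persistent"
            elif limit is not None and max_age is not None and max_age > limit:
                verdicts[name] = "review: lifetime exceeds documented duration"
            else:
                verdicts[name] = "exempt"
        elif name == CONDITIONAL and remember_me:
            verdicts[name] = "exempt"
        else:  # extension or marketing cookie, or cart cookie without opt-in
            verdicts[name] = "allowed" if consent_given else "violation: set before consent"
    return verdicts

# Constructed sample: headers from a first page load, before any consent choice.
SAMPLE = [
    "PHPSESSID=3f9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "private_content_version=9f2a; Max-Age=31536000; Path=/",
    "X-Magento-Vary=ab12; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "persistent_shopping_cart=tok; Max-Age=31536000; Path=/",
    "_ga=GA1.1.1.1; Max-Age=63072000; Path=/",
]
```

Feed `audit()` the headers captured from a clean browser profile after each extension install or upgrade; any `violation` entry is a cookie that has to be gated behind the CMP or added to the documented list.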