OpenCart is an open source PHP ecommerce platform. The customer self hosts the application, which gives full control over the storage region. The storefront sets strictly necessary session, cart and language cookies. Optional analytics or advertising tags installed via extensions require consent.
OpenCart is a free and open source PHP ecommerce platform launched in 2008. It is distributed under a GPL licence and maintained by OpenCart Limited in Hong Kong with a large worldwide community. The application runs on a standard LAMP stack (PHP, MySQL or MariaDB) and supports themes and a large catalogue of extensions through the OpenCart Marketplace. The customer self hosts on their own infrastructure, which gives full control over the storage region.
By default OpenCart sets PHPSESSID, OCSESSID, currency and language cookies on the storefront. These are strictly necessary to maintain the shopper context, the cart and the localization preferences. The /admin area uses its own authentication cookies. Optional analytics or advertising cookies appear only when the merchant installs the corresponding extension (Google Analytics, Meta Pixel, Klaviyo) or adds custom scripts to the theme.
Strictly necessary cart and session cookies fall under the Article 5(3) ePrivacy carveout. Article 6(1)(b) GDPR (performance of a contract) covers the order processing flow. Any optional analytics or advertising tag installed via extensions requires prior opt in consent under Article 5(3) ePrivacy. The merchant is the controller of all data managed in OpenCart. There is no SaaS processor since the platform is self hosted.
Self hosted OpenCart does not transfer anything by itself. Pick an EU based hosting provider (OVH, Scaleway, Hetzner, Strato, IONOS, AWS Frankfurt or Ireland) and a CDN with EU presence (Cloudflare with the EU data localization suite, BunnyCDN, Fastly EU) to keep data inside the EEA. Be careful with installed extensions that connect to US APIs (Stripe, PayPal, Mailchimp): each of these adds a separate transfer that must be documented.
Host inside the EU, protect /admin behind an IP allowlist or VPN, enforce strong passwords and consider an OpenCart 2FA extension. Document the deployment in your record of processing activities with hosting provider, retention period for orders and the list of installed extensions. Add a consent banner (OpenCart GDPR cookie law extensions, Cookiebot, CookieFirst) to gate analytics and advertising tags. Implement DSAR flows leveraging the built in OpenCart customer data export available since version 3.0.3.
Websites using OpenCart must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a typical OpenCart shop. It should be considered when the shop processes large volumes of orders with sensitive data, when behavioral analytics extensions are installed, or when the shop integrates with third party advertising platforms. Document the hosting region, the access controls on /admin and the installed extensions in the record of processing activities.
Sample consent text
This shop is powered by OpenCart. OpenCart sets a session and cart cookie that are strictly necessary for the checkout to work. Optional analytics or advertising cookies installed by extensions are activated only after you accept them in the consent banner.
Third-party domains contacted
- opencart.com
- www.opencart.com
- extensions.opencart.com
- cdn.opencart.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first-party | Session | Standard PHP session identifier used by OpenCart to maintain the shopper context across pages. Strictly necessary. |
| OCSESSID | first-party | Session | OpenCart specific session identifier used for cart state and checkout flow. Strictly necessary. |
| currency | first-party | 30 days | Stores the currency selected by the shopper. Strictly necessary for the shopping experience. |
| language | first-party | 30 days | Stores the language selected by the shopper. Strictly necessary for the shopping experience. |
OpenCart uses cookies for user preferences — inform visitors with a consent banner.
Yes. OpenCart sets PHPSESSID, OCSESSID, currency and language cookies on the storefront. These are strictly necessary for the cart, checkout and localization. Optional analytics and advertising cookies appear only when the merchant installs the corresponding extension.
No consent is required for the strictly necessary cart, session and language cookies. Prior opt in consent is required for any analytics or advertising cookie added via extensions or theme customization.
Article 6(1)(b) GDPR (performance of a contract) for order processing, Article 6(1)(f) (legitimate interest) for the strictly necessary cookies, Article 6(1)(a) (consent) for optional tracking tags. The merchant is the controller; the hosting provider acts as processor for the infrastructure.
Self hosted OpenCart does not transfer anything by itself. The merchant chooses the hosting provider and the CDN. Pick EU based providers to keep data inside the EEA. Be careful with installed extensions that connect to US APIs (Stripe, PayPal, Mailchimp): each adds a separate transfer.
A DPIA is not generally required for a typical shop. It is recommended when large volumes of personal data are processed, when behavioral analytics extensions are installed, or when the shop integrates with third party advertising platforms.
Host inside the EU, protect /admin behind an IP allowlist or VPN, enforce strong passwords and 2FA, document the deployment in your RoPA, add a consent banner via an OpenCart GDPR extension and implement DSAR flows via the native customer data export available since version 3.0.3.
Other open source ecommerce platforms include WooCommerce (WordPress), PrestaShop (France), Shopware (Germany), Magento Open Source, Sylius, Saleor and Drupal Commerce. For hosted solutions consider Shopify, BigCommerce, Lightspeed eCom and Wix Stores.
List the strictly necessary OpenCart cookies (PHPSESSID, OCSESSID, currency, language) in your cookie disclosure with purpose and duration. Add an entry for each installed extension or theme script with retention and any third country transfer information.
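One way to check a storefront against that disclosure, as an added example (not part of the original page and not OpenCart code): it compares `Set-Cookie` headers with the cookie table above and flags cookies that are undisclosed or outlive their declared duration. The sample headers are constructed, and `audit` and `lifetime_seconds` are illustrative names.

```python
from http.cookies import SimpleCookie

DAY = 86400
# Names and durations taken from the page's cookie table; None = session cookie.
DISCLOSED = {"PHPSESSID": None, "OCSESSID": None,
             "currency": 30 * DAY, "language": 30 * DAY}

# Constructed sample headers, as a storefront with one analytics tag might send.
SAMPLE = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "OCSESSID=f00d; Path=/; HttpOnly; SameSite=Lax",
    "currency=EUR; Max-Age=2592000; Path=/",
    "language=en-gb; Max-Age=31536000; Path=/",
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",
]


def lifetime_seconds(morsel):
    """Return the cookie lifetime in seconds, or None for a session cookie.

    Assumption: persistent cookies carry Max-Age; an Expires-only cookie is
    treated as persistent with unknown (infinite) lifetime.
    """
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        return float("inf")
    return None


def audit(set_cookie_headers):
    """Map each cookie name to 'ok', 'lifetime-mismatch' or 'undisclosed'."""
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            life = lifetime_seconds(morsel)
            if name not in DISCLOSED:
                # Needs a disclosure entry and, if non-essential, consent gating.
                result[name] = "undisclosed"
            elif life is None:
                result[name] = "ok"  # session cookies never exceed a disclosure
            elif DISCLOSED[name] is None or life > DISCLOSED[name]:
                result[name] = "lifetime-mismatch"
            else:
                result[name] = "ok"
    return result


if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE).items():
        print(f"{cookie:10} {verdict}")
```

Run it against headers captured before any consent is given: anything reported as `undisclosed` at that point is being set without the prior opt in described above.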