
Cookie Consent on Joomla: What Core Doesn't Do

Joomla ships privacy tools (a data-request dashboard and a Privacy Consent plugin), but none of it is a cookie banner. Core won't stop a single analytics cookie on page load. Here's how to add real consent.

Joomla added a set of privacy tools back in version 3.9, and they're still in Joomla 4 and 5. There's a privacy dashboard for handling data requests, and a Privacy Consent plugin that records when users agree to your policy. Useful features, but none of them is a cookie banner. Joomla core will not stop a single analytics cookie from firing when a page loads.

What Joomla core privacy tools actually cover

Two core pieces get confused with cookie consent, and neither is a cookie consent tool (see the Joomla Privacy documentation):

  • The Privacy component (com_privacy) and dashboard, found under the Users menu, handle data subject requests. A visitor asks to export or delete their personal data, and an admin moves the request from pending to confirmed to completed.
  • The System - Privacy Consent plugin adds a consent box when people submit data, so a new registrant has to agree to your privacy terms. It records the date and IP of that agreement.

Both are about consent to process personal data. Neither blocks a cookie, categorizes trackers, or shows a cookie banner. For that, Joomla sends you to extensions.

Choosing an extension that actually blocks

The Joomla Extensions Directory has a Cookie Control category, and the options vary a lot in what they do. A few that block, rather than merely notify:

  • n3t Cookie Consent stops JavaScript cookies from being stored until consent, and auto-describes cookies using the Open Cookie Database.
  • Concord ships an automatic detection and blocking engine for scripts, cookies, and iframes, with logging.
  • GDPR by J!Extensions Store manages cookies and resources and is built around Google's Consent Mode.

Here's the warning that matters: plenty of Joomla cookie extensions only display a notice bar and block nothing. A bar that appears while your cookies are already set is the exact failure regulators penalize, so confirm any extension actually holds scripts before it shows the banner.

Where consent code goes in Joomla

To load a consent script, you need it in the site's <head> before any analytics or marketing tag. In Joomla you can edit your template's index.php, use a template that exposes a custom head-code field, or install a small system plugin that injects code into the head. Whatever the method, order decides whether blocking works: the consent script must run before the tags it governs.

<!-- Head: load the consent script FIRST, before any tag -->
<script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>

Route your analytics and marketing tags through Google Tag Manager, and set Consent Mode defaults to denied for EEA and UK traffic. Google has required Consent Mode v2 for those regions since March 2024.
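A sketch of those denied-by-default settings, added here as an example and not taken from CookieBeam's or Google's own code. It uses the standard gtag Consent Mode v2 signals; the `onConsentChange` callback and the `marketing` category name are assumptions standing in for whatever your consent tool exposes.

```javascript
// EEA (27 EU states plus IS, LI, NO) and the UK, as ISO 3166-1 alpha-2 codes.
const EEA_UK = [
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "IS", "LI", "NO", "GB",
];

globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Deny all four Consent Mode v2 signals for EEA/UK visitors until the CMP says otherwise.
function setConsentDefaults() {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    region: EEA_UK,
    wait_for_update: 500, // ms to wait for the CMP's update before tags act on the default
  });
}

// Hypothetical CMP callback: translate accepted categories into a consent update.
// "analytics" matches the page's data-category; "marketing" is an assumed name.
function onConsentChange(accepted) {
  const ads = accepted.includes("marketing") ? "granted" : "denied";
  gtag("consent", "update", {
    analytics_storage: accepted.includes("analytics") ? "granted" : "denied",
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  });
}

// Must run in <head> before the Google Tag Manager snippet.
setConsentDefaults();
```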

Where trackers sneak into a Joomla site

Before you can gate cookies, you have to know where they come from, and on Joomla they enter from several directions. Many templates ship a Google Analytics field in their options, so a tracking ID gets pasted there and fires site-wide with no consent hook. Third-party modules and plugins (a chat module, a social-share plugin, an embedded map) each load their own scripts. Performance plugins like JCH Optimize can combine and move scripts around, which occasionally changes load order in ways that break a fragile blocking setup, so test after enabling one. And multilingual Joomla sites add their own wrinkle: if you run content in several languages through Joomla's language associations, the banner has to appear in the right language for each visitor. A consent tool that detects the visitor's location and language, then serves the matching banner and legal rules, saves you from maintaining a separate banner per language.

Blocking scripts with a CMP

A CDN-loaded consent platform gives you one gate over every tag, whichever extension or module put it there. CookieBeam holds a tag until consent when you set its type to text/plain and add a data-category:

<!-- Before -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>

<!-- After: waits for the visitor to accept "analytics" -->
<script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>

It also scans your published pages to keep the cookie policy in sync and stores a timestamped consent record, which is what you need to demonstrate consent under Article 7 of the GDPR.
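To check both the head-order rule and the `text/plain` gating on a rendered page, here is a small audit added as an example (not CookieBeam's or Joomla's code). It assumes the `text/plain` approach shown above; the tracker host list and the sample markup are constructed and should be extended for your site.

```javascript
// Loader URL pattern follows the page's snippet; tracker hosts are an assumed starter list.
const CONSENT_LOADER = /^https:\/\/cdn\.cookiebeam\.com\/banner\/[^/]+\/default\/loader\.js$/;
const TRACKER_HOSTS = ["www.googletagmanager.com", "connect.facebook.net"];

// Extract each <script> start tag's attributes, in source order.
function parseScripts(html) {
  const scripts = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    scripts.push(attrs);
  }
  return scripts;
}

// Flag tracker scripts that are not held back, noting whether they precede the loader.
// Checks source order only; inline scripts and async timing are out of scope.
function auditHead(html) {
  const findings = [];
  let loaderSeen = false;
  for (const attrs of parseScripts(html)) {
    const src = attrs.src || "";
    if (CONSENT_LOADER.test(src)) { loaderSeen = true; continue; }
    let host;
    try { host = new URL(src).hostname; } catch { continue; } // inline or relative src
    if (!TRACKER_HOSTS.includes(host)) continue;
    const gated = (attrs.type || "").toLowerCase() === "text/plain" &&
      Boolean(attrs["data-category"]);
    if (!gated) findings.push({ src, issue: loaderSeen ? "ungated" : "ungated-before-loader" });
  }
  if (!loaderSeen) findings.push({ src: null, issue: "no-consent-loader" });
  return findings;
}

// Constructed sample <head>, not taken from a real site.
const SAMPLE_HEAD = `
  <script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
  <script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>
  <script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
  <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
  <script src="/templates/example/js/site.js"></script>`;

console.log(auditHead(SAMPLE_HEAD));
```

Run it against the HTML your Joomla site actually serves (view source, after any optimizer plugin has rewritten it), since that is where a template field or module can reintroduce an ungated tag.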

Reject has to be as easy as accept

A compliant Joomla banner needs more than an accept button. EU regulators expect a reject option that's as visible and easy to use as accept, no pre-ticked category boxes, and plain text on what each category does. Many lightweight Joomla extensions ship accept-only by default, or arrive with categories pre-enabled, and both of those fail the standard. When you configure whichever extension you chose, add a reject button on the first layer, default every non-essential category to off, and make sure the copy names the purposes rather than hiding behind a vague cookie message. See cookie banner dark patterns and the reject-all requirement for the specifics regulators check.

Publish a cookie policy too

A banner without a linked policy is half the job. GDPR and ePrivacy rules expect visitors to read what each cookie does, how long it lasts, and who sets it. Publish a dedicated cookie policy article in Joomla and link it from both the banner and the footer, and see cookie policy versus privacy policy for what belongs where.

Test before you publish

  • Open the site in a fresh private window from an EU IP and check Application › Cookies in the browser's developer tools before clicking. Only strictly necessary cookies should exist.
  • Reject and confirm no _ga or _fbp appears.
  • Accept and confirm the tags load.
  • Re-run an audit after adding any extension or third-party embed.

If you're still deciding whether you need a banner at all, start with do I need a cookie banner, then compare tools in the CMP comparison.
