Adobe Commerce and Magento Open Source both ship a feature called Cookie Restriction Mode. Turn it on and shoppers get a notice bar at the top of the store, and non-exempt cookies wait until they accept. That sounds like a finished consent tool. It isn't one, and treating it like one is how stores end up out of compliance.
The stakes are real. In September 2025 France's CNIL fined SHEIN 150 million euros, partly because trackers fired before any choice and kept running after visitors said no (CNIL). A store that shows a bar but still drops _ga on page load is exactly the pattern that gets penalized.
What Cookie Restriction Mode actually does
Adobe's built-in feature lives in the admin under Stores › Settings › Configuration › General › Web › Default Cookie Settings. Set Cookie Restriction Mode to Yes, save, and flush the cache. Magento then classifies its default cookies as exempt or non-exempt: exempt cookies are the ones the store needs to work (cart, session, form keys), and non-exempt cookies hold until the shopper clicks accept (Adobe Commerce docs).
One nice detail: Adobe's Product Recommendations respects restriction mode. When it's on, recommendations won't store behavioral data in cookies or local storage until the visitor agrees (Adobe docs). So the first-party pieces Adobe controls do behave.
Where the native feature stops
The gaps are what matter for GDPR and the ePrivacy Directive:
- One accept action, no per-category choice. The notice bar is take-it-or-leave-it. EU rules expect separate purposes (analytics, marketing) and a reject that's as easy as accept.
- No consent record. Restriction mode doesn't log who consented, when, or to what. Article 7 of the GDPR says you have to be able to demonstrate consent, and you can't demonstrate what you never stored. See proof of consent.
- No Google Consent Mode v2 signal. If you run Google Ads or GA4 for EEA or UK shoppers, Google has required Consent Mode v2 since March 2024. Restriction mode doesn't emit those signals.
- The policy link can 404. Adobe's own docs warn that if you change the URL key of your privacy policy, the link inside the restriction notice breaks unless you add a URL rewrite.
- Third-party tags aren't governed. Anything added through GTM, a marketplace extension, or theme layout XML fires on render. Restriction mode only manages Magento's own cookies.
Getting real, granular consent on Magento
Two routes close the gap. You can install a marketplace extension (Amasty, Plumrocket, and others publish GDPR cookie modules), or you can embed a consent management platform that loads from a CDN. The embed route keeps the logic off your app servers and works the same across every store view.
For the embed, drop the loader into the store's <head>. In Magento you can add it through Content › Design › Configuration, edit the theme, and use the Scripts and Style Sheets field under HTML Head, or add it to a custom layout XML block. Whatever path you pick, it has to load before GA4, GTM, or any pixel:
<!-- Head: load the consent script FIRST, before any tag -->
<script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>
Then route your analytics and marketing tags through Google Tag Manager and set Consent Mode defaults to denied for EEA and UK traffic. The banner pushes a gtag('consent', 'update', ...) when the shopper accepts.
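The default-then-update sequence described above, written with inline gtag calls instead of a GTM template. This is an added example, not CookieBeam's or Adobe's code. The consent commands and the four signal names are Google's; the category names, `toConsentSignals`, and the `onBannerChoice` hook are assumptions for illustration.

```javascript
// Added example. Place before the GTM/GA4 snippets; also runs under Node.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); } // standard gtag shim

// EEA (EU 27 plus IS, LI, NO) and the UK, as ISO 3166-1 alpha-2 codes.
const EEA_UK = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO', 'GB',
];

// Hypothetical mapping from banner categories to Consent Mode v2 signals.
// Anything the shopper did not explicitly accept stays 'denied'.
function toConsentSignals(accepted) {
  const on = (category) => (accepted.includes(category) ? 'granted' : 'denied');
  return {
    analytics_storage: on('analytics'),
    ad_storage: on('marketing'),
    ad_user_data: on('marketing'),
    ad_personalization: on('marketing'),
  };
}

// 1. Defaults: all four signals denied for EEA/UK visitors until a choice exists.
function setDefaults() {
  gtag('consent', 'default', {
    ...toConsentSignals([]),
    region: EEA_UK,
    wait_for_update: 500, // ms that tags wait for the banner's update
  });
}

// 2. Assumed banner hook: receives the categories the shopper accepted.
function onBannerChoice(acceptedCategories) {
  gtag('consent', 'update', toConsentSignals(acceptedCategories));
}

setDefaults();
```

A reject maps to `onBannerChoice([])`, which pushes an update with every signal still denied.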
Blocking the scripts you control
A CMP that loads first can hold tags until consent, but only if the tags are marked. CookieBeam blocks scripts client-side by type: change a tag's type from text/javascript to text/plain and add a data-category. The runtime executes it only after the shopper opts into that category.
<!-- Before: fires on render, no matter what the banner says -->
<script src="https://cdn.some-analytics.com/tag.js"></script>
<!-- After: held until the shopper accepts "analytics" -->
<script type="text/plain" data-category="analytics" src="https://cdn.some-analytics.com/tag.js"></script>
Consolidating every non-essential tag behind either GTM or the CMP means one gate governs them all, instead of restriction mode covering Magento cookies while a Meta Pixel in a CMS block leaks past it.
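One way to find tags that sit outside the gate, as an added example (not CookieBeam's code): it scans page HTML for third-party scripts that are not held with type="text/plain" plus data-category, and flags any that appear before the consent loader. The function names, the regex-based parsing, and the sample page are assumptions constructed for illustration.

```javascript
// Added example: static audit of server-rendered HTML for third-party scripts
// that run on render. Regex parsing is a simplifying assumption; it cannot see
// tags injected at runtime (for example by GTM), so pair it with a browser check.
const LOADER_HOST = 'cdn.cookiebeam.com'; // host of the loader shown above

function parseAttrs(tag) {
  const out = {};
  const body = tag.replace(/^<script/i, '').replace(/>$/, '');
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return out;
}

function auditScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const visible = html.replace(/<!--[\s\S]*?-->/g, ''); // ignore commented-out tags
  const result = { loaderPresent: false, ungated: [], beforeLoader: [] };
  for (const m of visible.matchAll(/<script\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    if (!a.src) continue; // inline scripts are out of scope here
    const host = new URL(a.src, pageUrl).hostname;
    if (host === pageHost) continue; // assumption: same-host scripts are the store's own
    if (host === LOADER_HOST) { result.loaderPresent = true; continue; }
    const held = (a.type || '').toLowerCase() === 'text/plain' && Boolean(a['data-category']);
    if (held) continue; // inert until the CMP runtime activates it
    result.ungated.push(a.src);
    if (!result.loaderPresent) result.beforeLoader.push(a.src);
  }
  return result;
}

// Constructed sample page (hosts other than the loader are made up).
const SAMPLE = `
<head>
  <script src="https://pixel.example.net/p.js"></script>
  <script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>
  <script src="/static/frontend/requirejs/require.js"></script>
  <script type="text/plain" data-category="analytics" src="https://cdn.some-analytics.com/tag.js"></script>
  <!-- <script src="https://old.example.org/legacy.js"></script> -->
  <script src="https://chat.example.com/widget.js"></script>
</head>`;
```

Every entry in `ungated` should either be moved behind the gate or confirmed to honor Consent Mode (GTM itself will show up here); anything in `beforeLoader` also breaks the load-order requirement.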
Multi-store and multi-language stores
Magento's strength is running several storefronts from one install: multiple websites, store views, currencies, and languages under a single admin. Consent has to follow that structure. A banner that only speaks English defeats the purpose on a German store view, because the EU expects the consent request in a language the visitor understands. When you pick a solution, check that it renders per store view, translates the banner text, and applies your rules to every domain and subdomain the install serves. The native Cookie Restriction Mode message does translate with your locale, but since it's a single notice bar, that's the extent of what it adapts. A CMP that geo-detects the visitor and switches both language and legal framework (opt-in for the EU, opt-out for a US store view) is what keeps a multi-region catalog consistent.
Keep the cookie policy honest
Magento stores collect cookies from more places than most: payment gateways, review widgets, personalization, chat, abandoned-cart tools. A hand-maintained cookie table goes stale the first time a merchandiser installs an extension. This is where scanning earns its place. A CMP crawls your published store views, classifies the cookies it finds, and keeps the policy list in sync. See automated scanning versus manual audits for why the manual approach drifts.
Test before you trust it
- Open the storefront in a fresh private window from an EU IP and check Application › Cookies before clicking anything. Only exempt cookies should exist.
- Click reject and confirm no _ga, _gid, or _fbp appears, and no marketing beacons fire in the Network tab.
- Accept, then confirm the tags load and Consent Mode reads granted.
- Re-run a full audit after installing any extension, since each one can add cookies.
With CookieBeam the loader also holds unknown scripts by default and keeps a timestamped consent record, so a Magento store passes the same checks a dedicated platform would. If you're weighing tools, the CMP comparison and the ecommerce consent guide are the next reads.