Running your store on Magento and need to manage cookies? In this guide, you’ll learn when you need a cookie policy or consent management platform (CMP) for Magento and how to add iubenda’s Privacy Controls and Cookie Solution to your Magento site using the official extension.
Jump directly to How to add iubenda’s Privacy Controls and Cookie Solution to your Magento site.
This guide covers Magento 2.x (Magento Open Source / Community, Magento Commerce / Enterprise, and Magento Commerce Cloud). Magento 1.9 reached end-of-life on June 30, 2020 and is no longer supported, so this guide doesn’t cover it. If you’re still on Magento 1.9, we recommend upgrading to Magento 2 before installing the extension.
Do I need a cookie policy for Magento?
Yes, and here’s why.
If you have EU-based users and your website uses cookies (which it most likely does), you need to manage cookie consents according to the ePrivacy Directive and GDPR. This means you need to block cookie scripts and similar technologies until the user gives consent.
Also, for the consent to be considered valid, you need to make certain disclosures via a cookie banner and link to a more detailed cookie policy. See our getting started guide.
Ecommerce sites like Magento stores also typically process payment, order, and marketing data, which brings additional obligations under privacy laws worldwide. Managing cookie consent properly is a foundational part of that setup.
Need to add a privacy policy to your Magento site? See our Magento privacy policy integration guide.
What the solution supports
When you install the iubenda extension for Magento, you get access to the full feature set of the iubenda cookie management platform:
- Fully customizable cookie banner with options to match your store’s branding and colors
- Automatic cookie policy generation based on the services detected on your site
- Auto-blocking of scripts that install cookies before consent is collected
- Integration with Google Consent Mode v2 (iubenda is a Google-certified CMP)
- Integration with IAB’s Transparency and Consent Framework (TCF v2.3)
- Support for US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, and others)
- Support for the Swiss Federal Act on Data Protection (FADP)
- Support for Brazil’s LGPD
- Granular, per-category consent (e.g. Functionality, Experience, Marketing)
- Geo-detection to limit consent requests to regions where legally required
- Storage of consent proofs for accountability
1. Generate a cookie policy
Before adding the cookie banner, generate a cookie policy for your Magento store. Head over to your iubenda dashboard and click on [Your website] > Privacy and Cookie Policy > Edit. Add each service your store uses (e.g. Google Analytics, payment gateways, embedded videos, social buttons, marketing pixels) so that your cookie policy accurately reflects your data processing activities.
Once your cookie policy is ready, the Privacy Controls and Cookie Solution will automatically link to it from your cookie banner.

If you already host your cookie policy at a custom URL, you can link to it manually in the Privacy Controls and Cookie Solution settings under Edit > Privacy and cookie policy > Edit > Link your own .
2. Add the cookie banner
Not sure what privacy documents you need for your Magento site? Take this quick quiz to see which laws apply to you and your business.
Once you’ve generated and customized your Privacy Controls and Cookie Solution, follow the steps below to install the iubenda extension on your Magento 2.x store. The extension supports Magento Open Source (Community Edition), Magento Commerce (Enterprise Edition), and Magento Commerce Cloud, and works best on PHP 7.4 or later.
Install the extension on Magento 2.x
- “Purchase” our free extension from the Magento Marketplace. Once done, it will appear on your purchases page.
- Connect to the server’s console log using SSH.
- Install our extension with
composer require iubenda/module-cookiesolutioncommand. If you need a version different than the latest release, add the version number to the command, for exampleiubenda/module-cookiesolution:2.2.0. - When requested, use the Magento Marketplace Public key for login and Private key for password (note that you are requested to purchase the extension to continue installation using composer).
- Once the extension is installed, check the status with
php bin/magento module:statuscommand. - The extension should have a disabled status. Enable it with
php bin/magento module:enable Iubenda_CookieSolutionand register it withphp bin/magento setup:upgrade. - If your store is in production mode, compile the build with
php bin/magento setup:di:compile. - Check if the extension is active again with
php bin/magento module:status. If so, purge the cache withphp bin/magento cache:clean.
Configure the extension
Once installation is complete, go to Stores > Configuration > iubenda > iubenda Privacy Controls and Cookie Solution in the Magento admin panel.

In a separate tab, open your iubenda Dashboard and go to [Your website] > Privacy Controls and Cookie Solution > Embed. Copy your Privacy Controls and Cookie Solution JavaScript snippet.
Paste the snippet into the extension configuration in Magento, click Save Config, and then clear the store cache.
Make sure you paste a valid JavaScript snippet. An empty or malformed snippet will prevent the banner from loading.
Once configured, the extension will display the cookie banner to first-time visitors and automatically link to your cookie policy. There’s no need for further code edits on your site.
Block custom scripts from the extension console
The extension includes Custom scripts and Custom iframes fields that let you block third-party scripts and iframes without editing your site’s code.
In the admin panel, go to Stores > Configuration > iubenda > iubenda Privacy Controls and Cookie Solution and scroll to the section titled Custom.

Enter your script or iframe sources as needed, then click Save Config at the top of the page. For example:
- Script: to block a social button that inserts scripts into the page via JavaScript, enter the script source (e.g.
connect.socialwebsite.net/en_US/track.js) into the Custom scripts field. - iframe: to block scripts inserted via an iframe such as
<iframe src="https://www.videowebsite.com/embed/xxFhMChxx">, entervideowebsite.com/embed/into the Custom iframes field. Be careful not to include the component id (e.g.xxFhMChxx) so that all scripts from that source are blocked.
About automatic blocking on Magento
The Magento extension automatically blocks scripts generated on the server side (returned by Magento via PHP). Scripts inserted into the page via JavaScript after the page has loaded aren’t blocked automatically. You can block them by adding their source to the Custom scripts / Custom iframes fields above, or by using the manual tagging method described in the next section.
3. Set up prior blocking of cookie scripts
Few categories of cookies are exempt from the consent requirement. Therefore, almost all scripts that install or can install cookies must be blocked before consent is obtained.
Simplify your cookie-blocking process with auto-blocking
There’s a simpler option available for the prior blocking of cookies and trackers. Our auto-blocking feature automates the process, saving you time and effort.
If you prefer to manually tag your scripts that install or may install cookies, you can still follow the process below for step-by-step instructions and practical examples. However, we highly recommend considering the auto-blocking feature for a more streamlined approach.
Learn more about auto-blocking and how it can simplify your cookie-blocking process.
How to implement prior blocking via manual tagging on your Magento site
Manual tagging is the method of prior blocking we’ll be using for the tutorial below. You can view other methods here.
To set up prior blocking, you need to make some minor changes to your site’s scripts. Here’s what to do:
- Identify the script/iframe for any additional services running on your store (e.g., a Twitter follow button, a live chat widget, a marketing pixel)
- Add some simple text to the HTML code (we’ll show you how below)
- Save
In this tutorial, we are going to block a Twitter follow button.
Not sure which services you need to block? If you’re using a cookie policy generated by iubenda, the services listed in your cookie policy are most likely the ones you need to modify now.
Step 1: Identify the script
In your Magento admin panel, locate the template, CMS block, or theme file that contains the script you need to modify (search for the service you want to block, in this case, the Twitter follow button).
Common places to look include Content > Blocks, Content > Pages, and your theme’s PHTML files. Open the file or block in the code editor.
Step 2: Modify your script
Now, we’re going to change the script. To do this, we will make 3 simple changes:
- Add this class:
_iub_cs_activateto the script tags, and change the “type” attribute fromtext/javascripttotext/plain - Replace the src with
data-suppressedsrcorsuppressedsrc - Specify the categories of the scripts/iframes with a special comma-separated
data-iub-purposesattribute, e.g.data-iub-purposes="2"ordata-iub-purposes="2, 3"
More about categories and purposes
Purposes are your legal reasons for processing the particular type of user data. Different scripts on your site will fall into different categories and serve different purposes. For example, Google Analytics may be used for Measurement, while the Pinterest button may be used for Experience (Purpose 3 below). Purposes are grouped into 5 categories, each with an id (1, 2, 3, 4, and 5):
- Necessary (id:
1) - Functionality (id:
2) - Experience (id:
3) - Measurement (id:
4) - Marketing (id:
5)
For even more detailed info on categories and purposes, see our guide here.
Let’s take the Twitter follow button as an example:
We need to 1. Add the class and change the “type” attribute, 2. replace the src and 3. specify the categories.
The code structure should look like this:
<p>Twitter follow button:</p>
<!-- please note type="text/plain" class="_iub_cs_activate" data-suppressedsrc="..." (manual tagging) and data-iub-purposes="3" (per-category consent) -->
<a href="https://twitter.com/iubenda" class="twitter-follow-button" data-show-count="false">Follow @iubenda</a>
<script async type="text/plain" class="_iub_cs_activate" data-suppressedsrc="https://platform.twitter.com/widgets.js" data-iub-purposes="3" charset="utf-8"></script>
If you’d rather wrap a block of code (for example, an inline script or an iframe embedded in a CMS block) instead of tagging individual attributes, you can use the wrapping comments recognized by the Magento extension:
<!--IUB-COOKIE-BLOCK-START-->
<script>
(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.socialwebsite.net/en_US/sdk.js#xfbml=1&version=v2.3&appId=808061959224601";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'socialwebsite-jssdk'));
</script>
<!--IUB-COOKIE-BLOCK-END-->
To wrap HTML, IMG, or IFRAME elements:
<!--IUB-COOKIE-BLOCK-START-->
<iframe src="...
<img src="...
<!--IUB-COOKIE-BLOCK-END-->
If you’ve enabled the per-category consent feature, assign the purpose (in this example, the “Experience” purpose, id 3):
<!--IUB-COOKIE-BLOCK-START-PURPOSE-3-->
<script>
...
</script>
<!--IUB-COOKIE-BLOCK-END-PURPOSE-3-->
To stop automatic parsing/replacing on an iframe or script that contains a defined src:
<!--IUB-COOKIE-BLOCK-SKIP-START-->
<script type="text/javascript">...</script>
<!--IUB-COOKIE-BLOCK-SKIP-END-->
Step 3: Save
Save your template, CMS block, or theme file, then clear the Magento cache (php bin/magento cache:clean or System > Cache Management > Flush Cache) so that your changes appear on the storefront.
Not sure if you’ve set up correctly? Check out the live example and FAQs below.
Live example
This is an example that shows everything we have described above. You can use this CodePen as a guide to see what happens before and after blocking scripts via manual tagging.
To demonstrate the cookie blocking feature, we’ve embedded a YouTube video and a Twitter follow button:
Follow @iubenda
Both scripts are blocked through manual tagging. Since both the YouTube video widget and the Twitter follow button are part of the Experience purpose (id 3), we’ve added data-iub-purposes="3" to their scripts so that the Privacy Controls and Cookie Solution can properly identify them for release.
Click on the Accept button, or just activate the “Experience” toggle, to release these scripts (refresh the page to return to the starting point).
How can I tell if I’ve set prior blocking up properly?
As you can see in the CodePen example, the YouTube and Twitter scripts do not load if you do not consent. (You can test this again by opening this link in incognito mode in your browser.)
After you have saved your changes and cleared the Magento cache, open your store in incognito mode and check if the scripts you have blocked via manual tagging stay blocked until you consent.
For other blocking options, see Google Consent Mode as an alternative to prior blocking, Google Tag Manager to simplify the blocking of cookies, or the IAB Transparency & Consent Framework and how to enable it.
Good to know: Magento-specific considerations
Keep these points in mind when using Privacy Controls and Cookie Solution on Magento:
- Clear the cache after every change. Magento aggressively caches configuration and content. After updating the iubenda snippet, editing a template, or tagging a script, run
php bin/magento cache:clean(or use System > Cache Management > Flush Cache) so that your changes appear on the storefront. - Automatic vs. dynamic scripts. The extension automatically blocks server-side scripts rendered by Magento (via PHP). Scripts injected into the page via JavaScript after page load aren’t blocked automatically. Use the Custom scripts / Custom iframes fields, or the manual tagging method, to cover those.
- Production mode. If your store runs in production mode, remember to run
php bin/magento setup:di:compileafter enabling the extension, and to redeploy static content when required. - Google Tag Manager on Magento. If you manage marketing pixels and analytics through GTM, you can load the iubenda snippet through GTM instead. This gives you centralized control over all your tags and works well with Google Consent Mode.
- Magento 1.9 isn’t supported. Magento 1.9 reached end-of-life on June 30, 2020. Running a live store on an unsupported version poses security and compliance risks. If you’re still on Magento 1.9, we recommend upgrading to Magento 2 before installing the extension.