E-commerce compliance
WooCommerce: your cookies are overcooked
You dropped in a banner, mentally ticked the "compliant" box, and went back to selling. The trouble is that in most of the stores we audit, that banner is about as useful as a fire extinguisher painted on a wall: it reassures, it saves nothing.
You did what everyone does. The problem is that "everyone" is getting it wrong. The good news, though: it's almost never WooCommerce's fault. And it's fixable.
The truth in two sentences
Vanilla WooCommerce is not breaking the law with its cookies: cart and session are generally defensible as "strictly necessary." The mess starts when you stack analytics, ad pixels, retargeting, heatmaps and cart recovery on top — and all that gear fires before the visitor has said yes.
Translation: the culprit isn't the cash register, it's the trackers you taped onto it.
What goes wrong in a "dressed-up" WooCommerce cart
The "honest" WooCommerce cookies
WooCommerce sets functional cookies — woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_ — to track the cart and recover it server-side. They don't directly contain personal data.
And that's where you get caught: "no personal data in the cookie" doesn't mean "outside GDPR." A unique identifier tied behind the scenes to a cart, an account or an order helps identify a person. GDPR, in fact, ranks online identifiers — cookies included — among the things that make someone identifiable. The cookie plays innocent; the server knows exactly who you are.
In plain terms:
- woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_ → strictly necessary, no opt-in, as long as they aren't quietly feeding marketing.
- woocommerce_recently_viewed → suspect by default. If it feeds recommendations, retargeting or a third-party tool, treat it as non-essential.
On the WordPress side, same logic: authentication cookies (necessary), but comment cookies (comment_author_*) kept for nearly a year and utterly useless to a purchase. To be declared, or shown the door.
The European rulebook: two locks, one key isn't enough
In Europe, you don't control one door but two:
- Setting or reading the tracker falls under ePrivacy (in France, Article 82 of the Data Protection Act) — even if the cookie contains no personal data at all.
- What you do with the data collected falls under GDPR.
The foundation hasn't moved, and it's merciless toward the clever ones: continuing to browse is not consent; you need a clear affirmative act; and any maneuver short of a plain "yes" — closing the banner, say — counts as a refusal. Above all, refusing must be as easy as accepting. The old trick of a neon-green "Accept" button and a "Reject" buried three submenus down is over.
Some trackers are exempt (cart, authentication, security, and a tightly framed audience measurement). But — a detail many forget — exempt does not mean invisible: you still have to tell users about them.
The CNIL put out an FAQ on April 29, 2026 and is working on "multi-device" then "multi-property" consent (the same consent valid across several sites in one group). These are clarifications and works in progress, not a new law that would make your store illegal overnight. When an article sells you "THE new 2026 cookie regulation" in block capitals, keep one hand on your wallet: the basis is still GDPR + ePrivacy + CNIL guidelines.
And the new ePrivacy? The famous regulation that was supposed to replace the directive has been dropped — buried after years of negotiation. Simplification proposals are circulating (the "Digital Omnibus"), but a proposal is not a law. Don't legislate your site on the conditional tense.
The 7 plagues of non-compliant WooCommerce
- Labeling everything "necessary." The cart, fine. Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Criteo, Google Ads and affiliate tracking, absolutely not. "Necessary" is not a synonym for "handy for my marketing."
- The sneaky banner. "Accept all" in large type, refusal in tiny print, pre-ticked boxes, and no proof of consent. The kind of design politely called a dark pattern, and impolitely a con.
- Firing before the starting gun. The all-time classic: Tag Manager, Meta Pixel and analytics go off before the click. The banner then shows up like the fire brigade after the blaze.
- Retargeting. Abandoned cart, behavioral re-engagement, ad audiences, conversion pixels → consent required. Chasing a customer across the web with the shoes they looked at yesterday is something you ask for politely.
- "Grey" analytics. Audience measurement can be exempt, but under tight conditions (limited purpose, no cross-site tracking, no cross-referencing, no resale). Plenty of GA4 setups miss this and know it.
- The greedy CAPTCHA. Necessary for security, it can be exempt; but if the provider helps itself along the way for its own business, consent is back on the table.
- Fake "first-party." Routing a third-party tracker through your own subdomain doesn't make it honest — it disguises the tracker, it doesn't absolve it, and it adds a security risk for good measure.
Beyond the banner: privacy for real
Three blind spots that cost dearly:
- Session security: HTTPS, properly set Secure, HttpOnly and SameSite attributes, plugins kept up to date. A poorly protected session cookie is a key under the doormat.
- Caching: Cart, My Account and Checkout out of cache, period. Otherwise you risk serving one customer's cart — or worse, their details — to another. WooCommerce says this loudly enough.
- Plugins: payment, shipping, CRM, newsletter, reviews, anti-fraud… each can hose down third parties with data. To be audited one by one.
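The first two blind spots are checkable from response headers alone. The following Node.js script is an added example (not WooCommerce's or the article's own code): it takes response records of the kind a crawler or the browser's Network tab gives you and flags a session cookie missing Secure, HttpOnly or SameSite, and a cart, checkout or account page that a cache is allowed to store. The page paths, cookie prefixes and both sample responses are assumptions constructed for the example.

```javascript
// Added example: audit HTTP responses for session-cookie attributes and caching of
// cart/checkout/account pages. All sample data below is constructed.

// Pages that must never come out of a shared cache (assumed default WooCommerce slugs).
const UNCACHEABLE_PATHS = ["/cart/", "/checkout/", "/my-account/"];

// Cookies carrying a WooCommerce session or a WordPress login.
const SESSION_COOKIE_PREFIXES = ["wp_woocommerce_session_", "wordpress_logged_in_", "wordpress_sec_"];

// Parse one Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(";").map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf("="));
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

function isSessionCookie(name) {
  return SESSION_COOKIE_PREFIXES.some((prefix) => name.startsWith(prefix));
}

// Returns the list of findings for one response; an empty list means nothing to flag.
function auditResponse(response) {
  const findings = [];
  const url = new URL(response.url);
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;

  if (url.protocol !== "https:") findings.push(`${url.pathname}: served over plain HTTP`);

  // A session cookie without Secure/HttpOnly/SameSite is the "key under the doormat".
  const setCookies = [].concat(headers["set-cookie"] || []);
  for (const raw of setCookies) {
    const { name, attributes } = parseSetCookie(raw);
    if (!isSessionCookie(name)) continue;
    if (!("secure" in attributes)) findings.push(`${name}: missing Secure`);
    if (!("httponly" in attributes)) findings.push(`${name}: missing HttpOnly`);
    const sameSite = String(attributes["samesite"] || "").toLowerCase();
    if (sameSite !== "lax" && sameSite !== "strict") findings.push(`${name}: SameSite not Lax/Strict`);
  }

  // Cart, checkout and account pages must tell caches to keep their hands off.
  if (UNCACHEABLE_PATHS.some((p) => url.pathname.startsWith(p))) {
    const cc = String(headers["cache-control"] || "").toLowerCase();
    if (!cc.includes("no-store") && !cc.includes("private")) {
      findings.push(`${url.pathname}: cacheable (Cache-Control: "${cc || "absent"}")`);
    }
  }
  return findings;
}

function auditAll(responses) {
  return responses.map(auditResponse);
}

// Constructed sample: one sloppy checkout response, then the hardened version of it.
const SAMPLE_RESPONSES = [
  {
    url: "https://shop.example/checkout/",
    status: 200,
    headers: {
      "Cache-Control": "max-age=3600, public",
      "Set-Cookie": ["wp_woocommerce_session_abc=t_deadbeef; Path=/"],
    },
  },
  {
    url: "https://shop.example/checkout/",
    status: 200,
    headers: {
      "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
      "Set-Cookie": ["wp_woocommerce_session_abc=t_deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax"],
    },
  },
];

for (const findings of auditAll(SAMPLE_RESPONSES)) {
  console.log(findings.length ? findings.join("\n") : "OK");
}
```

Run it against exported HAR entries or the output of a crawler and you get a per-page list of what to fix; the first sample response produces four findings, the second none.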
Selling abroad? Welcome to the regulatory Tower of Babel
The moment you cross a border, you're no longer playing by one rule but four — and they don't ask for the same thing at the same moment. The painful nuance: being compliant in Paris protects you neither in Sacramento nor in Montreal.
Before the first click, who's allowed to fire?
🇪🇺 European Union — the strictest sheriff
Opt-in model: nothing non-essential before clear consent, and a refusal as easy as a "yes." It's the reference regime, the one others look to — often copying the copy. If you're squared away here, you've already done the hard part.
🇩🇪 Germany — Europe, the double-lock perfectionist edition
Opt-in too, but Germany never does anything by halves: two laws in parallel, the TDDDG (formerly TTDSG, § 25, for setting the cookie) and the DSGVO (the local GDPR, for using the data). A legal basis in duplicate, then.
The banner must show Accept and Reject as equals on the very first screen (DSK guidance). And the bill stings: up to €300,000 per breach under the TDDDG, on top of the GDPR ceilings.
A local novelty, the EinwV (in force since April 1, 2025) creates recognized consent services — the user sets their preferences once, participating sites respect them. The idea is to stem the banner deluge. It's optional: nobody is forced to plug into it.
Several vendors are waving around a June 19, 2026 deadline imposing a "withdrawal button" on stores serving German consumers. With no primary legal source to confirm it — and because it smells more of consumer law (cancellation/withdrawal) than of cookies — we flag it for you without guaranteeing it. Before you believe it, ask a German lawyer. The conditional tense has never set case law.
🇺🇸 California (CCPA/CPRA) — the odd one out: opt-out
A complete change of logic. California does not demand prior opt-in: it runs on "we tell you, you object." In concrete terms:
- a "Do Not Sell or Share My Personal Information" link;
- honoring the Global Privacy Control (GPC) browser signal as an objection.
New in 2026: new CPPA rules took effect on January 1. Objecting must not take more steps than accepting (the dark pattern hunt has crossed the Atlantic), and the business must confirm that the objection was indeed taken into account, GPC included. All of it targets businesses above ~$26.6M in revenue, or processing 100,000+ Californians, or deriving 50%+ of their revenue from selling data.
🇨🇦 Quebec (Law 25) — Europe speaks French too
Law 25 demands express, clear and informed consent before any non-essential cookie — analytics, pixels, third-party scripts included. The purely informational banner and the "by continuing, you accept" line are rejected. On top of that you need privacy by default (non-essential tracking off out of the box) and to keep proof of consent. A salty note if you slip up: up to CA$25M or 4% of worldwide turnover.
The memo to tape above your screen
| Jurisdiction | Model | Before the click | The detail that changes everything |
|---|---|---|---|
| European Union | Opt-in | Nothing non-essential | Reject = as easy as accept |
| Germany | Opt-in | Nothing non-essential | TDDDG + DSGVO; EinwV (optional) |
| California | Opt-out | Cookies tolerated by default | "Do Not Sell" link + GPC + 2026 confirmation |
| Quebec | Opt-in | Nothing non-essential | Privacy by default + proof kept |
Moral: a "Europe only" CMP leaves you exposed in California, and an "American-style opt-out" approach puts you offside in Europe and Quebec alike. You need a geo-adaptive CMP: opt-in for the EU, Germany and Quebec; opt-out + GPC for California. A regulation with variable geometry deserves a banner with variable geometry.
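What "variable geometry" means for the code that loads your tags: the same tracker is gated by a different rule depending on where the visitor is and whether the browser sends Global Privacy Control. The following Node.js script is an added example, not the article's own code and not any CMP vendor's; the jurisdiction codes (EU, DE, QC, CA), the three category names and the shape of the `state` object are assumptions made for it.

```javascript
// Added example: per-category gating decision of a geo-adaptive CMP, plus the
// "proof kept" record. Region codes, categories and the state shape are assumptions.

// Opt-in regimes block everything non-essential until an affirmative act; California's
// opt-out regime tolerates trackers by default but must honour an objection or GPC.
const MODEL_BY_JURISDICTION = { EU: "opt-in", DE: "opt-in", QC: "opt-in", CA: "opt-out" };
const NON_ESSENTIAL = ["analytics", "marketing"];

// state = {
//   jurisdiction: "EU" | "DE" | "QC" | "CA" | anything else,
//   gpc: boolean,                 // navigator.globalPrivacyControl in the browser, Sec-GPC: 1 on the wire
//   choice: null                  // banner not yet answered
//         | "dismissed"           // banner closed without answering
//         | "accept_all" | "reject_all"
//         | { analytics: boolean, marketing: boolean }   // granular choice
// }
// Returns the set of categories whose scripts may run right now.
function allowedCategories(state) {
  // An unknown or missing region falls back to the strictest model.
  const model = MODEL_BY_JURISDICTION[state.jurisdiction] || "opt-in";
  const allowed = new Set(["necessary"]);
  const choice = state.choice;
  const granular = choice && typeof choice === "object" ? choice : null;

  for (const cat of NON_ESSENTIAL) {
    let on;
    if (model === "opt-in") {
      // Only an explicit "yes" opens a category; null and "dismissed" both count as refusal.
      on = choice === "accept_all" || (granular !== null && granular[cat] === true);
    } else {
      // Opt-out: on by default, off after an objection. GPC is treated here as an
      // objection to every non-essential category (a conservative assumption).
      on = !(state.gpc === true || choice === "reject_all" || (granular !== null && granular[cat] === false));
    }
    if (on) allowed.add(cat);
  }
  return allowed;
}

// Gate for a tag loader: call this before injecting a tracker script.
function mayFire(category, state) {
  return allowedCategories(state).has(category);
}

// The "proof kept" item from the checklist. In the opt-out regime the record also
// documents that an objection (GPC included) was taken into account.
function consentRecord(state, now = new Date()) {
  const model = MODEL_BY_JURISDICTION[state.jurisdiction] || "opt-in";
  return {
    recordedAt: now.toISOString(),
    jurisdiction: state.jurisdiction,
    model,
    gpc: state.gpc === true,
    choice: state.choice,
    allowed: [...allowedCategories(state)].sort(),
    objectionHonoured: model === "opt-out" && (state.gpc === true || state.choice === "reject_all"),
  };
}

// Constructed sample states.
const SAMPLE_STATES = {
  euFresh: { jurisdiction: "EU", gpc: false, choice: null },
  deDismissed: { jurisdiction: "DE", gpc: false, choice: "dismissed" },
  qcGranular: { jurisdiction: "QC", gpc: false, choice: { analytics: true, marketing: false } },
  caFresh: { jurisdiction: "CA", gpc: false, choice: null },
  caGpc: { jurisdiction: "CA", gpc: true, choice: null },
  caGranular: { jurisdiction: "CA", gpc: false, choice: { analytics: true, marketing: false } },
};

for (const [label, state] of Object.entries(SAMPLE_STATES)) {
  console.log(label, "->", [...allowedCategories(state)].join(","));
}
```

The point to take from the sample states: a fresh Californian visitor sees the trackers fire, a fresh European visitor sees nothing but the cart, and a Californian whose browser sends GPC is treated like a European who clicked "Reject all". Whatever CMP you buy, its output has to reproduce that table.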
The checklist you verify in the browser (not on trust)
Compliance isn't read in the cookie policy — it's observed in the console (F12 → Application → Cookies, and the Network tab). The rest is literature.
The three-scenario test, in the browser
Before any click:
- Only strictly necessary cookies are set (cart, session, security).
- No GA4, Meta Pixel, Tag Manager, Hotjar or ad pixel has started.
After "Reject all":
- No non-exempt marketing/analytics tracker fires. The refusal blocks the scripts; it doesn't just sweep the banner under the rug.
After "Accept all":
- Only the announced trackers activate. No stowaways.
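The three-scenario test as a script, added here as an example that is not part of the original article: paste in the cookie names you read off F12 → Application → Cookies in each scenario and it reports which rule each one breaks. The strictly-necessary names come from the text; the tracker cookie prefixes (for GA4, Meta Pixel, Hotjar, TikTok, Google Ads) and the declared-cookie list are assumptions for the example, to be replaced by the tools and cookie policy of your own store. All three snapshots below are constructed.

```javascript
// Added example: classify observed cookie names and run the before-click / after-reject /
// after-accept checks. Tracker patterns and sample snapshots are constructed assumptions.

// Strictly necessary per the text (cart, session, login). Anything else needs consent
// unless it is exempt and declared.
const NECESSARY = [
  /^woocommerce_cart_hash$/, /^woocommerce_items_in_cart$/, /^wp_woocommerce_session_/,
  /^wordpress_logged_in_/, /^wordpress_sec_/, /^wordpress_test_cookie$/,
];
// Well-known tracker cookie prefixes (assumed mapping; extend to the tools you actually run).
const TRACKERS = [
  { vendor: "Google Analytics", re: /^_ga/ },
  { vendor: "Meta Pixel", re: /^_fb[pc]$/ },
  { vendor: "Hotjar", re: /^_hj/ },
  { vendor: "TikTok Pixel", re: /^_tt/ },
  { vendor: "Google Ads", re: /^_gcl_/ },
];
// Suspect by default: recently viewed products and comment-author cookies.
const SUSPECT = [/^woocommerce_recently_viewed$/, /^comment_author_/];

function classify(name) {
  if (NECESSARY.some((re) => re.test(name))) return { name, category: "necessary" };
  const tracker = TRACKERS.find(({ re }) => re.test(name));
  if (tracker) return { name, category: "tracker", vendor: tracker.vendor };
  if (SUSPECT.some((re) => re.test(name))) return { name, category: "suspect" };
  return { name, category: "unknown" };
}

// snapshots = { beforeClick: [names], afterReject: [names], afterAccept: [names] }
// declared  = cookie names or prefixes announced in the cookie policy
// Returns one violation object per offending cookie, in scenario order.
function runThreeScenarioTest(snapshots, declared) {
  const violations = [];
  // Scenarios 1 and 2: only strictly necessary cookies may exist.
  for (const scenario of ["beforeClick", "afterReject"]) {
    for (const c of snapshots[scenario].map(classify)) {
      if (c.category === "necessary") continue;
      const reason = c.category === "tracker"
        ? `${c.vendor} fired without consent`
        : `${c.category} cookie set without consent`;
      violations.push({ scenario, cookie: c.name, reason });
    }
  }
  // Scenario 3: everything non-essential that fires must be announced. No stowaways.
  for (const c of snapshots.afterAccept.map(classify)) {
    if (c.category === "necessary") continue;
    if (!declared.some((d) => c.name.startsWith(d))) {
      violations.push({ scenario: "afterAccept", cookie: c.name, reason: "not announced in the cookie policy (stowaway)" });
    }
  }
  return violations;
}

// Constructed snapshots of a store that gets all three scenarios partly wrong.
const SAMPLE_SNAPSHOTS = {
  beforeClick: ["woocommerce_cart_hash", "woocommerce_items_in_cart", "_ga", "woocommerce_recently_viewed"],
  afterReject: ["wp_woocommerce_session_abc", "_fbp"],
  afterAccept: ["_ga", "_ga_ABC123", "_fbp", "_hjSessionUser_1", "woocommerce_cart_hash"],
};
// What the (constructed) cookie policy announces for the "accept" case.
const SAMPLE_DECLARED = ["_ga", "_fbp"];

for (const v of runThreeScenarioTest(SAMPLE_SNAPSHOTS, SAMPLE_DECLARED)) {
  console.log(`${v.scenario}: ${v.cookie} -> ${v.reason}`);
}
```

On the sample data the script reports four violations: GA4 and the recently-viewed cookie present before any click, the Meta Pixel surviving "Reject all", and a Hotjar cookie that fires after "Accept all" without being announced. A clean store returns an empty list for all three scenarios; keep the snapshots from each audit next to the consent record so you can show what fired and when.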
CMP settings:
- "Accept all" and "Reject all" as equals, granular choices, blocking before consent, proof kept, withdrawal as easy as acceptance.
- Geo-adaptation: opt-in (EU / Germany / Quebec) vs opt-out + GPC (California).
- Google Consent Mode v2 active if you use GA4.
- WordPress Consent API leveraged by your plugins (useful — but it doesn't do the job on its own).
Honest paperwork:
- Cookie policy = your real cookies (name, domain, purpose, lifetime, category, controller, third parties, legal basis, transfer outside the EU, withdrawal) — not a generator copy-paste.
- Privacy policy covering the actual WooCommerce processing (account, order, shipping, payment, invoicing, support, reviews, marketing, anti-fraud, retention periods).
- Cart / My Account / Checkout excluded from cache.
- Up-to-date list of processors and transfers outside the EU.
The reigning mistake of 2026 is still the generic privacy policy churned out by a generator, which knows neither your processors, nor your transfers outside the EU, nor your real retention periods. In case of a complaint, it's the first document that gets turned over — and the most damning.
At the checkout
Bare WooCommerce handles cookies just fine. Dressed-up WooCommerce — premium theme, Tag Manager, pixels, analytics, CAPTCHA, reviews, chat, cart recovery — tips quickly into illegality if nothing is audited or blocked before consent. And the moment you cross borders, you're juggling several regimes that politely contradict each other.
No one can certify a site without inspecting its real cookies, its real network requests, its plugins and its CMP. That's precisely what a privacy-respecting analytics tool should let you do: count your visitors without counting you among the offenders.
Does WooCommerce set cookies without consent?
Yes, but only functional cookies — cart (woocommerce_cart_hash, woocommerce_items_in_cart) and session (wp_woocommerce_session_) — generally defensible as "strictly necessary" and therefore exempt from consent. Everything you add on top (Google Analytics, Meta Pixel, TikTok, Hotjar, retargeting) does require prior consent.
Is a cookie banner enough to make WooCommerce compliant?
No. A banner that merely shows a message without blocking the scripts before the click is useless. Compliance is observed in the browser: before any click and after a refusal, only strictly necessary cookies should be present.
Is WooCommerce GDPR-compliant by default?
WooCommerce's core (cart, session) is defensible. GDPR comes into play the moment an identifier is tied to a person or you stack analytics and pixels. Compliance therefore depends on your configuration, your plugins and your CMP, not on WooCommerce alone.
Are the cookie rules the same in the EU, Germany, California and Quebec?
No. The EU, Germany and Quebec run on opt-in (nothing non-essential before clear consent). California runs on opt-out (cookies tolerated by default, with a "Do Not Sell" link and honoring the GPC signal). An international store needs a geo-adaptive CMP.
Is there a new cookie law in 2026?
No. The CNIL published an FAQ on April 29, 2026 and is working on multi-device consent, but these are clarifications, not a new law. The ePrivacy regulation meant to replace the directive has been dropped. The basis remains GDPR + ePrivacy + CNIL guidelines.
Updated June 2026. This article informs; it replaces neither an audit nor a lawyer — two things no cookie banner has ever replaced. Primary sources: CNIL (cookie guidelines and recommendation, April 2026 FAQ), WooCommerce documentation, TDDDG / DSGVO and EinwV (Germany), CCPA/CPRA and 2026 CPPA rules (California), Law 25 (Quebec). Points flagged with a caveat must be validated by a lawyer in the relevant jurisdiction before any decision.