DocumentationCommerceGetting Started

Cookie law compliance

Last update: Fri Jan 30 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Beginner
  • Intermediate
  • Admin
  • Leader
  • User

Cookies are small files that are saved to the computer of each visitor to your site, and used as temporary holding places for information. Information that is saved in cookies is used to personalize the shopping experience, link visitors to their shopping carts, measure traffic patterns, and improve the effectiveness of promotions. To keep pace with legislation in many countries regarding the use of cookies, Adobe Commerce and Magento Open Source offer merchants a choice of methods to obtain customer consent. For a list of the default cookies in Adobe Commerce and Magento Open Source, the Cookie Reference.

NOTE
If you modify the default Google privacy settings to comply with the General Data Protection Regulation, it is not necessary to obtain user consent for the use of Google Analytics cookies.

When cookie restriction mode is enabled, visitors to your store are notified that cookies are required for full-featured operations. Depending on your theme, the message might appear above the header, below the footer, or somewhere else on the page. The message links to your privacy policy for more information, and encourages visitors to click the Allow button to grant consent. After consent is granted, the message disappears.

Your privacy policy should include the name of your store and contact information, and explain the purpose of each cookie that is used by your store. To learn more, see Cookie Reference.

NOTE
If you change the URL key of the privacy policy, you must also create a custom URL rewrite to redirect traffic to the new URL key. Otherwise, the link in the Cookie Restriction Mode message returns 404 Page Not Found.

Example storefront - cookie restriction notice {width="600"}

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left navigation panel under General, choose Web.

  3. Expand the Default Cookie Settings section and do the following:

    Web configuration - default cookie settings {width="600"}

    • Enter the Cookie Lifetime in seconds.

    • If you want to make cookies available to other folders, enter the Cookie Path. To make the cookies available anywhere in the site, enter a forward slash (/). This value can contain only the cookie path, and cannot contain any other cookie parameters.

    • To make the cookies available to a subdomain, enter the subdomain name in the Cookie Domain field (subdomain.yourdomain.com). To make cookies available to all subdomains, enter the domain name preceded by a period (.yourdomain.com). This value can contain only the cookie domain, and cannot contain any other cookie parameters.

    • To prevent scripting languages, such as JavaScript, from gaining access to cookies, make sure that Use HTTP Only is set to Yes.

    • Set Cookie Restriction Mode to Yes.

      If necessary, clear the checkbox and click OK to confirm scope switching.

  4. When complete, click Save Config.

  5. When prompted to update the cache, click the Cache Management link in the system message and refresh each invalid cache.

Step 2: Update your privacy policy

Update your privacy policy so that it reflects the information that your company collects and how it is used.

Default cookies

The default cookies in Adobe Commerce and Magento Open Source are classified as Exempt/Non-Exempt to help merchants meet the requirements of privacy regulations such as the GDPR. Merchants should use this information as a guide, and consult with legal advisors to update their Privacy and Cookie Policies as part of a comprehensive privacy regulation compliance strategy.

The following cookies are used by Commerce “out of the box” for on-premise and cloud installations. These cookies may be required by functionality that is explicitly requested by the customer. To learn more about the lifetime of session cookies, see Session Lifetime.

Some of these cookies may provide configuration options, including enable/disable, as needed.

Requested functionality cookies (exempt)

Name
Type
Description
add_to_cart
Cookie
Adobe Commerce (Adobe Commerce only) Captures the product SKU, name, price, and quantity removed from the cart. Allows Google Analytics to know when a product has been added to a cart.
guest-view
Cookie
Links a guest order to a guest (because there is no account for guest). To maintain system stability, do not disable this cookie.
login_redirect
Cookie
Saves redirect URL to route user if successful login and user registration. Saves the page that a user was on prior to log in (to determine the location they will go back to after they log in).
mage-banners-cache-storage
Local storage
Adobe Commerce (Adobe Commerce only) Local storage for Banner functionality. Stores banner content locally to improve performance. Banner content includes general website assets that display information to a shopper. To maintain system stability, do not disable this cookie.
mage-messages
Cookie
Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper. There is not an option to disable this cookie. This is how one-time information is communicated to the user, such as error messages. To maintain system stability, do not disable this cookie.
product_data_storage
Local storage
Stores configuration for product data used to use “Recently Viewed” and “Compare Products” functions. Stores a user’s specific settings (for example, if they have recently viewed a product or compared products). To maintain system stability, do not disable this cookie.
recently_compared_product
Local storage
Stores product IDs of recently compared products. To maintain system stability, do not disable this cookie.
recently_compared_product_previous
Local storage
Stores product IDs of previously compared products for easy navigation. To maintain system stability, do not disable this cookie.
recently_viewed_product
Local storage
Stores product IDs of recently viewed products for easy navigation. To maintain system stability, do not disable this cookie.
recently_viewed_product_previous
Local storage
Stores product IDs of recently viewed products for easy navigation. To maintain system stability, do not disable this cookie.
remove_from_cart
Cookie
Adobe Commerce (Adobe Commerce only) Allows Google Analytics to know when a product has been removed from a cart.
stf
Cookie
Records the time messages are sent by the SendFriend (Email a Friend) module. When a shopper sends a link to a product, this cookie records a time-stamp and maintains a count.
X-Magento-Vary
Cookie
Indicates when a new version of a page needs to be served from the cache. Supports website performance. To maintain system stability, do not disable this cookie.
form_key
Cookie
A security mechanism that holds a randomly generated value to prevent Cross Site Request Forgery attacks (CSRF) by helping determine whether a request came from a genuine source or a bad actor. This is an industry-standard practice to prevent CSRF attacks. To maintain system stability, do not disable this cookie.
mage-cache-sessid
Cookie
Useful in determining when to clean local storage in the browser after session expiry. This is used to determine if local storage has to be cleaned. The absence of this cookie triggers local storage cleanup. To maintain system stability, do not disable this cookie.
mage-cache-storage
Local storage
Local storage of visitor-specific content that enables e-commerce functions. Unused by default, but when it is used, it’s used to expedite checkout so that basic user information is available when someone leaves and returns. To maintain system stability, do not disable this cookie.
mage-cache-storage-section-invalidation
Local storage
Stores information related to which sections of the page need to be invalidated and removed. To maintain system stability, do not disable this cookie.
mage-cache-timeout
Local storage
Controls how long customer-related data is cached in the browser. When the timeout expires, Magento clears and reloads cached customer sections, such as the cart, wishlist, and customer data. This behavior helps maintain data accuracy and privacy while balancing client-side performance. The timeout value aligns with the configured Cookie Lifetime to maintain consistency with server-side session management.
persistent_shopping_cart
Cookie
Stores the key ID of a persistent cart to make it possible to restore the cart for an anonymous shopper. To maintain system stability, do not disable this cookie.
private_content_version
Cookie
Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server. It is set in multiple places: in PHP, in JavaScript as a cookie, and in JavaScript to local storage. To maintain system stability, do not disable this cookie.
section_data_ids
Cookie
Stores customer-specific information related to shopper-initiated actions, such as wish list display and checkout information. To maintain system stability, do not disable this cookie.
store
Cookie
Tracks the specific store view/locale selected by the shopper. To maintain system stability, do not disable this cookie.
PHPSESSID
Cookie
Tracks user sessions on the storefront. This is the shoppers who use the end-products. To maintain system stability, do not disable this cookie.
admin
Cookie
Tracks user sessions on the Admin side. To maintain system stability, do not disable this cookie.
loggedOutReasonCode
Cookie
Set when an Admin user is locked out after a certain number of unsuccessful password attempts.
section_data_clean
Cookie
Set when a user switches store view. The presence of this cookie triggers JavaScript to reload certain sections on the page to reflect the correct store view. To maintain system stability, do not disable this cookie.
lang
Cookie
Set indirectly by the Admin Analytics module. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
s_fid
Cookie
Set indirectly by the Admin Analytics module. Fallback unique visitor ID time/date stamp. It is used to identify a unique visitor if the standard s_vi cookie is unavailable due to third-party cookie restrictions. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
s_cc
Cookie
Set indirectly by the Admin Analytics module. It is set and read by the JavaScript code to determine if cookies are enabled. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
apt.sid
Cookie
Set by the Gainsight PX library indirectly used by the Admin Analytics module. The purpose of this cookie is to allow persistent session ID tracking under the top-level domain of the product and is used as a reference ID to the active session. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
apt.uid
Cookie
Set by the Gainsight PX library indirectly used by the Admin Analytics module. The purpose of this cookie is to allow persistent ID tracking under the top-level domain of the product and is used as a reference ID to the user entity. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
s_sq
Cookie
Set indirectly by the Admin Analytics module. Used by the ClickMap feature that collects data on where visitors click and what they click. Stores information from each click. Being used only in an administrative area of a store. Not applicable to shoppers. To maintain system stability, do not disable this cookie.
pagebuilder_modal_dismissed
Cookie
Set by the Page Builder Module. Contains a flag that prevents subsequent prompts asking an admin to confirm a certain action from opening if the admin explicitly dismissed them before. Being used only in an administrative area of a store. Not applicable to shoppers.
pagebuilder_template_apply_confirm
Cookie
Set by the Page Builder Module. Contains a flag that prevents subsequent prompts asking an admin to confirm a certain action from opening if the admin explicitly dismissed them before. Being used only in an administrative area of a store. Not applicable to shoppers.
accordion-{VARIABLE}-{VARIABLE}
Cookie
Being used as a part of tabs functionality implementation only in an administrative area of a store. Not applicable to shoppers.

Product Recommendations cookies

Adobe Commerce (Adobe Commerce only) The following cookies are used by Product Recommendations for Adobe Commerce customers. These cookies are installed with the DataServices module.

  • mg_dnt: Allows you to restrict Adobe Commerce data collection if you have custom code to manage cookie consent on your site.
  • user_allowed_save_cookie: Used for cookie restriction mode.
  • authentication_flag: Indicates if a shopper has signed in or signed out. This cookie is updated at the same time as the dataservices_customer_id cookie.
  • dataservices_customer_id: Indicates if a shopper has signed in or signed out. This cookie contains the customer’s unique ID in the system.
  • dataservices_customer_group: Indicates a customer’s group. This cookie is stored as sha1 checksum of the customer’s group ID.
  • dataservices_cart_id: Identifies a shopper’s cart actions. This cookie contains the customer’s unique cart ID in the system.
  • dataservices_product_context: Identifies a shopper’s product interactions. This cookie contains the customer’s unique quote ID in the system.

Product Recommendations local storage data

The following data is saved to local storage for stores using the Luma theme when Live Search or Product Recommendations is installed:

  • ds-cart: Stores cart information for Luma-specific functionality
  • ds-cart-order: Stores order information for cart functionality
  • ds-purchase-history: Tracks customer purchase history
  • ds-view-history-time-decay: Stores product view history with time-based decay
  • ds-logged-in: Indicates customer login status. This data only exists when the customer is logged in and is stored even when cookie restriction mode is enabled. This is the only data that Commerce stores in local storage when cookie restriction mode is enabled, regardless of user consent status.

Additional cookies

Adobe Commerce (Adobe Commerce only) The following cookies are set for Adobe Commerce customers. These cookies are installed with the DataServices module.

  • mg: Set by Snowplow JavaScript tracker. More information can be found in the Snowplow documentation.
  • com.adobe.alloy.getTld: Given the current web page’s hostname, this is the top-most domain that is not a “public suffix” as outlined in https://publicsuffix.org. Essentially, this is the top-most domain that can accept cookies. This cookie is part of the Alloy Web SDK.
  • aep-segments-membership: Contains audience information, such as which segment a shopper belongs to.
recommendation-more-help
31746fd0-1ead-45b5-9192-1aaf582c5f66