GDPR & cookie consent
TitanCart’s built-in GDPR Compliance extension gives you the privacy tools most stores need out of the box: a cookie consent banner, a consent checkbox at checkout, customer data export (“download my data”), and self-service account deletion with a sensible retention hold. It’s a core feature — no separate purchase or external service required.
Note: This extension helps you collect consent and honour data-subject requests, but it isn’t a complete legal solution — you’re still responsible for a genuine privacy policy. If you operate under GDPR, CCPA, or similar rules, get the specifics reviewed by someone qualified.
1. Enable the GDPR Compliance extension
- In wp-admin, go to TitanCart → Extensions → Installed Extensions.
- Find GDPR Compliance in the Built-in Extensions card and set its Status toggle to Active.
- Click the gear icon on that row to open the GDPR Compliance settings page.
The settings page has two sections: Cookie Consent and Data Privacy.
2. Set up the cookie consent banner
In the Cookie Consent section, choose a Cookie consent mode:
- Disabled — no banner is shown at all.
- Implicit (browsing = consent) — the banner is informational, with a single “Accept & Close” button; continuing to browse counts as consent.
- Explicit (must click Accept) — the default. The banner shows both Decline and Accept buttons so the visitor makes an active choice.
Then set the Banner text and the Banner position — Bottom bar (default), Top bar, or Center popup (the popup adds a dimmed overlay).
Note: The visitor’s choice is saved in a cookie for one year, so the banner only shows again after that or if they clear cookies. A “Privacy Policy” link appears in the banner automatically once you set a Privacy Policy page URL (step 3).
3. Link your privacy policy
In the Data Privacy section, set the Privacy Policy page URL (defaults to /privacy-policy). It’s used for the “Privacy Policy” link in both the cookie banner and the checkout consent checkbox, so point it at your published policy page.
4. Add a consent checkbox at checkout
- Require consent checkbox at checkout — on by default. Adds a required checkbox before the Place Order button; customers must tick it to complete their order.
- Consent checkbox label — the text shown (default: “I agree to the processing of my personal data”). Your Privacy Policy link is appended automatically when a URL is set.
5. Let customers download their data
Turn on Allow customers to export their data in the Data Privacy section. A Your Data card with a Download my data button then appears on the customer’s My Account → Profile page.
When the customer clicks it, TitanCart compiles everything it holds about them — profile, saved addresses, order history (including line items), any custom field values, and wishlist — into a single JSON file they can download. This satisfies the GDPR data-portability expectation with a machine-readable copy.
6. Let customers delete their account
Turn on Allow customers to request data deletion. A Delete My Account card then appears on the customer’s My Account → Profile page. (If you’d rather gate it through the older General Settings option, “Show delete account” there also surfaces the same card.)
When a customer confirms deletion, TitanCart does not do a blunt instant wipe. It splits the data by what’s safe to remove now versus what you may still need:
- Immediately: the account is deactivated, the login is removed, and the customer’s profile, saved addresses, wishlist, active cart, and newsletter/marketing data are erased.
- Held, then erased: the personal details attached to their past orders (name, email, billing/shipping address) are kept for a retention window — see step 7 — then automatically anonymized by a daily background job. The order’s amounts, dates, and line items are always retained for your tax records.
If the customer has no orders, or their last order is already older than the retention window, everything is erased immediately. The customer is told when their order data will be erased (e.g. “permanently erased on [date]”). Administrator accounts can’t be deleted through the storefront.
Note: Holding order-linked personal data for a defined window is deliberate. It lets you defend chargebacks and meet legal record-keeping obligations — which GDPR explicitly permits (Article 17(3) allows retention to establish or defend legal claims and to meet legal obligations) — while still honouring the erasure request for everything else right away.
7. Set the data retention hold
The Data retention hold (days) setting controls how long order-linked personal data is kept after a customer’s most recent order before it’s anonymized. The default is 180 days (6 months), which comfortably covers typical chargeback windows plus a buffer. Lower it if your risk profile is shorter, or raise it if you sell things with longer dispute exposure (subscriptions, pre-orders). Set it to 0 to erase order data immediately along with everything else.
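The retention logic from steps 6 and 7, modelled as an added example (not TitanCart's own code): it assumes the customer's order dates, the Data retention hold setting and today's date as inputs, and uses "[deleted]" as an assumed placeholder for anonymized fields.

```javascript
// Added example (not TitanCart's own code): models the retention hold from
// steps 6 and 7. Inputs are assumed: the ISO dates of the customer's orders,
// the "Data retention hold (days)" setting and today's date (all UTC).
const DAY_MS = 24 * 60 * 60 * 1000;

function parseUtcDate(iso) {
  const [y, m, d] = iso.split("-").map(Number);
  return new Date(Date.UTC(y, m - 1, d));
}

function formatUtcDate(date) {
  return date.toISOString().slice(0, 10);
}

// Decide when the order-linked personal data (name, email, addresses) is
// anonymized. Profile, addresses, wishlist, cart and marketing data always go
// immediately; order amounts, dates and line items are always kept.
function planDeletion(orderDates, retentionDays, today) {
  const now = parseUtcDate(today);
  if (orderDates.length === 0 || retentionDays <= 0) {
    return { orderDataErasedOn: formatUtcDate(now), held: false };
  }
  const lastOrder = orderDates.map(parseUtcDate).reduce((a, b) => (b > a ? b : a));
  const eraseOn = new Date(lastOrder.getTime() + retentionDays * DAY_MS);
  if (eraseOn <= now) {
    // Last order is already older than the window: nothing to hold.
    return { orderDataErasedOn: formatUtcDate(now), held: false };
  }
  return { orderDataErasedOn: formatUtcDate(eraseOn), held: true };
}

// What the daily background job does: anonymize the personal fields of every
// order whose hold has elapsed, leaving the financial record intact.
// "[deleted]" is an assumed placeholder, not TitanCart's actual marker.
function anonymizeElapsed(orders, today) {
  const now = parseUtcDate(today);
  return orders.map((o) => {
    if (o.eraseOn === null || parseUtcDate(o.eraseOn) > now) return o;
    return { ...o, name: "[deleted]", email: "[deleted]", address: "[deleted]" };
  });
}

// Constructed sample: a customer with two orders who deletes their account on
// 2024-04-01 under the default 180-day hold.
const SAMPLE_PLAN = planDeletion(["2024-01-10", "2024-03-01"], 180, "2024-04-01");
```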
8. Test it
- Open your storefront logged in as a test customer and go to My Account → Profile.
- Confirm the Your Data card appears (if export is on) and that Download my data produces a JSON file.
- Confirm the Delete My Account card appears (if deletion is on) with the retention notice.
- For the cookie banner, open the storefront in a private window, confirm it appears in your chosen mode/position, accept it, and confirm it doesn’t reappear on the next page.
What the cookie banner does — and doesn’t do
The banner records the visitor’s consent choice and makes it available to TitanCart, so other integrations can check it before setting non-essential cookies or loading tracking scripts. The banner itself does not block or remove third-party tracking — if you add analytics or marketing pixels, you (or that integration) are responsible for honouring the recorded consent. Choose Explicit mode if your jurisdiction requires an active opt-in before any non-essential cookies are set.
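How an integration can honour the recorded choice before loading a tracking script, as an added example (not TitanCart's own code): it assumes the banner stores its result in the tc_cookie_consent cookie named under Troubleshooting with the values "accepted" or "declined", and uses a placeholder analytics URL.

```javascript
// Added example (not TitanCart's own code): gate a non-essential script on the
// consent the banner recorded. Assumption: the banner stores its result in a
// cookie named tc_cookie_consent whose value is "accepted" or "declined";
// check your installed version for the real values.
const CONSENT_COOKIE = "tc_cookie_consent";

// Parse a document.cookie string ("a=1; b=2") into a map. Pure function so it
// can be exercised without a browser.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Returns "accepted", "declined" or "unknown" (no choice recorded yet: first
// visit, banner disabled, or cookies cleared).
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (value === "accepted") return "accepted";
  if (value === "declined") return "declined";
  return "unknown";
}

// Only "accepted" loads the tracker; "unknown" is treated like a decline so
// nothing non-essential runs before an active opt-in (Explicit mode).
function shouldLoadTracking(cookieString) {
  return consentState(cookieString) === "accepted";
}

// Browser entry point: inject the analytics script only when permitted.
// analyticsSrc is a placeholder for your real tracking script URL.
function loadTrackingIfConsented(doc, analyticsSrc) {
  if (!shouldLoadTracking(doc.cookie)) return false;
  const s = doc.createElement("script");
  s.src = analyticsSrc;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

if (typeof document !== "undefined") {
  loadTrackingIfConsented(document, "https://example.invalid/analytics.js");
}
```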
Troubleshooting
- The “Your Data” or “Delete My Account” card doesn’t appear — the matching toggle is off, or the GDPR extension isn’t active. Check “Allow customers to export their data” / “Allow customers to request data deletion” in the Data Privacy section.
- A deleted customer still shows on their old orders — that’s expected during the retention hold. The order-linked name/email/address are anonymized automatically once the hold (last order + retention days) elapses; the order’s financial record stays for tax purposes.
- The cookie banner doesn’t appear — the consent mode is set to Disabled, the extension isn’t active, or you’ve already accepted/declined in this browser (clear the tc_cookie_consent cookie or use a private window).
- No “Privacy Policy” link in the banner or at checkout — the Privacy Policy page URL is blank. Set it in the Data Privacy section.
- The checkout consent checkbox isn’t showing — “Require consent checkbox at checkout” is off, or the extension isn’t active.
- An admin can’t delete their own account from the storefront — intended. Administrator accounts are blocked from self-deletion through the storefront for safety.
See also
- Setting up reCAPTCHA (v2 & v3) — bot protection for your storefront forms.
- Setting up Age Verification — restrict age-sensitive products and pages.
- Store setup checklist — the full go-live to-do list.