GDPR-compliant age verification for vape shops on PrestaShop (2026)
A practical compliance checklist for PrestaShop stores in age-restricted verticals: vape, alcohol, CBD. What auditors actually check, and how to satisfy them without a SaaS.
Selling vape, e-liquid, or other age-restricted products from a PrestaShop store in the EU means you have to satisfy two overlapping regulators:
- The age-restriction regulator in each country you ship to — typically the health ministry or a tobacco-products authority. They care about whether minors can buy.
- The data protection authority (under GDPR + your national implementation). They care about how you collect the information you used to verify age.
These two regulators sometimes contradict each other (one wants more verification, the other wants less data). This post walks through what each actually checks and how to satisfy both without bolting on a third-party SaaS for verification.
1. What "age verification" actually means in 2026 EU practice
For vape products, the dominant compliance posture in 2026 EU practice is self-declaration plus a hard storefront block:
- Storefront cannot be browsed until the visitor clicks "I am ≥ X" where X is the country-specific minimum age (18 in most of the EU, 21 in some countries, lower threshold for beer/wine in DE).
- The verification answer is stored in a cookie / localStorage so the user isn't re-prompted every page load (re-prompt cadence configurable, typically 30 days).
- For paid orders, the carrier validates ID on delivery (in some jurisdictions). Your storefront is not the last line of defence.
- Search engine bots bypass the modal — search results need to be indexable.
This is what a typical regulator audit covers. They don't usually ask you to do biometric ID matching at the storefront step (that's for DigitalID / Yoti integrations, which are more data-collection than the regulator actually requires for most vape products).
2. GDPR side: what's the lawful basis?
The lawful basis for storing the "yes, ≥18" answer in a cookie is either:
- Legal obligation (GDPR Art. 6.1.c) where you're compelled by national law to verify age before showing tobacco/vape content;
- Legitimate interest (GDPR Art. 6.1.f) elsewhere.
Either way: data minimisation applies. Store only the boolean answer and a timestamp. Don't capture birthdate, ID number, or anything else unless you actually need it for the carrier's downstream check (most carriers don't ask).
The audit-friendly rule of thumb: if you can't justify storing a field by pointing at a specific obligation, don't store it.
3. The actual checklist auditors run through
I'm consolidating from three audits we've helped PrestaShop merchants through in 2024–2026 (one Belgian, one French, one Spanish vape retailer):
| # | Check | How to satisfy |
|---|---|---|
| 1 | Storefront is hard-blocked before age confirmation | Modal renders on first visit, opacity:1, no skip path |
| 2 | Per-country minimum age applied | Geo-IP or shipping-country override, 18 EU default, 21 US, 16 DE beer/wine |
| 3 | No catalogue browse before confirmation | Modal blocks all routes except /age-confirm + legal pages |
| 4 | Confirmation persistence within reasonable window | 30-day cookie, re-prompt on expiry, no permanent cookie |
| 5 | Bot-friendly indexing | Bypass modal for known good bots (Googlebot, Bingbot, etc.) |
| 6 | GDPR data minimisation | No birthdate / ID number capture, just boolean + timestamp |
| 7 | Cookie classified correctly in cookie banner | Functional / strictly-necessary, no consent prompt for the modal itself |
| 8 | Documented retention | 30 days, evicted on expiry, not persisted server-side |
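As an added example, not code from the original post or from NP AgeVerify, here is framework-agnostic request-gating logic that implements checks 2 to 8 from the table and avoids the failures listed in section 4; the cookie name, the legal-page paths and the country table are assumptions for illustration.

```javascript
// Added example, not NP AgeVerify's code; cookie name, legal paths and country table are assumed.

const MIN_AGE_BY_COUNTRY = { DEFAULT: 18, US: 21 };   // check 2: 18 EU default, 21 US
const COOKIE_NAME = 'age_ok';                         // assumed cookie name
const RETENTION_MS = 30 * 24 * 60 * 60 * 1000;        // check 4/8: 30-day window
const ALLOWED_PATHS = ['/age-confirm', '/legal', '/privacy']; // check 3: only these pass ungated
const GOOD_BOTS = [/Googlebot/i, /Bingbot/i];         // check 5: bypass for known good bots

function minAgeFor(country) {
  return MIN_AGE_BY_COUNTRY[country] ?? MIN_AGE_BY_COUNTRY.DEFAULT;
}

// Check 6: the cookie value carries only a boolean flag and a timestamp ("1.<ms>"), nothing else.
function encodeConfirmation(nowMs) {
  return `1.${nowMs}`;
}

// Parse defensively: anything malformed, expired or future-dated means "re-prompt".
function confirmationValid(raw, nowMs) {
  const m = /^1\.(\d{1,16})$/.exec(raw ?? '');
  if (!m) return false;
  const elapsed = nowMs - Number(m[1]);
  return elapsed >= 0 && elapsed < RETENTION_MS;
}

// Check 7/8: Max-Age bounds the cookie's life; no permanent cookie, nothing persisted server-side.
function setCookieHeader(nowMs) {
  return `${COOKIE_NAME}=${encodeConfirmation(nowMs)}; Max-Age=${RETENTION_MS / 1000}; Path=/; Secure; SameSite=Lax`;
}

// User-agent is self-reported: this preserves indexing, it is not an access control (the carrier's ID check stays the last line of defence).
function isGoodBot(ua) {
  return GOOD_BOTS.some((re) => re.test(ua ?? ''));
}

function isAllowedPath(path) {
  return ALLOWED_PATHS.some((p) => path === p || path.startsWith(`${p}/`));
}

// One request in, one decision out: 'serve' renders the page, 'gate' renders only the
// hard-block modal asking "I am >= minAge" with no skip path (checks 1 and 3).
function decide({ path, userAgent, cookie, country, nowMs }) {
  const minAge = minAgeFor(country);
  if (isAllowedPath(path) || isGoodBot(userAgent) || confirmationValid(cookie, nowMs)) {
    return { action: 'serve', minAge };
  }
  return { action: 'gate', minAge };
}
```

When the visitor confirms on /age-confirm, the handler emits `setCookieHeader(Date.now())` and redirects back; every other route runs `decide()` before rendering.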
4. Common audit failures (don't be these)
The three most common failures we've seen, in order of frequency:
- Skip-able modal. The modal renders, but clicking outside dismisses it. Auditor opens devtools, dismisses, browses freely. Fail. Solution: hard overlay with no outside click, backdrop click does nothing.
- Cookie outlives the data minimisation rationale. Some modules set a 1-year or even permanent cookie. That goes beyond data minimisation. Stick to 30 days.
- Search engines blocked. The modal renders for Googlebot too, so the storefront isn't indexed and the shop's organic traffic dies. Fix: detect user-agent for known good bots and bypass the modal for them. Indexation is unaffected.
5. Implementation options
Three paths for PrestaShop:
- Custom code in your theme. Cheapest, most fragile. Breaks on theme updates. Not recommended unless your theme is also custom and you have a developer on staff.
- Third-party SaaS verifier (Yoti, OneID, etc.). Heavy. Useful for high-risk verticals (gambling, adult). Overkill for vape, and adds a data processor that's hard to justify under minimisation.
- PrestaShop module. Right size for vape / alcohol / CBD. NP AgeVerify is our take on this — per-country thresholds, GDPR-friendly cookie, bot bypass, no external SaaS.
6. After audit: keep the documentation
Auditors typically want:
- A one-page note describing the modal flow, the cookie name, the retention period, and the lawful basis (cite the local implementation of the tobacco directive).
- A screenshot of the modal as the customer sees it.
- A screenshot of the admin settings showing per-country age thresholds, if applicable.
- A statement about indexing (bots bypass, organic traffic preserved).
We provide a templated version of this documentation to NP AgeVerify customers. Reach out via contact if you need it.
Bottom line
Age verification for vape on PrestaShop is a solved problem if you don't over-engineer it. Self-declaration + per-country threshold + 30-day cookie + bot bypass + nothing-else-stored covers regulator and DPO at the same time.
If you want a focused module that does exactly this, see NP AgeVerify. €49 one-time, no SaaS dependency, audit-ready.