GDPR cookie compliance sounds simple until you try to do it properly on Odoo.
Most websites show a banner, maybe link to a cookie policy, and call it a day. From the outside it looks compliant. From a legal and technical point of view, it usually isn’t.
We recently implemented full GDPR-compliant cookie consent on gecko.si using Klaro!, fully integrated with Odoo. This article explains what was broken, why common approaches fail, and what “compliance” really means in practice.
The Gap Between GDPR Theory and Odoo Reality
GDPR and the ePrivacy directive are very clear on one thing: non-essential cookies must not be set before a user explicitly consents. That includes analytics tools, marketing pixels, and most third-party embeds.
Odoo, out of the box, doesn’t meet this requirement. It loads frontend assets aggressively and assumes tracking is acceptable by default. As a result, many Odoo websites quietly start tracking users the moment the page loads — long before any consent is given.
A cookie banner alone doesn’t change that behavior. If scripts are already running, the damage is already done.
Why Cookie “Solutions” Often Don’t Work on Odoo
The most common mistake we see is treating cookie consent as a visual problem instead of a system problem.
Teams add a banner through JavaScript, hide cookies in the UI, or rely on third-party snippets that were never designed with Odoo’s asset system in mind. The website looks compliant, but technically nothing has changed. Tracking still fires. Consent is assumed, not enforced.
This is why many sites fail audits even though they appear to “do GDPR”.
What We Did Differently
For gecko.si, we used Klaro! as the consent manager, but the key wasn’t the tool itself. The key was how it was integrated into Odoo.
We didn’t allow tracking scripts to load at all until the user made a choice. Analytics and marketing tools are completely blocked by default and only activated after explicit consent. If the user declines, they stay blocked. No exceptions, no workarounds.
We also made sure users can clearly understand what they’re accepting, change their decision later, and that their consent is handled in a way that actually stands up in an audit. Consent isn’t just shown, it’s enforced.
At the same time, the website remains fast, stable, and fully editable in Odoo. Compliance shouldn’t break your site or your workflow.
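One way to check the "blocked by default" behaviour described above, as an added example that is not gecko.si's or Klaro's own code: a Node.js function that scans served HTML for third-party scripts that would load before any consent. It assumes Klaro's documented markup for a gated script (type="text/plain" with data-name and data-src); the hosts, function names and sample HTML are constructed for illustration.

```javascript
// Added example, not code from gecko.si. Hosts and HTML below are constructed.
// A script tag with type="text/plain" is not executed by the browser; Klaro
// switches it back on (using data-name / data-src) only after consent.

// Parse the attributes of one <script ...> opening tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<script/i, "").replace(/>$/, "");
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return external scripts from non-first-party hosts that load without consent.
// Inline scripts are out of scope here and need a manual review.
function findUngatedScripts(html, firstPartyHosts, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const gated = (a.type || "").trim().toLowerCase() === "text/plain";
    if (gated || !a.src) continue;
    const host = new URL(a.src, pageUrl).hostname; // resolves relative and // URLs
    if (!firstPartyHosts.includes(host)) findings.push({ host, src: a.src });
  }
  return findings;
}

// Constructed sample page: one first-party asset, two ungated third-party
// scripts, and one script gated with Klaro's markup.
const SAMPLE_HTML = `
<script src="/assets/site.js"></script>
<script async src="https://tracker.example/t.js?id=EXAMPLE"></script>
<script src="//cdn.pixel.example/p.js"></script>
<script type="text/plain" data-type="application/javascript"
        data-name="analytics" data-src="https://tracker.example/t.js"></script>
`;

for (const f of findUngatedScripts(SAMPLE_HTML, ["shop.example"], "https://shop.example/")) {
  console.log(`loads before consent: ${f.host} (${f.src})`);
}
```

A static scan like this does not see scripts injected at runtime, so pair it with a browser network trace taken before any consent choice is made.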
What “GDPR-Compliant” Really Means
This is the uncomfortable truth: a banner, a policy page, or a plugin does not equal compliance.
Real compliance means that nothing non-essential happens before consent, that refusing cookies doesn’t punish the user, and that consent can be withdrawn just as easily as it was given. Most importantly, it means you can prove this behavior if someone asks.
If your site tracks first and asks later, it’s not compliant — even if it looks professional.
The Outcome on gecko.si
On gecko.si, tracking only starts when users explicitly allow it. If they don’t, the site respects that decision fully. There is no hidden tracking and no “best effort” logic in the background.
This isn’t a theoretical setup. It’s running in production, under real conditions, and behaves exactly as GDPR requires.
Why This Matters for Odoo Businesses
If you’re running an Odoo website in the EU or targeting EU users, cookie compliance isn’t optional. Regulators don’t care which platform you use. They care about behavior.
Fines are one risk, but the bigger issue is trust. Users and partners increasingly expect transparency and control. Getting this wrong signals carelessness, not innovation.
Our Take
At Gecko IT, we don’t install cookie banners and hope for the best. We design systems that behave correctly by default.
If your Odoo website “probably complies” or “has something in place”, that’s usually a warning sign. GDPR doesn’t reward assumptions.
Compliance isn’t about looking right. It’s about acting right.