How do you handle UK GDPR cookie consent in Magento?

Two layers: (1) UK GDPR + DPA 2018 for personal data — lawful basis, DSAR automation, retention rules in customer + sales_order. (2) PECR (Privacy and Electronic Communications Regulations) for cookies & marketing — ICO requires opt-in consent for non-essential cookies before they fire (no “continued use = consent” banners, no pre-ticked checkboxes). We ship a Cookiebot / Usercentrics / Klaro setup wired into Google Tag Manager & Magento’s native cookie API so analytics, ads, and chat widgets only load after consent. Banner copy reviewed against ICO guidance.