Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Jetpack is a multi feature WordPress plugin from Automattic (the company behind WordPress.com) that bundles backups, security scanning, CDN, related posts, social sharing, comments and Jetpack Stats. Several modules drop first party cookies on visitor browsers and require consent under European cookie law.
Jetpack is a flagship WordPress plugin developed by Automattic Inc., the same company that operates WordPress.com and WooCommerce. It bundles dozens of modules: VaultPress backups, Jetpack Protect security scanning, Jetpack Boost performance optimisation, Image CDN, Related Posts, Comments via WordPress.com, Social sharing, Subscriptions and Jetpack Stats. European publishers use Jetpack as an all in one productivity layer.
Jetpack Stats sets the tk_ai (visitor identifier, 2 years) and tk_lr (last view reference, 2 years) cookies as first party under the WordPress site domain. The Image CDN and Jetpack Boost modules do not set cookies. Jetpack Social and Comments rely on third party cookies from WordPress.com, Twitter, LinkedIn and Facebook for share buttons and login.
Jetpack Stats and Jetpack Social require consent under Article 5(3) ePrivacy. Server side modules (Backups, Protect, Boost, Image CDN) operate on the publisher backend and rely on legitimate interest under Article 6(1)(f) GDPR for performance and security purposes. Automattic acts as a processor under Article 28 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Prior, freely given, specific, informed and unambiguous consent is required for the Stats and Social modules. A consent management platform should disable Jetpack Stats and Social before consent. Jetpack offers a Privacy submodule and a consent toggle that integrates with most CMPs to keep the Stats tracker off by default.
Automattic Inc. processes Jetpack data on US infrastructure with global edge nodes. Automattic self certifies under the EU US Data Privacy Framework, providing an adequacy basis for transfers from the EEA. Standard Contractual Clauses are included in the Automattic DPA as a fallback for any non DPF subprocessor.
Sign the Automattic DPA, gate Jetpack Stats and Social behind your consent management platform, document the US transfer under the EU US Data Privacy Framework, document each enabled module in your record of processing activities, configure long term retention only where necessary, and consider Jetpack Boost (no cookies, performance only) as a privacy friendly default for new sites.
Websites using Jetpack must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Jetpack Stats is deployed across a large WordPress audience, when Jetpack Comments collects user data via WordPress.com login, or when Jetpack Social shares attribution data with Twitter, LinkedIn and Facebook APIs. Document module by module legal basis.
Sample consent text
Our WordPress site uses Jetpack (Automattic Inc., USA) for security, performance and analytics. The Jetpack Stats module drops tk_ai and tk_lr cookies on your browser to count unique visitors. Other Jetpack modules run server side. Stats and Social modules are activated only with your consent.
Third-party domains contacted
stats.wp.compixel.wp.comi0.wp.comi1.wp.comi2.wp.comjetpack.wordpress.compublic-api.wordpress.comwp.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tk_ai | first_party | 2 years | Jetpack Stats first party visitor identifier cookie used to count unique visitors and aggregate page views in the Jetpack Stats dashboard. Set only when the Stats module is enabled. |
| tk_lr | first_party | 2 years | Jetpack Stats last view reference cookie used to attribute the previous referrer to a page view. Set together with tk_ai when the Stats module is enabled. |
| tk_qs | first_party | Session | Jetpack Stats session level cookie used during page tracking to deduplicate events within a single browsing session. |
| wp-settings-* | first_party | 1 year | WordPress user settings cookie that Jetpack reads to apply preferences for authenticated editors using the Jetpack admin interface. |
Jetpack collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Jetpack Stats sets tk_ai and tk_lr (first party, WordPress site domain, 2 years) for visitor counting. Image CDN and Jetpack Boost do not set cookies. Jetpack Social and Comments load third party cookies from WordPress.com, Twitter, LinkedIn and Facebook for share buttons and login.
Yes for the Stats and Social modules. Server side modules (Backups, Protect, Boost, Image CDN) do not require consent. The Comments module via WordPress.com login may require consent depending on configuration.
Stats and Social rely on consent under Article 6(1)(a) GDPR. Server side modules rely on legitimate interest under Article 6(1)(f) GDPR for performance and security. Automattic is a processor under Article 28 GDPR.
Yes. Automattic Inc. processes Jetpack data on US infrastructure. Automattic self certifies under the EU US Data Privacy Framework. Standard Contractual Clauses are included in the Automattic DPA.
A DPIA is recommended when Jetpack Stats is deployed on large WordPress audiences, when Jetpack Comments collects WordPress.com identifiers or when Jetpack Social shares attribution data with Twitter, LinkedIn and Facebook APIs.
Sign the Automattic DPA, gate Jetpack Stats and Social behind a consent management platform, document each enabled module module by module, configure retention only where needed, and consider Jetpack Boost (no cookies) as a privacy friendly default for performance.
Privacy friendly alternatives by module: backups via UpdraftPlus or BlogVault, security via Wordfence or iThemes Security, performance via WP Rocket or LiteSpeed Cache, analytics via Matomo Analytics or Plausible (both have WordPress plugins), comments via Replyable or native WordPress comments.
List tk_ai and tk_lr in the analytics category with name, domain, duration and purpose. Disclose the US transfer and the EU US Data Privacy Framework certification. Document the third party cookies from Jetpack Social and Comments separately, and link to the Automattic privacy policy.