Looker is a Google Cloud business intelligence platform that embeds dashboards, looks and explores via iframe and the Embed SDK.
Looker is a business intelligence and analytics platform acquired by Google in 2020 and integrated into Google Cloud. It models data through LookML, runs queries on warehouses such as BigQuery, Snowflake or Redshift, and exposes dashboards, looks and explores through a web interface and an Embed SDK.
An embedded Looker dashboard sets session cookies (LOOKER_SESSION, LOOKERAUTH) on the Looker domain (your_instance.looker.com or your_instance.cloud.looker.com), plus a CSRF token. Looker receives the viewer IP, user agent, dashboard identifier and every interaction (filter changes, drilldowns). Through Signed Embed URLs your application also passes user attributes used for row level security.
Embedding Looker on a public page writes cookies and processes personal data; Article 5(3) ePrivacy and Article 6 GDPR require consent. Behind authentication, in an internal application, the session cookies are strictly necessary and contract performance applies. The dashboards themselves often contain personal data (customer, employee or patient records) which must be governed by row level security and a clear sharing policy.
Consent before loading Looker on a public site. Contract performance for internal BI behind SSO. Legitimate interest for internal usage analytics. Sensitive data requires an Art. 9 GDPR basis. When Looker is used to expose customer dashboards as part of a SaaS product, contract performance with the customer covers the processing.
Looker instances can be hosted in EU Google Cloud regions (europe-west1 in Belgium, europe-west3 in Frankfurt and others), keeping the dashboard and metadata in the EU. Google LLC remains the controller of the platform itself and operates support from the US, so the EU-US Data Privacy Framework and Google Cloud Standard Contractual Clauses must cover the transfer.
Pick an EU Looker region, use Signed Embed URLs to pass user attributes for row level security, enforce LookML access_filters on sensitive fields, integrate with your SSO provider, audit who accesses which dashboard, and keep query history retention short. Block public Looker embeds until consent through your CMP.
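One way to block a public Looker embed until consent, shown as an added example that is not part of the original page and is not Looker or CMP vendor code. The iframe carries its URL in a `data-looker-src` attribute instead of `src`, so no request reaches Looker and no cookie is set until the gate passes; the attribute name, the `{ analytics: true }` consent shape and the host `acme.cloud.looker.com` are assumptions made for the illustration.

```javascript
// Decide whether one embed URL may be loaded.
// instanceHost is your own Looker host (constructed here); an exact match
// rejects look-alikes such as "acme.cloud.looker.com.evil.example".
function decideEmbed(rawUrl, consent, instanceHost) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { load: false, reason: "invalid-url" };
  }
  if (url.protocol !== "https:") return { load: false, reason: "not-https" };
  if (url.hostname !== instanceHost) return { load: false, reason: "unexpected-host" };
  // consent is whatever your CMP reports; the "analytics" key is an assumption.
  if (!consent || consent.analytics !== true) return { load: false, reason: "no-consent" };
  return { load: true, reason: "ok" };
}

// Walk every placeholder iframe and set src only for approved embeds.
// Markup assumed: <iframe data-looker-src="https://acme.cloud.looker.com/embed/dashboards/1">
// Returns the reason per frame so the outcome can be logged or tested.
function activateEmbeds(doc, consent, instanceHost) {
  const reasons = [];
  for (const frame of doc.querySelectorAll("iframe[data-looker-src]")) {
    const target = frame.getAttribute("data-looker-src");
    const verdict = decideEmbed(target, consent, instanceHost);
    if (verdict.load) frame.setAttribute("src", target);
    reasons.push(verdict.reason);
  }
  return reasons;
}
```

Call `activateEmbeds(document, consentState, "acme.cloud.looker.com")` from the callback your CMP fires when the visitor's choice changes; frames that fail the check keep an empty `src`.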
Websites using Looker must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Looker dashboards expose personal data of customers, employees or patients to broad audiences, when public embeds are used without row level security, or when looks feed automated decisions.
Sample consent text
We use Looker dashboards to display interactive analytics. Looker writes session cookies on your device, may receive your IP address and processes data through Google Cloud infrastructure in the EU and the United States. We only load Looker if you accept.
Third-party domains contacted
looker.com, cloud.looker.com, lookercdn.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| LOOKER_SESSION | third_party | session | Session identifier for the Looker viewer |
| LOOKERAUTH | third_party | 30 days | Authentication state for the Looker user |
| CSRF TOKEN | third_party | session | Cross site request forgery protection token |
An embedded Looker view writes LOOKER_SESSION (session identifier), LOOKERAUTH (authentication state) and a CSRF token on the Looker domain. Self hosted Looker can be configured to use custom cookie names.
For public embeds, yes. Looker writes cookies and loads JavaScript on the visitor device, so Article 5(3) ePrivacy applies. For dashboards behind an authenticated portal, the cookies are strictly necessary and contract performance applies.
Consent for public dashboards. Contract performance for SaaS dashboards delivered to customers, and for employee facing analytics under an employment contract. Sensitive data requires Art. 9 GDPR coverage.
EU Looker regions keep the dashboards and metadata in the EU, but Google LLC operates support and the underlying platform from the US. Transfers are covered by the EU-US Data Privacy Framework and Google Cloud Standard Contractual Clauses.
Recommended when dashboards expose personal data to broad audiences, when public embeds are used without row level security, or when looks feed automated decisions.
Choose an EU region, use Signed Embed URLs, enforce LookML access_filters and user_attributes, audit access through Looker activity logs, keep query history short, and add Looker to your records of processing activities.
Power BI, Tableau, Qlik, Metabase, Apache Superset, ToucanToco (France), Lightdash and Cube. EU based options reduce transfer complexity.
List Looker session cookies (LOOKER_SESSION, LOOKERAUTH, CSRF token) with purpose, duration and controller. Mention the EU-US Data Privacy Framework and Google Cloud DPA in the transfers section.