Tableau is a Salesforce-owned business intelligence platform that embeds dashboards and visualisations via JavaScript and iframes.
Tableau is a leading business intelligence (BI) and data visualisation platform acquired by Salesforce in 2019. It exists in three flavours: Tableau Cloud (the SaaS option, formerly Tableau Online), Tableau Server (self-hosted) and Tableau Public (the free public showcase). Dashboards are typically embedded via the Tableau Embedding API or an iframe.
An embedded Tableau view typically writes session cookies such as workgroup_session_id, hid and tab.workgroup.preferences, an XSRF-TOKEN cookie, and tableau_locale and accessibility preference cookies. Tableau receives the visitor's IP address, the user agent, the embedded dashboard identifier and any interaction (filter changes, tooltip hovers). When trusted authentication is used, your application also pushes the authenticated user identity.
Embedding Tableau Public or Tableau Cloud on a public page writes cookies on the visitor's device, so Article 5(3) of the ePrivacy Directive requires consent. The data shown in dashboards is often personal data of customers, employees or patients; any leak through poorly filtered views constitutes a personal data breach. Behind authentication, in an internal application, contract performance applies and the cookies are strictly necessary.
Public dashboards on a marketing site require consent before loading. Internal BI dashboards behind SSO rely on contract performance and legitimate interest, with employee information and works council involvement where applicable. Tableau Public dashboards are inherently public and you must therefore strip every personal data field before publishing.
Tableau Cloud is operated by Salesforce. The EU pods host data in Frankfurt and Dublin, but Salesforce Inc. is US-headquartered and its support teams may access the platform from the US. Tableau Server self-hosted on EU infrastructure avoids all transfers. Use the EU-US Data Privacy Framework and Standard Contractual Clauses to cover cloud transfers, and sign the Salesforce data processing addendum.
Block embedded dashboards behind consent on public pages. Use row-level security on personal data, pseudonymise customer IDs, restrict published Tableau Public dashboards to aggregated metrics, set retention on logs, and use the Tableau audit log to track who accesses which view. For Tableau Server on premises, deploy in EU datacenters and harden the configuration following the Tableau security hardening checklist.
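A minimal consent gate for the public-page case described above, as an added example that is not Tableau's or this page's own code: the dashboard URL is kept in a data attribute and an iframe is created only after the visitor accepts. The consent.tableau storage key, the tableau-slot class and the data-viz-url attribute are assumptions made for illustration.

```javascript
// Added example: consent gate for a Tableau iframe embed on a public page.
// Hosts are the third-party domains this page lists for Tableau.
const TABLEAU_HOSTS = ["public.tableau.com", "online.tableau.com",
                       "tableau.com", "tableausoftware.com"];
const CONSENT_KEY = "consent.tableau"; // hypothetical first-party storage key

// Accept only https URLs on a listed host or one of its subdomains.
function isTableauUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === "https:" &&
    TABLEAU_HOSTS.some((h) => u.hostname === h || u.hostname.endsWith("." + h));
}

// Pure decision step, testable without a DOM: `load` is every third-party
// URL the page may request for this slot in the given consent state.
function planEmbed(consent, vizUrl) {
  if (!isTableauUrl(vizUrl)) return { action: "reject", load: [] };
  if (consent !== "granted") return { action: "placeholder", load: [] };
  return { action: "embed", load: [vizUrl] };
}

// Browser wiring. Markup assumed: <div class="tableau-slot" data-viz-url="...">.
// The URL lives in a data attribute, so the browser fetches nothing by itself.
function render(slot, consent) {
  const plan = planEmbed(consent, slot.dataset.vizUrl);
  slot.replaceChildren(); // also removes a live iframe when consent is withdrawn
  if (plan.action === "embed") {
    const frame = document.createElement("iframe");
    frame.src = plan.load[0];
    frame.title = "Tableau dashboard";
    slot.append(frame);
  } else if (plan.action === "placeholder") {
    const btn = document.createElement("button");
    btn.textContent = "Accept Tableau cookies and load the dashboard";
    btn.addEventListener("click", () => {
      localStorage.setItem(CONSENT_KEY, "granted");
      render(slot, "granted");
    });
    slot.append(btn);
  }
}

if (typeof document !== "undefined") {
  document.querySelectorAll(".tableau-slot").forEach((slot) =>
    render(slot, localStorage.getItem(CONSENT_KEY)));
}
```

Removing the iframe on withdrawal stops further requests, but cookies already set on Tableau's domains are third-party to your page and cannot be deleted by your script.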
Websites using Tableau must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Tableau dashboards expose personal data of customers, employees or patients to broad audiences, when public Tableau Public dashboards expose granular records, or when row-level security is not in place.
Sample consent text
We use Tableau to display interactive dashboards. Tableau writes cookies on your device, may receive your IP address and the dashboard interactions, and processes data through Salesforce infrastructure in the EU and the United States. We only load the dashboard if you accept.
Third-party domains contacted
public.tableau.com
online.tableau.com
tableau.com
tableausoftware.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| workgroup_session_id | third_party | session | Session identifier for the Tableau viewer |
| hid | third_party | 30 days | Persistent visitor identifier used by Tableau Public |
| XSRF-TOKEN | third_party | session | CSRF protection token for Tableau requests |
| tableau_locale | third_party | 1 year | Stores the chosen interface language |
An embedded Tableau view typically writes workgroup_session_id, hid, tab.workgroup.preferences, XSRF-TOKEN, tableau_locale and accessibility-related cookies on its own domain (public.tableau.com or 10ax.online.tableau.com for Tableau Cloud).
For public pages, yes. The embed loads JavaScript and writes cookies, which is governed by Article 5(3) of the ePrivacy Directive. Inside an authenticated internal application, the cookies are strictly necessary and contract performance applies.
Consent for public embeds. Contract performance for BI dashboards behind SSO. Legitimate interest for analytics on internal product usage. Sensitive personal data (health, employee performance) needs Art. 9 GDPR coverage.
Tableau Cloud EU pods host data in Frankfurt and Dublin, but Salesforce Inc. is US-headquartered. Rely on the EU-US Data Privacy Framework and Standard Contractual Clauses, sign the Salesforce data processing addendum, and consider Tableau Server on premises for the highest-sensitivity workloads.
Recommended when dashboards expose personal data to broad audiences, when Tableau Public dashboards reveal granular records, or when row-level security is not enforced.
Block public embeds until consent, enforce row-level security and least privilege, pseudonymise identifiers, retain audit logs, and review every Tableau Public publication for personal data leakage.
Power BI (Microsoft), Looker (Google), Qlik (Sweden), Metabase (EU-friendly), Apache Superset, ToucanToco (France) and Lightdash. EU-based options reduce transfer complexity.
List Tableau session and preference cookies in the cookie policy, with purpose and lifetime. Add a transfer paragraph for Tableau Cloud users with the EU-US Data Privacy Framework reference.