Akamai is one of the oldest and largest content delivery networks in the world, with a vast edge network used for content acceleration, web application firewall, bot mitigation and real user monitoring. From a GDPR perspective Akamai acts as a processor handling IP addresses, request metadata, security signals and, when mPulse is enabled, performance telemetry on behalf of website operators.
Akamai operates the Intelligent Edge Platform, the largest commercial content delivery network and a global security platform. The CDN caches static and dynamic content on more than 4,300 edge points of presence in over 130 countries, accelerates pages, video and APIs and offloads traffic from origin servers. The security stack adds a Web Application Firewall (Kona Site Defender, App and API Protector), DDoS mitigation (Prolexic), bot management (Bot Manager and Bot Manager Premier), Edge Auth, Audience Insights and the Linode (Akamai Connected Cloud) compute platform.
For every request Akamai processes the visitor IP, the user agent, the URL, the referer header, optional TLS fingerprint data and the HTTP body when WAF inspection is enabled. Bot Manager adds a browser challenge and writes the _abck and bm_sz cookies to track the challenge state. Edge Server may write ak_bmsc to maintain session affinity and akacd_* to remember the cache directive. None of these cookies are marketing trackers; they are strictly necessary for the security and routing decision. Logs are retained for 7 to 90 days depending on the product and feed Akamai Cloud Security Intelligence.
As a CDN, Akamai is a processor (GDPR art. 28) for its customers. The IP address and bot cookies fall under the strictly necessary exemption of ePrivacy art. 5(3) and the legitimate interest basis of GDPR art. 6(1)(f) when used purely for security and delivery. The CNIL explicitly lists security cookies as exempt. When Akamai Audience Insights, Predictive Personalization or any product that builds a behavioural identifier is activated, consent under GDPR art. 6(1)(a) is required because the use case goes beyond pure security.
EU customer traffic is normally served from European points of presence (Frankfurt, Amsterdam, Paris, London, Madrid, Stockholm) but Akamai SOC engineers in the US, India and Costa Rica access security logs centrally. Akamai is certified under the EU US Data Privacy Framework and uses the 2021 Standard Contractual Clauses as fallback. The Akamai Connected Cloud (Linode) offers explicit region pinning for compute workloads, with EU regions in Frankfurt, Amsterdam, London, Paris, Milan, Madrid and Stockholm.
Sign the Akamai Data Processing Addendum, document the EU residency commitment, enable IP anonymisation where Akamai exposes it, list the strictly necessary cookies in the privacy notice without putting them behind the CMP, gate Audience Insights or Bot Manager Premier behind consent if you activate them, document the WAF processing in your record of processing under GDPR art. 30, and align with NIS 2 if Akamai is part of your critical service supply chain.
Websites using Akamai must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Akamai is deployed with Bot Manager Premier, Account Protector, EdgeWorkers running custom personalization logic, mPulse Real User Monitoring or Identity Cloud, or when sensitive resources (financial services, public sector, healthcare) are protected. Routine static content delivery from Ion or Adaptive Media Delivery does not normally require a DPIA.
Sample consent text
This website is delivered and protected by Akamai, a US content delivery and security provider operated by Akamai Technologies Inc. Akamai processes your IP address, security signals and request metadata. When mPulse or fingerprinting features are active, additional performance data is collected. By accepting, you allow this processing on Akamai servers, including in the United States, under EU Standard Contractual Clauses.
Third-party domains contacted
akamai.net, akamaihd.net, akamaiedge.net, akamaized.net, edgekey.net, akamaitechnologies.com, edgesuite.net, mpulse.net, go-mpulse.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _abck | First party (Akamai Bot Manager) | 1 year | Stores the bot detection state for the visitor, used by Bot Manager to remember whether the browser has passed the challenge |
| _abck | Strictly necessary (security) | 12 months | Akamai Bot Manager cookie. Stores a signed token used to evaluate whether the visitor is a legitimate user or an automated bot during subsequent requests. |
| bm_sz | First party (Akamai Bot Manager) | 4 hours | Session token used during the Bot Manager challenge to associate the proof of work with the right session |
| bm_sz | Strictly necessary (security) | 4 hours | Akamai Bot Manager session cookie. Stores short lived risk signals and ensures that repeated requests within a session can be correlated for bot scoring. |
| ak_bmsc | Strictly necessary (security) | 2 hours | Bot Manager session token used to track whether a session has passed Bot Manager checks. Helps avoid challenging the same legitimate session multiple times. |
| ak_bmsc | First party (Akamai Edge Server) | 12 hours | Edge session affinity cookie that keeps the visitor on the same Akamai edge cluster for the session |
| akacd_* | First party (Akamai Edge Server) | Configurable (seconds to days) | Cache directive marker used internally by the Akamai edge to coordinate cache invalidation and surrogate keys |
| ak_bmsc_ssn | Strictly necessary (security) | Session | Bot Manager session continuation cookie used together with ak_bmsc to maintain session integrity during navigation. |
| bm_mi | First party (Akamai Bot Manager Premier) | 2 hours | Mobile intelligence cookie used by Bot Manager Premier when device based bot detection is enabled |
| bm_lso | Strictly necessary (security) | 2 hours | Bot Manager local storage observer cookie. Used to detect tampering with browser storage that could indicate automated behaviour. |
| RT | Analytics (mPulse, after consent) | 7 days | Akamai mPulse Real User Monitoring cookie. Stores a session identifier used to correlate page navigations, Core Web Vitals and error reports. |
Akamai cookies are primarily set by Bot Manager and Edge Server: _abck (1 year, bot detection state), bm_sz (4 hours, session token for the bot challenge), ak_bmsc (12 hours, edge session affinity) and akacd_* (configurable, cache directive). None of these are marketing cookies. They are written automatically when Bot Manager or Edge Server is active for the domain.
Akamai Bot Manager and App and API Protector set strictly necessary security cookies such as _abck, bm_sz, ak_bmsc, ak_bmsc_ssn and bm_lso that store bot risk signals and session integrity tokens. mPulse adds analytics cookies (RT, mp_rid) that store Real User Monitoring identifiers. Akamai itself does not set marketing or advertising cookies.
For the standard CDN and security stack (caching, WAF, DDoS, Bot Manager), no. These cookies are strictly necessary under ePrivacy art. 5(3) and the CNIL exempts them. Consent is required for Akamai products that profile visitors (Audience Insights, Predictive Personalization, Bot Manager Premier device intelligence beyond pure security).
No consent is required for content delivery and for strictly necessary security cookies (_abck, bm_sz, ak_bmsc), which fall under legitimate interest and the ePrivacy strictly necessary exemption. Consent is required for mPulse, Identity Cloud and any optional advanced fingerprinting feature that goes beyond what is strictly necessary to operate the service.
Article 6(1)(b) GDPR (performance of contract, the visitor requested the page) and art. 6(1)(f) (legitimate interest in security and delivery) for the CDN and security stack. Article 6(1)(a) consent for profiling products. Article 28 GDPR governs the processor relationship between the publisher and Akamai.
Content delivery, denial of service mitigation, web application firewall, basic bot management and account protection rely on legitimate interest under Article 6(1)(f) GDPR. mPulse Real User Monitoring, behavioural analytics, identity management and any optional personalization rely on consent under Article 6(1)(a) GDPR collected via a consent management platform.
Yes. EU traffic is normally served from European points of presence, but Akamai SOC operations and security intelligence access logs centrally from the US, India and Costa Rica. Akamai is certified under the EU US Data Privacy Framework with 2021 SCCs as a fallback. A Transfer Impact Assessment under EDPB Recommendation 01/2020 is required.
Akamai signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR with customers through its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3, encryption at rest, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 2 Type II and the option to keep Datastream logs in regional data stores.
Not for the standard CDN alone. Required for Akamai Bot Manager Premier with device fingerprinting, Akamai Audience Insights, Predictive Personalization or Edge Auth. The DPIA should describe data flows, the SOC access from non EU countries and the retention of WAF logs.
A DPIA is recommended whenever Akamai is deployed with Bot Manager Premier, Account Protector, mPulse Real User Monitoring, Identity Cloud or EdgeWorkers running personalization logic, and whenever it protects high risk resources such as financial services, public sector portals or healthcare applications. Basic content delivery via Ion does not generally require a DPIA.
Sign the Data Processing Addendum with the EU residency commitment, list strictly necessary cookies in the privacy notice without gating, gate Audience Insights and similar profiling products behind consent, configure WAF log retention to the shortest needed, train teams on the Akamai DSAR portal and document the chain in your record of processing.
Sign the Akamai Data Processing Addendum, list Akamai in your record of processing activities, document security cookies in the cookie policy and explicitly mention the United States destination. Integrate mPulse and other optional features with a consent management platform so that they only collect data after consent, limit Datastream log retention and confirm that Bot Manager rules do not capture sensitive request bodies (passwords, payment data).
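One way to check that mPulse only sets cookies after consent, as an added example rather than FlowConsent or Akamai code: it reads the Cookie request headers a browser sent before any consent choice and flags RT and mp_rid. The three labels, the `review` bucket for bm_mi and the sample headers are assumptions constructed for illustration; the cookie names come from the table above.

```python
from fnmatch import fnmatchcase

# Name patterns from the page's cookie table; the three labels are this example's own.
RULES = [
    ("strictly-necessary", ["_abck", "bm_sz", "ak_bmsc", "ak_bmsc_ssn", "bm_lso", "akacd_*"]),
    ("consent-required", ["RT", "mp_rid"]),   # mPulse Real User Monitoring
    ("review", ["bm_mi"]),                    # Bot Manager Premier: assumption, decide per deployment
]

def parse_cookie_header(line):
    """Return cookie names from one 'Cookie: a=1; b=2' request header line."""
    field, _, value = line.partition(":")
    if field.strip().lower() != "cookie":
        return []
    names = []
    for pair in value.split(";"):
        name, sep, _ = pair.strip().partition("=")  # values may contain '='
        if sep and name:
            names.append(name)
    return names

def classify(name):
    """Map a cookie name to a label; names are case-sensitive, akacd_* is a prefix."""
    for label, patterns in RULES:
        if any(fnmatchcase(name, p) for p in patterns):
            return label
    return "unknown"

def audit_preconsent(request_header_lines):
    """Classify cookies the browser sent before any consent choice was made."""
    findings = {}
    for line in request_header_lines:
        for name in parse_cookie_header(line):
            findings[name] = classify(name)
    violations = sorted(n for n, label in findings.items() if label == "consent-required")
    return findings, violations

# Constructed request headers (values are placeholders), captured before consent.
SAMPLE = [
    "Host: www.example.test",
    "Cookie: _abck=PLACEHOLDER~-1~; bm_sz=PLACEHOLDER; akacd_main=PLACEHOLDER",
    'Cookie: RT="z=1&dm=example.test"; bm_mi=PLACEHOLDER; sessionid=PLACEHOLDER',
]

if __name__ == "__main__":
    findings, violations = audit_preconsent(SAMPLE)
    for name, label in findings.items():
        print(f"{label:20} {name}")
    print("set before consent:", violations or "none")
```

Reading the request header rather than `document.cookie` also covers HttpOnly cookies; names that come back as `unknown` belong to the site or to other vendors and need their own classification.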
EU based alternatives include OVHcloud Edge (France), Gcore (Luxembourg), Bunny.net (Slovenia) and StackPath (with EU data centres) for CDN needs, plus Cloudflare for the EU Data Residency add on. For Bot Management specifically, Imperva and Radware offer European deployments. The right choice depends on edge coverage, security features and contractual data residency commitments.
Cloudflare (US with EU regional services), Fastly (US with Compute@Edge EU), Bunny.net (Slovenia, EU first), Gcore (Luxembourg), StackPath, Edgio (formerly Limelight), CloudFront (US with EU regions) and Microsoft Azure Front Door. None are fully EU only at the corporate level; Bunny.net and Gcore are the most EU centric.
List the strictly necessary cookies (_abck, bm_sz, ak_bmsc, akacd_*) in the security section of the privacy notice, declare Akamai as a sub processor with EU residency, mention the EU US Data Privacy Framework certification, link to the Akamai Trust Center and explain why these cookies cannot be refused without breaking the service.
List Akamai Technologies Inc. as the processor of the CDN and security services, describe the strictly necessary security cookies (_abck, bm_sz, ak_bmsc, ak_bmsc_ssn, bm_lso), explain that mPulse cookies (RT, mp_rid) only load after consent, mention the United States destination under SCCs and the EU US Data Privacy Framework, and link to the Akamai Privacy Statement.