Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Drupal is an open source content management system powering enterprise sites, government portals and large publishers across Europe. It sets first party session and security cookies, plus any cookies added by contributed modules such as Google Analytics, reCAPTCHA or social embeds.
Drupal is a mature open source content management system written in PHP, maintained by the Drupal Association and a global community. It powers hundreds of thousands of European websites including national governments, universities, broadcasters and non profits. Drupal is self hosted, which means the operator controls the server, the database and the cookies the platform sets in visitors browsers.
A clean Drupal 9 or 10 install sets a small number of first party cookies: a PHP session cookie named SESS or SSESS prefixed with a hash, the has_js detection cookie, and Drupal.visitor.* cookies that remember preferences such as form drafts. Authenticated editors also receive Drupal.toolbar.collapsed and Drupal.tableDrag.showWeight cookies for the admin interface. All of these are first party and strictly necessary.
Core Drupal cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive, so they do not require consent. Drupal still processes personal data such as IP addresses in server logs and form submissions, which the operator must document under Article 30 GDPR. The risk profile changes dramatically when contributed modules such as Google Analytics, Matomo, Facebook Pixel, reCAPTCHA or Webform handlers are enabled.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Drupal core needs no consent banner because no profiling or marketing cookies are dropped by default. Once analytics, video or social embed modules are activated, the site operator must obtain prior, freely given, specific, informed and unambiguous consent before the third party scripts execute, in line with the CNIL, Datenschutzkonferenz, AEPD and Garante guidelines. A consent management platform should block the tags until the visitor accepts.
Self hosted Drupal does not transfer visitor data outside the EEA by itself. However, the update manager and the Composer based module repository contact drupal.org infrastructure (operated from the United States and Europe) for version checks. Choosing an EU based hosting provider and turning off automatic update checks is enough to keep visitor data inside the EEA. Any contributed module that loads scripts from US providers must be reviewed under Schrems II.
Host on EU infrastructure, document Drupal core cookies in the cookie policy as strictly necessary, and audit every contributed module before going live. Combine Drupal with a consent management platform that blocks Google Tag Manager, YouTube embeds and reCAPTCHA until consent is granted. Apply security updates promptly, restrict admin access by IP, and keep the Drupal database, backups and server logs inside the EEA to honour the principles of data minimisation and storage limitation.
Websites using Drupal must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for a vanilla Drupal install because only strictly necessary cookies are set. A DPIA becomes recommended once contributed modules introduce profiling, behavioural analytics, user tracking through Google Analytics or third country transfers via embedded services.
Sample consent text
Our website runs on Drupal and uses strictly necessary cookies to keep you signed in and protect forms against abuse. Optional analytics, video and social media modules are activated only with your consent.
Third-party domains contacted
updates.drupal.orgwww.drupal.orgpackages.drupal.orgCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SESS{hash} / SSESS{hash} | first_party | 23 days (configurable) | PHP session identifier used by Drupal to maintain authenticated user sessions and CSRF protection. Set as Secure HttpOnly on HTTPS sites. |
| has_js | first_party | Session | Lightweight cookie set by Drupal to record that the visitor browser supports JavaScript and to serve a JS enhanced UI accordingly. |
| Drupal.visitor.* | first_party | 1 year | Stores visitor preferences such as form drafts, language or theme. Set only when contributed modules or custom code use the Drupal visitor cookie API. |
| Drupal.toolbar.collapsed | first_party | 1 year | Editor only cookie that remembers whether the administration toolbar is collapsed or expanded for authenticated users. |
| Drupal.tableDrag.showWeight | first_party | 1 year | Editor only cookie that remembers whether the row weight column is shown in draggable admin tables. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
A fresh Drupal install sets a PHP session cookie (SESS or SSESS), the has_js detection cookie and Drupal.visitor.* preference cookies. Authenticated editors also receive Drupal.toolbar.collapsed and Drupal.tableDrag.showWeight. All are first party and strictly necessary; no marketing cookies are dropped without contributed modules.
No. Drupal core only sets strictly necessary cookies covered by the Article 5(3) ePrivacy exemption, so no consent is needed for a vanilla install. Consent is required as soon as you enable analytics, advertising or social media modules.
Strictly necessary session and security cookies rely on legitimate interest under Article 6(1)(f) GDPR. Personal data processed by forms or user accounts typically relies on consent or contract. Contributed analytics modules require explicit consent under ePrivacy.
Not by itself. Drupal is self hosted, so you choose the server location. The update manager and module repository contact drupal.org infrastructure (US and EU) for version checks, which can be disabled. Any third country transfer depends on the modules and embeds you install.
A DPIA is not required for a plain Drupal install limited to strictly necessary cookies. It becomes recommended once contributed modules introduce profiling, behavioural analytics, large scale public service portals or special category data such as health or biometrics.
Host inside the EEA, document the strictly necessary cookies in your cookie policy, disable unneeded modules, and audit every contributed module that loads third party scripts. Use a consent management platform to gate Google Analytics, reCAPTCHA, YouTube embeds and social widgets until consent is granted.
For self hosted CMS workloads, alternatives include WordPress with privacy hardened modules, Statamic, Craft CMS, ProcessWire or Strapi. All require the same diligence on contributed extensions, so the choice is mostly about ecosystem fit rather than baseline privacy.
Run a fresh cookie scan after each module change, list every cookie set by Drupal core and contributed modules with its name, purpose, duration and provider, and link to the privacy notices of any third party services such as Google Analytics or YouTube embedded through Drupal.