Tawk.to is a free live chat platform that website owners embed via a JavaScript snippet to communicate with visitors in real time. Beyond session management, it tracks visitor behaviour including pages viewed, time on site, and geographic location, sending this data to Tawk.to servers in the United States. Under GDPR and the ePrivacy Directive, consent is required before loading the Tawk.to widget because it collects personal data and transfers it to a third-country processor even when no chat conversation takes place.
Tawk.to is a free live chat platform used by millions of websites worldwide to communicate with visitors in real time. Website owners embed a JavaScript snippet that loads the Tawk.to widget from tawk.to CDN servers. Beyond providing a chat interface, the widget collects visitor behavioural data including pages viewed, time on site, geographic location derived from IP address, and device information. This data is displayed to support agents in the Tawk.to dashboard and stored on Tawk.to servers in the United States. The service is operated by Tawk.to Inc., a company incorporated in Delaware.
Tawk.to sets several cookies including __tawkuuid (a persistent unique visitor identifier stored for up to 6 months), ss (a session identifier), and TawkConnectionTime (a connection timestamp). It collects the visitor IP address, browser type, operating system, referring page, pages browsed during the session, and chat transcript content. If a visitor initiates a chat and provides their name or email address, this personal data is stored in the Tawk.to contact database and may be used for follow-up communications. The visitor profiling visible to agents constitutes processing of personal data under GDPR.
Tawk.to sets cookies on the visitor device and collects personal data before any chat interaction. Under Article 5(3) of the ePrivacy Directive, storing cookies on a user device requires prior informed consent unless the cookies are strictly necessary for a service explicitly requested by the user. Because Tawk.to activates automatically on page load rather than in direct response to a visitor request, consent is required. Under GDPR, the processing of IP addresses, behavioural data, and chat transcripts also requires a valid legal basis, which in most cases must be consent given the advertising and profiling components.
Tawk.to is incorporated in Delaware and processes data on servers located in the United States and via a global CDN. EU website owners who embed Tawk.to are making a data transfer to a third country under GDPR Chapter V. Tawk.to relies on Standard Contractual Clauses (SCCs) for these transfers. Website owners must document this transfer in their privacy policy, name Tawk.to as a sub-processor, and verify that a valid Data Processing Agreement (DPA) is in place with Tawk.to.
Consent must be obtained before the Tawk.to script loads on any page targeting EU visitors. This means the JavaScript snippet must be blocked by default and injected into the page only after the visitor accepts the relevant cookie category in a consent management platform (CMP). A placeholder button or banner can be shown in place of the chat widget before consent. Some CMPs offer a consent-gated chat launcher that lets visitors activate the chat on demand; in some interpretations this may qualify as a consent event for the strictly necessary exemption.
To use Tawk.to in compliance with GDPR and ePrivacy:

1. Block the Tawk.to script by default using a CMP with script-blocking support.
2. List Tawk.to cookies in your cookie policy under the functional or analytics category.
3. Sign the Tawk.to Data Processing Agreement available in your account settings.
4. Disclose the US data transfer in your privacy policy and reference SCCs as the transfer mechanism.
5. Inform visitors in the chat window that the conversation is recorded and processed in accordance with your privacy policy.
6. Consider configuring Tawk.to to avoid storing personally identifiable visitor information if compliance is a concern.

DPIA considerations
A DPIA may be required for high-traffic websites using Tawk.to where visitor profiling, chat transcript storage, and third-country data transfers combine to create significant risks to the rights of EU data subjects. Assess whether the volume and sensitivity of chat data processed by Tawk.to warrants a formal DPIA under Art. 35 GDPR.
Sample consent text
We use Tawk.to to provide a live chat feature on this website. Tawk.to collects data about your visit including pages viewed and geographic location, and processes this data on servers in the United States. Please accept to enable live chat.
Third-party domains contacted
tawk.to, va.tawk.to, embed.tawk.to
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| __tawkuuid | persistent | 6 months | Assigns a unique visitor identifier for live chat session continuity and visitor history |
| ss | session | session | Maintains the active live chat session state between page views |
| TawkConnectionTime | persistent | 1 day | Records the timestamp of the first connection to optimise reconnection logic |
| tawk_uuid | persistent | 6 months | Stores a unique identifier for the chat visitor to enable chat history retrieval |
Yes, in most cases. Tawk.to sets cookies and collects personal data including IP address and behavioural analytics as soon as the widget loads, before any chat interaction. Under the ePrivacy Directive, this requires prior consent. Legitimate interest may narrowly apply to strictly necessary session cookies when the chat is explicitly activated by the visitor, but the broader visitor tracking and analytics features of Tawk.to require consent.
Tawk.to sets __tawkuuid (a persistent unique visitor identifier, up to 6 months), ss (a session identifier, session duration), TawkConnectionTime (a connection timestamp, session duration), and tawk_uuid_<property_id> (a property-specific visitor identifier, up to 6 months). These cookies enable visitor identification across sessions, chat session management, and the visitor analytics displayed to support agents in the Tawk.to dashboard.
Consent under Article 6(1)(a) GDPR is required for Tawk.to visitor tracking and analytics features. Legitimate interest under Article 6(1)(f) may be argued for strictly necessary session cookies when the chat is visitor-initiated, but this requires a documented balancing test and cannot justify the full scope of data collection including IP-based geolocation and behavioural analytics. Most EU-focused legal advisers recommend obtaining consent before loading Tawk.to.
Yes. Tawk.to Inc. is incorporated in Delaware and processes data on US-based servers and via a global CDN. Data transfers from the EU to the US are subject to GDPR Chapter V. Tawk.to relies on Standard Contractual Clauses (SCCs) for these transfers. You must sign the Tawk.to Data Processing Agreement, disclose the US transfer in your privacy policy, and reference SCCs as the applicable transfer mechanism.
A DPIA may be required for high-traffic websites using Tawk.to, particularly where visitor profiling, chat transcript storage containing sensitive personal data, and US data transfers combine to create significant risks. If your website handles sensitive topics (health, finance, legal) or processes a large volume of EU visitor data through Tawk.to, a formal DPIA under Article 35 GDPR is recommended.
Block the Tawk.to JavaScript snippet by default using a CMP. Inject the snippet only after the visitor accepts the functional or analytics cookie category. Some CMPs allow showing a consent-gated chat button where the visitor activates the chat on demand, which may constitute valid consent for the functional exemption in narrow interpretations. Sign the Tawk.to DPA in your account settings and configure data retention settings to minimise personal data storage.
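The block-by-default pattern described here and in the compliance checklist above, as an added JavaScript example (not Tawk.to's or any CMP's own code): the widget script is injected only once the chosen category is granted, and a placeholder launcher is shown until then. `PROPERTY_ID`/`WIDGET_ID`, the shape of the `consent` object and the `openCmp` callback are assumptions standing in for your account ids and your CMP's API.

```javascript
// Added example. The consent object, its "functional" key and openCmp()
// are assumed stand-ins for whatever your CMP actually exposes.
function tawkSrc(propertyId, widgetId) {
  // Allow only plain ids so the injected src can never leave embed.tawk.to.
  for (const id of [propertyId, widgetId]) {
    if (typeof id !== 'string' || !/^[A-Za-z0-9_-]+$/.test(id)) {
      throw new Error('invalid Tawk.to id');
    }
  }
  return `https://embed.tawk.to/${propertyId}/${widgetId}`;
}

function createTawkGate(doc, { propertyId, widgetId, category = 'functional', openCmp }) {
  const src = tawkSrc(propertyId, widgetId); // fail early on a bad id
  let script = null;      // set once the real widget has been injected
  let placeholder = null; // consent-gated launcher shown instead of the widget

  function showPlaceholder() {
    if (placeholder) return;
    placeholder = doc.createElement('button');
    placeholder.textContent = 'Enable live chat';
    placeholder.onclick = () => openCmp(category); // ask for consent on demand
    doc.body.appendChild(placeholder);
  }

  // Call once on page load and again from the CMP's consent-changed callback.
  return function apply(consent) {
    const granted = Boolean(consent) && consent[category] === true;
    if (!granted) {
      // A widget that is already running cannot be unloaded; reload the page.
      if (script) return 'reload-required';
      showPlaceholder();
      return 'blocked';
    }
    if (script) return 'already-loaded';
    if (placeholder) { placeholder.remove(); placeholder = null; }
    script = doc.createElement('script');
    script.async = true;
    script.src = src;
    script.charset = 'UTF-8';
    script.setAttribute('crossorigin', '*');
    doc.head.appendChild(script); // the first request to tawk.to happens here
    return 'loaded';
  };
}
// Browser usage (ids are placeholders):
//   const apply = createTawkGate(document, { propertyId: 'PROPERTY_ID', widgetId: 'WIDGET_ID', openCmp });
```

Until `apply` returns `'loaded'`, the page makes no request to any Tawk.to domain, which can be confirmed in the browser's network panel.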
Yes. Crisp and Chatwoot both offer EU-hosted or self-hosted options with stronger GDPR compliance profiles. Chatwoot is open-source and can be self-hosted on EU infrastructure, eliminating third-country data transfers entirely. For businesses prioritising privacy compliance, these alternatives reduce compliance risk compared to Tawk.to while providing similar live chat functionality.
In your cookie policy, list each Tawk.to cookie (__tawkuuid, ss, TawkConnectionTime) with its name, category (functional or analytics), duration, and purpose. In your privacy notice, include Tawk.to as a data processor, describe the visitor data it collects (IP address, pages visited, chat transcripts), state the legal basis, disclose the US data transfer via SCCs, and reference your signed Data Processing Agreement.