Zendesk Chat (now part of Zendesk Web Widget) is a live chat and customer messaging platform that enables businesses to engage with website visitors in real time. It uses cookies and local storage to track visitor identity, conversation history, and browsing behaviour. Deploying Zendesk Chat on a European website requires prior user consent under the ePrivacy Directive and GDPR, as the widget collects personal data from the moment it loads.
Zendesk Chat, now integrated into the Zendesk Web Widget, is a live chat and customer messaging solution used by hundreds of thousands of businesses worldwide. It embeds a widget on your website that allows support agents to chat with visitors in real time, handle multiple conversations simultaneously, and route tickets to the right team. The Web Widget also supports chatbot automation via Zendesk Answer Bot and integrates with the broader Zendesk Support, Sell, and Sunshine platforms. When the widget script loads, it immediately sets cookies and begins collecting visitor data, including identity information if the visitor is a logged-in customer.
Zendesk Chat sets several cookies including __zlcmid (a persistent visitor identifier valid for 1 year used to recognise returning chat users), and session-level cookies for maintaining active conversations. Local storage entries store visitor preferences and conversation state. The platform collects IP addresses, browser type and version, device information, pages viewed before and during the chat, geolocation derived from IP, and the full content of all chat transcripts including any personal or sensitive data shared by the visitor during the conversation.
The Zendesk Chat widget loads automatically on page entry and sets persistent cookies before any interaction, triggering the ePrivacy Directive requirement for prior consent. Under GDPR, the collection of visitor identifiers, browsing behaviour, and conversation content constitutes personal data processing. Chat transcripts in particular may contain sensitive personal data shared voluntarily by users (health issues, financial details, complaints), raising the risk profile of the processing activity. A lawful basis and appropriate technical safeguards are required for all this data.
Consent must be collected before the Zendesk Web Widget script loads. The widget must be suppressed entirely when consent is refused or has not yet been given. Consent banners must disclose that Zendesk Chat is used for live support, describe the cookies and data collected, and inform users of the potential transfer to US servers. Users who decline should still be able to access support through alternative channels such as email or a contact form. Consent must be revocable and the widget must be disabled immediately upon withdrawal.
Zendesk is a US company (subsidiary of Salesforce). By default, customer data is processed on US-based infrastructure. Enterprise customers can request EU data residency, with data hosted in Frankfurt on Zendesk Pod 15 or Pod 26. For organisations not on Enterprise plans, Standard Contractual Clauses are the applicable transfer mechanism. Zendesk is also certified under the EU-US Data Privacy Framework. All transfers must be disclosed in the privacy policy and documented in the Records of Processing Activities. A signed Data Processing Agreement with Zendesk is required.
To deploy Zendesk Chat compliantly: configure your consent management platform to block the Web Widget snippet until consent is granted; use Zendesk's JavaScript API to conditionally initialise the widget post-consent; suppress the widget launcher icon until consent is obtained so it does not imply data collection is already running; categorise Zendesk Chat under functional or customer support cookies; update your privacy and cookie policy to disclose the __zlcmid cookie, its duration, and its purpose; document the US transfer and applicable safeguard in your RoPA; and evaluate EU data residency if you process large volumes of European personal data through support interactions.
Websites using Zendesk Chat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when Zendesk Chat is used to collect conversation data that may include sensitive information, when visitor tracking is combined with CRM profiling, or when the chat platform is integrated with other Zendesk products that process large volumes of personal data. The US data transfer and persistent visitor identification also contribute to elevated risk.
Sample consent text
We use Zendesk Chat to provide live customer support on our website. The chat widget sets cookies and collects data such as your IP address, browser information, and conversation history. This data may be transferred to and processed in the United States by Zendesk. Please accept to enable the live chat feature.
Third-party domains contacted
static.zdassets.com, ekr.zdassets.com, zendesk.com, chat.zendesk.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| __zlcmid | persistent | 1 year | Persistent visitor identifier used to recognise returning chat users and maintain conversation continuity across sessions |
| ZD-suid | session | Session | Session-level user identifier used to maintain the active chat conversation state |
| ZD-store | persistent | 1 year | Stores visitor preferences and chat widget configuration across sessions |
| ZD-buid | persistent | 1 year | Browser-level unique identifier used to associate chat interactions with a specific browser instance |
Zendesk Chat uses cookies for user preferences — inform visitors with a consent banner.
Zendesk Chat sets the __zlcmid cookie, a persistent first-party identifier valid for 1 year that recognises returning chat users and links sessions. It also sets session-level cookies to maintain active conversation state and writes visitor preferences and conversation data into local storage. These are not strictly necessary cookies and require prior consent under the ePrivacy Directive.
Yes. The Zendesk Web Widget script loads on page entry and immediately sets persistent cookies and accesses local storage, regardless of whether the visitor starts a chat. Under the ePrivacy Directive, this requires prior consent. Under GDPR, the collection of visitor identifiers and behavioural data constitutes personal data processing requiring a lawful basis. The widget must be blocked by your CMP until valid consent is obtained.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis for Zendesk Chat's tracking and identification cookies. Legitimate interest under Article 6(1)(f) may be argued for maintaining the continuity of a chat session already explicitly initiated by the user, but only after consent has been obtained for loading the widget in the first place. This must be documented with a balancing test.
Yes by default. Zendesk is a US company (owned by Salesforce) and processes data on US infrastructure unless EU data residency is specifically configured. EU data residency is available for Enterprise customers on Zendesk Pod 15 and Pod 26, both hosted in Frankfurt. The transfer mechanism for other customers is Standard Contractual Clauses. Zendesk is also certified under the EU-US Data Privacy Framework.
A DPIA is recommended when Zendesk Chat is used to handle large volumes of support conversations that may include sensitive personal data, when visitor tracking is combined with CRM or other personal data systems, or when chat data feeds into automated profiling or decision-making. The combination of persistent visitor identification, potential processing of sensitive data in transcripts, and US data transfers creates a risk profile that warrants a formal assessment.
Block the Zendesk Web Widget snippet from loading until consent is obtained via your CMP. Use the Zendesk JavaScript API to conditionally initialise the widget post-consent and suppress the launcher icon in the meantime. Categorise Zendesk Chat under functional or customer support cookies. Update your privacy policy to name Zendesk as a data processor. Sign a Data Processing Agreement with Zendesk. Document the US transfer and applicable safeguard in your Records of Processing Activities. If your volume warrants it, evaluate EU data residency.
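
The consent gate described in the deployment steps above and in this answer, as an added example (not Zendesk's code and not from this page's author): the widget script is injected only after consent, and a withdrawal expires the cookies from the table and reloads the page. The function name `createZendeskGate`, the `reload` hook, the widget key placeholder and the snippet URL form are assumptions.

```javascript
// Added example: consent gate for the Zendesk Web Widget (not Zendesk's code).
// Assumption: the standard snippet URL on static.zdassets.com; the key is a placeholder.
const SNIPPET_URL = 'https://static.zdassets.com/ekr/snippet.js?key=';
// Cookie names taken from the "Cookies placed" table on this page.
const ZD_COOKIES = ['__zlcmid', 'ZD-suid', 'ZD-store', 'ZD-buid'];

// doc: a Document (or stand-in); reload: called to tear down a running widget.
function createZendeskGate({ doc, widgetKey, reload }) {
  let scriptEl = null;

  function expireCookies() {
    // Covers host-only cookies on path "/". A cookie set with a Domain attribute
    // must be expired with the same Domain, so verify the result in the browser.
    for (const name of ZD_COOKIES) {
      doc.cookie = `${name}=; Max-Age=0; Path=/`;
    }
  }

  return {
    isLoaded: () => scriptEl !== null,
    // Wire this to the CMP's consent-changed callback for the chat category.
    onConsentChange(granted) {
      if (granted) {
        if (scriptEl) return true;            // already injected, do nothing
        scriptEl = doc.createElement('script');
        scriptEl.id = 'ze-snippet';           // id carried by the standard snippet tag
        scriptEl.async = true;
        scriptEl.src = SNIPPET_URL + encodeURIComponent(widgetKey);
        doc.head.appendChild(scriptEl);       // first request to Zendesk happens here
        return true;
      }
      // Refused, not yet given, or withdrawn: nothing may stay loaded.
      const wasLoaded = scriptEl !== null;
      scriptEl = null;
      expireCookies();
      // Removing the <script> tag does not stop code that already ran, so a
      // withdrawal reloads the page; the gate stays closed on the next load.
      if (wasLoaded) reload();
      return false;
    },
  };
}

// Browser usage (commented out so the block also runs under Node):
// const gate = createZendeskGate({ doc: document, widgetKey: 'YOUR_WIDGET_KEY',
//                                  reload: () => location.reload() });
// gate.onConsentChange(false);  // default state on page entry, before any choice
```

Local storage entries are not cleared here because this page does not list their key names; check them in the browser's storage inspector after a withdrawal.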
Yes. Crisp and Tidio offer EU-hosted live chat options with simpler data footprints. For full data sovereignty, self-hosted solutions such as Rocket.Chat or Chatwoot can be deployed on EU infrastructure, eliminating third-country transfer concerns entirely. If live chat is used primarily for support ticket creation, a GDPR-compliant contact form may be a lower-risk alternative that avoids persistent visitor tracking altogether.
Add an entry for the __zlcmid cookie in your cookie policy table, listing its name, category (functional or customer support), duration (1 year), and purpose (persistent visitor identification for live chat). Note any session cookies and local storage usage separately. Reference Zendesk as a third-party processor, link to their privacy policy at zendesk.com/company/agreements-and-terms/privacy-notice, and disclose the transfer of data to the United States with the applicable safeguard.