Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent. Free plan · 10-min setup
Afterpay is a buy now, pay later (BNPL) provider owned by Block, Inc. (which also operates Clearpay in the UK and EU). It lets shoppers split purchases into four interest-free instalments. Merchants embed an Afterpay JavaScript SDK and price widget on product and checkout pages. Even before checkout, the widget loads scripts, sets cookies and transmits visitor and product data to Afterpay servers, which raises specific GDPR and ePrivacy obligations.
Afterpay is a buy now pay later (BNPL) service operated by Afterpay Pty Ltd, a wholly owned subsidiary of Block, Inc. (the parent company of Square and Cash App). In the United Kingdom and most of Europe the same service runs under the Clearpay brand. Shoppers split a purchase into four equal instalments paid every two weeks, with no interest and limited fees. Merchants integrate Afterpay through a JavaScript SDK that renders price widgets on product pages, a checkout button and a redirect flow to portal.afterpay.com or portal.clearpay.com where the consumer is identified and the credit decision is made.
The Afterpay widget sets first-party and third-party cookies for cart state, anti-fraud signalling and analytics. It collects the IP address, User-Agent, viewed product pages, basket value, currency, merchant ID and a device fingerprint used by the fraud engine. At checkout, Afterpay collects name, address, email, phone, date of birth, payment method and, depending on the country, partial identifiers used for soft credit checks. Block, Inc. and its underwriting partners may consult external credit bureaus and fraud databases as part of the decision.
The Afterpay SDK loaded on product and category pages places cookies before checkout, which triggers Article 5(3) of the ePrivacy Directive. Those cookies are not strictly necessary for the user to access the merchant site, so consent is required before they are set. The processing of payment, identity and credit data during checkout itself can be based on the performance of a contract under Article 6(1)(b) GDPR, with fraud prevention typically grounded on legitimate interest under Article 6(1)(f). Automated decisions for credit scoring are subject to Article 22 GDPR safeguards.
Yes, for the widget, the price calculator and any analytics or marketing cookies set on category and product pages. The merchant should block the Afterpay SDK behind a consent gate and only load it once the user has accepted at least the functional or marketing category, depending on the cookies set. Inside the actual checkout, where the user has chosen Afterpay as the payment method, the strictly necessary processing of the order can proceed under contract, but transparency notices about the data shared with Block must still be provided.
Block, Inc. is headquartered in the United States and operates global infrastructure on AWS. The Australian entity also processes some data in Australia. Block has self-certified under the EU-US Data Privacy Framework, so transfers to its certified entities are covered by the adequacy decision for the DPF. For categories of data outside the DPF scope, Block relies on the new Standard Contractual Clauses together with a Transfer Impact Assessment. Merchants must list Block, Inc. and Afterpay Pty Ltd as recipients in their privacy policy and explain the transfer mechanism.
Gate the Afterpay SDK behind the consent manager so the script only loads after the relevant categories are accepted. Sign a data processing or controller-to-controller agreement with Block, depending on the contractual setup in your country. Update the privacy policy with the categories of data shared, the transfer mechanism (DPF and SCCs) and the user rights regarding automated decisions. List the afterpay.com and clearpay.com domains and cookies in the cookie policy. Implement an opt-out path that does not block the rest of the checkout when Afterpay is refused.
Websites using Afterpay must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA may be required when Afterpay is combined with credit scoring, fraud profiling or cross border data flows at scale. The processing involves financial data, automated decision making for credit assessment and transfers to the US and Australia, all of which are factors highlighted by EU DPAs as triggers for a formal DPIA under Art. 35 GDPR.
Sample consent text
We use Afterpay (Clearpay) to display payment options and process buy now pay later orders. This sets cookies and shares your IP address and purchase data with Block, Inc. in the United States. Do you accept?
Third-party domains contacted
afterpay.com
static.afterpay.com
js.afterpay.com
portal.afterpay.com
api.afterpay.com
clearpay.com
portal.clearpay.com
js.clearpay.com
static.clearpay.co.uk
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ap_sso_session | third party | Session | Maintains the authenticated session between portal.afterpay.com and the merchant site during a BNPL transaction. |
| ap_segment_id | third party | 13 months | Anonymous segmentation identifier used by Afterpay analytics and fraud engine to recognise repeat devices across merchants. |
| afterpay_device_id | third party | 1 year | Device fingerprint identifier used by Afterpay risk and credit decisioning to detect fraud and duplicate accounts. |
| _ap_session | third party | Session | Short lived session cookie for the widget rendering and checkout redirect flow. |
| cf_clearance | third party | 30 days | Cloudflare bot mitigation cookie set on Afterpay domains to validate that the request comes from a real browser. |
| OptanonConsent | third party | 1 year | OneTrust consent state cookie set on afterpay.com when the user visits Afterpay owned pages, recording the cookie preferences. |
Afterpay uses cookies for user preferences — inform visitors with a consent banner.
The widget sets cookies such as ap_sso_session for portal authentication, ap_segment_id for fraud and analytics segmentation, and a device fingerprint identifier used for risk scoring. Additional measurement cookies (Google Analytics, internal counters) may be loaded depending on the merchant integration. Every cookie that is not strictly necessary must be gated behind consent.
For the product page widget, the price calculator and any marketing cookies the answer is yes: these are set before payment and are not strictly necessary. Inside checkout, after the user has chosen Afterpay, the strictly necessary processing can proceed under contract, but the consent banner should still surface the data sharing in a transparent way.
Three bases coexist: contract (Art. 6(1)(b) GDPR) for completing the BNPL order, legitimate interest (Art. 6(1)(f)) for fraud prevention and credit risk, and consent (Art. 6(1)(a)) for non-essential cookies, marketing and combined profiling. Where automated credit decisions are taken, Article 22 GDPR safeguards (human review, contestability) apply.
Yes. Block, Inc. is a US controller and operates infrastructure on AWS globally. Block is self certified under the EU US Data Privacy Framework. Where data falls outside the DPF, transfers rely on Standard Contractual Clauses plus a Transfer Impact Assessment. Some processing also occurs in Australia at Afterpay Pty Ltd.
Often yes. The combination of credit scoring, automated decisions, large-scale processing of payment data and international transfers meets several of the EDPB criteria. A DPIA is the safest path even for medium-sized merchants, especially when Afterpay is combined with other tracking on the same checkout funnel.
Load the Afterpay SDK only after consent for the relevant category, sign the appropriate data processing or controller agreement with Block, update the privacy policy with recipient and transfer information, and add Afterpay cookies and domains to your cookie policy. Make sure the BNPL choice is one option among others and that the user can complete the checkout without it.
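One way to wire the consent gate, the opt-out path and a leak check covering this answer and the implementation checklist earlier on the page, as an added example that is not Afterpay's, Block's or FlowConsent's code. The SDK URL, the required consent categories and the request records are assumptions; the hostnames come from the page's domain list.

```javascript
// Added illustration of the consent gate described on this page; not Afterpay's,
// Block's or FlowConsent's code. The SDK URL is a PLACEHOLDER: take the real one
// from your Afterpay integration guide (js.afterpay.com is in the page's domain list).
const AFTERPAY_SDK_URL = 'https://js.afterpay.com/PLACEHOLDER/afterpay.js';
// Categories that must be accepted before the SDK may run. The page puts the widget
// under "functional" or "marketing" depending on the cookies set; since ap_segment_id
// serves analytics and cross-merchant device recognition, this example requires both
// (an assumption; align it with your consent manager's categories).
const REQUIRED_CATEGORIES = ['functional', 'marketing'];
// Registrable domains from the page's "third-party domains contacted" list.
const BNPL_DOMAINS = ['afterpay.com', 'clearpay.com', 'clearpay.co.uk'];

// Pure decision: consentState is a map such as { functional: true, marketing: false }.
function afterpayAllowed(consentState) {
  return REQUIRED_CATEGORIES.every(c => Boolean(consentState) && consentState[c] === true);
}

// Injects the SDK <script> at most once; call it from the consent manager's
// "consent changed" callback. `doc` is a parameter so tests can pass a stub.
// Returns true only when this call inserted the script.
function loadAfterpaySdk(consentState, doc) {
  if (!afterpayAllowed(consentState)) return false;
  if (doc.querySelector('script[data-afterpay-sdk]')) return false; // already present
  const s = doc.createElement('script');
  s.src = AFTERPAY_SDK_URL;
  s.async = true;
  s.setAttribute('data-afterpay-sdk', '1');
  doc.head.appendChild(s);
  return true;
}

// Opt-out path: Afterpay is one option among others, so refusing its cookies
// never empties the list and the checkout still completes with card, SEPA or PayPal.
function checkoutPaymentOptions(consentState) {
  const options = ['card', 'sepa_direct_debit', 'paypal'];
  if (afterpayAllowed(consentState)) options.push('afterpay');
  return options;
}

// Audit check over captured request records { url, ts } (e.g. from a HAR export):
// returns Afterpay/Clearpay hosts contacted before consent was recorded at consentTs
// (null = never consented). Any result means the gate leaked.
function preConsentLeaks(requests, consentTs) {
  const before = r => consentTs === null || r.ts < consentTs;
  const bnpl = host => BNPL_DOMAINS.some(d => host === d || host.endsWith('.' + d));
  const hosts = requests.map(r => ({ ts: r.ts, host: new URL(r.url).hostname }))
    .filter(r => before(r) && bnpl(r.host)).map(r => r.host);
  return [...new Set(hosts)];
}
```

Run `preConsentLeaks` against a request log captured while browsing product pages without accepting cookies; an empty result is the evidence you want for the DPIA and cookie audit.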
EU based BNPL providers (Klarna, Alma, Scalapay, Cofidis 4xCB) offer comparable services with EU data processing in many cases. They still require care, but the transfer risk is typically lower. Traditional payment methods (cards, SEPA Direct Debit, PayPal) remain available for users who refuse BNPL or related tracking.
Add Afterpay (Clearpay) under the Marketing or Functional category as appropriate. List the cookies (ap_sso_session, ap_segment_id, device fingerprint identifiers), the provider (Afterpay Pty Ltd and Block, Inc.), the purpose (order processing, fraud prevention, analytics) and the transfer mechanism (DPF or SCC). Update the policy whenever Afterpay changes its cookie list.