Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Amazon Pay is the merchant payment service offered by Amazon Payments Europe S.C.A., allowing buyers to checkout with their Amazon account on third party websites.
Amazon Pay is the merchant payment service offered by Amazon Payments Europe S.C.A., a Luxembourg licensed Electronic Money Institution supervised by the CSSF. It lets buyers check out on third party websites using their existing Amazon account, with addresses and payment methods already stored on Amazon. Amazon Pay supports one off payments, subscriptions and Pay Later in some regions, and is positioned as a checkout accelerator that competes with PayPal Smart Buttons and Shop Pay.
Loading the Amazon Pay button drops several third party cookies on amazon.com and payments.amazon.com (session-id, ubid-acbeu, lc-acbeu for locale, x-acbeu for the Amazon directed identifier, at-main and sess-at-main for the Amazon authentication token, ad-id for Amazon advertising). The button SDK also fingerprints the device for fraud detection (user agent, screen resolution, IP, behavioural signals). When the buyer clicks the button, the flow continues on payments.amazon.com and returns the buyer details (shipping address, billing address, payment token) to the merchant via the Amazon Pay API.
The strict checkout cookies that maintain the Amazon Pay session are strictly necessary for the payment requested by the user and fall under the article 5(3) ePrivacy exemption. The ad-id and Amazon advertising cookies set on amazon.com are not strictly necessary and require consent if you display the button before consent is granted. CNIL has stressed that loading a payment button is acceptable without consent only if the third party cookies set are limited to what is strictly necessary for the transaction.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Render the Amazon Pay button on the checkout page only when needed. If you display it before consent on a product page or in a mini cart, wrap it in a CMP gate or use the Image button option (no Amazon cookies before click). When the user clicks, the Amazon Pay flow takes over on payments.amazon.com and operates under the Amazon privacy notice. Inform users in your privacy notice that Amazon Payments Europe S.C.A. and Amazon Inc. process the payment.
Amazon Payments Europe S.C.A. operates from Luxembourg under EU banking and payment regulation. Card processing, fraud detection and reconciliation flows can involve Amazon entities in the United States. Transfers rely on EU SCCs and Amazon Inc. DPF certification under the EU US Data Privacy Framework. Document the transfer mechanism in your records of processing activities.
Sign the Amazon Pay merchant agreement and the EU DPA. Display the button only when needed, or use the Image button option until the buyer clicks. Categorise checkout cookies as Strictly Necessary and Amazon advertising cookies as Marketing. Identify Amazon Payments Europe S.C.A. and Amazon Inc. as joint or independent controllers as relevant. Provide a privacy notice section explaining the EU and US data flows.
Websites using Amazon Pay must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Amazon Pay is used as the primary checkout, when the merchant relies on Amazon Fraud Service advanced signals, when recurring billing stores Amazon Pay tokens, or when the merchant integrates the One Time Password flow that processes phone identifiers.
Sample consent text
We use Amazon Pay to let you check out with your Amazon account. Amazon Pay drops cookies linked to your Amazon account and processes payment, fraud and billing data with Amazon Payments Europe S.C.A. in Luxembourg and Amazon Inc. in the United States. Payment cookies are strictly necessary, additional Amazon cookies for advertising or recommendations only load if you grant consent.
Third-party domains contacted
amazon.compayments.amazon.compayments-eu.amazon.comassets.loginwithamazon.comamazonpayments.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session-id | Strictly Necessary | 1 year | Amazon session identifier set on amazon.com that maintains the Amazon Pay checkout session. |
| ubid-acbeu | Strictly Necessary | 1 year | Amazon EU buyer identifier used to recognise the buyer for the Amazon Pay flow. |
| lc-acbeu | Functional | 1 year | Stores the buyer locale (language and country) for the Amazon Pay interface. |
| x-acbeu | Strictly Necessary | 1 year | Amazon Directed Identifier used by Amazon Pay to securely link the buyer Amazon account to the merchant transaction. |
| at-main | Strictly Necessary | 1 year | Amazon authentication token used for buyer login during the Amazon Pay flow. |
| sess-at-main | Strictly Necessary | Session | Session bound Amazon authentication token complementing at-main. |
| ad-id | Marketing | 5 months | Amazon advertising identifier used for ad targeting and measurement when the buyer is logged in. |
Amazon Pay uses cookies for user preferences — inform visitors with a consent banner.
Amazon Pay drops third party cookies on amazon.com and payments.amazon.com: session-id, ubid-acbeu (visitor), lc-acbeu (locale), x-acbeu (Amazon Directed ID), at-main and sess-at-main (Amazon auth token), ad-id (Amazon advertising). The exact set depends on whether the buyer is logged into Amazon.
Strictly necessary checkout cookies are exempt. However the ad-id and Amazon advertising cookies are not strictly necessary. Use the Image button option or block the button until consent if you want to avoid setting non essential cookies.
Performance of a contract for the payment, legitimate interest for essential fraud prevention, consent for Amazon advertising cookies.
Amazon Payments Europe S.C.A. is in Luxembourg but Amazon Inc. processes some flows in the US. Transfers rely on EU SCCs and the Amazon DPF certification.
A DPIA is recommended when Amazon Pay is the primary checkout, when advanced Amazon Fraud Service signals are used, when recurring billing tokens are stored, or when the OTP flow processes phone identifiers.
Use the Image button option or block the button behind a CMP if displayed before consent. Sign the Amazon Pay merchant agreement and the EU DPA. Inform users about Amazon Payments Europe S.C.A. and Amazon Inc. roles.
PayPal Express Checkout, Apple Pay, Google Pay, Shop Pay, Klarna Pay Now, GoCardless for SEPA, Stripe Link, Adyen, Mollie. EU based alternatives reduce transfer risk.
List the session-id, ubid-acbeu, lc-acbeu, x-acbeu, at-main, sess-at-main and ad-id cookies. Categorise checkout cookies as Strictly Necessary, ad-id as Marketing. Identify Amazon Payments Europe S.C.A. and Amazon Inc. as controllers.