Apple Pay is the contactless and online payment service of Apple, integrated with Safari and the iOS Wallet to let users pay with the card stored on their device.
On the web, merchants integrate Apple Pay through the Apple Pay JS API on Safari or through a payment service provider (Stripe, Adyen, Braintree, Worldline). The user authorises the payment with Face ID, Touch ID or a passcode, and the device generates a tokenised payment credential bound to the merchant. The card number is never shared with the merchant or the publisher. For European users, Apple Distribution International in Ireland is the customer-facing entity.
Apple Pay on the web requires a domain verification file hosted on the merchant domain (/.well-known/apple-developer-merchantid-domain-association). The Apple Pay button does not drop tracking cookies on the publisher domain. A small number of strictly necessary cookies are set on apple.com when the user is signed in to their Apple account. The merchant receives the encrypted payment token, the billing address (if requested) and the shipping address (if requested), but not the underlying card details. Transaction signals such as device location and Apple risk scores are processed inside Apple infrastructure to validate the payment.
Apple Pay is one of the most privacy-friendly payment options for European publishers. The few cookies it sets are strictly necessary for the payment and fall under the article 5(3) ePrivacy exemption. The card data is tokenised on the device and never reaches the merchant in the clear. Apple processes transaction signals as an independent controller under its own Apple privacy notice. The publisher acts as a controller for the order data it receives back from Apple Pay.
You can display the Apple Pay button without a separate consent because it does not set non-essential cookies. Inform users about Apple Pay in your privacy notice and identify Apple Distribution International (for EEA) and Apple Inc. (for global flows) as independent controllers. Provide a link to the Apple privacy notice and to the Apple Pay-specific privacy section.
Apple Distribution International (Cork, Ireland) is the EEA customer-facing entity. Apple Inc. (Cupertino, California) operates the broader Apple Pay infrastructure. Some flows can involve Apple Inc. infrastructure in the United States. Transfers rely on EU SCCs and the Apple Inc. DPF certification under the EU-US Data Privacy Framework.
Register your domain with Apple and host the domain verification file. Sign the Apple Pay Merchant Agreement through your payment service provider. Display the button without a separate consent. Inform users in your privacy notice that Apple Pay is used. Identify Apple Distribution International and Apple Inc. as controllers. Document any data you receive back from Apple Pay (billing and shipping addresses) in your records of processing activities.
DPIA considerations
Apple Pay is generally low risk because card data is tokenised on the device and never reaches the merchant or the publisher servers in the clear. A DPIA may be appropriate when Apple Pay is paired with Apple Sign In, when the merchant runs subscriptions with stored Apple Pay tokens, or when the merchant aggregates transaction data with broader profiling.
Sample consent text
We use Apple Pay to let you check out with the card stored on your Apple device. Apple Pay does not share your card number with us; it generates a one-time payment token signed by your device. Apple Pay sets only very limited technical cookies that are strictly necessary for the payment, so no separate consent is required for the button to display.
Third-party domains contacted
apple.com
apple-pay-gateway.apple.com
apple-pay-gateway-cert.apple.com
smp-device.apple.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| s_vi | Strictly Necessary | 2 years | Apple visitor identifier used by the Apple Pay backend on apple.com to maintain the merchant transaction context. |
| geo | Strictly Necessary | Session | Stores the user country and region for the Apple Pay availability check. |
| dssid | Strictly Necessary | Session | Apple session identifier used during the Apple Pay authentication and confirmation step. |
| dssf | Strictly Necessary | 1 year | Apple secure flag cookie used to protect the Apple Pay session against forged requests. |
Apple Pay sets very few cookies. A small number of strictly necessary cookies on apple.com (s_vi, geo, dssid, dssf) appear when the user is signed in to an Apple account. No tracking cookies are dropped on the publisher domain.
No. The Apple Pay button does not set non-essential cookies on the publisher domain. The strictly necessary cookies set on apple.com fall under the article 5(3) ePrivacy exemption.
Performance of a contract (article 6(1)(b) GDPR) for the payment, and legitimate interest (article 6(1)(f) GDPR) for the Apple-side fraud prevention.
Apple Distribution International is in Ireland but some flows involve Apple Inc. in the US. Transfers rely on EU SCCs and the Apple Inc. DPF certification.
Generally no. Apple Pay is low risk because card data never reaches the merchant. A DPIA may be appropriate when Apple Pay is paired with Apple Sign In, when subscriptions use Apple Pay tokens, or when transaction data feeds broader profiling.
Register your domain with Apple. Host the merchant ID domain association file. Sign the Apple Pay Merchant Agreement via your PSP. Display the button without separate consent. Inform users in your privacy notice.
Google Pay, Amazon Pay, PayPal Express, Shop Pay, Klarna Pay Now, GoCardless, Stripe Link, Adyen, Mollie or local methods (Bancontact, iDEAL, Sofort, Bizum).
Note that Apple Pay does not set tracking cookies on your domain. Identify Apple Distribution International and Apple Inc. as controllers in the privacy notice. Link to the Apple privacy notice and Apple Pay specific section.