BigCommerce is a hosted enterprise ecommerce platform competing with Shopify. It provides a storefront, checkout, native analytics, marketing tools and a Stencil theme engine. It sets strictly necessary cookies, and consent is needed for analytics and marketing apps and for the BigCommerce native analytics module.
BigCommerce is a hosted ecommerce platform competing with Shopify and Adobe Commerce. It provides a storefront, a checkout, a Stencil theme engine, native analytics, abandoned cart recovery, email marketing, multi storefront, a headless API and a marketplace of apps. The platform serves the storefront pages, hosts product and order data, and exposes a Storefront API, a GraphQL Catalog API and a webhook system used by integrations.
The strictly necessary cookies are BIGipServer* (load balancer affinity, session), _bigcommerce_session (session cookie that keeps the basket and the login), fornax_anonymousId (1 year, anonymous visitor identifier for the BigCommerce native analytics and abandoned cart recovery), XSRF-TOKEN (session, anti CSRF) and checkout_csrf_token (session, checkout CSRF). The native analytics module also sets _bcsi-c_external_account and conversion_visitor when active. Installed apps from the Marketplace add their own cookies (Facebook Pixel, Google Analytics, Klaviyo, etc.).
For the checkout and the order, GDPR art. 6(1)(b) (contract) and art. 6(1)(c) (accounting obligation) apply, and the strictly necessary cookies are exempt from consent under ePrivacy art. 5(3). The BigCommerce native analytics and the fornax_anonymousId cookie used for behavioural tracking require consent under GDPR art. 6(1)(a). Any app from the App Marketplace that loads tracking pixels, recommendation engines or live chat needs to be wired to your CMP, because BigCommerce does not gate apps automatically.
EU storefronts are hosted on Google Cloud Platform regions eu-west-1 (Ireland) and europe-west4 (Eemshaven, Netherlands). The Stencil CDN runs on Fastly with European edges. The BigCommerce corporate analytics, support, fraud prevention and engineering tools are operated centrally from Austin, Texas. BigCommerce is certified under the EU US Data Privacy Framework. A Transfer Impact Assessment must accompany the deployment because US engineers retain contractual access to the EU databases.
Sign the BigCommerce Data Processing Addendum and pick the EU storage region, list strictly necessary cookies in the privacy notice without gating, gate the native analytics and every marketing app behind the relevant CMP categories, configure the BigCommerce GDPR consent capture for newsletter and account creation flows, train support on the BigCommerce DSAR process, document the apps as sub processors and minimise the order data retention.
Websites using BigCommerce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when the BigCommerce native analytics, the marketing automation modules or the Customer Login B2B Edition are enabled because they build behavioural profiles of customers. The DPIA should document the EU storage region, the access from US, Mexico and Philippines support teams, the retention of order history, the integration with third party apps from the BigCommerce App Marketplace and the legal basis for each marketing flow.
Sample consent text
Our store runs on BigCommerce. We use strictly necessary cookies to keep your basket and your session working (BIGipServer, _bigcommerce_session, fornax_anonymousId). With your consent we activate BigCommerce native analytics, marketing automations and third party apps that may set additional cookies. Your data is stored in the European Union (Dublin and Eemshaven) and may be accessed by BigCommerce support in the United States under the EU US Data Privacy Framework. You can accept, refuse or withdraw at any time.
Third-party domains contacted
mybigcommerce.com, bigcommerce.com, cdn11.bigcommerce.com, bcapp.dev, bigcommerceapp.com, api.bigcommerce.com, cdn.bigcommerce.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SHOP_SESSION_TOKEN | first_party | 1 year | BigCommerce shopping session token that links the visitor browser to the active cart, customer wishlist and recently viewed products. Strictly necessary for the checkout flow. |
| SHOP_SESSION_TOKEN | Strictly necessary | Session | Identifies the shopper's session on the storefront. Required to maintain a logged in state and a working cart between pages. |
| CART_URL | Strictly necessary | 7 days | Stores a reference to the current shopping cart so that the shopper can resume the cart on a later visit or another device after recovery. |
| SHOP_TOKEN | first_party | 30 days | Authenticated customer session token. Set after login to keep the customer signed in across the storefront and to enable saved payment methods and order history. |
| fornax_anonymousId | Strictly necessary | 12 months | Assigns an anonymous identifier to the visitor for cart recovery and order continuity, even before login or registration. |
| fornax_anonymousId | first_party | 1 year | Anonymous identifier used by BigCommerce Analytics to attribute pageviews, cart actions and conversions to a single visitor session before login. |
| XSRF-TOKEN | Strictly necessary | Session | Protects against Cross Site Request Forgery attacks on the BigCommerce storefront and checkout. Required for secure form submissions. |
| PHPSESSID | first_party | Session | Underlying PHP session cookie used by the BigCommerce backend during page rendering and form submissions. Strictly necessary. |
| CART_URL | first_party | Session | Stores the current cart URL so the customer can resume the basket later in the same session. Strictly necessary for the shopping flow. |
| _abck | Strictly necessary (security) | 12 months | Akamai Bot Manager cookie used by BigCommerce to distinguish legitimate shoppers from automated bots during checkout and login. |
| bc_visitorId | Analytics | 12 months | BigCommerce Analytics cookie that assigns a pseudonymous visitor ID for storefront usage analysis and conversion reporting. |
| _ga / _ga_* | third_party | 2 years | Google Analytics cookies dropped when the merchant connects Google Analytics through Channel Manager. Require consent under ePrivacy. |
| _fbp | third_party | 90 days | Meta Pixel browser identifier dropped when the merchant connects the Facebook channel. Used for ad measurement and retargeting; requires consent. |
| _ttp | third_party | 13 months | TikTok Pixel browser identifier dropped when the TikTok channel is connected. Used for conversion measurement and audience building; requires consent. |
BigCommerce uses cookies for user preferences — inform visitors with a consent banner.
The default Stencil storefront sets SHOP_SESSION_TOKEN for the shopping session, SHOP_TOKEN for authenticated customers, fornax_anonymousId for cart attribution and PHPSESSID for the underlying PHP session. Optional analytics and marketing pixels (BigCommerce Analytics, Google Analytics, Meta Pixel, TikTok Pixel) are added when the merchant connects them through Channel Manager.
Cart, checkout and authentication cookies are strictly necessary and exempt under Article 5(3) ePrivacy. All BigCommerce Analytics, connected ad pixels and any third party script loaded through Scripts Manager require prior, freely given, specific, informed and unambiguous consent under GDPR and ePrivacy.
Cart and checkout cookies rely on Article 6(1)(b) GDPR (contract). Order management, fraud prevention and security rely on Article 6(1)(f) GDPR (legitimate interest). Analytics, marketing and personalisation cookies require Article 6(1)(a) GDPR consent. BigCommerce processes data as a processor under Article 28 GDPR.
Yes. BigCommerce Inc. is established in the US and processes data on Google Cloud Platform with US primary regions. The company self certifies under the EU US Data Privacy Framework, providing an adequacy basis. Standard Contractual Clauses are included in its DPA as an additional safeguard.
A small DTC store using only cart and checkout cookies usually does not need a DPIA. It becomes recommended for large stores, B2B portals processing big customer datasets, behavioural personalisation, multi channel retargeting or programmes combining loyalty, CRM and offline data.
Sign the BigCommerce DPA, document the US transfer, list every cookie in your cookie policy, connect a consent management platform that intercepts tags injected through Scripts Manager and Channel Manager, enable IP anonymisation for connected analytics, and surface BigCommerce data subject request tools to your customers.
EU based hosted ecommerce alternatives include Shopware (Germany), Lightspeed eCom (Netherlands and Canada), PrestaShop Cloud (France) and Centra (Sweden). Self hosted alternatives include WooCommerce, Magento Open Source, PrestaShop and Sylius. All require their own cookie audit.
Run a fresh cookie scan after each Channel Manager or Scripts Manager change, list each storefront cookie with name, purpose, duration and provider, document analytics and marketing pixels, link to BigCommerce, Google, Meta and TikTok privacy notices, and update the EEA transfer information whenever the regional setup changes.
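The cookie scan described above, as an added example (not BigCommerce or CMP vendor code): it classifies Set-Cookie headers captured from a storefront response against the cookie table on this page and reports consent-category cookies that were set before consent. The function names and sample headers are constructed; fornax_anonymousId is routed to manual review because the page lists it under both categories.

```javascript
// Added example: categories follow the cookie table on this page.
// A trailing "*" marks a name prefix. All sample headers are constructed.
const RULES = [
  ["SHOP_SESSION_TOKEN", "necessary"], ["SHOP_TOKEN", "necessary"],
  ["CART_URL", "necessary"], ["XSRF-TOKEN", "necessary"],
  ["PHPSESSID", "necessary"], ["_abck", "necessary"],
  ["BIGipServer*", "necessary"],
  // Listed on the page as both strictly necessary and analytics: manual review.
  ["fornax_anonymousId", "review"],
  ["bc_visitorId", "consent"], ["_ga", "consent"], ["_ga_*", "consent"],
  ["_fbp", "consent"], ["_ttp", "consent"],
];

function classify(name) {
  for (const [pattern, category] of RULES) {
    const hit = pattern.endsWith("*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern;
    if (hit) return category;
  }
  return "unknown"; // not in the cookie policy: must be documented or removed
}

// The cookie name is the text before the first "=" of the first attribute.
function cookieName(setCookieLine) {
  const first = setCookieLine.split(";")[0];
  const eq = first.indexOf("=");
  return (eq === -1 ? first : first.slice(0, eq)).trim();
}

function auditCookies(setCookieLines, consentGiven) {
  const report = { ok: [], violation: [], review: [], unknown: [] };
  for (const line of setCookieLines) {
    const name = cookieName(line);
    const category = classify(name);
    if (category === "necessary") report.ok.push(name);
    else if (category === "consent")
      (consentGiven ? report.ok : report.violation).push(name);
    else report[category].push(name);
  }
  return report;
}

const SAMPLE = [ // constructed headers, as captured before any banner click
  "SHOP_SESSION_TOKEN=abc123; Path=/; Secure; HttpOnly",
  "fornax_anonymousId=0f0e; Max-Age=31536000; Path=/",
  "_ga_ABC123XYZ=GS1.1.1; Max-Age=63072000; Path=/",
  "_fbp=fb.1.1.1; Max-Age=7776000; Path=/",
  "BIGipServerpool_1=1234.5678; Path=/",
  "promo_widget=1; Path=/",
];
console.log(auditCookies(SAMPLE, false));
```

Any name under `violation` or `unknown` in a pre-consent scan points to a tag that the CMP is not gating or a cookie missing from the cookie policy.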
A default Stencil storefront sets strictly necessary cookies for the session and the cart (SHOP_SESSION_TOKEN, CART_URL, fornax_anonymousId, XSRF-TOKEN), security cookies for bot mitigation (_abck, bm_sz) and, if enabled, BigCommerce Analytics cookies plus any third party cookies from channels such as Google Analytics 4, Meta Pixel, TikTok Pixel or Klaviyo.
Consent is not required for cart and checkout cookies that are strictly necessary to fulfil the order, which fall under the ePrivacy exemption. Consent is required for BigCommerce Analytics, marketing pixels and any optional A/B testing or personalization scripts before they are loaded, in line with Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive.
Order processing and account management rely on the performance of a contract under Article 6(1)(b) GDPR. Fraud prevention and platform security rely on legitimate interest under Article 6(1)(f) GDPR. Analytics, marketing pixels, personalization and remarketing rely on consent under Article 6(1)(a) GDPR collected through a consent management platform.
BigCommerce signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR with merchants via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary technical measures include TLS 1.3, encryption at rest, AWS regional isolation, PCI DSS Level 1 certification and SOC 2 Type II audits.
A DPIA is recommended when BigCommerce is used to systematically profile EU shoppers (advanced segmentation, behavioural triggers, abandoned cart automation), when the storefront serves regulated sectors (financial services, health, alcohol) or when sensitive data is collected at checkout. A DPIA is generally not necessary for a small storefront limited to standard order and contact data.
Sign the BigCommerce Data Processing Addendum, list BigCommerce in your record of processing activities, configure a consent management platform integrated with the storefront, gate BigCommerce Analytics and channel pixels behind that consent, document retention rules for orders and customer accounts, and use the BigCommerce GDPR endpoints to handle access, rectification and deletion requests.
European merchants often consider Shopify (CA, US data residency), Shopware (Germany), Sylius and Sulu (open source, EU hosting), PrestaShop (France) and headless options like commercetools (Germany) or Saleor (Poland). The right choice depends on hosting requirements, B2B features, total cost of ownership and the depth of channel integrations needed.
List BigCommerce Holdings Inc. as the processor of the storefront, describe the categories of cookies set by Stencil (functional, security, analytics, marketing), mention the United States hosting and the SCC plus DPF safeguards, link to the BigCommerce Privacy Notice and explain how to withdraw consent through your consent management platform.