BigCommerce B2B Edition is the wholesale tier of the BigCommerce hosted commerce platform, with custom price lists, account hierarchies, quote management and a buyer portal. It runs on US infrastructure (Google Cloud) and sets first party cookies for cart, session and customer authentication, alongside optional analytics and marketing pixels that require consent under GDPR and ePrivacy.
BigCommerce B2B Edition is the wholesale tier of the BigCommerce hosted commerce platform. It layers a B2B specific feature set (customer specific price lists, multi-level account hierarchies, quote management, sales rep dashboards and a self service buyer portal) on top of the standard BigCommerce storefront. The platform is delivered as software as a service: BigCommerce, Inc. operates the application, the database and the storefront CDN, while the merchant retains control over catalog, branding and the buyer experience. All storefront traffic, admin sessions and API calls terminate on BigCommerce infrastructure hosted on Google Cloud Platform in the United States.
The storefront writes several first party cookies: SHOP_SESSION_TOKEN to maintain the shopping cart, fornax_anonymousId to identify the visitor across pages, CART_URL for cart recovery, XSRF-TOKEN for CSRF protection and an authentication cookie for logged in buyers. These cookies are strictly necessary for the contract performance covered by Article 6(1)(b) GDPR. In parallel the merchant may enable analytics (Google Analytics, BigCommerce Insights), marketing pixels (Meta, TikTok, LinkedIn) and personalisation engines, each of which sets its own cookies and requires prior consent under ePrivacy Article 5(3).
BigCommerce, Inc. acts as a data processor for the merchant under Article 28 GDPR. The Data Processing Addendum (DPA) bundled with the platform contract reflects the processor obligations and lists sub processors. Strictly necessary commerce cookies (session, cart, authentication) do not require consent because they are essential to deliver the service the buyer has explicitly requested. Analytics and marketing cookies always do. Merchants must therefore wire a CMP into the storefront and block non essential vendors until consent is captured. B2B portals that target named buyers may also rely on contract or legitimate interest for first party behavioural analytics, but a documented balancing test is then required.
Because BigCommerce processes buyer accounts, orders and storefront analytics in the United States, every European merchant must rely on a Chapter V transfer mechanism. BigCommerce maintains a Data Privacy Framework certification covering the EU US framework and its UK extension, considered adequate by the Commission and recognised by the UK ICO. The DPA also offers the 2021 EU Standard Contractual Clauses for merchants that prefer not to depend on the DPF. A Transfer Impact Assessment should review the impact of FISA Section 702 and Executive Order 12333 on buyer account data, particularly when the catalog contains sensitive procurement information.
For B2B portals that store extensive buyer profiles or expose pricing intelligence, a DPIA is advisable. The assessment should cover the categories of buyers and procurement contacts, the retention of order history, the use of behavioural analytics inside the B2B portal and the impact of the US transfer. BigCommerce holds PCI DSS Level 1 certification and SOC 2 Type II reports that can be referenced in the DPIA. Single sign on, IP allowlists and two factor authentication on the admin should be enabled as technical safeguards.
Wire a CMP such as Didomi, Cookiebot or OneTrust into the storefront and use BigCommerce Script Manager to conditionally fire analytics and marketing scripts only after consent. Document the DPF certification number and the SCCs in the cookie policy. Refresh the cookie scan after every storefront theme update. EU based alternatives include Shopware (Germany), Spryker (Germany), commercetools (Germany) and Centra (Sweden) for merchants who must keep all processing inside the EU/EEA.
Websites using BigCommerce B2B Edition must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for B2B merchants that process large volumes of buyer account data, payment metadata or behavioural analytics through BigCommerce. Map the data flow from storefront to BigCommerce US infrastructure, assess the impact of FISA Section 702 on hosted customer records, and verify that the BigCommerce Data Processing Addendum covers all sub processors. The DPIA should distinguish between strictly necessary commerce cookies (contract basis) and consent based marketing tags injected via the storefront.
Sample consent text
This wholesale storefront runs on BigCommerce B2B Edition. Cookies used to keep you signed in, hold your cart and process orders are strictly necessary and do not require your consent. We also set optional analytics and marketing cookies to measure storefront performance and to deliver relevant offers. You can accept, refuse or change these choices at any time using our preference center.
Third-party domains contacted
bigcommerce.com, mybigcommerce.com, cdn11.bigcommerce.com, b2b-edition.bigcommerce.com, api.bigcommerce.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| SHOP_SESSION_TOKEN | functional | Session | Maintains the buyer session and links the cart to the visitor across page loads. Strictly necessary for contract performance. |
| fornax_anonymousId | functional | 12 months | Anonymous identifier that ties storefront pageviews to a single visitor so the cart and personalisation features work. Strictly necessary. |
| CART_URL | functional | 30 days | Stores the URL of an abandoned cart so the buyer can be redirected back to it. Strictly necessary for the cart recovery feature. |
| XSRF-TOKEN | strictly-necessary | Session | CSRF protection token used to validate requests sent to the BigCommerce storefront and admin. |
| _bc_customer_login | functional | 12 months | Authentication cookie for logged in B2B buyers, used by the buyer portal and quote management. Strictly necessary while logged in. |
| bc_visitorId | analytics | 12 months | Optional identifier used by BigCommerce Insights to measure storefront performance. Requires consent. |
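
As an added example (not BigCommerce or CMP vendor code), the following JavaScript check audits `Set-Cookie` headers captured before any consent choice against the inventory in the table above, which is the kind of check to rerun after each theme update. The sample headers, the `example_pixel_id` cookie name and the reading of "12 months" as 365 days are assumptions constructed for illustration.

```javascript
// Inventory transcribed from the "Cookies placed" table on this page.
// maxDays: null = session cookie; "12 months" is read as 365 days (assumption).
const INVENTORY = new Map([
  ["SHOP_SESSION_TOKEN", { consent: false, maxDays: null }],
  ["fornax_anonymousId", { consent: false, maxDays: 365 }],
  ["CART_URL",           { consent: false, maxDays: 30 }],
  ["XSRF-TOKEN",         { consent: false, maxDays: null }],
  ["_bc_customer_login", { consent: false, maxDays: 365 }],
  ["bc_visitorId",       { consent: true,  maxDays: 365 }],
]);

// Extract the cookie name and its lifetime in days from one Set-Cookie header.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age") maxAge = Number(val) / 86400;
    if (key === "expires") expires = (Date.parse(val) - now) / 86400000;
  }
  // RFC 6265: Max-Age takes precedence over Expires; null means session cookie.
  return { name, lifetimeDays: maxAge ?? expires };
}

// Flag cookies that should not appear, or not live this long, before consent.
function auditPreConsent(setCookieHeaders, now = Date.now()) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, lifetimeDays } = parseSetCookie(header, now);
    const entry = INVENTORY.get(name);
    if (!entry) findings.push({ name, issue: "not-in-inventory" });
    else if (entry.consent) findings.push({ name, issue: "set-before-consent" });
    else if (lifetimeDays !== null && lifetimeDays > (entry.maxDays ?? 0))
      findings.push({ name, issue: "lifetime-exceeds-documented" });
  }
  return findings;
}

// Constructed sample: headers as a scanner might record them before consent.
const SAMPLE_HEADERS = [
  "SHOP_SESSION_TOKEN=abc; Path=/; Secure; HttpOnly",
  "fornax_anonymousId=1f2e; Max-Age=31536000; Path=/",
  "CART_URL=/cart/xyz; Max-Age=7776000; Path=/",       // 90 days, table says 30
  "bc_visitorId=v-42; Max-Age=31536000; Path=/",        // analytics, needs consent
  "example_pixel_id=p-1; Max-Age=7776000; Path=/",      // hypothetical unlisted tag
];
console.log(auditPreConsent(SAMPLE_HEADERS));
```

An empty result means every cookie seen before consent is listed as strictly necessary and stays within its documented duration.
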
BigCommerce B2B Edition uses cookies for user preferences — inform visitors with a consent banner.
The storefront writes session cookies (SHOP_SESSION_TOKEN, _bc_customer_login), an anonymous visitor identifier (fornax_anonymousId), a cart recovery cookie (CART_URL) and a CSRF token (XSRF-TOKEN). All of these are strictly necessary. If the merchant turns on BigCommerce Insights, a Google Analytics integration or a marketing pixel, additional consent based cookies are set.
Consent is not required for the strictly necessary cookies that power the cart, the session and the buyer authentication, because they are essential to the commerce service the buyer has explicitly requested. Consent is required for every analytics, marketing or personalisation cookie added on top, including the BigCommerce Insights cookies if you activate them.
Performance of a contract (Art. 6(1)(b) GDPR) covers cart, checkout, account and order processing. Legal obligation (Art. 6(1)(c)) covers invoicing and tax reporting. Consent (Art. 6(1)(a) GDPR and ePrivacy Article 5(3)) covers analytics, marketing and personalisation cookies. Legitimate interest (Art. 6(1)(f)) may justify fraud prevention and security telemetry with a documented balancing test.
Yes. BigCommerce, Inc. is based in Texas and processes storefront, account and order data on Google Cloud infrastructure in the United States. The platform is certified under the EU US Data Privacy Framework (and its UK extension). The DPA also offers the 2021 EU Standard Contractual Clauses as an alternative. A Transfer Impact Assessment is recommended for any B2B catalog that holds sensitive procurement data.
A DPIA is recommended when the B2B portal stores detailed buyer profiles, payment metadata, or behavioural analytics, or when the storefront targets sectors with sensitive purchases (defence, healthcare, energy). The assessment must address the US transfer mechanism, the retention of order history, the categories of buyer contacts, and the sub processor list provided in the BigCommerce DPA.
Integrate a CMP via the BigCommerce Script Manager so analytics and marketing scripts only run after consent. Sign the BigCommerce DPA and verify the DPF certification number. Enable two factor authentication and IP allowlists on the admin. Disclose strictly necessary cookies in the cookie policy and provide a preference center. Document retention rules for order history and for any abandoned cart recovery feature.
Yes. Shopware B2B Suite (Germany), Spryker (Germany), commercetools (Germany), Sana Commerce (Netherlands) and Centra (Sweden) all offer wholesale features comparable to BigCommerce B2B Edition with hosting inside the EU/EEA. They remove the US transfer question and often integrate more tightly with European ERP systems such as SAP or Microsoft Dynamics.
List BigCommerce, Inc. as the platform processor, mention that the storefront is hosted in the United States on Google Cloud, and reference the DPF certification and the SCCs in the DPA. Group strictly necessary cookies (session, cart, authentication, CSRF) separately from optional analytics and marketing cookies. Provide a link to the preference center and to the BigCommerce trust center where buyers can read the sub processor list.