Enterprise e-commerce platform from HCL Software (formerly IBM WebSphere Commerce) used by large B2B and B2C retailers for catalog, cart, checkout, and personalization.
HCL Commerce is an enterprise-grade e-commerce platform formerly developed by IBM as WebSphere Commerce and acquired by HCL Software in 2019. It powers catalog, search, cart, checkout, order management, contracts, and B2B account hierarchies for large retailers, manufacturers, and distributors. It can be deployed on premises, in customer-managed cloud environments, or on HCL Cloud, and is regularly paired with HCL Marketing Platform, HCL Unica, and HCL DX for content and engagement.
HCL Commerce sets first-party cookies such as WC_SESSION_ESTABLISHED, WC_AUTHENTICATION, WC_ACTIVEPOINTER, WC_USERACTIVITY, and JSESSIONID to maintain authenticated sessions, persistent carts, current store, and personalization context. The platform also stores account details, order history, addresses, payment tokens (delegated to the payment service provider), and behavioral signals used for segmentation. When integrated with HCL Marketing Platform or Unica, additional cookies and identifiers are written to track campaigns and offers.
Session, cart, and checkout cookies are strictly necessary and rest on Article 6(1)(b) GDPR. Personalization, behavioral segmentation, and marketing analytics require explicit consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. Operators must surface a compliant consent banner before any non-essential script loads, including HCL Marketing tags. Records of consent need to satisfy Article 7 GDPR. Profiling that produces legal or significant effects also engages Article 22 GDPR.
HCL Software Inc. is headquartered in the United States and HCL Technologies Ltd. is based in India. Personal data processed in support agreements, HCL Cloud hosting, or managed services may therefore leave the EEA. Controllers should rely on the EU-US Data Privacy Framework when the receiving HCL entity is certified, or on Standard Contractual Clauses combined with a transfer impact assessment as recommended by the EDPB. The exact data flows must be documented in the records of processing.
Configure the consent management platform to block personalization, marketing, and analytics scripts until consent is captured. Map every cookie category in the cookie policy, set retention windows for orders and abandoned carts, restrict access to PII tables, enable encryption at rest, and use tokenization for payment data. Sign a data processing agreement with HCL and any subprocessors, and run vendor audits at least annually.
Given the volume of customer data and the frequent use of profiling for promotions, a DPIA is strongly recommended before launch and after any major integration (loyalty program, recommendation engine, cross-border data export). The assessment should describe the lawful basis for each processing purpose, the safeguards for transfers, and the rights workflows (access, deletion, portability) the merchant exposes to its customers.
Websites using HCL Commerce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended. HCL Commerce centralizes large volumes of customer, order, and behavioral data, and is often paired with HCL Marketing Platform, Unica, or third-party personalization engines that score and segment users. Assess data minimization at registration, the lawful basis for personalization, retention of order data, profiling impacts, and any transfer of personal data to HCL entities in the US or India.
Sample consent text
This site is powered by HCL Commerce. Strictly necessary cookies are used to keep your shopping cart, session, and checkout secure and cannot be turned off. Personalization and analytics cookies, including those used by HCL Marketing Platform and connected third-party tools, are loaded only after you accept them. Some processing may involve HCL entities outside the European Economic Area under appropriate safeguards such as Standard Contractual Clauses or the EU-US Data Privacy Framework.
Third-party domains contacted
hcl-software.com, hcltechsw.com, commerce.hcltechsw.com, help.hcltechsw.com, unica.hcltechsw.com, my.hcltechsw.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| WC_SESSION_ESTABLISHED | first_party | Session | Marks an established guest or registered shopper session in HCL Commerce |
| WC_AUTHENTICATION_[user] | first_party | Session | Authenticates the registered shopper for the storefront and REST APIs |
| WC_ACTIVEPOINTER | first_party | Session | Identifies the active store and language for catalog and content rendering |
| WC_USERACTIVITY_[user] | first_party | Session | Tracks ongoing shopper activity within HCL Commerce for cart and order continuity |
| JSESSIONID | first_party | Session | Java application server session identifier used by the HCL Commerce runtime |
| WC_CartOrderId_[storeId] | first_party | Up to 30 days | Persists the shopping cart and last viewed order across visits |
| UnicaID | first_party | 1 year | Identifier used by HCL Unica or HCL Marketing Platform for campaign and offer tracking |
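
An added example (not from the original page and not HCL code): a Node.js check that compares observed Set-Cookie headers against the cookie table above and flags cookies set before consent, cookies that outlive their documented duration, and cookies missing from the policy. The category labels, function names, and sample headers are assumptions made for illustration.

```javascript
// Added example, not HCL code. INVENTORY encodes the cookie table above;
// category labels and the maxAgeSec limits (0 = session) are assumptions.
const DAY = 86400;
const INVENTORY = [
  { re: /^(WC_SESSION_ESTABLISHED|WC_ACTIVEPOINTER|JSESSIONID)$/, category: "necessary", maxAgeSec: 0 },
  { re: /^WC_(AUTHENTICATION|USERACTIVITY)_.+$/, category: "necessary", maxAgeSec: 0 },
  { re: /^WC_CartOrderId_.+$/, category: "necessary", maxAgeSec: 30 * DAY },
  { re: /^UnicaID$/, category: "marketing", maxAgeSec: 365 * DAY },
];

// Parse one Set-Cookie value into its name and lifetime in seconds.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const attr = {};
  for (const a of attrs) {
    const eq = a.indexOf("=");
    if (eq > 0) attr[a.slice(0, eq).toLowerCase()] = a.slice(eq + 1);
  }
  // Max-Age wins over Expires when both are present; neither means session.
  let lifetimeSec = 0;
  if ("max-age" in attr) lifetimeSec = parseInt(attr["max-age"], 10);
  else if ("expires" in attr) lifetimeSec = Math.round((Date.parse(attr.expires) - now) / 1000);
  return { name: pair.split("=")[0], lifetimeSec };
}

// List policy violations in a response, given the visitor's consent state.
function auditCookies(headers, consent, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetimeSec } = parseSetCookie(header, now);
    const rule = INVENTORY.find((r) => r.re.test(name));
    if (!rule) { findings.push(`${name}: not in cookie policy`); continue; }
    if (rule.category !== "necessary" && !consent[rule.category])
      findings.push(`${name}: set before consent`);
    if (lifetimeSec > rule.maxAgeSec)
      findings.push(`${name}: exceeds documented duration`);
  }
  return findings;
}

// Constructed sample Set-Cookie values; the cart cookie is set for 90 days.
const SAMPLE = [
  "JSESSIONID=0000abc; Path=/; HttpOnly",
  "WC_CartOrderId_10151=555; Path=/; Max-Age=7776000",
  "UnicaID=u-123; Path=/; Max-Age=31536000",
  "promoTracker=1; Path=/",
];
console.log(auditCookies(SAMPLE, { marketing: false }));
```

Run it against headers captured from a fresh browser profile before the banner is answered, then again after accepting, to confirm that only the marketing findings disappear.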
HCL Commerce uses cookies for user preferences — inform visitors with a consent banner.
HCL Commerce sets first-party cookies such as WC_SESSION_ESTABLISHED, WC_AUTHENTICATION, WC_ACTIVEPOINTER, WC_USERACTIVITY, JSESSIONID, and WC_CartOrderId for session, authentication, store context, and persistent cart. When HCL Marketing Platform or Unica is integrated, additional identifiers like UnicaID are added for campaign tracking.
Strictly necessary cookies for session, cart, and checkout do not need prior consent. Personalization, marketing, and analytics cookies (including HCL Marketing and Unica tags) require explicit opt-in consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR before they load.
Article 6(1)(b) GDPR supports contract execution (orders, cart, account, delivery), Article 6(1)(f) GDPR covers fraud prevention and platform security, Article 6(1)(a) GDPR applies to marketing personalization and email opt-ins, and Article 6(1)(c) GDPR backs accounting and tax retention obligations.
Yes, when the platform is operated on HCL Cloud or supported by HCL Software Inc. (US) or HCL Technologies Ltd. (India). Cover those flows with the EU-US Data Privacy Framework where applicable, otherwise rely on Standard Contractual Clauses and document a transfer impact assessment.
Yes. Given the volume of customer data, profiling, and likely transfers outside the EEA, a DPIA is strongly recommended before go-live and at every major change (loyalty program, recommendation engine, new sub-processor, cross-border deployment).
Deploy a consent management platform that blocks non-essential scripts pre-consent, document every cookie in the policy, configure data retention for orders and abandoned carts, restrict access to PII, encrypt at rest, tokenize payments, sign a DPA with HCL and sub-processors, and audit annually.
Major alternatives in the enterprise space include SAP Commerce Cloud, Salesforce Commerce Cloud, Adobe Commerce (Magento), Commercetools, BigCommerce Enterprise, and Shopify Plus. Each has different hosting models, data processing footprints, and transfer profiles.
List every cookie category (strictly necessary, functional, personalization, analytics, marketing) with names, providers, retention, and purpose. Disclose HCL entities involved, the legal basis for each, and the safeguards used for transfers outside the EEA. Review the policy whenever a new module or third-party tag is enabled.