Klarna Checkout (KCO) is the hosted checkout solution from Klarna Bank AB (Sweden), bundling card, instalment, pay later and direct debit options inside a single iframe that replaces the merchant's own checkout. It is one of the most widely used payment flows in the Nordics, DACH and increasingly the UK and France. Because Klarna is a licensed bank in the EU, the core processing happens in Sweden, but the integration still sets several cookies on the merchant domain and requires careful GDPR and ePrivacy handling.
Klarna Checkout (KCO) is the all-in-one checkout solution from Klarna Bank AB, a Swedish licensed bank. It replaces the merchant's native checkout with a hosted iframe served from klarna.com. Inside the iframe the consumer chooses between immediate card payment, direct debit, Pay in 3, Pay in 30 days or instalment financing, and Klarna handles identification, payment processing, fraud checks and (for credit products) the lending decision. Merchants integrate Klarna Checkout via a front-end snippet plus a back-end REST API for order capture, refunds and order updates. Klarna also offers a separate Klarna Payments solution for merchants that prefer to keep their own checkout shell.
At the page level, Klarna injects scripts and cookies (kp_session, klarna_eu_country, hp_session, datadome) for session management, geographic routing and fraud detection. Inside the iframe Klarna collects identity, address, contact details, payment method, basket contents, IP address, User-Agent and a device fingerprint. For BNPL and instalment flows, Klarna queries internal scoring models and external credit bureaus or population registers, depending on the country. On-site messaging widgets on product pages also set Klarna cookies before the user reaches checkout.
The Klarna On-site messaging script and most analytics cookies set before the user enters checkout are not strictly necessary and require consent under Article 5(3) of the ePrivacy Directive. The core checkout cookies (kp_session, anti-fraud tokens) that fire only inside the active payment session are widely considered strictly necessary for the requested service. The processing of payment, identity and credit data is anchored on contract (Art. 6(1)(b) GDPR), AML obligations (Art. 6(1)(c)) and legitimate interest in fraud prevention (Art. 6(1)(f)). Automated credit scoring engages Article 22.
For the On-site messaging widget and the analytics scripts loaded on the catalogue, yes. They should be blocked until consent is given. Inside the actual checkout, once the user has entered the Klarna iframe, the strictly necessary cookies do not require consent, but you must still inform the user about the data flows. Many European DPAs (CNIL, BfDI, Datatilsynet) consider that Klarna acts as an independent controller for AML and credit checks, which the merchant must mention in the privacy policy.
Klarna Bank AB processes most data in Sweden and Ireland. Some products (notably US-facing ones) involve Klarna Inc. in the United States. Subprocessors include AWS, Sift, Sentilink and Schufa (for Germany). Klarna publishes a data sharing table in its Customer Privacy Notice. EU-US transfers rely on Standard Contractual Clauses and Klarna Inc.'s DPF certification where in scope. Merchants must list Klarna Bank AB and the relevant subprocessors in their privacy policy and explain how the dual controller status works in practice.
Gate the On-site messaging widget behind your consent manager, sign Klarna's data sharing terms (controller to controller for the lending decision), update the privacy policy with the Klarna recipients and the transfer mechanisms, and add the kp_session, klarna_eu_country and datadome cookies to the cookie policy. When a customer is rejected for BNPL, expose Klarna's contact for Article 22 review and ensure another payment method remains available.
Websites using Klarna Checkout must obtain user consent under GDPR regulations.
DPIA considerations
Klarna Checkout aggregates payment data, identity verification, instalment offers and fraud profiling. When deployed at scale (high transaction volume, mixed BNPL and card flows, on site messaging on every product page), a DPIA is recommended to document the lawful basis stack, the data shared with Klarna and its subprocessors, and the safeguards for any transfers to the US.
Sample consent text
We use Klarna Checkout to process your payment and offer pay later options. This sets cookies on klarna.com and shares your basket and contact information with Klarna Bank AB in Sweden, and may involve transfers to Klarna Inc. in the United States. Do you accept?
Third-party domains contacted
- klarna.com
- x.klarnacdn.net
- js.klarna.com
- checkout.klarna.com
- api.klarna.com
- osm.klarnaservices.com
- eu.klarnaevt.com
- klarnaservices.com
- datadome.co

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kp_session | third party | Session | Maintains the Klarna payment session between the merchant page and the hosted iframe. |
| klarna_eu_country | third party | 30 days | Stores the user country to route the checkout to the correct Klarna market and language. |
| hp_session | third party | Session | Identifies the Klarna hosted page (HPP) session used during the checkout iframe rendering. |
| datadome | third party | 1 year | DataDome bot mitigation cookie set by Klarna to detect automated traffic on checkout pages. |
| klarna_osm_session | third party | Session | On Site Messaging session identifier set when the Klarna messaging widget renders on product pages. |
| kasid | third party | 1 year | Klarna persistent visitor identifier used for fraud signalling and analytics across merchant sessions. |
| klarna_first_party_session | first party | Session | Stored on the merchant domain to link the user session with the Klarna order during checkout. |
Klarna Checkout uses cookies for user preferences — inform visitors with a consent banner.
Klarna sets several cookies, including kp_session for the payment session, klarna_eu_country for geographic routing, hp_session for hosted page identification and datadome for bot mitigation. On Site Messaging widgets additionally drop analytics cookies (Mixpanel, Google Analytics). Only the checkout session cookies qualify as strictly necessary; the rest require consent.
For the On Site Messaging widget and any analytics cookies on category and product pages, yes. The hosted iframe itself can run on a strictly necessary basis once the user has actively initiated checkout, but you must still inform them about Klarna processing. Marketing cookies always require explicit consent.
Contract (Art. 6(1)(b) GDPR) for the payment and order, legal obligation (Art. 6(1)(c)) for AML and PSD2, legitimate interest (Art. 6(1)(f)) for fraud prevention, and consent (Art. 6(1)(a)) for marketing widgets and analytics. For BNPL flows, automated credit decisions engage Article 22 GDPR.
Mostly no for the core EU checkout, but some processing flows involve Klarna Inc. in the US (especially North American customers) and subprocessors like Sift. Klarna relies on Standard Contractual Clauses and the EU US Data Privacy Framework where applicable. Document these in your privacy policy.
For small merchants on a single market, the DPIA risk is limited. For larger merchants with BNPL across many markets, on site messaging on every product page and high transaction volumes, a DPIA is advisable to cover automated credit decisions, AML processing and any cross border flows.
Gate the On Site Messaging script behind your CMP, sign Klarna's controller agreements, list Klarna Bank AB and its subprocessors as recipients, declare cookies in the cookie policy, and ensure alternative payment methods are available if the user refuses Klarna. Document the joint controller relationship for the lending product.
Stripe Checkout, Adyen, Mollie, Worldline and PayPal Checkout provide hosted checkouts with their own BNPL or instalment options. EU specific BNPL alternatives include Alma (France), Scalapay (Italy), Riverty (Germany) and Cofidis 4xCB. Each has different data flows and privacy postures.
List Klarna under Strictly Necessary (kp_session, datadome inside the iframe), Functional (klarna_eu_country) and Marketing (On Site Messaging analytics). Mention the provider (Klarna Bank AB, Sweden), purposes (payment, fraud, messaging), retention, and the transfer mechanism to Klarna Inc. where applicable.
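The categorisation above, together with the cookie list in the table, can be turned into a simple audit that a merchant can run in the browser before and after the consent choice. The following is an added example (not Klarna's, FlowConsent's or this page's own code): it maps the cookies named on this page to the consent categories described here, treats the Mixpanel `mp_*` and Google Analytics `_ga*` prefixes as the On Site Messaging analytics cookies (those prefixes are assumed, as are the categories for `kasid` and `klarna_first_party_session`, which the page does not assign), and reports any cookie present without the consent its category requires.

```javascript
// Added example, not code from Klarna or the page. Maps the Klarna cookies named
// on this page to consent categories and flags cookies set without consent.

// Exact cookie names from the page's table. Categories follow the page's cookie
// policy guidance; kasid and klarna_first_party_session are assumed placements.
const KLARNA_COOKIE_CATEGORY = {
  kp_session: "necessary",                 // payment session inside the iframe
  hp_session: "necessary",                 // hosted page (HPP) session
  datadome: "necessary",                   // bot mitigation on checkout pages
  klarna_first_party_session: "necessary", // assumed: links merchant session to order
  klarna_eu_country: "functional",         // market and language routing
  klarna_osm_session: "marketing",         // On Site Messaging widget session
  kasid: "marketing",                      // assumed: persistent analytics id
};

// Assumed prefixes for the Mixpanel / Google Analytics cookies the OSM widget drops.
const ANALYTICS_PREFIXES = ["mp_", "_ga"];

function classifyCookie(name) {
  if (Object.prototype.hasOwnProperty.call(KLARNA_COOKIE_CATEGORY, name)) {
    return KLARNA_COOKIE_CATEGORY[name];
  }
  if (ANALYTICS_PREFIXES.some((p) => name.startsWith(p))) return "marketing";
  return null; // not a cookie this audit knows about
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((n) => n.length > 0);
}

// consent is e.g. { functional: false, marketing: false }; "necessary" never
// needs consent. Returns the cookies present without the consent their
// category requires; an empty array means the page is in the expected state.
function auditCookies(cookieString, consent) {
  const violations = [];
  for (const name of cookieNames(cookieString)) {
    const category = classifyCookie(name);
    if (category === null || category === "necessary") continue;
    if (!consent[category]) violations.push({ name, category });
  }
  return violations;
}

// Constructed sample: cookies on a product page before any consent choice.
const SAMPLE_BEFORE_CONSENT =
  "klarna_eu_country=DE; klarna_osm_session=abc123; mp_1234_mixpanel=xyz; kp_session=s1";
```

In a real deployment the string passed to `auditCookies` is `document.cookie`, read once before the CMP banner is answered and once after; a non-empty result before consent means the On Site Messaging script is not properly gated.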