Salesforce Commerce Cloud (formerly Demandware) is one of the leading enterprise e-commerce platforms used by major European retailers including L'Oreal, Lacoste, Adidas, and Puma. It is fully server-side rendered but loads numerous first-party cookies, integrates with Salesforce Marketing Cloud and Einstein AI for personalisation, and frequently embeds third-party tags for analytics and advertising. Privacy implications include cross-border data transfers between Salesforce regions, AI-driven personalisation, and the need for granular consent management across a complex storefront ecosystem.
Salesforce Commerce Cloud, formerly Demandware, is an enterprise SaaS e-commerce platform widely used by European luxury, fashion, and beauty brands. It provides catalogue management, storefront rendering, checkout, order orchestration, and customer profiles, plus optional Einstein AI for personalisation. The platform is fully server-side, which limits client-side third-party calls but also means most data processing happens in Salesforce-controlled environments outside the merchant's direct visibility.
Out of the box, Commerce Cloud sets dwsid (session), dwanonymous_<UUID> (anonymous customer identifier, 6 months), dwsecuretoken_<UUID>, dwpersonalization_<UUID> (Einstein), and BV_FORCED_HTTPS. Customer accounts add cqcid and dwcustomer_<UUID>. With Einstein active, additional cookies track viewed and recommended products. Merchant-added analytics or advertising tags (GA4, Meta Pixel, TikTok) add their own cookies on top. The platform also stores extensive server-side data: profile, order history, payment instruments (tokenised), and Einstein behavioural events.
Strictly necessary cookies (dwsid, BV_FORCED_HTTPS) can be set without consent. All Einstein, personalisation, and recommendation cookies require prior consent under Art. 5(3) ePrivacy. Salesforce is a data processor for storefront data and an independent or joint controller for product telemetry and Einstein model training. The recently updated Salesforce DPA includes the 2021 SCCs, EU-US Data Privacy Framework certification for applicable Salesforce entities, and pre-contractual transparency about sub-processors.
With Hyperforce, you can pin storefront data to Salesforce EU regions (Frankfurt, Paris). However, Marketing Cloud, Einstein, and Service Cloud may run in separate regions, and support tickets routinely route to global teams. A Transfer Impact Assessment is required to map where each personal data flow lands. For maximum data residency, request a written confirmation from Salesforce of the regions used per service and configure cross-region replication carefully.
Use a CMP (OneTrust, Didomi, Axeptio, Cookiebot) to gate non-essential cookies and Einstein. Salesforce provides a Privacy and Data Management toolkit (Privacy Center, DSR API) that complements the CMP for downstream cookie consent propagation. Map cookies into the standard categories (strictly necessary, functional, analytics, marketing) and ensure Einstein behavioural tracking is off by default until consent.
1. Sign the Salesforce DPA and confirm the Hyperforce region.
2. Conduct a DPIA covering Einstein recommendations and behaviour-based ranking.
3. Integrate a CMP and connect it to Einstein and any embedded marketing tags.
4. Document data flows between Commerce Cloud, Marketing Cloud, and any CRM.
5. Use Salesforce Privacy Center to automate DSR fulfilment.
6. Add specific Commerce Cloud entries to the cookie policy and privacy notice, including Einstein.
Websites using Salesforce Commerce Cloud must obtain user consent under GDPR regulations.
DPIA considerations
Salesforce Commerce Cloud handles high-volume retail data including customer accounts, order history, payment metadata, browsing behaviour, and (via Einstein) AI-driven personalisation profiles. Key DPIA considerations: (1) data flows between Commerce Cloud, Marketing Cloud, Service Cloud and Sales Cloud creating a complex controller / processor map; (2) Einstein Recommendations and Einstein Predictive Sort process detailed behavioural data to predict purchase intent, potentially triggering Art. 22 GDPR (automated decision-making) considerations; (3) US support and engineering access to EU data; (4) personal data captured in promotion codes, gift cards, and product custom attributes that may contain unstructured identifiers; (5) sub-processor sprawl as Salesforce relies on AWS, Hyperforce, and various global support teams. A full DPIA is generally required for enterprise deployments, ideally aligned with the CNIL DPIA template.
Sample consent text
Our store runs on Salesforce Commerce Cloud, which sets functional cookies necessary to maintain your basket, session and order. With your consent, we also use optional cookies and Salesforce Einstein AI to personalise product recommendations, measure marketing performance, and share anonymised usage data with Salesforce. Some processing may take place in the United States under Standard Contractual Clauses. You can manage your preferences at any time in our cookie settings.
Third-party domains contacted
salesforce.com, demandware.net, demandware.edgesuite.net, commercecloud.salesforce.com, einstein.salesforce.com, salesforce-experience-cloud.com, evergage.com, force.com, einstein.ai
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| dwsid | first_party | Session | Demandware session identifier set by Salesforce Commerce Cloud to bind the visitor to a server-side storefront session that holds cart and customer state. |
| dwsid | Strictly necessary | Session | Demandware session identifier that maintains the shopper's basket, login state and storefront navigation. Cannot be disabled. |
| dwanonymous_* | first_party | 6 months | Persistent anonymous identifier for the visitor used to retain the shopping basket across visits before authentication. |
| BV_FORCED_HTTPS | Strictly necessary | 1 day | Forces secure connections to the storefront after the first request, preventing protocol downgrade attacks. |
| dwcustomer_* | first_party | 6 months | Identifies the authenticated customer once they sign in, so the storefront can recover the customer-specific cart and preferences. |
| dwanonymous_<UUID> | Functional | 6 months | Anonymous customer identifier used to maintain personalisation and basket state across browser sessions for non-logged-in visitors. |
| dwpersonalization_* | first_party | 12 months | Holds personalisation rules and segment membership applied by SFCC Einstein and rule-based personalisation. Considered not strictly necessary and requires consent. |
| dwsecuretoken_<UUID> | Strictly necessary | Session | Encrypted token tying the authenticated session to a verified login, used to protect against session hijacking. |
| cqcid | first_party | 12 months | Quote and basket identifier used by SFCC headless deployments through the Commerce API to recover the cart across requests. |
| dwpersonalization_<UUID> | Marketing / Personalization | 1 year | Identifier used by Einstein Recommendations to compute personalised product suggestions, viewed-recently widgets, and predictive sort orderings. |
| sf_ab | first_party | 90 days | Variant allocation cookie set by the SFCC A/B testing module to keep the visitor on the same experience variant. Requires consent. |
| cqcid | Functional | Persistent | Customer profile identifier linking the browser to a stored customer record, used after login for cross-device personalisation. |
| mc_personalization_* | first_party | 12 months | Identifier for Marketing Cloud Personalization (formerly Interaction Studio) used to compute real time personalisation. Requires consent. |
| dwcustomer_<UUID> | Functional | 1 year | Encrypted reference to the customer's stored Commerce Cloud profile, used to retrieve account data and saved baskets across sessions. |
Salesforce Commerce Cloud uses cookies for user preferences — inform visitors with a consent banner.
A default SFCC storefront sets a session cookie (dwsid or sid), an authentication cookie after sign-in, a persistent basket cookie tied to a server-side cart, plus optional cookies introduced by Einstein (visitor and recommendation identifiers), Marketing Cloud Personalization (visitor and segment cookies), the A/B testing module and any integrated marketing tags. The session and cart cookies are strictly necessary; all the personalisation, analytics and marketing identifiers are not.
Commerce Cloud (Demandware) sets dwsid (session, strictly necessary), BV_FORCED_HTTPS (security), dwanonymous_<UUID> (6-month anonymous customer identifier), dwsecuretoken_<UUID> (login session), dwpersonalization_<UUID> (Einstein), and cqcid/dwcustomer_<UUID> for authenticated shoppers. Only the strictly necessary ones can be set without consent; the personalisation and Einstein cookies require prior consent.
Consent is not required for strictly necessary cookies (session, login, cart). Consent is required for the Einstein recommendation tag, Marketing Cloud Personalization cookies, A/B testing identifiers and any marketing pixel integrated through SFCC. These tags must remain blocked in your CMP until the visitor accepts the corresponding category, otherwise the deployment is not GDPR compliant.
You do not need consent to load the storefront itself, since cart and checkout cookies are strictly necessary. However, Einstein recommendations, personalisation, behavioural tracking, and any embedded marketing tags require prior, granular consent under Art. 5(3) of the ePrivacy Directive. Block Einstein and marketing tags via your CMP until the user opts in.
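As an added example (not code from this page's vendor or from Salesforce), the check below classifies the cookie names listed on this page into the consent categories described above and reports any identifier present before its category was accepted; the mapping follows the cookie table, and treating the functional rows as consent-requiring is an assumption.

```javascript
// Added example: classify SFCC cookie names into the consent categories the page
// describes and audit a cookie jar for identifiers set before the matching category
// was accepted. "functional" is treated as consent-requiring (assumption; adjust).
const COOKIE_POLICY = [
  { pattern: /^dwsid$/, category: "strictly_necessary" },
  { pattern: /^BV_FORCED_HTTPS$/, category: "strictly_necessary" },
  { pattern: /^dwsecuretoken_/, category: "strictly_necessary" },
  { pattern: /^dwanonymous_/, category: "functional" },
  { pattern: /^dwcustomer_/, category: "functional" },
  { pattern: /^cqcid$/, category: "functional" },
  { pattern: /^dwpersonalization_/, category: "personalization" },
  { pattern: /^sf_ab$/, category: "personalization" },
  { pattern: /^mc_personalization_/, category: "marketing" },
];

// Only this category may be set before any consent interaction.
const PRE_CONSENT_ALLOWED = new Set(["strictly_necessary"]);

function classifyCookie(name) {
  const rule = COOKIE_POLICY.find((r) => r.pattern.test(name));
  // Anything not in the policy (GA4, Meta Pixel, TikTok cookies, ...) is "unknown"
  // and is always reported, because an unmapped cookie cannot have been gated.
  return rule ? rule.category : "unknown";
}

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((n) => n.length > 0);
}

// Return [{name, category}] for every cookie whose category was not consented to.
function auditConsentGaps(cookieString, consentedCategories = []) {
  const allowed = new Set([...PRE_CONSENT_ALLOWED, ...consentedCategories]);
  return cookieNames(cookieString)
    .map((name) => ({ name, category: classifyCookie(name) }))
    .filter(({ category }) => !allowed.has(category));
}

// Constructed sample cookie jar, as captured before the banner was answered.
const SAMPLE_PRE_CONSENT_JAR =
  "dwsid=s1; BV_FORCED_HTTPS=true; dwanonymous_1111=a; dwpersonalization_1111=p; _ga=GA1";

// Expected: dwanonymous_1111, dwpersonalization_1111 and _ga are reported.
const preConsentGaps = auditConsentGaps(SAMPLE_PRE_CONSENT_JAR);
```

Run it against a cookie jar captured before the banner is answered; anything reported, including unmapped third-party cookies, is an identifier the CMP has not gated.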
Cart, login and order processing rely on contract performance (Article 6(1)(b) GDPR). Marketing emails, personalisation and behavioural analytics rely on consent (Article 6(1)(a) GDPR). Fraud prevention and security monitoring rely on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. Tax and invoicing retention relies on legal obligation (Article 6(1)(c) GDPR).
Order processing and account management rely on contract (Art. 6(1)(b) GDPR). Marketing cookies, Einstein personalisation, and behavioural analytics rely on consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy). Fraud prevention, security telemetry, and aggregated platform improvement may rely on Salesforce's legitimate interest, subject to a balancing test.
Yes. Even when SFCC is deployed on a Hyperforce EU region, Salesforce Inc. (US) sits in the controller chain, runs follow-the-sun support and engages US sub-processors. Personal data is therefore likely to be transferred to the United States. Salesforce relies on Standard Contractual Clauses, on the EU-US Data Privacy Framework certification of Salesforce, and on Salesforce Binding Corporate Rules as transfer mechanisms.
Potentially yes. Storefront data can be kept in EU Hyperforce regions (Frankfurt, Paris), but adjacent services (Marketing Cloud, Service Cloud, support) and Einstein training may involve transfers to the US. Transfers are covered by SCCs and, for Salesforce entities certified under the Data Privacy Framework, by the EU-US DPF adequacy decision. A Transfer Impact Assessment remains advisable.
Yes, in practice. SFCC deployments routinely combine large-scale B2C customer data, Einstein profiling, Marketing Cloud personalisation, A/B testing and CDP integration. This combination meets several Article 35 GDPR triggers (systematic monitoring, profiling with significant effects in certain industries, large-scale processing). A DPIA should be performed before go-live and updated whenever new modules or sensitive product categories are added.
A full DPIA is recommended for enterprise deployments, especially those using Einstein recommendations. Multiple Art. 35(3) GDPR criteria apply: large-scale processing, profiling-based personalisation, automated decision-influencing systems, and cross-border transfers. The CNIL DPIA template and the EDPB guidelines on Art. 22 provide useful structures.
Sign the Salesforce DPA, select a Hyperforce EU region, integrate a CMP that can block Einstein, Marketing Cloud Personalization, A/B testing and marketing tags, and document the Salesforce sub-processing chain. Run a DPIA, configure separate retention for customer accounts, behavioural profiles and order data, and provide a documented procedure for data subject rights that propagates to Salesforce systems through the GDPR APIs.
Sign the Salesforce DPA, choose an EU Hyperforce region, configure a CMP and integrate it with Einstein's consent API, conduct a DPIA covering all integrated services, document data flows in your Record of Processing Activities, use Salesforce Privacy Center for DSR automation, and ensure no Marketing Cloud tag fires before consent.
European alternatives include commercetools (Germany, EU hosting), Spryker (Germany), and Shopware. SAP Commerce Cloud is another enterprise option but raises similar cross-border issues. Shopify Plus offers EU hosting options but remains US-headquartered. Headless setups with Algolia, Stripe and EU-hosted CMS reduce platform lock-in and simplify compliance.
Direct alternatives for enterprise e-commerce include SAP Commerce Cloud, Adobe Commerce, Oracle Commerce, Spryker, commercetools, Shopware (Germany) and Shopify Plus. From a GDPR perspective, EU based platforms like commercetools, Shopware and Spryker offer a simpler transfer chain. For very large global retailers, the choice is often driven by IT footprint and feature coverage rather than data residency alone.
List the strictly necessary cookies (session, login, cart) with their names and durations. List each cookie that is not strictly necessary, introduced by Einstein, Marketing Cloud Personalization, A/B testing or any marketing tag, with its purpose, duration and recipient. Mention Salesforce Inc. as processor in the privacy notice, describe the EU-US transfer and reference the applicable mechanism (DPF certification, Standard Contractual Clauses, BCR).
Add a Commerce Cloud section to your cookie policy listing dwsid, BV_FORCED_HTTPS, dwanonymous_<UUID>, dwsecuretoken_<UUID>, dwpersonalization_<UUID>, and any Einstein-specific cookies. In your privacy notice, identify Salesforce as the processor, specify the Hyperforce region, mention Einstein and Marketing Cloud as joint or sub-processors, disclose the legal basis for each processing activity, and link to Salesforce's public trust documentation.