Yotpo Reviews is one of the world's largest customer review and user-generated content platforms, used by e-commerce brands to collect, moderate, and display product reviews, ratings, photos, and videos. It loads a JavaScript widget on storefront pages, sets persistent cookies, and transmits behavioural and personal data (email addresses, IP, browser fingerprint, review submissions) to Yotpo servers hosted in the United States. Use on European stores requires prior consent under the GDPR and the ePrivacy Directive.
Yotpo Reviews is a user-generated content platform that lets e-commerce merchants collect product reviews, star ratings, customer photos, and videos directly from buyers. It integrates with Shopify, Magento, Salesforce Commerce Cloud, BigCommerce, and most major commerce platforms, and is widely used in the EU by direct-to-consumer brands. Yotpo sends automated post-purchase email requests to ask shoppers to review their purchases, then displays the resulting content on product pages, search results, paid ads, and social channels.
On every page where the widget loads, Yotpo sets a session cookie (_yo_session), a tracking pixel cookie (yotpo_pixel), and stores review state in localStorage. It records IP address, User-Agent, page URL, referrer, product identifiers, and time-on-page metrics. When a customer submits a review, Yotpo collects name, email address, photo or video uploads, and the review text itself. Email addresses are also imported from the merchant's order data via a server-to-server integration, which is processed regardless of cookie consent.
Yotpo is a data processor for the review data it collects on behalf of the merchant, and an independent controller for usage analytics and product improvement. Under the ePrivacy Directive (transposed into national law via the French CNIL guidelines, the German TTDSG, and the Spanish LSSI), the storage of non-essential cookies on a visitor's device requires informed prior consent. Because Yotpo's widget sets analytics and pixel cookies, consent is required before the script loads. Server-side email requests rely on legitimate interest under Art. 6(1)(f) GDPR but require transparency in the privacy notice and an unconditional opt-out link in every email.
All review data, email addresses, and behavioural events are processed on Yotpo's US infrastructure (Yotpo Ltd., subsidiary of Yotpo Inc., with AWS hosting in US East regions). This constitutes a Chapter V transfer under the GDPR. Yotpo offers a Data Processing Agreement incorporating the 2021 Standard Contractual Clauses, but customers must independently perform a Transfer Impact Assessment to evaluate the risk of US government access under FISA 702 and Executive Order 12333. Supplementary measures such as pseudonymisation of review submitter emails are recommended for sensitive product categories.
The Yotpo widget must be gated behind a granular consent option in your CMP (Consent Management Platform), typically in the marketing or analytics category. Yotpo provides a JavaScript API (yotpo.refreshWidgets()) that lets you load reviews only after the visitor has accepted the relevant category. For Google Consent Mode v2 deployments, Yotpo events should be linked to ad_storage and analytics_storage signals. Email collection for review requests must be disclosed at checkout, with an opt-out checkbox or a clear post-purchase email preference centre.
1. Sign Yotpo's Data Processing Addendum with SCCs and perform a Transfer Impact Assessment.
2. Block the Yotpo script in your CMP and load it conditionally on consent.
3. Document the legal basis for review request emails in your Record of Processing Activities (Art. 30 GDPR).
4. Include Yotpo in your privacy notice with explicit mention of the US transfer.
5. Configure the review submission form to ask for the minimum necessary data, and avoid pre-ticked checkboxes for marketing communications.
6. Set up a DSR workflow for review deletion requests, since Yotpo retains review content indefinitely by default.
DPIA considerations
Yotpo Reviews processes substantial personal data: customer email addresses (used to trigger post-purchase review requests), full names, review text and photos, IP addresses, device and browser fingerprint, and behavioural data such as time on page and product interactions. Persistent cookies (including _yo_session and the yotpo_pixel) enable cross-session tracking. All data is transferred to Yotpo's US infrastructure and AWS US regions, triggering Chapter V GDPR scrutiny. Key DPIA considerations:
1. Cross-border transfer to a non-adequate jurisdiction, mitigated by SCCs and a Transfer Impact Assessment.
2. Processing of user-generated content that may inadvertently contain special category data (health, religion) shared by reviewers.
3. Email-based identification linking review activity to customer accounts.
4. Risk of secondary use for product analytics and AI training without a separate legal basis.
5. Integration with Meta, Google, and TikTok pixels for syndicated reviews increases the attack surface.
A DPIA is recommended under Art. 35 GDPR for any deployment processing more than a few thousand customers per year.
Sample consent text
We use Yotpo to collect, display, and moderate product reviews and customer photos. Yotpo places cookies on your device and processes personal data (including your email address, IP address, browsing activity, and review submissions) to enable review collection and display. This data is transferred to Yotpo Ltd. in the United States. You may withdraw your consent at any time via our cookie settings.
Third-party domains contacted
staticw2.yotpo.com
api.yotpo.com
p.yotpo.com
cdn-loyalty.yotpo.com
cdn-widgetsrepository.yotpo.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _yo_session | Functional / Analytics | Session | Maintains Yotpo widget state and tracks the visitor across the current browsing session for review attribution and impression counting. |
| yotpo_pixel | Marketing / Tracking | 1 year | Persistent identifier used to attribute reviews and ad-clicks across Yotpo's syndication network (Meta, Google Shopping, TikTok) and to deduplicate impressions. |
| _yo_csrf | Strictly necessary | Session | CSRF protection token used when submitting reviews and uploading media. Required for the review submission form to function securely. |
| yotpo-session-<APP_KEY> | Functional | 30 days | Stores anonymous user identifier used to remember which reviews the visitor has already seen, voted on, or written. |
Yotpo sets at minimum a session cookie (_yo_session) and a tracking pixel cookie (yotpo_pixel) on every page where the widget loads. It also writes review draft data and widget state to localStorage. Pixel data is shared with Yotpo's syndication partners (Meta, Google Shopping, TikTok) when those integrations are enabled. None of these are strictly necessary, so all of them require prior consent under the ePrivacy Directive.
Yes. The Yotpo widget sets non-essential cookies and a tracking pixel from the moment it loads, so under Article 5(3) of the ePrivacy Directive and the EDPB Cookie Guidelines, you must obtain prior, freely given, specific and informed consent. The script should be blocked by your CMP and only injected after the visitor accepts the marketing or analytics category.
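One way to implement the consent gate described in the integration section above and in this answer, as an added example that is not Yotpo's, FlowConsent's, or any CMP vendor's code. It assumes a hypothetical CMP that exposes consent as {analytics, marketing} booleans and fires a 'cmp:consent' event, a placeholder widget script path, and the yotpo.refreshWidgets() call named above; the cookie-check helper reports which Yotpo cookies are present so you can verify that the block actually holds before consent.

```javascript
const YOTPO_COOKIE_NAMES = ['_yo_session', 'yotpo_pixel', '_yo_csrf']; // names from the cookie table
const YOTPO_COOKIE_PREFIX = 'yotpo-session-'; // yotpo-session-<APP_KEY>
const YOTPO_SCRIPT_URL = 'https://staticw2.yotpo.com/APP_KEY_PLACEHOLDER/widget.js'; // placeholder path
// The widget sets an analytics cookie and a marketing pixel, so load it only when
// both categories are granted (the conservative reading of "marketing or analytics").
function yotpoAllowed(consent) {
  return Boolean(consent && consent.analytics === true && consent.marketing === true);
}

// Map CMP categories to the Google Consent Mode v2 signals for gtag('consent', 'update', ...).
function consentModeSignals(consent) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return { analytics_storage: g(consent && consent.analytics), ad_storage: g(consent && consent.marketing) };
}

// Parse a document.cookie string and return any Yotpo cookies present. Run it before
// consent to verify the CMP block is effective (expected result: []).
function findYotpoCookies(cookieString) {
  return cookieString.split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((n) => n && (YOTPO_COOKIE_NAMES.includes(n) || n.startsWith(YOTPO_COOKIE_PREFIX)));
}

// Inject the widget script once, only if consent permits. Returns true when injected.
function loadYotpoWidget(consent, doc, onLoaded) {
  if (!yotpoAllowed(consent) || doc.getElementById('yotpo-widget-script')) return false;
  const s = doc.createElement('script');
  s.id = 'yotpo-widget-script';
  s.src = YOTPO_SCRIPT_URL;
  s.async = true;
  s.onload = onLoaded || null;
  doc.head.appendChild(s);
  return true;
}

// Expire first-party Yotpo cookies after withdrawal. Cookies set on a yotpo.com domain
// cannot be cleared from the storefront; there, withdrawal means not loading the script.
function clearYotpoCookies(doc) {
  const names = findYotpoCookies(doc.cookie);
  names.forEach((n) => { doc.cookie = `${n}=; Max-Age=0; path=/`; });
  return names;
}
// Browser wiring. Assumption: the CMP dispatches CustomEvent 'cmp:consent' with {analytics, marketing} as detail.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('cmp:consent', (ev) => {
    const loaded = loadYotpoWidget(ev.detail, document, () => window.yotpo && window.yotpo.refreshWidgets());
    if (!loaded && !yotpoAllowed(ev.detail)) clearYotpoCookies(document);
  });
}
```

Pass the result of consentModeSignals() to gtag('consent', 'update', ...) from the same event handler if you run Consent Mode v2 alongside the CMP.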
The lawful basis depends on the activity. Cookie placement relies on consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy). Sending post-purchase review request emails to existing customers can rely on legitimate interest (Art. 6(1)(f) GDPR) provided you include an opt-out and meet the soft opt-in rules of national law. Displaying submitted reviews on the storefront relies on the reviewer's consent given at submission and on the merchant's legitimate interest in publishing user content.
Yes. Yotpo Ltd. and Yotpo Inc. host all customer data in the United States, using AWS US East regions. The transfer is covered by the 2021 Standard Contractual Clauses included in Yotpo's Data Processing Addendum. You must perform a Transfer Impact Assessment because US laws (FISA 702, EO 12333) can in principle compel disclosure to US intelligence services. Supplementary measures such as encryption in transit and at rest are already implemented by Yotpo, but additional pseudonymisation may be required for sensitive product verticals.
A DPIA is recommended whenever you collect reviews and email addresses from more than a few thousand EU customers per year, because the processing involves systematic monitoring of customer behaviour, automated triggering of email contact, and a cross-border transfer to a non-adequate jurisdiction. The EDPB list of processing activities likely to require a DPIA includes large-scale processing of personal data combined with cross-border transfers, both of which apply here.
Sign the Yotpo DPA with SCCs, complete a Transfer Impact Assessment, block the widget in your CMP, load it only after consent for the relevant category, document the legitimate interest balancing for review request emails, link Yotpo events to Google Consent Mode signals where applicable, and update your privacy notice to disclose the US transfer and the categories of data processed.
European or EU-hosted alternatives include Trustpilot (with EU data residency options), Loox (Shopify-only, EU servers), Reviews.io (UK-based with EU options), Avis Verifies (France, NF Service certified), and Trusted Shops (Germany). All of them still require consent for non-essential cookies, but they reduce cross-border transfer risk and offer simpler GDPR documentation.
Add a dedicated entry in your cookie policy listing _yo_session, yotpo_pixel and any syndication cookies (e.g. Meta Pixel via Yotpo). Document each cookie's purpose, duration, and category. In your privacy notice, add a section disclosing Yotpo Ltd. as a sub-processor, the categories of personal data shared (email, name, review content, IP, browsing data), the US transfer, and the lawful basis (consent for marketing cookies, legitimate interest for review request emails).