CFML (ColdFusion Markup Language) is a server-side scripting language and application platform used to build dynamic web applications, intranets and APIs. The two main implementations are Adobe ColdFusion and the open source Lucee engine. CFML itself is not a tracker: it runs entirely on the operator's infrastructure and, by default, sets only technical session cookies (CFID and CFTOKEN, or JSESSIONID when J2EE sessions are used) that fall under the strictly necessary exemption in Article 5(3) of the ePrivacy Directive, so prior consent is not required for those specific cookies. Privacy obligations attach to whatever data the application built on top of CFML chooses to collect.
CFML (ColdFusion Markup Language) is a tag- and script-based language that runs on a Java Virtual Machine. The two leading implementations are Adobe ColdFusion (commercial) and Lucee (open source). The engine takes incoming HTTP requests, executes the CFML page or component, queries databases through cfquery or ORM, and returns HTML, JSON or XML to the browser. Because every CFML execution happens on the operator's side, application code contacts no third-party endpoint by default and no behavioural data leaves the operator's network (the engine's own optional update and licensing checks are covered under international transfers below).
By default a CFML application sets two first-party cookies, CFID and CFTOKEN, which together identify the server-side session, plus the standard servlet container cookie JSESSIONID when J2EE sessions are enabled. These cookies hold opaque identifiers and are required to keep authenticated users logged in. They do not by themselves protect forms against CSRF: the browser attaches them to cross-site requests automatically, so CSRF protection comes from per-session tokens (csrfGenerateToken()/csrfVerifyToken()) that the application must generate and check. The cookies should carry the HttpOnly and Secure flags (current Adobe ColdFusion and Lucee releases default to HttpOnly; Secure must be set explicitly, and both should be verified rather than assumed). They fall under the strictly necessary exemption of Article 5(3) ePrivacy. Any additional cookie set by application code (analytics ID, A/B testing bucket, marketing flag) is the responsibility of the operator and must be classified separately.
The CNIL, AEPD, ICO and EDPB treat authentication and session-management cookies as strictly necessary, which means they can be set without prior consent so long as their lifetime is limited to the session (or to an authentication persistence the user explicitly requested) and they are not reused for behavioural purposes. The legal basis for the underlying processing is performance of the contract (Article 6(1)(b) GDPR) when the user is logged in, and legitimate interest (Article 6(1)(f)) for security and technical robustness on public pages. The application must still be transparent about these cookies in its privacy policy and cookie inventory.
CFML runs wherever the operator deploys the CFML engine: an on-premises data centre, an EU cloud region, or a US cloud region. International transfer obligations therefore depend on the chosen hosting topology. Operators that need to keep European personal data inside the EEA should pick an EU region for both the application server and the database backing CFML, and should review and, where not needed, disable any outbound engine features in their installation profile, such as Adobe ColdFusion's update and licensing checks or Lucee's optional usage statistics. (Adobe's Server Auto Lockdown is a hardening tool, not a telemetry feature, and is worth running rather than disabling.)
To respect the GDPR principles of integrity, confidentiality and data minimisation, CFML applications should set HttpOnly, Secure and SameSite=Lax (or Strict) on all session cookies, use the UUID form of CFTOKEN rather than the legacy guessable numeric token on Adobe ColdFusion (Administrator setting "Use UUID for cftoken"), rotate the session with sessionRotate() on login and destroy it with sessionInvalidate() on logout, protect state-changing forms with csrfGenerateToken()/csrfVerifyToken(), scope cookies to the application domain, disable directory browsing, restrict the ColdFusion or Lucee Administrator to internal networks, apply the latest Adobe security bulletins or Lucee patches, and enable application logging with personal data scrubbed.
Document CFID, CFTOKEN and JSESSIONID in your cookie policy as strictly necessary technical cookies. Verify that the CFML page itself loads no third-party tag before consent. Review every cfhttp, cfldap, cfmail or REST integration to map outbound data flows and add them to your record of processing activities. Keep the CFML server and JVM patched, give the CFML datasource least-privilege database credentials on a separately hosted production database, and pseudonymise any personal data persisted in the application or session scope when possible.
DPIA considerations
A standalone DPIA on CFML itself is not required because the engine does not perform automated decision making or large-scale profiling. A DPIA may still be required for the application built on CFML if that application processes special categories of data, scores individuals, monitors employees or visitors, or uses CFML in combination with external trackers. The assessment should focus on the application logic, the data stores reached from CFML (cfquery, ORM, file uploads), the hosting region of the CFML server, and the access controls protecting the Administrator and the underlying servlet container.
Sample consent text
Our website is built with CFML and uses strictly necessary technical cookies (CFID, CFTOKEN, JSESSIONID) to keep you logged in and to tie your form submissions to your own session. These cookies do not require consent under European cookie rules. Any optional analytics, marketing or personalisation cookies that we add on top are listed separately in the cookie banner and only loaded after your explicit choice.
Third-party domains contacted
www.adobe.com
helpx.adobe.com
lucee.org
cfunited.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CFID | first_party | Session, or persistent up to the engine's configured session cookie timeout (this.sessioncookie.timeout or the Administrator cookie timeout); verify and document the value for your installation | Identifies the server-side ColdFusion or Lucee session that holds variables, login state and shopping cart. Strictly necessary for the application to function. |
| CFTOKEN | first_party | Same lifetime as CFID | Companion of CFID; the pair forms the session identifier. On Adobe ColdFusion it is a random token (use the UUID form); on Lucee it is fixed at 0 and CFID carries the randomness. Strictly necessary technical cookie. |
| JSESSIONID | first_party | Session | Java servlet container session identifier issued when J2EE sessions are enabled in CFML. Strictly necessary for keeping authenticated users logged in. |
Which cookies does CFML set?
By default a CFML application sets two first-party cookies, CFID and CFTOKEN, and the standard Java cookie JSESSIONID when J2EE sessions are enabled. They store opaque identifiers used to match an HTTP request to a server-side session. Lucee uses the same CFID/CFTOKEN model when its session type is cfml, and JSESSIONID when it is set to jee. Application code may add other cookies, which must be classified separately.
Do CFID, CFTOKEN and JSESSIONID require consent?
No. These are session and authentication cookies considered strictly necessary under Article 5(3) of the ePrivacy Directive and the EDPB Guidelines 2/2023 on the technical scope of Article 5(3). They can be set without prior consent provided their lifetime is limited to the session or to the legitimate persistence of authentication and they are not reused for analytics or advertising.
What is the legal basis for the processing?
The legal basis depends on the application use case: Article 6(1)(b) GDPR (performance of the contract) when the user is logged in, Article 6(1)(f) (legitimate interest) for security and integrity, and Article 6(1)(c) (legal obligation) for accounting or audit logs. Special category data require an Article 9 condition such as explicit consent or substantial public interest.
Does CFML transfer data outside the EU?
Not by itself. CFML runs on the operator's infrastructure, so transfers only occur if the operator chooses a US cloud region or integrates external services. Adobe ColdFusion may contact Adobe servers for licensing and update checks; review that traffic and put Standard Contractual Clauses in place where applicable. Lucee is self-contained and does not call home unless usage statistics are explicitly enabled.
Is a DPIA required?
A DPIA on the language itself is not required. A DPIA on the application built with CFML may be required when the application performs systematic monitoring of individuals on a large scale, processes special category data, scores users automatically, or combines tracking from multiple sources, in line with Article 35 GDPR and the local DPA list of mandatory DPIA cases.
Which settings are recommended?
Set HttpOnly, Secure and SameSite on session cookies, rotate session IDs on login with sessionRotate(), protect state-changing forms with CSRF tokens, host the CFML server in an EU region when handling European personal data, patch Adobe ColdFusion or Lucee promptly, restrict the Administrator to internal networks, document CFID and CFTOKEN as strictly necessary, and gate any optional analytics or marketing tag through a Consent Management Platform.
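The cookie and session settings from the hardening checklist above and from the "data protection by design" section, as one Application.cfc. This is an added example, not code from the page, Adobe or Lucee. It assumes Adobe ColdFusion 2018+ or Lucee 5.3.7+ (the sameSite cookie attribute needs those releases); the application name, the form field name csrfToken and the loginUser()/logoutUser()/csrfField() helpers are illustrative names chosen here.

```cfml
// Application.cfc -- added example (not the page's, Adobe's or Lucee's code).
// Assumes Adobe ColdFusion 2018+ or Lucee 5.3.7+ for the sameSite attribute.
// "exampleApp", the "csrfToken" field name and the helper names below are hypothetical.
component {

    this.name              = "exampleApp";
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);  // expire idle sessions after 30 minutes
    this.setClientCookies  = true;                         // let the engine issue CFID/CFTOKEN
    this.clientManagement  = false;                        // no client variables: nothing persisted beyond the session
    this.scriptProtect     = "all";                        // engine-level filtering of script injection in scopes

    // Weak setting: only HttpOnly. The cookie would also be sent over plain HTTP and on cross-site requests.
    // this.sessionCookie = { httpOnly : true };

    // Hardened setting: HttpOnly + Secure + SameSite=Lax, as the checklist recommends.
    // (Lifetime is left at the engine default here; set this.sessionCookie.timeout per your engine's
    // documentation if you need a browser-session cookie, and record the value in the cookie policy.)
    this.sessionCookie = {
        httpOnly : true,
        secure   : true,
        sameSite : "Lax"
    };

    // CFID/CFTOKEN alone do not stop CSRF: the browser attaches them to a cross-site form post
    // automatically. Every state-changing request must therefore carry a per-session token.
    public boolean function onRequestStart(required string targetPage) {
        if (listFindNoCase("POST,PUT,PATCH,DELETE", cgi.request_method)) {
            var token = structKeyExists(form, "csrfToken") ? form.csrfToken : "";
            if (!len(token) || !csrfVerifyToken(token, "default")) {
                cfheader(statusCode = 403, statusText = "Forbidden");
                writeOutput("Request rejected: missing or invalid CSRF token.");
                return false;   // stop processing the requested page
            }
        }
        return true;
    }

    // Call after credentials have been checked (the credential check itself is out of scope here).
    public void function loginUser(required numeric userId) {
        sessionRotate();                 // fresh CFID/CFTOKEN: an id fixated before login is useless afterwards
        session.userId   = arguments.userId;
        session.loggedIn = true;
    }

    public void function logoutUser() {
        sessionInvalidate();             // drop the server-side session; the next request starts a new one
    }

    // Hidden field for HTML forms; csrfGenerateToken() binds the token to this session.
    public string function csrfField() {
        return '<input type="hidden" name="csrfToken" value="'
             & encodeForHTMLAttribute(csrfGenerateToken("default")) & '">';
    }
}
```

Check the result in the browser's developer tools: the Set-Cookie headers for CFID and CFTOKEN should show HttpOnly, Secure and SameSite=Lax, and a replayed POST without the hidden field should come back as 403. JSON clients that do not populate the form scope would need to send the token in a request header and the onRequestStart check extended to read it. On Adobe ColdFusion, also turn on "Use UUID for cftoken" in the Administrator, since that setting is not exposed through Application.cfc.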
How does CFML compare with other server-side stacks?
Equivalent server-side stacks include Java with Spring Boot, .NET (C#) with ASP.NET Core, Python with Django or FastAPI, PHP with Laravel, and Node.js with NestJS. From a privacy and compliance standpoint every server-side language behaves similarly: the privacy posture depends mostly on the application design, the hosting region and the cookie strategy, not on the language.
What should the cookie policy say?
List CFID, CFTOKEN and JSESSIONID as strictly necessary technical cookies in the cookie policy, with their purpose (session management, authentication), retention (session or the configured cookie lifetime) and first-party scope. Add any application-level cookie separately. Include a transparent statement that these strictly necessary cookies do not require consent, and refresh the policy whenever the application is upgraded.