DigiCert is a major US-based Certificate Authority that issues the SSL/TLS, code-signing, document-signing and qualified eIDAS certificates many European websites rely on. The certificates themselves are entirely server-side and raise no consent issues. However, browsers contact DigiCert's OCSP and CRL responders to verify revocation status, and websites that display the optional DigiCert Smart Seal embed a JavaScript widget that sets tracking cookies and pings DigiCert servers, which does trigger ePrivacy and transfer obligations.
DigiCert is one of the largest Certificate Authorities in the world, issuing SSL/TLS certificates, EV (Extended Validation) certificates, code signing certificates, document signing certificates and qualified eIDAS certificates used by enterprises across Europe. It also operates the Smart Seal trust badge that some websites display to communicate their security posture.
DigiCert processes certificate purchase data (organisation name, contact details, billing), and on issuance the certificate's subject information becomes public via Certificate Transparency logs. At runtime, the browser performs OCSP or CRL revocation checks against DigiCert's servers; these requests reveal the visitor's IP address and the certificate serial number. If the Smart Seal is embedded, it loads JavaScript that pings DigiCert, sets cookies and transmits referrer information.
OCSP and CRL checks are part of the TLS protocol and are necessary for secure HTTPS connections; they rely on legitimate interest and the legal obligation to maintain communications security. The Smart Seal is non-essential and requires prior consent under Art. 5(3) ePrivacy. DigiCert is a data processor for certificate orders and a controller for product analytics.
OCSP requests reveal browsing destinations to DigiCert, which sits in the US. Enabling OCSP stapling on your web server (Nginx, Apache, IIS) ensures that the OCSP response is fetched by the server and stapled into the TLS handshake, so the visitor's browser does not need to contact DigiCert directly. This is a simple privacy-enhancing measure that does not require user consent.
The DigiCert Smart Seal is a JavaScript widget that displays a trust badge and validates the certificate in real time. It loads from seal.digicert.com, sets cookies and transmits visit data to DigiCert. Treat it as a non-essential marketing element and gate it behind your CMP. If you want a trust badge without the tracking, use a static image instead.
1. Enable OCSP stapling on your web server.
2. If you display the Smart Seal, block it behind your CMP.
3. Sign the DigiCert subscriber agreement and DPA.
4. Document DigiCert in your privacy notice as a sub-processor or processor (depending on the product).
5. For qualified eIDAS certificates, prefer EU-based Qualified Trust Service Providers (QTSPs) to keep processing in the EU.
6. Monitor Certificate Transparency logs for issued certificates referencing your domain.
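Once stapling is configured (step 1 above and the OCSP stapling paragraph), the only proof that visitors' browsers no longer need to call ocsp.digicert.com is the TLS handshake itself. The script below is an added example, not from this page or from DigiCert: it classifies the output of `openssl s_client -status` and ships with a constructed sample so it runs offline; the hostname is a placeholder and OpenSSL is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): verify that a web server
# staples its OCSP response, so the visitor's browser never has to query the
# CA's OCSP responder itself. Assumes OpenSSL's s_client is available.

# Classify captured `openssl s_client -status` output. Prints one of:
#   stapled:good / stapled:revoked / stapled:unknown  (a response was stapled)
#   missing  (server sent no OCSP response: stapling is off or not yet primed)
#   error    (no recognisable OCSP section, e.g. the handshake itself failed)
classify_ocsp_output() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo missing
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    # The Cert Status line states what the stapled response asserts.
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
      echo stapled:good
    elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
      echo stapled:revoked
    else
      echo stapled:unknown
    fi
  else
    echo error
  fi
}

# Connect to a live server and classify the handshake. -servername sends SNI
# so a virtual-hosted site returns the certificate you actually serve.
check_ocsp_stapling() {
  local host="$1" port="${2:-443}" out
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null) || true
  classify_ocsp_output "$out"
}

# Constructed sample of the relevant s_client lines when a response is stapled.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
classify_ocsp_output "$SAMPLE_STAPLED"   # prints: stapled:good

# Live check against your own host (placeholder name):
# check_ocsp_stapling www.example.invalid 443
```

Run the live check after every web-server restart as well: some servers only begin stapling after they have fetched their first OCSP response, so a fresh restart can briefly report `missing`.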
DPIA considerations
The core certificate issuance and revocation use of DigiCert raises minimal DPIA concerns: OCSP requests transmit the visitor's IP address and certificate serial number, which DigiCert processes for legitimate security purposes. However, the optional Smart Seal widget loads a JavaScript widget that sets cookies and transmits referrer and IP to DigiCert in the US for impression counting. Key considerations: (1) OCSP requests reveal browsing destinations to DigiCert; OCSP stapling can mitigate this; (2) the Smart Seal is non-essential and requires consent; (3) qualified certificates under eIDAS may involve EU-based qualified trust service providers (QTSPs) with different processing terms; (4) US transfer for Smart Seal data. A streamlined DPIA is sufficient unless the certificate is used in a high-sensitivity context like financial signing or healthcare.
Sample consent text
This site uses DigiCert SSL certificates to encrypt your connection. To verify that the certificate has not been revoked, your browser may contact DigiCert's servers. If you see the DigiCert Smart Seal trust badge on this page, it sets a cookie and shares your visit data with DigiCert in the United States; we load it only after your consent.
Third-party domains contacted
digicert.com
seal.digicert.com
ocsp.digicert.com
crl.digicert.com
cacerts.digicert.com
ts-ocsp.ws.symantec.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| DC_VISITOR | Marketing / Analytics | 1 year | Set by the optional DigiCert Smart Seal trust badge to count widget impressions and recognise returning visitors. |
| seal_session | Functional | Session | Maintains the Smart Seal validation session during a visit. |
| _dc_consent | Strictly necessary | 1 year | Stores the visitor's consent status for the DigiCert Smart Seal widget on this site. |
Not directly from the certificate. Only the optional DigiCert Smart Seal widget, when embedded on the page, sets cookies such as DC_VISITOR and seal_session, and pings DigiCert servers from the visitor's browser.
No for the certificate itself: HTTPS encryption is a strictly necessary security measure. OCSP/CRL revocation checks rely on legitimate interest or legal obligation. The optional Smart Seal trust widget is non-essential and requires prior consent under ePrivacy.
Legitimate interest (Art. 6(1)(f) GDPR) and the legal obligation under Art. 32 GDPR to ensure the security of processing, combined with the CA/Browser Forum baseline requirements. OCSP stapling reduces the personal data flow.
Yes for OCSP, certificate orders and Smart Seal widget. DigiCert is headquartered in the United States. Transfers rely on the 2021 SCCs and EU-US Data Privacy Framework certification.
A streamlined DPIA is sufficient for standard certificate use. A more detailed assessment is recommended when DigiCert qualified eIDAS certificates are used for high-trust signing (financial advice, public administration). For Smart Seal use, document the cookie placement and US transfer.
Enable OCSP stapling, sign the subscriber agreement and DPA, mention DigiCert in your privacy notice as a processor, prefer EU-based QTSPs for eIDAS qualified certificates, gate the Smart Seal behind your CMP, and monitor Certificate Transparency logs for certificates referencing your domain.
EU-based or EU-friendly Certificate Authorities include Sectigo (UK / Romania), GlobalSign (originally Belgium, now Japan), Atos (France) for qualified eIDAS certificates, Buypass (Norway) and SwissSign (Switzerland with adequacy decision). Let's Encrypt (US non-profit) is free and the default for most low-trust deployments.
In your privacy notice, name DigiCert as a processor for certificate orders and a recipient for OCSP/CRL traffic; mention the US transfer and the legal basis. If the Smart Seal is embedded, add an entry in the cookie policy for DC_VISITOR / seal_session, describe the purpose and duration, and link to DigiCert's privacy statement.