Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
LiteSpeed Web Server is a high performance commercial web server developed by LiteSpeed Technologies Inc. (Houston, Texas), with an open source variant called OpenLiteSpeed. It is widely used in WordPress, WooCommerce and shared hosting environments because of its built in LSCache, drop in Apache compatibility and lower memory footprint. From a privacy perspective, LiteSpeed is server side software: it does not set client side cookies of its own but writes access logs containing IP addresses and request metadata.
LiteSpeed Web Server is a commercial web server developed by LiteSpeed Technologies Inc., headquartered in Houston, Texas. It is sold under a licence model with different tiers based on workload size, and an open source companion called OpenLiteSpeed provides a free version with a slightly reduced feature set. The product is widely used in WordPress, WooCommerce and shared hosting environments because of its drop in compatibility with Apache configuration files, its built in HTTP cache called LSCache, and its lower memory footprint than Apache. LiteSpeed runs on the operator''s own infrastructure and does not phone home to LiteSpeed servers during normal operation.
LiteSpeed does not set client side cookies by default. The cookies a visitor sees come from application backends (PHP, WordPress, etc.) running behind LiteSpeed, or from third party tags loaded by the HTML. LiteSpeed itself produces access logs in Combined Log Format by default, containing client IP, timestamp, request, status, bytes sent, referer and user agent. The LSCache plugin for WordPress and OpenLiteSpeed Cache can be configured to write cache control cookies such as lscache_vary, used to serve different cache variants to logged in versus anonymous users.
Because LiteSpeed itself does not store information on the visitor''s terminal, ePrivacy Art. 5(3) does not apply to LiteSpeed. The server logs are governed by the GDPR and rest on legitimate interest under Art. 6(1)(f), justified by security, performance and operations. If the LSCache plugin sets cache vary cookies, those cookies are generally considered strictly necessary for the caching functionality (and therefore exempt from consent), but they must still be listed in the cookie policy for transparency.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
LiteSpeed Web Server runs on the operator''s infrastructure and does not transfer visitor data to third countries by itself. Commercial relationships with LiteSpeed Technologies Inc. (Houston, Texas) involve some data exchange, governed by the licence agreement and any commercial support contract. For European operators, the licence cost and contact details are processed in the US under LiteSpeed''s privacy notice with SCCs. OpenLiteSpeed (open source) does not involve any commercial relationship.
Document LiteSpeed in the record of processing as a web server under legitimate interest. Configure a custom access log format that anonymises IP addresses where the use case allows. Set a short retention period (30 to 90 days) for access logs. If LSCache or OpenLiteSpeed Cache is used, list the lscache_vary cookie in the cookie policy as strictly necessary for caching. For commercial LiteSpeed licences, sign the LiteSpeed DPA and document the US transfer mechanism. LiteSpeed itself does not appear on the cookie banner.
Websites using LiteSpeed must obtain user consent under GDPR regulations.
DPIA considerations
LiteSpeed does not require a DPIA on its own because it is server infrastructure software. The access logs it writes do require attention: (1) default log format includes the full IP address, which is personal data under the GDPR; (2) retention should be limited to what is needed for security and operations; (3) IP anonymisation can be configured at the LiteSpeed level through custom log formats; (4) the LSCache plugin for WordPress and OpenLiteSpeed Cache can write cache control cookies if explicitly configured (such as the lscache_vary cookie used to vary the cache per logged in user), which the operator must list in the cookie policy when used; (5) commercial LiteSpeed support involves data exchange with LiteSpeed Technologies Inc. in the US, governed by the licence agreement.
Sample consent text
We use LiteSpeed Web Server as our web server and HTTP cache on our infrastructure. LiteSpeed itself does not set cookies on your device. Like any web server it writes access logs containing your IP address, the page you requested, your browser type and the referring page. These logs are used to operate the site, investigate security incidents and meet legal retention obligations under our legitimate interest.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| lscache_vary | Strictly Necessary / Functional | Session | Set by the LiteSpeed Cache plugin for WordPress (and OpenLiteSpeed Cache). Stores a vary key used by the LSCache server module to serve different cache variants to logged in users versus anonymous users, and to support per role or per language caching. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
LiteSpeed Web Server itself does not set cookies. The LSCache plugin for WordPress and OpenLiteSpeed Cache can be configured to write cache control cookies like lscache_vary, used to serve different cache variants to logged in versus anonymous users. Those cookies are generally treated as strictly necessary for the caching functionality.
No for LiteSpeed itself. The LSCache cache variation cookies are considered strictly necessary under ePrivacy Art. 5(3) and do not require consent, but they must be listed in the cookie policy for transparency. Other cookies set by the application backends behind LiteSpeed must be assessed on their own merits.
Legitimate interest under GDPR Art. 6(1)(f) for the access logs and cache operations, justified by security, performance and operational stability.
LiteSpeed itself does not transfer visitor data. The commercial relationship with LiteSpeed Technologies Inc. (Houston, Texas) involves processing of licence and support contact data in the US, governed by SCCs.
A DPIA is not required for LiteSpeed itself. The broader logging and caching architecture may need a DPIA if logs are processed for advanced security analytics or shipped to non EU systems.
Use a custom access log format that anonymises IP addresses where the use case allows. Set a short retention period. Document the LSCache lscache_vary cookie in the cookie policy if used. Avoid logging request bodies. Tighten error log levels in production.
Other web servers include Nginx, Apache HTTP Server, Caddy and OpenLiteSpeed (the free LiteSpeed variant). OpenLiteSpeed is a privacy friendly choice because it removes the commercial relationship with LiteSpeed Technologies Inc.
LiteSpeed does not belong on the cookie banner. List the lscache_vary cookie under strictly necessary cookies if LSCache is used. In the privacy policy, mention that the site is served by a web server (LiteSpeed) for performance, the legal basis (legitimate interest), the log categories, retention and recipients.