© 2026 FlowConsent by BeBranded. All rights reserved.

Loqate

Marketing · Website


What does Loqate do?

Loqate is an address verification, geocoding and contact data quality service from GBG plc (United Kingdom). It powers real-time address autocomplete and phone and email validation on checkout and registration forms. Loqate processes IP addresses, partial address strings and lookup history through global data centres including the EU and the United States, so European deployments must address consent, legal basis and Schrems II transfers.

What Loqate is and where it fits

Loqate is the address capture and contact data quality product of GBG plc, a public company headquartered in Chester, United Kingdom. It is embedded in checkout, registration and lead forms across e-commerce, financial services and logistics platforms. When a visitor begins typing an address, Loqate streams partial strings to its API and returns ranked address candidates drawn from official postal files in more than 240 territories. The same platform offers phone validation, email verification and geocoding through a single JavaScript widget or REST endpoint.

For most European merchants, Loqate replaces a manual address field with a typeahead component. That single design choice shortens checkout, reduces failed deliveries and improves data quality, but it also creates an outbound flow of personal data to a third-party processor that requires precise documentation under the GDPR.

Data collected by the Loqate widget

Each keystroke sent to Loqate carries the partial address string, the visitor IP address, a session identifier, the referring page, browser user agent and the API key of the merchant. When verification or geocoding endpoints are called, Loqate also receives the full validated address, latitude and longitude. Phone and email validation endpoints receive the phone number or email address along with metadata used to score deliverability. GBG retains lookup logs to monitor usage, bill customers and improve match rates.

In standard configuration Loqate does not set persistent advertising cookies. It may use short-lived session storage or a first-party cookie for rate limiting and abuse prevention. Optional analytics, recommendation or replay add-ons sold separately do introduce tracking cookies that must be treated as non-essential.

GDPR and ePrivacy implications

GBG plc acts as a processor for the merchant when it returns address suggestions and as a joint or independent controller for fraud and identity scoring products. The merchant remains controller for the order data. Under Article 28 GDPR a written data processing agreement is mandatory, and the merchant must list Loqate in its record of processing activities and in its privacy notice. Where Loqate stores any information on the user terminal beyond what is strictly necessary, Article 5(3) of the ePrivacy Directive and its national transpositions (CNIL guidelines, TDDDG section 25, AEPD Guía Cookies) require prior consent.


Legal basis and consent strategy

Address autocomplete that runs during the order flow is normally based on contract performance under Article 6(1)(b) GDPR, because the visitor cannot complete the purchase without a valid delivery address. The CNIL accepts that strictly necessary technical features fall outside the consent obligation. Any additional layer (behavioural analytics, lookup history reuse for marketing, fraud profiling, session replay) needs either explicit consent under Article 6(1)(a) GDPR or a documented legitimate interest balancing test. The widget should therefore load on the order page unconditionally but only enable analytics when the consent banner records an opt-in.

International data transfers and Schrems II

GBG operates data centres in the United Kingdom, Ireland and Germany, and uses US infrastructure for some global products and customer support. Transfers from the EEA to the United Kingdom rely on the 2021 adequacy decision adopted by the European Commission. Onward transfers to the United States must rely on EU Standard Contractual Clauses, on the EU-US Data Privacy Framework where GBG affiliates are certified, and on a transfer impact assessment that addresses FISA 702 and Executive Order 12333 in line with the Schrems II ruling. EU merchants should request from GBG the regional pinning option that keeps queries inside the EEA whenever it is available.

Practical compliance steps for merchants

Sign the GBG data processing addendum, choose an EEA or UK data centre, list Loqate in the privacy notice with the contract legal basis, disclose any optional analytics behind a consent gate, and document retention of lookup logs (GBG typically holds them 12 to 24 months). Configure the widget with the minimum necessary fields, disable lookup history features that you do not use, restrict referrers and API keys per environment, and add Loqate to the CMP vendor list so that consent state can be read by the page before optional features run.

GDPR consent category

Marketing

Websites using Loqate must obtain user consent under GDPR regulations.

Legal basis: Contract (Art. 6(1)(b) GDPR) for address completion during checkout, with Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) required for any analytics, profiling or session replay layered on top
Risk level: medium
Applicable regulations: GDPR, ePrivacy Directive 2002/58/EC, UK GDPR, DSGVO, TDDDG, CNIL Cookie Guidelines, AEPD Guía sobre el uso de las cookies

DPIA considerations

A DPIA is generally not mandatory for plain address autocomplete used during checkout because the processing is contractually necessary and limited to typed address fragments. A DPIA is recommended when Loqate is combined with profiling, fraud scoring, geolocation enrichment, large-scale storage of lookup logs, or when used outside the order flow (for example on contact or quote forms with marketing reuse). Document the categories of data collected (IP, typed strings, browser metadata), the retention of lookup logs at GBG, the legal basis for each use, the transfer mechanism to non-EEA data centres, and the technical and organisational measures applied by the merchant and by GBG.

Sample consent text

We use Loqate (GBG plc) to suggest and verify your postal address while you type. Loqate receives the characters you enter, your IP address and basic browser information to return matching addresses. Address completion at checkout is processed on the legal basis of contract performance. If you also consent to analytics, your lookup history may be used to improve service quality. You can decline analytics without losing access to address completion.

Technical details

Tracking method: Client-side JavaScript, HTTP requests, First-party script
Server location: European Union (Ireland, Frankfurt) and United States (multi-region)
Data transferred outside the EU: Loqate (GBG plc, United Kingdom) routes queries through global data centres including the United States. Transfers from the EEA rely on the UK adequacy decision plus EU Standard Contractual Clauses where US infrastructure is used, in line with the Schrems II ruling (CJEU C-311/18).

Third-party domains contacted

  • loqate.com
  • api.addressy.com
  • services.postcodeanywhere.co.uk
  • js.loqate.com

Cookies placed

Name: loqate_session
Type: Session
Duration: Session
Purpose: Short-lived first-party session identifier used by the Loqate widget to correlate keystrokes belonging to the same address lookup attempt and to apply rate limiting and abuse prevention.

Name: loqate_rate
Type: HTTP
Duration: 1 hour
Purpose: First-party HTTP cookie or local storage entry used by the Loqate API for client-side throttling and quota enforcement on the merchant API key.


Frequently asked questions

What cookies and personal data does Loqate collect?

In standard configuration Loqate does not set persistent advertising cookies. The address autocomplete widget sends each keystroke to the Loqate API along with the visitor IP address, a session identifier, the referring page URL, the browser user agent and your merchant API key. Verification endpoints additionally receive the full validated postal address and geographic coordinates. Phone and email validation endpoints receive the value being validated and deliverability metadata. Loqate may use short-lived first-party cookies or session storage for rate limiting and abuse prevention. Optional analytics, recommendation or session replay modules sold alongside the core product introduce tracking cookies that must be treated as non-essential under the GDPR and the ePrivacy Directive.

Is consent required to deploy Loqate on a European website?

For address autocomplete inside a checkout, registration or shipping flow, prior consent is not required because the processing is necessary to perform the contract requested by the visitor. The widget can therefore load unconditionally. Consent is required as soon as Loqate is used for purposes that are not strictly necessary: storing the visitor lookup history for marketing reuse, behavioural analytics, fraud profiling, or any session replay or recommendation add-on. Consent is also required wherever Loqate places a non-essential identifier on the device under Article 5(3) of the ePrivacy Directive. In practice you should split the widget into an always-on core and a consent-gated analytics layer.

What is the correct legal basis under Article 6 GDPR?

Address autocomplete during checkout relies on Article 6(1)(b) GDPR (contract performance), because a valid delivery address is necessary to fulfil the order. The CNIL, the DSK and the AEPD all accept that strictly technical aids to the contract do not require consent. Phone and email validation used to register a customer account or to deliver a service rely on the same basis. Fraud and identity scoring products typically rely on Article 6(1)(f) GDPR (legitimate interest) with a documented balancing test, or on a legal obligation when used for AML or KYC. Any reuse of lookup data for marketing requires Article 6(1)(a) GDPR consent.

Does Loqate transfer data outside the European Economic Area?

Yes. Loqate is operated by GBG plc, a UK company, and runs production traffic through data centres in the United Kingdom, Ireland and Germany, with additional US infrastructure for some global products and customer support. Transfers from the EEA to the United Kingdom rely on the European Commission UK adequacy decision of June 2021. Any onward transfer to the United States must rely on the EU Standard Contractual Clauses with a transfer impact assessment that addresses FISA 702 and Executive Order 12333, in line with the Schrems II judgment (CJEU C-311/18), and where available on the EU-US Data Privacy Framework certification of the receiving entity.

Do we need a DPIA before deploying Loqate?

A formal Data Protection Impact Assessment is generally not mandatory for plain address autocomplete used within an order flow, because the processing is contractually necessary and limited in scope. A DPIA becomes advisable when Loqate is combined with profiling, fraud or identity scoring, geographic enrichment, large-scale persistent storage of lookup history or use outside the order flow with marketing reuse. The DPIA should describe the categories of data (typed strings, IP, browser metadata), the retention at GBG, the legal basis per purpose, the transfer mechanism to non-EEA centres, and the technical and organisational measures applied by both the merchant and GBG plc.

How do we implement Loqate compliantly on a European site?

Sign the GBG data processing addendum, request an EEA or UK data centre as primary region, and list Loqate in the privacy notice with the contract legal basis. Load the autocomplete widget unconditionally on the order page but disable any optional analytics, session replay or recommendation modules until the consent management platform records an opt-in. Restrict the API key by referrer, environment and IP allow list. Configure the minimum set of fields needed for delivery, disable lookup history features that you do not use, and document the retention of lookup logs (GBG typically retains them for 12 to 24 months). Add Loqate to the CMP vendor list.

What alternatives to Loqate exist for European deployments?

Several address verification providers with strong EEA presence can be evaluated: Postcode.eu (Netherlands), Fadi, Egon, Melissa, Smarty (with EU residency option), Google Address Validation API (with the same Schrems II constraints as any Google product), and national postal authority APIs such as La Poste, Royal Mail Datafile, Deutsche Post Direkt and Correos. Open data approaches based on OpenAddresses or the BAN dataset can fit simpler use cases. The right choice depends on coverage in your target countries, latency, completeness of the postal file and contractual terms (DPA, sub-processors, transfer mechanisms, data residency, retention of lookup logs).

How should we update our cookie and privacy policy?

In the privacy notice, name GBG plc and Loqate as a processor used for address verification at checkout, state the legal basis of contract performance, list categories of data (typed input, IP, browser metadata, validated address), name the data centres used (UK, EU, US fallback), describe the transfer mechanism (UK adequacy plus SCCs for any US route), and give the retention period of lookup logs. In the cookie notice, mention any short-lived first-party identifier set by the widget, and list separately any optional analytics or replay modules. Provide the link to the GBG privacy policy and to the rights mechanism for data subject requests.