Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
New Relic is a US based observability platform combining server side APM agents and a JavaScript Browser Agent for real user monitoring. The Browser Agent collects page performance metrics, AJAX timings, JavaScript errors and Core Web Vitals. EU customers can choose the Frankfurt datacenter at account creation.
New Relic is an observability platform operated by New Relic Inc. (a Francisco Partners portfolio company since 2023, headquartered in San Francisco). The platform combines server side APM agents (Java, Node.js, Python, Ruby, .NET, Go, PHP), infrastructure monitoring, synthetic checks, logs, traces and a Browser Agent for real user monitoring. European banks, fintech, ecommerce platforms and SaaS scaleups use New Relic extensively.
The Browser Agent stores a NRBA_SESSION identifier in browser sessionStorage and may set the JSESSIONID style nr-data cookie on the publisher domain depending on the deployment. It also writes the New Relic licence key in inline JavaScript and posts beacons to bam.nr-data.net (US) or bam.eu01.nr-data.net (EU). The server side APM agent does not touch the visitor browser directly.
The Browser Agent processes visitor IP addresses, full URLs (including query strings that may carry identifiers) and a session identifier. The CNIL and DSK consider it a non strictly necessary telemetry tool that requires consent. The server side APM agent only processes operational telemetry inside the publisher infrastructure and relies on legitimate interest under Article 6(1)(f) GDPR for reliability and security.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Operators must obtain prior, freely given, specific, informed and unambiguous consent before the New Relic Browser Agent is initialised. The Agent exposes a JavaScript API (NREUM.init) that should be called only after the consent management platform fires the analytics accept event. Server side APM agents do not require consent because they do not access the visitor terminal.
New Relic offers two datacenters: US (Atlanta) and EU (Frankfurt). Customers choose at account creation and cannot easily change later. Selecting the EU datacenter keeps Browser Agent and APM telemetry within the EEA. US datacenter accounts transfer telemetry to AWS US regions, covered by the EU US Data Privacy Framework adequacy decision and the New Relic DPA Standard Contractual Clauses.
Choose the EU datacenter at account creation, sign the New Relic DPA, document the data processing in your record, gate the Browser Agent behind a consent management platform, scrub PII from URLs and request bodies before sending to New Relic (the Drop Filter and obfuscation features help), and keep retention periods short.
Websites using New Relic must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when New Relic Browser Agent is deployed at scale, when session traces are correlated with backend logs containing customer identifiers, or when New Relic is used for fraud detection. The DPIA should document the EU vs US datacenter choice, the retention period and the consent gate.
Sample consent text
We use New Relic to monitor the performance of our website. The New Relic Browser Agent stores a session identifier and reports page load times, AJAX calls and JavaScript errors. The Browser Agent runs only with your consent. Server side APM telemetry continues to run independently for fraud and reliability purposes.
Third-party domains contacted
bam.nr-data.netbam.eu01.nr-data.netjs-agent.newrelic.comnewrelic.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NRBA_SESSION (sessionStorage) | first_party | Session | New Relic Browser Agent session identifier stored in browser sessionStorage. Used to correlate AJAX, page views, JavaScript errors and Core Web Vitals into a single session trace. |
| nr-data | first_party | Session | Optional New Relic cookie set on the publisher domain when the deployment uses cookie based session attribution rather than sessionStorage. |
| JSESSIONID | first_party | Session | Standard Java application server session cookie that New Relic uses to correlate browser traces with server side transactions when the publisher backend is Java based. |
New Relic collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The New Relic Browser Agent writes the NRBA_SESSION identifier in browser sessionStorage and may set a nr-data cookie on the publisher domain. Server side APM agents do not access the visitor browser. Optional Session Replay (if enabled) introduces additional storage.
Yes for the Browser Agent. Prior, freely given, specific, informed and unambiguous consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR is required because it stores a session identifier on the visitor terminal and collects IP and URL telemetry. The server side APM agent does not require consent.
The Browser Agent relies on Article 6(1)(a) GDPR consent. The server side APM agent relies on Article 6(1)(f) GDPR legitimate interest for reliability and security purposes. New Relic Inc. is a processor under Article 28 GDPR for both products.
Only if you chose the US datacenter at account creation. The EU datacenter (Frankfurt) keeps Browser Agent and APM telemetry inside the EEA. US accounts are covered by the EU US Data Privacy Framework and the New Relic DPA Standard Contractual Clauses.
A DPIA is recommended whenever the Browser Agent is used at scale, when traces are correlated with backend customer logs, or when fraud detection is built on top. Document the datacenter choice, the data minimisation settings (URL scrubbing, custom attributes filtering) and the consent flow.
Choose the EU datacenter, sign the New Relic DPA, gate the Browser Agent behind your consent management platform, scrub PII from URLs using Drop Filters and obfuscation rules, keep short retention periods, and leave the server side APM agent enabled under legitimate interest for reliability.
European observability alternatives include Datadog (US, but offers EU residency), Dynatrace (Austria), Instana (now IBM, EU options), Grafana Cloud (Sweden region), Sematext (EU region) and self hosted stacks based on Prometheus, Loki and Tempo. APM only alternatives include Elastic APM, Inspector and Scout APM.
List the Browser Agent and its NRBA_SESSION identifier in the analytics or performance category of your cookie policy. State the purpose (real user monitoring), the datacenter region (EU or US), the retention period, and link to the New Relic privacy notice. Mention that server side APM telemetry runs under legitimate interest.