Bloomreach Discovery is the AI driven product discovery suite of Bloomreach Inc., combining search, merchandising and recommendations for e-commerce. The platform writes the persistent _br_uid_2 cookie to identify returning visitors and feed its personalisation engine. Because the cookie supports behavioural profiling and the data flows through US infrastructure, deployments in the European Economic Area must collect consent and address Schrems II obligations.
Bloomreach Discovery is the AI driven product discovery suite published by Bloomreach Inc., a software vendor with offices in Mountain View, California, and Bratislava, Slovakia. It combines search, merchandising and recommendations for e-commerce sites and exposes a JavaScript pixel and a server side API. When a visitor searches a catalogue, clicks a product or adds an item to the basket, the pixel sends the event to the Bloomreach Discovery API, where machine learning models combine the data with the merchant catalogue to rank, filter and personalise the results.
The signature cookie is _br_uid_2, a first party cookie that stores a stable visitor identifier with a lifetime of one year. Bloomreach Discovery also stores session metadata, the truncated IP address, the user agent, the page URL, the referrer and the full sequence of search queries and clicks. When the merchant pushes a logged in user identifier, Bloomreach can stitch the anonymous visitor profile to the customer record, which deepens the personalisation but also turns the data set into clearly identified personal data.
The _br_uid_2 cookie is not strictly necessary because behavioural profiling is not required to deliver a basic search service. Article 5(3) of the ePrivacy Directive therefore requires consent before the cookie is set. Articles 13 and 14 of GDPR require a transparent privacy notice that names Bloomreach, lists the data categories, the retention period and the data subject rights. Article 22 GDPR also applies when the recommendation engine produces decisions with legal or significant effects.
Bloomreach Inc. is a US controller subject to FISA 702 and Executive Order 14086. EU customers can request the EU pod, but US support staff retain access to the data. Transfers rely on the EU US Data Privacy Framework where Bloomreach Inc. is self certified, complemented by Standard Contractual Clauses for residual flows. European controllers must perform a Transfer Impact Assessment and document supplementary measures such as encryption with EU based keys and pseudonymisation of customer identifiers.
Block the Bloomreach Discovery pixel behind your Consent Management Platform until the visitor accepts the personalisation category. Request the EU pod assignment, sign a Data Processing Agreement and Standard Contractual Clauses, document supplementary measures, run a Transfer Impact Assessment and document the retention period of the _br_uid_2 cookie. List Bloomreach Inc. in the privacy notice and offer a clear opt out mechanism even after consent has been granted.
Websites using Bloomreach Discovery must obtain user consent under GDPR regulations.
DPIA considerations
Bloomreach Discovery profiles visitors through their search and click behaviour to drive merchandising. Combined with US transfers and a long lived visitor identifier, the processing meets several criteria of Article 35 GDPR. A DPIA should describe the consent flow, the categories of data, the retention period of the _br_uid_2 cookie, the access of US support staff and the supplementary measures applied for Schrems II compliance.
Sample consent text
We use Bloomreach Discovery to personalise the products and search results displayed on this site. With your consent, your searches, clicks and product views are sent to Bloomreach Inc. on infrastructure in the European Union or the United States to power AI driven recommendations. You can withdraw your consent at any time from the cookie preferences link.
Third-party domains contacted
bloomreach.com, br-data.com, bltcdn.com, bloomreach.co
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _br_uid_2 | first_party | 1 year | Stores the persistent visitor identifier used by Bloomreach Discovery to deliver search relevance and AI personalisation. |
| _br_session | first_party | Session | Stores the session identifier used to correlate search queries, clicks and conversions during a single visit. |
| _br_consent | first_party | 1 year | Stores the visitor consent state for the Bloomreach Discovery analytics and personalisation cookies. |
The signature cookie is _br_uid_2, a first party cookie with a one year lifetime that stores a stable visitor identifier. Bloomreach Discovery also stores a session cookie and uses local storage to keep the search history and the personalisation context.
Yes. The _br_uid_2 cookie is not strictly necessary because behavioural profiling is not required to deliver a basic search service. Article 5(3) of the ePrivacy Directive requires a freely given, specific, informed and unambiguous consent before the pixel can load.
The legal basis is consent under Article 6(1)(a) GDPR for the personalisation engine. Article 22 GDPR also applies when the recommendations produce decisions with legal or significant effects, in which case the controller must put in place safeguards such as human review and the right to obtain an explanation.
Yes. Bloomreach Inc. is a US controller and even when the customer is provisioned on the EU pod, US support staff retain access to the data. Transfers rely on the EU US Data Privacy Framework where Bloomreach is self certified, complemented by Standard Contractual Clauses for residual flows.
A DPIA is recommended because the platform combines large scale behavioural profiling, US transfers and a long lived visitor identifier. Cover the consent flow, the categories of data, the retention period of the _br_uid_2 cookie, the access of US support staff and the supplementary measures applied for Schrems II compliance.
Block the pixel behind a Consent Management Platform such as FlowConsent until the visitor accepts the personalisation category. Request the EU pod assignment, sign a Data Processing Agreement and Standard Contractual Clauses, document supplementary measures, run a Transfer Impact Assessment and provide an opt out link in the privacy notice.
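To check that the blocking described here and in the earlier compliance checklist actually holds, the following added example (not code from this page or from Bloomreach) audits a capture of a page load for requests to the listed third-party domains and for the profiling cookies before consent. The capture format, the function names, and the sample hostnames and paths are assumptions made for illustration.

```javascript
// Domains and cookie names are taken from this page's lists.
const BLOOMREACH_DOMAINS = ["bloomreach.com", "br-data.com", "bltcdn.com", "bloomreach.co"];
// _br_consent is left out: treating the consent-state cookie as acceptable
// before opt-in is an assumption of this example.
const PROFILING_COOKIES = ["_br_uid_2", "_br_session"];

// True when host is a listed domain or a subdomain of one. Matching on a label
// boundary keeps "notbloomreach.com" and "bloomreach.com.example" from matching.
function isBloomreachHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return BLOOMREACH_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// capture (hypothetical shape):
//   { consent: { personalisation: boolean }, requests: [url], cookies: [name] }
// Returns findings that indicate the pixel ran without personalisation consent.
function auditPreConsent(capture) {
  const findings = [];
  if (capture.consent && capture.consent.personalisation === true) return findings;
  for (const url of capture.requests) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      findings.push({ type: "unparsable-url", value: url });
      continue;
    }
    if (isBloomreachHost(host)) findings.push({ type: "request", value: host });
  }
  for (const name of capture.cookies) {
    if (PROFILING_COOKIES.includes(name)) findings.push({ type: "cookie", value: name });
  }
  return findings;
}

// Constructed sample capture; subdomains and paths are made up for the example.
const SAMPLE_BEFORE_CONSENT = {
  consent: { personalisation: false },
  requests: [
    "https://shop.example/search?q=boots",
    "https://cdn.bltcdn.com/pixel.js",
    "https://notbloomreach.com/a.js",
    "https://p.br-data.com/pix?x=1",
  ],
  cookies: ["session_id", "_br_consent", "_br_uid_2"],
};

console.log(auditPreConsent(SAMPLE_BEFORE_CONSENT));
```

An empty result for a capture taken before the visitor has made a choice is the expected outcome of a correctly configured Consent Management Platform.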
Common alternatives include Algolia, Klevu, Coveo, Lucidworks Fusion, Constructor.io, Searchspring, Doofinder, Sitecore Personalize and self hosted Elasticsearch with custom personalisation. Each has different feature sets, pricing and hosting regions, so map your use case before switching.
List _br_uid_2 with its purpose and one year duration, document Bloomreach Inc. as a processor with a US headquarters, reference the EU US Data Privacy Framework and Standard Contractual Clauses, link to the Bloomreach privacy notice and provide a clear consent management link with a working revocation flow.