Optimizely is a leading experimentation and A/B testing platform that allows businesses to run controlled tests on website content, features, and user flows. It uses cookies and local storage to assign visitors to experiment variants and track their behaviour. Because Optimizely profiles individual users to deliver personalised experiences, its use on European websites requires prior consent under GDPR and the ePrivacy Directive.
Optimizely is an enterprise-grade experimentation and digital experience platform. Its core product enables A/B testing, multivariate testing, and feature flag management, allowing teams to compare different versions of web pages, features, or user flows and measure which variant performs best. Optimizely also offers a Content Management System, a Commerce Cloud, and a Data Platform for customer data orchestration. When the Optimizely snippet is loaded on a website, it immediately begins assigning visitors to experiment buckets and tracking their interactions, making it a high-priority item for GDPR consent management.
Optimizely sets a first-party cookie named optimizelyEndUserId, a persistent identifier valid for 6 months that tracks which experiment variants a visitor has been assigned to. It also uses local storage entries to store experiment state and visitor data. The platform collects IP addresses, browser and device information, page URLs, click events, scroll depth, and conversion events. When integrated with the Optimizely Data Platform, user data can be enriched with CRM attributes and cross-channel behavioural history, significantly expanding the personal data footprint.
The ePrivacy Directive requires consent before storing or accessing information on a user's device via cookies or local storage, unless strictly necessary. Optimizely's experimentation cookies are not strictly necessary and therefore require prior consent. Under GDPR, Optimizely's collection of behavioural data and persistent visitor identifiers constitutes personal data processing requiring a lawful basis. The systematic profiling of users across experiment variants may also trigger obligations around automated decision-making under Article 22, depending on implementation.
Consent must be obtained before the Optimizely snippet loads. This means blocking the script at the consent management platform level and only injecting it after the user has accepted. The consent banner should clearly explain that Optimizely is used for website testing and improvement, describe the cookies and local storage data set, and disclose the potential transfer to US servers. Visitors who decline must receive the same website experience without being enrolled in any experiment. Consent must be refreshable and revocable at any time.
Optimizely is headquartered in San Francisco, California. By default, experiment data is processed on US infrastructure. Optimizely offers EU data residency for its Data Platform product, which organisations handling high volumes of European personal data should evaluate. The applicable transfer mechanism for EU customers is Standard Contractual Clauses under GDPR Article 46. Organisations must document this transfer in their Records of Processing Activities, verify that a Data Processing Agreement is signed, and list Optimizely in their sub-processor disclosure.
To run Optimizely compliantly in the EU: integrate your consent management platform with Optimizely so the snippet only fires post-consent; use Optimizely's built-in opt-out API to honour consent withdrawals; categorise Optimizely under a performance or analytics cookie category; update your privacy policy and cookie policy to list the optimizelyEndUserId cookie with its duration and purpose; sign a Data Processing Agreement with Optimizely; and document US transfers in your RoPA. For server-side experimentation via Optimizely's SDK, no browser cookies are set but IP addresses and user identifiers are still transmitted to Optimizely servers, so the same consent and transfer obligations apply.
Websites using Optimizely must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when Optimizely is used to profile users at scale for personalisation or targeted experimentation, particularly when combined with CRM or advertising data. Key risks include persistent user profiling across sessions, automated allocation of users to content variants, US data transfers, and integration with third-party data sources that may amplify the scope of personal data processing.
Sample consent text
We use Optimizely to run A/B tests and improve our website. Optimizely sets cookies and stores data in your browser to assign you to a test variant and measure how you interact with different versions of our pages. This may involve transferring data to servers in the United States. Please accept to participate in website experiments.
Third-party domains contacted
- cdn.optimizely.com
- logx.optimizely.com
- api.optimizely.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| optimizelyEndUserId | persistent | 6 months | Unique visitor identifier used to consistently assign users to A/B test variants across sessions |
| optimizelyBuckets | persistent | 6 months | Stores the list of experiment buckets the visitor has been assigned to, used to ensure consistent variant delivery |
Optimizely sets a first-party persistent cookie called optimizelyEndUserId, which is valid for 6 months. This cookie assigns each visitor a unique identifier used to consistently allocate them to the same experiment variants across sessions. Optimizely also writes experiment state data into local storage in the visitor's browser, which persists independently of cookie consent unless explicitly cleared.
Yes. Optimizely sets persistent cookies and accesses local storage before any user interaction, which requires prior informed consent under the ePrivacy Directive. Under GDPR, the profiling of visitors for experimentation purposes constitutes personal data processing. The Optimizely snippet must be blocked by your consent management platform until valid consent is obtained.
Consent under Article 6(1)(a) GDPR is the required legal basis for Optimizely's behavioural tracking and experimentation cookies. Legitimate interest under Article 6(1)(f) is sometimes claimed for server-side feature flags that do not involve personal data, but this requires a documented balancing test and cannot substitute for consent where cookies or identifiable user profiling are involved.
Yes. Optimizely is headquartered in the United States and processes experiment data on US infrastructure by default. The transfer mechanism for EU customers is Standard Contractual Clauses under GDPR Article 46. Optimizely offers EU data residency for its Data Platform product. All US transfers must be documented in your Records of Processing Activities with the applicable safeguard identified.
A DPIA is recommended when Optimizely is used to profile users at scale or when it is combined with CRM, advertising, or other personal data sources via the Optimizely Data Platform. The combination of persistent visitor identification, cross-session profiling, automated variant assignment, and US data transfer creates a processing activity with elevated risk that warrants a formal impact assessment.
Configure your consent management platform to block the Optimizely snippet until consent is granted. Use Optimizely's opt-out API or disable the snippet for opted-out users. Ensure local storage entries are cleared or not written for users without consent. Categorise Optimizely under performance or analytics cookies. Update your cookie policy to document the optimizelyEndUserId cookie. Sign a Data Processing Agreement with Optimizely and document the US transfer in your RoPA.
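The gating described above (and in the earlier steps on loading the snippet only after acceptance and honouring withdrawals) can be sketched as follows. This is an added example, not Optimizely's or this page's own code: the project ID is a placeholder, the `optimizely` local storage key prefix is an assumption, and `grant()`/`revoke()` are hypothetical hooks to be called by your consent management platform.

```javascript
// Added example, not Optimizely's or the page author's code.
// Assumptions: placeholder project ID, "optimizely" localStorage key prefix,
// and a CMP that calls grant()/revoke() on the visitor's choice.
const OPTIMIZELY_COOKIES = ["optimizelyEndUserId", "optimizelyBuckets"];

function createOptimizelyGate(win, projectId, cookieDomain) {
  const doc = win.document;
  let injected = false;

  // Call only after the visitor accepts; nothing is loaded before that.
  function grant() {
    win.optimizely = win.optimizely || [];
    // Clear an opt-out left by an earlier withdrawal.
    win.optimizely.push({ type: "optOut", isOptOut: false });
    if (injected) return false; // never inject the snippet twice
    const script = doc.createElement("script");
    script.src = "https://cdn.optimizely.com/js/" + encodeURIComponent(projectId) + ".js";
    script.async = true;
    doc.head.appendChild(script);
    injected = true;
    return true;
  }

  // Call when consent is withdrawn; returns the storage keys it removed.
  function revoke() {
    if (win.optimizely) win.optimizely.push({ type: "optOut", isOptOut: true });
    const domainAttr = cookieDomain ? "; Domain=" + cookieDomain : "";
    for (const name of OPTIMIZELY_COOKIES) {
      // Expire the identifiers listed in the cookie table.
      doc.cookie = name + "=; Max-Age=0; Path=/" + domainAttr;
    }
    const removed = [];
    for (let i = win.localStorage.length - 1; i >= 0; i--) {
      const key = win.localStorage.key(i);
      if (key && key.startsWith("optimizely")) {
        win.localStorage.removeItem(key);
        removed.push(key);
      }
    }
    return removed;
  }

  return { grant, revoke };
}
```

In a browser, create the gate with `createOptimizelyGate(window, "<PROJECT_ID>")`. Pass `cookieDomain` when the cookies were set on a parent domain, otherwise the expiry write will not match them.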
Yes. GrowthBook is an open-source A/B testing platform that can be self-hosted in the EU, eliminating third-country transfer concerns. Kameleoon and AB Tasty are European-headquartered alternatives that offer EU data residency. For server-side testing without client-side cookies, tools like Unleash or Flagsmith can be self-hosted and integrated with your own analytics stack.
Add an entry for the optimizelyEndUserId cookie in your cookie policy table, listing its name, category (performance or analytics), duration (6 months), and purpose (A/B testing variant assignment). Note any local storage usage separately. Reference Optimizely as a third-party processor, link to their privacy policy at optimizely.com/legal/privacy-policy, and disclose the transfer of data to the United States under Standard Contractual Clauses.