Akamai Bot Manager is an enterprise bot management product running at the edge of the Akamai CDN. It classifies and mitigates bots through device fingerprinting, behaviour analysis and JavaScript challenges.
Akamai Bot Manager is a bot detection and mitigation product that runs on the Akamai Intelligent Platform, the world's largest content delivery network. It analyses every request reaching your site, scores it against bot signatures and machine learning models, and applies the action you configured (allow, monitor, slow down, serve alternate content, challenge with a JavaScript test or a captcha, block).
Bot Manager Premier injects a JavaScript sensor that fingerprints the device, captures behavioural signals (mouse movements, scrolling, typing cadence), and posts the proof of work back to the Akamai edge. The edge stores a bot score in a signed cookie so subsequent requests do not require revalidation. Akamai threat intelligence updates the rules continuously from the global Akamai network.
The platform sets first party cookies on the protected domain (typically _abck for the score, bm_sz for the session, ak_bmsc for behaviour) and reads the IP, user agent, TLS fingerprint, the device sensor payload, and request headers. None of the cookies is used for marketing.
The bot scoring cookies can be considered strictly necessary for security under Article 5(3) ePrivacy, since they directly support the integrity of the service. The behavioural signals are personal data and rely on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. Akamai is a processor under your DPA. Inform users in your privacy notice that bot management is used.
Edge evaluation happens close to the visitor (including EU points of presence). Akamai Technologies is a US company and the central threat intelligence platform runs in the US. Transfers are covered by the EU-US Data Privacy Framework (Akamai is certified) and by Standard Contractual Clauses for non DPF flows.
Treat Bot Manager as a strictly necessary security tool, enabled by default. Restrict the sensor to pages where bot risk justifies it (login, checkout, search), keep the cookies on the first party domain, and document the deployment in your record of processing activities. Provide an accessible alternative for users blocked by false positives.
Websites using Akamai Bot Manager must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Bot Manager runs on consumer journeys (login, account creation, checkout) where false positives could exclude legitimate users. Document the signals captured by the sensor (device, behaviour), the retention by Akamai, the EU edge architecture, and the appeal path for users blocked by mistake.
Sample consent text
We use Akamai Bot Manager to protect this site against automated abuse, fraud and credential stuffing. It sets small bot scoring cookies and reads device signals on every request. These are strictly necessary for security and are active without prior consent.
Third-party domains contacted
akamaihd.net
akamaized.net
akamaiedge.net
edge.akamai.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _abck | http_cookie | 1 year | Stores the signed Akamai Bot Manager score and a sensor verification token used to identify legitimate browsers across requests. |
| bm_sz | http_cookie | 4 hours | Akamai session cookie issued at the edge to associate a visitor session with the bot scoring decisions. |
| ak_bmsc | http_cookie | 2 hours | Stores intermediate behavioural state and sensor results during a visit. |
| bm_sv | http_cookie | 1 hour | Sensor verification cookie used to confirm that the JavaScript sensor has been executed by a legitimate browser. |
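To check that a deployment matches this cookie inventory before recording it, the following added example (not Akamai's code and not part of the original page) audits `Set-Cookie` headers against the documented lifetimes and the first-party requirement. The sample headers are constructed and `example.com` is a placeholder domain; cookies that only carry `Expires` are reported as not verifiable rather than guessed.

```python
from http.cookies import SimpleCookie

# Lifetimes taken from the cookie table above, converted to seconds.
DOCUMENTED = {
    "_abck": 365 * 24 * 3600,   # 1 year
    "bm_sz": 4 * 3600,          # 4 hours
    "ak_bmsc": 2 * 3600,        # 2 hours
    "bm_sv": 1 * 3600,          # 1 hour
}

def audit_set_cookie(headers, site_host):
    """Return (cookie, finding) pairs for Bot Manager cookies in Set-Cookie values."""
    findings, seen = [], set()
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in DOCUMENTED:
                continue  # not a cookie from the documented inventory
            seen.add(name)
            # No Domain attribute means host-only, which is first party.
            domain = morsel["domain"].lstrip(".").lower()
            if domain and site_host != domain and not site_host.endswith("." + domain):
                findings.append((name, f"not first party: Domain={domain}"))
            max_age = morsel["max-age"]
            if not max_age:
                findings.append((name, "no Max-Age: lifetime not verifiable here"))
            elif int(max_age) > DOCUMENTED[name]:
                findings.append(
                    (name, f"lifetime {max_age}s exceeds documented {DOCUMENTED[name]}s"))
    for missing in sorted(set(DOCUMENTED) - seen):
        findings.append((missing, "documented but not observed"))
    return findings

# Constructed sample response headers (values are placeholders, not real tokens).
SAMPLE = [
    "_abck=CONSTRUCTED; Domain=.example.com; Path=/; Max-Age=31536000; Secure",
    "bm_sz=CONSTRUCTED; Domain=.example.com; Path=/; Max-Age=14400",
    "ak_bmsc=CONSTRUCTED; Domain=.example.com; Path=/; Max-Age=86400; HttpOnly",
    "sessionid=CONSTRUCTED; Path=/",
]

if __name__ == "__main__":
    for cookie, finding in audit_set_cookie(SAMPLE, "www.example.com"):
        print(f"{cookie}: {finding}")
```

Any finding means the privacy notice or record of processing would not describe what the edge actually sets, so reconcile the configuration or the documentation before publishing.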
Bot Manager typically sets _abck (bot score), bm_sz (session), ak_bmsc (behavioural state) and bm_sv (sensor verification) as first party cookies on the protected domain. Lifetimes range from session to one year. They are not used for marketing.
Generally no. The cookies and the sensor are used to protect the integrity of the service and qualify as strictly necessary under Article 5(3) ePrivacy. Disclose Bot Manager in your privacy notice instead of asking for consent.
Legitimate interest under Article 6(1)(f) GDPR for fraud and bot prevention, with a documented balancing test. The strictly necessary cookies benefit from the exemption of Article 5(3) ePrivacy.
Edge evaluation happens close to the visitor (including EU). Akamai Technologies is a US company and central analytics run in the United States. Transfers rely on the EU-US Data Privacy Framework and on SCCs for any non DPF flow.
A DPIA is recommended for deployments on consumer flows where false positives could impact rights (login, account creation, payment). Document the signals, the impact on accessibility, the appeal mechanism, and the retention of bot scores.
Enable Bot Manager on critical surfaces (login, password reset, search) rather than every page. Keep the cookies first party. Document the legitimate interest balancing test. Provide an alternative path for users blocked by mistake.
Alternatives include Cloudflare Bot Management, AWS WAF Bot Control, Datadome, PerimeterX (HUMAN), F5 Distributed Cloud Bot Defense, Imperva Advanced Bot Protection and Reblaze. Datadome and HUMAN can offer EU hosting.
List _abck, bm_sz, ak_bmsc and bm_sv as strictly necessary security cookies, with their lifetime and the fact that Akamai operates the bot management. Mention the US transfer mechanism and link to Akamai's privacy notice.