Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
DataDome is a French edge bot protection platform. It detects and blocks malicious bots, credential stuffing, scraping and fraud through a JavaScript challenge and a strictly necessary first party cookie. It operates on legitimate interest, with no consent required for the core security use case.
DataDome is a real time bot detection and online fraud protection platform. The product is deployed as a CDN or web server module (Cloudflare Workers, Fastly Compute@Edge, AWS Lambda@Edge, Akamai EdgeWorkers, Nginx, Apache and native cloud connectors) and as a client side JavaScript tag. DataDome states that each request is scored in under 2 milliseconds, drawing on more than 5 trillion signals per day; each request is then allowed, challenged, blocked or sent to a CAPTCHA. On top of the base bot mitigation, the platform offers Account Protection (continuous authentication), API Protection and Online Fraud detection.
DataDome writes a single first party cookie named datadome (1 year, HttpOnly, Secure) on the publisher domain. The cookie stores an encrypted session token that the DataDome edge uses to recognise the visitor across requests. The JavaScript tag collects a device fingerprint (canvas, user agent, screen, audio context, WebGL) and sends it to the DataDome detection servers, where it is processed for the bot decision. The fingerprint and the IP address are kept only for as long as the security decision and the threat intelligence analytics need them.
The datadome cookie and the fingerprint qualify for the strictly necessary exemption of ePrivacy art. 5(3) under the CNIL guidance (2020) on security cookies and the EDPB guidelines 2/2023. The processing is grounded in GDPR art. 6(1)(f) legitimate interest, because protecting the site from bots, credential stuffing, scraping and fraud is a legitimate goal of the publisher and the visitor has a reasonable expectation that such a measure is in place. Consent is only required when DataDome is used beyond pure security, for example to feed an analytics or ad fraud dashboard.
DataDome offers an EU only deployment where the detection cluster, the logs and the threat intelligence aggregation stay inside the EU (Paris, Frankfurt, Ireland). Customer success and threat research teams in New York and Singapore may access anonymised bot signatures. The 2021 Standard Contractual Clauses cover any incidental transfer, and DataDome is listed under the EU US Data Privacy Framework. As a French company, DataDome is directly under GDPR jurisdiction with the CNIL as the lead authority.
Compliance checklist for publishers using DataDome:

- Sign the DataDome Data Processing Addendum (GDPR art. 28).
- Request the EU only deployment.
- List the datadome cookie in the privacy notice under the strictly necessary category.
- Document the legitimate interest balancing test.
- Integrate the DataDome challenge page with your branding, so visitors can see who is challenging them.
- Configure log retention to the minimum needed.
- Record the bot detection processing in your record of processing activities under GDPR art. 30.

Websites using DataDome do not need to collect consent for the strictly necessary datadome cookie, but they must still disclose it and its legal basis in the privacy notice.
DPIA considerations
A DPIA is generally not required for the standard bot detection use case because the data flow is limited and the cookie is strictly necessary. A DPIA is recommended when DataDome is used in conjunction with the Account Protection module that performs continuous authentication, with the Online Fraud module or when bot signatures feed an external SIEM. The DPIA should cover the device fingerprint scope, log retention, the EU only deployment commitment and any export of bot scores to advertising systems.
Sample privacy notice text
Our site is protected by DataDome, a French bot detection service. DataDome sets a strictly necessary cookie (datadome) on your device to recognise legitimate visitors and challenge suspicious traffic. This cookie is exempt from consent under the CNIL guidance on security cookies. Your data is processed in the European Union under the legitimate interest basis (GDPR art. 6(1)(f)). DataDome does not use this data for advertising or profiling.
Third-party domains contacted

- datadome.co
- api.datadome.co
- js.datadome.co
- captcha-delivery.com
- ct.captcha-delivery.com
- geo.captcha-delivery.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| datadome | First party (DataDome bot protection) | 1 year | Strictly necessary security cookie containing an encrypted session token used by DataDome to recognise legitimate visitors across requests and to bypass the bot challenge for previously validated sessions |
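The cookie description and the domain list above are claims you can verify on your own deployment. The following audit helper is an added example, not code from DataDome or FlowConsent: it parses a captured Set-Cookie header and reports any deviation from the attributes the page describes for the datadome cookie (HttpOnly, Secure, about one year), and it flags any host a page was observed contacting that is not one of the DataDome domains listed above. The function names, the tolerance window and all sample headers and host lists are constructed for the example.

```python
"""
Added audit example (not DataDome's or FlowConsent's code).
Checks a datadome Set-Cookie header against the attributes described on this
page and compares observed third-party hosts with the listed DataDome domains.
Every input below is constructed sample data.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = 365 * 24 * 3600
TOLERANCE = 2 * 24 * 3600  # assumption: allow two days of Expires rounding / clock skew

# Domains from the "Third-party domains contacted" list on this page.
DATADOME_DOMAINS = (
    "datadome.co",
    "api.datadome.co",
    "js.datadome.co",
    "captcha-delivery.com",
    "ct.captcha-delivery.com",
    "geo.captcha-delivery.com",
)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def lifetime_seconds(attrs, now=None):
    """Cookie lifetime from Max-Age (which RFC 6265 says wins) or Expires; None for a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None


def audit_datadome_cookie(header, now=None):
    """Return findings (an empty list means the cookie matches the description on this page)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name != "datadome":
        findings.append(f"unexpected cookie name {name!r}")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    life = lifetime_seconds(attrs, now)
    if life is None:
        findings.append("session cookie, no Max-Age/Expires")
    elif abs(life - ONE_YEAR) > TOLERANCE:
        findings.append(f"lifetime {life}s is not about one year")
    return findings


def unexpected_hosts(hosts, allowed=DATADOME_DOMAINS):
    """Hosts that are neither an allowed domain nor a subdomain of one."""
    def is_allowed(host):
        return any(host == d or host.endswith("." + d) for d in allowed)
    return sorted(h for h in set(hosts) if not is_allowed(h))


# Constructed sample headers; the token value is made up.
GOOD = ("datadome=AbC123xyz; Max-Age=31536000; Domain=.example.com; Path=/; "
        "Secure; HttpOnly; SameSite=Lax")
WEAK = "datadome=AbC123xyz; Max-Age=31536000; Domain=.example.com; Path=/; SameSite=Lax"
# Constructed list of hosts a browser was observed contacting while loading a page.
OBSERVED_HOSTS = ["js.datadome.co", "api.datadome.co",
                  "ct.captcha-delivery.com", "cdn.analytics.example"]

if __name__ == "__main__":
    print(audit_datadome_cookie(GOOD))       # []
    print(audit_datadome_cookie(WEAK))       # ['missing HttpOnly', 'missing Secure']
    print(unexpected_hosts(OBSERVED_HOSTS))  # ['cdn.analytics.example']
```

Feed it the Set-Cookie header from a real response (for example from browser devtools or `curl -I`) and the host list from the network panel. A non-empty result from the first check means the cookie differs from what your privacy notice says about it; a non-empty result from the second means something other than DataDome is being contacted and needs its own entry in the notice.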
DataDome is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Which cookies does DataDome set?
A single first party cookie named datadome (1 year, HttpOnly, Secure) on the publisher domain. The cookie stores an encrypted session token used by DataDome to recognise the visitor across requests. No marketing cookie, no third party identifier.

Does DataDome require consent?
No. The datadome cookie and the fingerprint qualify for the strictly necessary exemption of ePrivacy art. 5(3) under the CNIL guidance on security cookies (2020) and the EDPB guidelines 2/2023. The processing is grounded in GDPR art. 6(1)(f) legitimate interest. Consent is only required if DataDome is used beyond pure security.

What is the legal basis?
Legitimate interest under GDPR art. 6(1)(f), because protecting the site from bots, credential stuffing, scraping and fraud is a legitimate goal of the publisher and one that visitors reasonably expect. Article 28 GDPR governs the processor relationship between the publisher and DataDome SAS.

Is data transferred outside the EU?
With the EU only deployment, no by default. DataDome detection clusters in Paris, Frankfurt and Ireland process the traffic. Customer success and threat research teams in New York and Singapore may access anonymised bot signatures. The 2021 SCCs and the EU US Data Privacy Framework cover any incidental transfer.

Is a DPIA required?
Usually no for standard bot detection. One is recommended for Account Protection (continuous authentication), Online Fraud detection or when bot scores feed an external SIEM or advertising system. The DPIA should describe the device fingerprint scope and the log retention.

What do I need to do to be compliant?
Sign the DPA, request the EU only deployment, list the datadome cookie in the privacy notice under strictly necessary, document the legitimate interest balancing test, customise the DataDome challenge page with your branding, set the minimum log retention and document the processing in your record of processing.

What are the alternatives?
Cloudflare Bot Management, Akamai Bot Manager Premier, Imperva Advanced Bot Protection, Human Security (formerly White Ops), PerimeterX (now part of Human), Kasada, Castle and Arkose Labs. For self hosting: CrowdSec (France, open source), Fail2Ban and ModSecurity. DataDome and CrowdSec are the most EU centric players.

What should my privacy policy say?
Add a strictly necessary section describing the datadome cookie (1 year, security), state the legal basis (legitimate interest), name DataDome SAS in Paris as the processor, link to the DataDome Privacy Policy and explain why this cookie cannot be refused without breaking the security service.