Sift is a machine learning-based fraud detection and trust and safety platform used by e-commerce, fintech, and marketplace companies. It collects detailed device, behavioural, and interaction data to build risk scores for individual users and transactions. While fraud prevention can rely on legitimate interest, the ePrivacy Directive still requires consent for cookies set on users' devices. Data is processed on US servers with no EU residency option.
Sift is a machine learning-based fraud prevention and trust and safety platform used by major e-commerce platforms, fintech companies, and online marketplaces. It provides real-time risk scoring for account creation, logins, payments, and other user actions. The Sift Beacon JavaScript snippet collects detailed device and behavioural signals from every page, building a continuous risk profile for each user. When integrated with a website, Sift can automatically block or flag suspicious activity based on its global network of fraud signals across thousands of client platforms.
Sift collects an extensive range of signals including IP address, browser type and version, operating system, screen resolution, installed fonts, device identifiers, mouse movement patterns, keystroke dynamics, scroll behaviour, click patterns, session duration, navigation history within the site, and network characteristics. It also collects user account attributes, transaction details, and behavioural velocity metrics. This combination of device fingerprinting and behavioural biometrics creates a highly granular individual profile used to generate risk scores.
Sift's GDPR compliance is more complex than most third-party tools because fraud prevention has specific provisions. GDPR Recital 47 acknowledges fraud prevention as a legitimate interest, which means organisations may not always need consent for the underlying risk scoring. However, the ePrivacy Directive still requires consent for cookies set on users' devices, regardless of the purpose. Furthermore, when Sift's risk scores lead to automated decisions that significantly affect users (account suspension, transaction blocking), Article 22 on automated decision-making applies, requiring additional safeguards.
For cookie-based tracking, consent is required under the ePrivacy Directive before Sift sets cookies. For the broader data processing (IP, device fingerprinting, behavioural signals), legitimate interest under Article 6(1)(f) may apply if a documented balancing test demonstrates that fraud prevention overrides individual privacy interests in the specific context. This balancing test must be recorded in your Records of Processing Activities. Users must still be informed of the processing in your privacy policy and given the right to object.
Sift processes all data on US infrastructure with no EU data residency option. This is a third-country transfer under GDPR Chapter V. Standard Contractual Clauses are the applicable transfer mechanism. The transfer is particularly sensitive given that Sift shares risk signals across its global network of clients, meaning individual user data may contribute to risk assessments used by other organisations. This network effect should be disclosed in your privacy policy and assessed in your DPIA.
To use Sift compliantly: obtain consent before loading the Sift Beacon snippet; document your legitimate interest balancing test for the broader fraud detection processing; conduct a DPIA given the automated decision-making and device fingerprinting; update your privacy policy to disclose Sift as a processor, describe the fraud prevention processing, and explain the US transfer; sign a DPA with Sift; implement meaningful safeguards for automated decisions (human review option, right to object); and document all processing in your RoPA.
Websites using Sift must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required when Sift is used to make or significantly influence automated decisions about individual users, such as blocking transactions, suspending accounts, or flagging users as fraudulent. The combination of device fingerprinting, behavioural profiling, automated risk scoring, and US data transfer creates a high-risk processing profile under GDPR Article 35.
Sample consent text
We use Sift to protect our platform from fraud and abuse. Sift collects device information, interaction patterns, and behavioural data to assess transaction and account risk. This data is processed in the United States. This processing may also rely on our legitimate interest in preventing fraud. You may object to this processing by contacting us.
Third-party domains contacted
beacon.sift.com
api.sift.com
cdn.sift.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sn | persistent | 1 year | Device identifier used to maintain consistent fraud risk scoring for returning users across sessions |
| sid | session | Session | Session identifier used to track user actions within a single session for real-time fraud risk assessment |
Sift sets a persistent cookie used to maintain a device identifier across sessions, enabling consistent risk scoring for returning users. It also collects device fingerprinting data without cookies via JavaScript. The cookie-based tracking requires prior consent under the ePrivacy Directive, while the broader device fingerprinting may rely on legitimate interest subject to a documented balancing test.
Partially. For cookies set on users' devices, consent is required under the ePrivacy Directive before the Sift Beacon loads. For the broader data processing used for fraud risk scoring, legitimate interest under GDPR Article 6(1)(f) may apply without consent, provided a balancing test is documented and users are informed in the privacy policy with a right to object.
The ePrivacy Directive requires consent for cookies. For the underlying fraud detection processing, GDPR Recital 47 recognises fraud prevention as a legitimate interest. However, when Sift's outputs lead to automated decisions significantly affecting users (account blocking, transaction rejection), Article 22 GDPR applies, requiring either explicit consent or a specific legal exception, plus safeguards including a human review option.
Yes. Sift is a US company and processes all data on US infrastructure with no EU data residency option. This is a third-country transfer under GDPR Chapter V governed by Standard Contractual Clauses. Additionally, Sift shares risk signals across its global client network, meaning individual user behavioural data contributes to a shared fraud intelligence pool processed in the US.
Yes, a DPIA is required or strongly recommended. GDPR Article 35 requires a DPIA when processing involves systematic profiling of individuals, automated decision-making with significant effects, or large-scale processing of sensitive data. Sift's device fingerprinting, behavioural biometrics, automated risk scoring, and US data transfer all trigger these criteria. The DPIA must specifically assess the automated decision-making safeguards and the network-level data sharing with other Sift clients.
Block the Sift Beacon until consent is obtained for cookies. Document your legitimate interest balancing test for fraud processing. Conduct a mandatory DPIA. Update your privacy policy to describe Sift's data collection, the fraud prevention purpose, the US transfer, and the right to object. Sign a DPA with Sift. Implement human review options for automated decisions. Ensure users can contest fraud-based account actions. Document everything in your RoPA.
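Both step lists above (the "To use Sift compliantly" paragraph and the "Block the Sift Beacon until consent is obtained" answer) begin with the same technical step: the Beacon snippet must not be injected until the visitor has opted in, and identifiers already set must be expired if consent is withdrawn. The following is an added example, not code from this page, from Sift or from FlowConsent, showing one way to implement that gate in the browser. The consent object shape, the consent category name `fraud_prevention` and the script URL are assumptions (the real snippet path must come from Sift's integration documentation; the default below is an obvious placeholder). The cookie names `sn` and `sid` are taken from the page's cookie table. The fake document is a constructed stand-in so the block runs under Node without a browser.

```javascript
// Consent-gated loading of a third-party fraud-detection beacon.
// Added example; not code from the page, from Sift or from FlowConsent.

// ASSUMPTION: placeholder path. cdn.sift.com is listed on the page as a contacted
// domain, but the page gives no script path; take the real one from Sift's docs.
const BEACON_SRC = 'https://cdn.sift.com/PLACEHOLDER-beacon.js';
// ASSUMPTION: the CMP category under which the visitor opts in to fraud-prevention cookies.
const CONSENT_CATEGORY = 'fraud_prevention';
// Cookie names from the page's "Cookies placed" table.
const SIFT_COOKIES = ['sn', 'sid'];

// Prior, opt-in consent: no stored choice (null/undefined) means "not allowed".
// consentState is assumed to look like { categories: { fraud_prevention: true } }.
function beaconAllowed(consentState) {
  if (!consentState || typeof consentState !== 'object') return false;
  const categories = consentState.categories || {};
  return categories[CONSENT_CATEGORY] === true;
}

// Inject the script tag once; returns false if it is already on the page.
function injectBeacon(doc, beaconSrc) {
  if (doc.querySelector(`script[src="${beaconSrc}"]`)) return false;
  const script = doc.createElement('script');
  script.async = true;
  script.src = beaconSrc;
  doc.head.appendChild(script);
  return true;
}

// Expire first-party cookies the beacon may have set. A script that has already
// run cannot be unloaded, so this is the best that client-side withdrawal can do.
function expireBeaconCookies(doc) {
  for (const name of SIFT_COOKIES) {
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
}

// Call on page load and again whenever the CMP reports a change.
// Returns 'loaded' | 'already-loaded' | 'withheld' | 'withdrawn'.
function applyConsent(doc, consentState, beaconSrc = BEACON_SRC) {
  if (beaconAllowed(consentState)) {
    return injectBeacon(doc, beaconSrc) ? 'loaded' : 'already-loaded';
  }
  expireBeaconCookies(doc);
  return doc.querySelector(`script[src="${beaconSrc}"]`) ? 'withdrawn' : 'withheld';
}

// Constructed stand-in for the DOM (only what the functions above touch),
// so the example is runnable offline. In a browser, pass `document` instead.
function makeFakeDocument() {
  const scripts = [];
  const jar = {};
  return {
    scripts,
    head: { appendChild(el) { scripts.push(el); } },
    createElement(tag) { return { tagName: tag.toUpperCase(), async: false, src: '' }; },
    querySelector(selector) {
      const m = /script\[src="([^"]+)"\]/.exec(selector);
      return m ? scripts.find((s) => s.src === m[1]) || null : null;
    },
    get cookie() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      if (attrs.some((a) => /^Max-Age=0$/i.test(a))) delete jar[name];
      else jar[name] = pair.slice(eq + 1);
    },
  };
}

function demo() {
  const doc = makeFakeDocument();
  console.log('no choice yet   ->', applyConsent(doc, null));
  console.log('opted in        ->', applyConsent(doc, { categories: { fraud_prevention: true } }));
  doc.cookie = 'sn=device-id-example; Path=/'; // constructed value standing in for the beacon's cookie
  console.log('withdrawn       ->', applyConsent(doc, { categories: { fraud_prevention: false } }));
  console.log('cookies left    ->', JSON.stringify(doc.cookie));
}

if (typeof require !== 'undefined' && require.main === module) demo();

module.exports = { beaconAllowed, injectBeacon, expireBeaconCookies, applyConsent, makeFakeDocument };
```

Two limits are worth keeping in mind when wiring this to a real CMP: a script that has already executed keeps running until the next navigation, so withdrawal only stops new page loads from injecting it and expires the identifiers it left behind; and `document.cookie` can only expire cookies on the first-party host, so anything set by the beacon's own domain over the network has to be covered by the consent gate in front of the load rather than by cleanup afterwards.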
Fraugster (now Rapyd) is a German-founded fraud prevention platform with EU data processing options. Signifyd offers EU data residency for European customers. For organisations that need full data sovereignty, server-side fraud rules engines deployed on EU infrastructure (such as custom rule sets in Stripe Radar on EU-hosted accounts) can reduce reliance on US-processed ML models.
Add a dedicated section for fraud prevention processing in your privacy policy. Describe Sift as a processor used for fraud detection, list the data collected (device identifiers, IP, behavioural signals), state the legal basis (legitimate interest for fraud prevention, with consent for cookies), disclose the US transfer and SCC safeguard, explain the right to object to automated decisions, and provide contact details for exercising this right.