Chat Widgets Set More Cookies Than You Think
Adding a live chat widget to your website sounds straightforward. Paste a script, and visitors can message your team in real time. What most site owners miss is what happens underneath: Intercom, Drift, LiveChat, and similar tools drop multiple cookies the moment their JavaScript loads.
Some of these cookies are functional. They remember conversation history so a returning visitor does not have to repeat themselves. Others track browsing behaviour, log page views, and build visitor profiles for sales teams.
That distinction matters under European privacy law.
Article 5(3) of the ePrivacy Directive requires prior consent for storing or accessing information on a user's device, unless that storage is strictly necessary to provide a service the user has explicitly requested. A chat widget that sets analytics or identification cookies before the visitor even opens the chat window does not meet that threshold.
Which Cookies Do Popular Chat Platforms Set?
Each platform uses its own set of cookies. The table below covers the most common ones and their typical classification.
| Platform | Cookie Name | Purpose | Classification |
|---|---|---|---|
| Intercom | intercom-id-* | Identifies the visitor across sessions | Non-essential (tracking) |
| Intercom | intercom-session-* | Maintains the current chat session | Functional |
| Intercom | intercom-device-id-* | Links the visitor to a specific device | Non-essential (tracking) |
| Drift | driftt_aid | Anonymous visitor identifier | Non-essential (tracking) |
| Drift | drift_aid | Tracks visitor across sessions | Non-essential (tracking) |
| Drift | drift_campaign_refresh | Controls campaign display frequency | Non-essential (marketing) |
| LiveChat | __lc_cid | Customer identification | Functional |
| LiveChat | __lc_cst | Secure session token | Functional |
The functional cookies that keep a conversation active during a single session sit closer to the "strictly necessary" threshold. Persistent identifiers that track a visitor before they interact with the chat bubble do not.
The GDPR and ePrivacy Position on Chat Cookies
Two legal frameworks apply. The GDPR governs the processing of personal data, including pseudonymous identifiers stored in cookies. The ePrivacy Directive governs the act of placing cookies on a visitor's device.
Under GDPR Article 6, processing personal data through chat widget cookies typically relies on consent as the lawful basis. Some site owners argue legitimate interest under Article 6(1)(f), but regulators have consistently held that tracking cookies require consent, not a balancing test. The EDPB's guidelines on consent make clear that pre-ticked boxes and implied acceptance do not qualify as valid consent.
The ePrivacy Directive sets a separate, device-level rule. If the cookie is not strictly necessary for a service the user has asked for, consent must come first. A visitor landing on your homepage has not requested a chat service. The chat icon sitting in the corner does not count as a request.
When a Chat Cookie Might Be Strictly Necessary
A narrow exception exists. If a visitor actively opens the chat widget and starts typing, cookies that maintain that specific session could qualify as strictly necessary to deliver the requested service. The key word is "requested" - the visitor must initiate the interaction.
Cookies that persist after the session ends, that identify the visitor on their next visit, or that feed data into your CRM before any chat begins fall outside this exception.
How Regulators Have Treated Non-Essential Widget Cookies
No DPA has issued a decision specifically targeting live chat cookies. The enforcement principles, however, are well established. In 2024 and 2025, the CNIL issued formal notices to multiple website publishers for setting non-essential cookies before obtaining consent. The pattern was consistent: cookies loaded on page load, before the visitor interacted with any consent mechanism.
The ICO launched a new cookies enforcement strategy in January 2025, issuing compliance warnings to 134 UK websites. The focus was on UK GDPR and PECR violations, including cookies set without valid consent.
Chat widget scripts that load on every page and drop tracking cookies before consent behave identically to the advertising and analytics scripts these enforcement actions targeted.
Blocking Chat Widgets Until Consent Is Given
The safest approach is to prevent the chat widget script from loading until the visitor grants consent for functional cookies or, where applicable, analytics cookies.
There are several ways to implement this. The most common method is changing the script's type attribute from text/javascript to text/plain, which stops the browser from executing it. Your consent management platform then switches the type back once the visitor accepts the relevant cookie category.
Drift's own documentation describes a "facade" pattern: load a static placeholder that looks like the chat icon, listen for consent status changes, and swap in the real widget only after consent is confirmed. Intercom supports a similar delayed-load approach through its JavaScript API.
Categorising Chat Cookies in Your CMP
Where you place chat cookies in your consent banner matters. Grouping them under "strictly necessary" would be incorrect for most implementations, since the tracking cookies load before any visitor interaction.
Two reasonable options exist. You can classify chat widgets under "functional cookies" if the widget only sets session-level cookies after the visitor opens the chat. If the widget also feeds visitor data to analytics or sales pipelines, "analytics" or "marketing" may be more accurate. Run a cookie audit using a scanner to see exactly which cookies your specific chat implementation sets.
What Happens When Visitors Decline Consent
If a visitor rejects the cookie category containing your chat widget, the widget should not load at all. This means some visitors will not see a chat option.
That feels uncomfortable for businesses that rely on live chat for sales or support. There are practical alternatives.
Offer a contact form or email link instead. Visitors who decline cookies can still reach your team through a standard HTML form that sets no cookies. You could also display a notice explaining that chat requires cookies, with a link to update their consent preferences.
Some platforms support a cookieless mode for basic functionality, though this typically limits features like visitor identification and conversation continuity.
CCPA, PIPEDA, and Chat Cookies Outside the EU
The CCPA takes a different approach. It does not require prior consent for cookies, but it does give California residents the right to opt out of the "sale" or "sharing" of personal information. If your chat widget passes visitor data to a third-party provider that uses it for its own purposes, that transfer could constitute a sale or share under the CCPA.
Canada's PIPEDA requires meaningful consent for the collection of personal information. Chat cookies that track visitor behaviour fall within scope.
Brazil's LGPD and South Africa's POPIA both include consent as a lawful basis for processing, and both apply to cookies that collect personal data. If your site serves visitors in these jurisdictions, your chat widget consent approach needs to account for each framework.
A Practical Compliance Checklist for Chat Widgets
Audit the cookies your chat platform sets by inspecting cookies in Chrome DevTools before and after opening the chat. Document every cookie name, duration, and purpose. Classify each cookie honestly - session tokens may be functional, but persistent visitor IDs are not strictly necessary.
Configure your CMP to block the chat script until the appropriate cookie category is accepted. Test that no chat cookies appear in the browser when consent is withheld. Verify that rejected cookies are actually blocked by clearing your browser storage and loading the page with cookies declined.
Review your cookie policy and update it to list the specific cookies your chat widget sets. Include the cookie name, provider, purpose, and expiry for each one.
Frequently Asked Questions
Are live chat cookies strictly necessary under GDPR?
Most live chat cookies are not strictly necessary. Session cookies that maintain an active conversation may qualify, but persistent tracking cookies that identify visitors across sessions require consent under Article 5(3) of the ePrivacy Directive.
Do I need consent to load Intercom on my website?
Yes. Intercom sets tracking cookies such as intercom-id-* and intercom-device-id-* that identify visitors across sessions. These require prior consent before the Intercom script loads on your pages.
Can I load a chat widget without cookies?
Some chat platforms offer limited cookieless modes, but most core features depend on cookies for session management and visitor identification. A safer approach is to block the widget until consent is granted and offer a contact form as a fallback.
What cookie category should live chat fall under?
If the chat widget only sets session cookies after the visitor opens the chat, "functional" is appropriate. If it also tracks page views or feeds data to analytics, "analytics" or "marketing" may be more accurate.
Does the CCPA require consent for chat widget cookies?
The CCPA does not require prior consent for cookies. However, if visitor data collected through the chat widget is shared with or sold to third parties, California residents have the right to opt out of that sharing.
What happens if a visitor rejects cookies but needs live chat support?
The chat widget should not load for visitors who decline consent. Offer alternative contact methods such as an email address or a standard contact form that does not require cookies.
Take Control of Your Cookie Compliance
If you are not sure which cookies your chat widget sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
