GDPR advice on ChatShipper Webwidget functionality

Updated 1 month ago by Joost Rijlaarsdam

This is memorandum written by our Privacy Lawyer on the GDPR impact of the cookies (local storage) used by the ChatShipper webwidget. It stipulates that both components are functional cookies, therefore fall outside of consent.

Memorandum: GDPR advice on ChatShipper chat functionality

Dear Joost,

You have asked me to advise you regarding ChatShipper’s use of two functional software components that support the ChatShipper chat functionality in relation to the EU General Data Protection Regulation (GDPR) and compliance therewith.

1. Background

To serve the visitors of Web1on1 client’s websites, a Webwidget (messaging pop-up) is displayed on a client’s website. For it to function well, the Widget needs 2 software components, the Sunshine Conversations widget and the ChatShipper Wrapper. Below please find an analysis of the GDPR compliance of both functionalities.

2. Sunshine Conversations widget

The Sunshine Conversations (hereafter Sunshine) widget is stored locally in a User’s browser. A “User” refers to an end-user of a Web1on1 client’s platform or a customer of a client’s business. The following are all examples of Users:

  • A visitor to a Web1on1 client’s website
  • The holder of an SMS number
  • A user of a Web1on1 client’s mobile app
  • A member of the public on Facebook Messenger / Whatsapp

When a new User, or a returning User who has cleared the cookie and local storage history, visits a Web1on1 client’s platform they will be anonymous by default. Anonymous Users will be assigned a user-ID.

Assigning a user an ID allows Sunshine to optimize User experience in two ways:

  1. It avoids conversations to break while switching webpages during chat;
  2. 2. It remembers returning visitors to facilitate a conversation history / context.

A user-ID is a string that can have any desired value, but must be unique within the application. Sunshine assigns individual user-IDs that are structured as follows (by way of example): XXXXb782298146afb2fee637XXXXX. A user-ID allows a Web1on1 client’s system to easily map a User to a user record.

User-ID’s are stored permanently in the browser of a User. They do not have an automatic expiry date and remain in the local storage of the User’s browser until deleted. User-ID’s are strictly necessary to offer Users the best experience on ChatShipper client’s website.

This means that the Sunshine widget is a functional feature, meaning, it is necessary to ensure proper functioning of a website, which falls outside the scope of the consent requirements under the GDPR.

3. ChatShipper wrapper

ChatShipper has created additional functionality to the Sunshine widget (the “Wrapper”). The Wrapper is stored locally in the browser of a User for a period of 30 minutes, after which it will be flushed automatically.

The wrapper cookie is used for user experience optimization (functional cookie).

It enables to auto-invite a User after either of the following:

  1. a set period of time (e.g. 30 seconds); or
  2. after the user has visited a certain amount of pages.

To enable sub 2 above the wrapper assigns an anonymous user-ID which allows tracking pages during the session to time the auto-invite message.

Without the Wrapper a customer would, when visiting a client’s website, promptly be invited to chat. This is generally considered intrusive or pushy. Most people prefer to browse a little on their own, before being asked if they need help. This is what the Wrapper ensures.

This means that the Wrapper is a functional feature, meaning, it is necessary to ensure proper functioning of a website, which falls outside the scope of the consent requirements under the GDPR.

3 Conclusion

Both Sunshine and Wrapper offer features which are considered functional, meaning, necessary to ensure proper functioning of a website. Functional cookies fall outside the scope of the consent requirements under the GDPR.

Helena Verhagen

Co-founder & Privacy Lawyer

Privacy Valley B.V


How did we do?