Bubble GDPR Intro Guide - Bubble Blog

Hello again @allenyang, thanks for your answer, but this is not about your understanding or mine; it’s just that, as it is now, it is not compliant.

Basically, what the GDPR looks to accomplish with the new cookie consent is that the user has to have the option to control the cookies that the website is using.

As said two times, what makes it compliant is the fact that the user HAS TO BE ABLE TO NAVIGATE on the website even if he doesn’t want to use any particular cookie such as analytics or others. For example: If I’m using an analytical plugin to track users’ experience for SEO or any other purposes, the user can’t deny that particular cookie/consent.

What the Bubble plugin does is inform the user that the website is using cookies and force them to accept EVERYTHING that’s running on the website. That’s not compliant. I suggest you check with the legal department and you will see what I’m talking about.

As said before, we did an external audit, and we got advised on this, and that’s the reason I’m writing on this thread.

We can’t use an external cookie consent because we can’t control which cookies are used by all the elements that are running in the Bubble background, such as plugins or unknown sources.

We can’t add a notice saying that using this website requires accepting ALL THE COOKIES, because that’s the exact reason why GDPR changed cookie policies (plus even we, as the “platform”, don’t know exactly which or how many cookies are running on our site).

  • Receive users’ consent before you use any cookies except strictly necessary cookies: This condition isn’t met. Bubble will use all the cookies, no matter if the user gives the consent before.

  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received: This condition isn’t met. We don’t know how many cookies our Bubble app is actually using, because many plugins can use/add/modify cookies, and we don’t know what cookies Bubble is using in the background.

  • Document and store consent received from users: Where is the consent stored in Bubble? How can the user access/see/modify this?

  • Allow users to access your service even if they refuse to allow the use of certain cookies: This condition isn’t met. As explained before in the example, if any user doesn’t want to allow the analytics on my website, he has no option to decline these cookies; he is forced to accept all.

  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place: Same question as in 3*

I can understand you don’t want to enter into a legal situation, but IMHO if I’m planning to use Bubble as a platform in the EU, I need to be 100% sure this is GDPR compliant with guarantees, otherwise I can be fined for not being compliant at all. I’m actually very insecure and uncomfortable with this because I’m very sure this will not work. It’s something as the “bubble builder” can’t change or use external services. Sometimes I feel Bubble gives answers without committing or giving a 100% guarantee for the companies/individuals that are using Bubble as a platform.

After checking with our engineering team, I do need to correct myself on what I wrote before - I was getting two features mixed up.

You’re right that the cookie consent plugin just offers an FYI banner, based on the version of Osano that we’ve implemented there. So you’re also correct that this is not enough.

The other feature I got mixed up with, which should be much more helpful for GDPR compliance, is the checkbox found in Settings > General called “Do not set cookies on new users by default”. If you check this box, any visitor to your app will not get any Bubble cookies - which also means they will not get a temporary user ID. When you’re using this setting, you can also use the workflow action “Opt-in to cookies”.

The combination of these two means that you can build an experience where no users get cookies, but you can show some kind of consent element that, when the user gives consent, then turns on cookies.

(Note also that there’s a workflow action to opt out of cookies when you’re using this setting. That takes care of being able to withdraw cookie consent.)

When you’re using this setting, the user is still able to navigate around your Bubble app - but you as the creator are in control of what that experience looks like for a non-cookied user.

Bubble itself sets a certain handful of cookies which are necessary for Bubble to behave properly with a logged-in experience. Cloudflare also sets a cookie which I believe is generally regarded as necessary (and not used for things like analytics, personalization, marketing, etc.). More information about these cookies can be found here.

So in short, the above feature is what you’d use to build a user flow where visitors can consent to cookies.

Bubble does not have the feature to create categories of cookies with finer grained controls over each. But, you as the app creator do have control over which plugins you use - and some plugins will influence which cookies your app sets. (I am double checking with our legal counsel on whether the EU’s stance on controls by cookie category has changed recently.)

(The original blog post of this thread had the above feature listed, but I’m editing it now to account for the information that yusaney1 has highlighted here.)


An addition to my last post: we’ve heard back from our legal counsel (again, caveat, that this is our legal counsel and not yours, so if you want to be absolutely sure, you should check with your own 🙂). Their opinion is that EU regulation* requires that non-essential cookies need affirmative, opt-in consent from users, and doesn’t expressly say anything about categorizations of non-essential cookies. There is a statement that such consent should be “specific, informed and unambiguous”. Listing out the categories of cookies and giving finer-grained controls appears to be one way to satisfy this clause; arguably, one could also just be very specific and transparent about all the different cookies that the site uses, even if there’s only 1 control over all of them.

* EU regulation here being both GDPR and the ePrivacy Directive

Hello @allenyang,

Is there any existing documentation where we could find a description of the cookies set and used by Bubble (by default) and the ones relating to Bubble’s plug-ins (if Bubble plugins set any other cookies)?

That would really help for the legal docs 🙂

Thanks for the update @allenyang, we will run some more legal checks before proceeding with this…

However, it’s a bit weird that the Bubble website, which “is made using the Bubble editor”, is using a different “cookie consent”, actually exactly as I explained in the different posts I did here, and the “one made” by Bubble for EU users to be compliant looks exactly as it shouldn’t (TBH very disappointed here, it’s like some kind of bad joke).

If the Bubble website is made with the Bubble editor, how does it actually have the feature to create categories of the cookies that the app is using? If all that you said about the actual Bubble plugin is actually true, why is Bubble using a different cookie consent?

We haven’t added it to our formal documentation yet, but I answer the question about Bubble’s default cookies here: California Consumer Privacy Act (CCPA)

We haven’t documented what cookies different plug-ins set yet. Generally it should be the cookie of the corresponding service if it’s needed for the plugin to run. Easiest way to tell without waiting for our documentation is to set up the plugin and see for yourself!

@yusaney1 I checked with our team on this one. Yes, we use this service for our main webpage: https://cookie-script.com/. It’s a paid service that allows for more customization. Please see my above responses for why you shouldn’t rely on the Bubble-made plugin (which came out a while ago) for current GDPR compliance, and for our other guidance here.

Cookie script sounds powerful!

Would it be possible to embed this cookie script thing into a bubble site? I was thinking the integration would work if embedded into the script/meta tags in header in the SEO/metatags page.

Like they do here for SquareSpace:

Does anyone know if this works?


Actually it does.


Hi, thanks for this - it was very helpful. @allenyang , is bubble planning any further developments around this such as more granular acceptance of individual cookies that @yusaney1 was suggesting?

No, not at this time. Bubble only sets a limited number of cookies on an end-user which are all important for core behavior of the app, namely staying logged in (see this post). You may also see a Cloudflare cookie from the Bubble platform but this is to make Cloudflare work technically, not to track end-user personal data.

Other cookies are likely due to certain plugins that the app creator chooses to use.

Thanks allen

Thanks Allen, and others, for this valuable conversation. GDPR does create issues for me (and it’s not that I’m trying to track users secretly, I’m just trying not to make a mistake that costs me a fine).

That cookie script system looks like a really decent solution, and the pricing isn’t ridiculous either, so thanks for sharing that one.

I appreciate what is being attempted with GDPR implementation, but the reality is that for me as a sole developer, fully understanding the requirements and keeping on top of it is just such a huge task when I’m trying to build something that users want to use.

Best wishes Phil

Hello @philip.berryuk,

You can also have a look at iubenda; their GDPR solution is great and they also provide a cookie banner blocking non-necessary cookies, according to users’ consent.

There was a lifetime deal on AppSumo, maybe still available.

@vivienne @allenyang
Quick question regarding the DPA on the Bubble website. I’m a little unclear as to how this is to be used. Am I right that this is an agreement between me as a Data Controller and Bubble as my Data Processor? So I’d put my details in as the Licensee, having copied the text, and keep it on file as my DPA with you? And then I can say I have a DPA with Bubble (as Bubble does with their data-processors)? Or would the DPA with my details included normally be available to my users on my site?

Hi Shane,

You are correct that the DPA is an agreement between you and Bubble when you are the Data Controller and Bubble is your Data Processor.

We’ve been informed by our legal counsel that since we have published our DPA publicly, it is in effect for all our customers. But, in the event that you really would like a dually signed copy, please send us an email at legal@bubble.io, and we can kick that off.

I believe the DPA between you and Bubble does not need to be available to your users, but for that question you should consult your legal counsel.


Thanks Allen, That clarifies it for me. I don’t need anything more.

Well that was a lot of reading.

If I understand correctly- the Bubble-built plugin is “good enough” for most use cases?

Hi @yusaney1,

Can I ask how you proceeded with this?

Hi Allen, All,
can you please advise on this? It is clearly a GDPR related behavior of Bubble that I need to fix:

Many thanks!