Do I need to disclose Optimizely in my privacy policy?

Yes. Optimizely collects personal data including visitor identifiers, experiment exposures, and behavioral events. Under GDPR, CCPA, and similar regulations, you must disclose any third-party tools that process visitor data. Include the processor name (Episerver/Optimizely), data categories collected, and purposes in your privacy policy.

What specific data does Optimizely collect?

Optimizely collects visitor IDs, experiment variation assignments, conversion and revenue events, page views, click events, and custom visitor attributes you configure. The optimizelyEndUserId cookie persists for 6 months to maintain visitor continuity across sessions. Additional data depends on your implementation and which events you track.

Does Optimizely require cookie consent?

Yes, under GDPR and similar regulations. The optimizelyEndUserId cookie is used for analytics and requires explicit user consent before being set on client browsers. However, Optimizely supports server-side implementations that avoid client-side cookies, which may reduce consent requirements depending on your data handling.

Who is the data processor and where is data stored?

Optimizely is operated by Episerver (Optimizely), a United States-based company. Data is processed in the US. Under GDPR, transfers to the US require adequate safeguards such as Standard Contractual Clauses. Review Optimizely's privacy policy at https://www.optimizely.com/legal/privacy-policy/ and data processing agreement for transfer mechanisms and security details.

Feature Flags & Experimentation

Privacy policy clauses for Optimizely

Optimizely is a digital experience optimization platform that enables websites to conduct A/B tests, run feature experiments, and personalize user experiences. It tracks visitor behavior and experiment participation to help organizations improve conversion rates and user engagement through data-driven decision-making.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Optimizely collects

Your privacy policy must disclose each of the following data types when you use Optimizely.

Visitor ID and attributes

Experiment variations and exposures

Conversion and revenue events

Page views and click events

When does Optimizely trigger privacy obligations?

Installation triggers cookie and tracking obligations

The moment you add Optimizely's SDK to your site or app, the `optimizelyEndUserId` cookie is set and visitor attributes, experiment exposures, and conversion events begin flowing to Optimizely's US servers. This immediately triggers:

GDPR (EU/UK visitors): Article 82 (cookies) and Article 6 (lawfulness) obligations apply. The ePrivacy Directive Article 5(3) requires explicit prior consent before non-essential cookies are placed. Optimizely's cookie is not technically essential—it serves analytics and experimentation—so you must obtain affirmative consent *before* the SDK loads, not after.

Privacy policy clauses for Optimizely

What data Optimizely collects

When does Optimizely trigger privacy obligations?

Installation triggers cookie and tracking obligations

Where data goes

Cookies set by Optimizely

Common compliance pitfalls

Pitfall 1: Privacy policy does not name Optimizely or disclose its cookie

Pitfall 2: Deploying Optimizely in "client-side" mode without prior consent

Pitfall 3: No Data Processing Agreement (DPA) with Optimizely

Legal note

Sample privacy policy clause

What regulators look for

Audit priorities

Frequently asked questions

Do I need to disclose Optimizely in my privacy policy?

What specific data does Optimizely collect?

Does Optimizely require cookie consent?

Who is the data processor and where is data stored?

Don't ship without Bandit.