Does PHP require disclosure in our privacy policy?

Yes. If your website uses PHP sessions, you must disclose this in your privacy policy because PHP sets the PHPSESSID cookie to track user sessions. This cookie is a tracking mechanism that qualifies as personal data collection under GDPR and CCPA, requiring transparent disclosure to users about what data is collected and why.

What specific data does PHP collect?

PHP collects session data when PHP sessions are enabled. The primary data point is the PHPSESSID cookie value, which is a unique session identifier. Additionally, PHP may log server-side session information such as session start time, duration, and any variables stored within the session (like user ID or authentication status). This data is stored on the server, not transmitted to third parties.

Does PHP require a cookie consent banner?

Yes, if PHPSESSID is set. The PHPSESSID cookie is classified as strictly necessary for website functionality and user authentication. Under GDPR, you must disclose strictly necessary cookies in your cookie banner or policy, though explicit consent is not required. Under CCPA, you must provide notice of this data collection in your privacy policy.

Who processes PHP data and where is it stored?

PHP data is processed and stored on your own web server (self-hosted). No third-party processors are involved unless you explicitly configure PHP to send data to external services. Session data remains under your direct control and is not transferred to external platforms, making you the sole data controller responsible for compliance.

Infrastructure

Privacy policy clauses for PHP

PHP is a server-side scripting language that processes requests and generates web pages before sending them to your browser. Websites use PHP to build dynamic functionality, handle form submissions, manage user interactions, and maintain session state without storing sensitive data on your device.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data PHP collects

Your privacy policy must disclose each of the following data types when you use PHP.

Session data (if PHP sessions used)

When does PHP trigger privacy obligations?

When PHP Triggers Privacy Obligations

PHP's core privacy obligation activates the moment you use server-side sessions via `session_start()`. This automatically sets a `PHPSESSID` cookie on the user's browser — a first-party, strictly necessary cookie that identifies and persists the user's session state on your server.

### The Data Flow

When PHP sessions are enabled, every request transmits the PHPSESSID cookie back to your server, allowing you to retrieve and store session data (login tokens, user IDs, form state, preferences). This constitutes automated personal data processing under GDPR Article 4(1) (any identified or identifiable natural person) and CCPA Section 1798.100 (personal information collected by a business).

### Jurisdiction Thresholds

–GDPR: Applies if your users include any EU residents, regardless of your business location.
–CCPA: Applies if you operate a for-profit business serving California consumers and meet one of three thresholds (annual revenue >$25M, buy/sell data on 100k+ Californians, or derive 50%+ revenue from selling consumer data).

Common compliance pitfalls

Cookie	Duration	Category	Purpose
PHPSESSID	Session	strictly necessary	Server-side session identifier

Common PHP Session and Cookie Compliance Mistakes

### Pitfall 1: PHPSESSID Disclosure Omitted or Buried

The mistake: Operators set `session_start()` without mentioning PHPSESSID in their cookie notice or privacy policy, or mention it only in a vague "technical cookies" catch-all.

Why it happens with PHP: PHPSESSID is created automatically by PHP; developers often don't realize they must affirmatively disclose it because it's not a third-party tool. The cookie name itself is opaque to non-technical users.

Consequence: Regulatory bodies (especially EU DPAs) flag this as non-transparent data processing. Under GDPR Articles 13 & 14, you must inform users of the cookies set and their purpose *before* they are stored. Failure exposes you to audits, warning letters, or fines up to €20M or 4% of global revenue.

### Pitfall 2: Session Data Overload Without Legal Basis

The mistake: Storing excessive or sensitive data in `$_SESSION` (e.g., credit card fragments, medical history, IP geolocation) without documenting a lawful basis or implementing access controls.

Why it happens with PHP: PHP's `$_SESSION` array is convenient and server-side, so developers assume it's "safe" and freely populate it. The storage location on the server creates a false sense of privacy.

Consequence: GDPR Article 6 (lawfulness of processing) requires a documented legal basis. If you store sensitive special category data under Article 9 without explicit consent or another exemption, DPAs will issue enforcement notices. CCPA violations expose you to statutory damages ($100–$750 per violation per consumer).

### Pitfall 3: No Consent Mechanism for Non-Strictly-Necessary Sessions

The mistake: Using PHP session cookies for optional analytics or personalization tracking without consent, classifying them as "strictly necessary" to avoid the consent friction.

Why it happens with PHP: The distinction between "required for login" and "useful for tracking" is blurry; developers conflate session functionality with usage analytics stored in the same cookie jar.

Consequence: ePrivacy law and GDPR Article 5(1)(a) (lawfulness and fairness) require genuine prior consent for non-essential cookies. Misclassification is a high-priority enforcement target; DPAs routinely issue fines for false "strictly necessary" claims.

Privacy policy clauses for PHP

What data PHP collects

When does PHP trigger privacy obligations?

When PHP Triggers Privacy Obligations

Cookies set by PHP

Common compliance pitfalls

Common PHP Session and Cookie Compliance Mistakes

Legal note

Sample privacy policy clause

What regulators look for

What Data Protection Regulators Flag in PHP Audits

Frequently asked questions

Does PHP require disclosure in our privacy policy?

What specific data does PHP collect?

Does PHP require a cookie consent banner?

Who processes PHP data and where is it stored?

Don't ship without Bandit.