CookieChimp Logo
Get Started

Every Cookie Set by AI Widgets on Your Website — Chatbots, Search, Recommendations, and More

AI chatbots, search widgets, recommendation engines, and personalisation tools all set cookies on your users' devices the moment you embed them. This guide maps the exact cookie footprint of every major AI integration — Intercom, Drift, HubSpot, Zendesk, Dynamic Yield, Algolia, and more — and shows how to stay compliant.

Written by
Daniel
Published on

In short: Every AI tool you embed on your website — chatbots from Intercom, Drift, and HubSpot, search widgets from Algolia and Coveo, recommendation engines from Dynamic Yield and Nosto, personalisation tools from Optimizely and VWO — sets cookies on your users' devices. Some last 30 minutes. Others persist for nearly six years. The moment you add that script tag, those cookies become your compliance responsibility. This guide maps the exact cookie footprint of every major AI integration, explains the regulatory landscape, and shows how to handle it all.

AI-powered tools are everywhere in modern web development. Chatbots handle customer support. Recommendation engines drive revenue. Search widgets surface relevant content. Personalisation layers optimise conversion. Translation tools expand reach.

Behind every one of these integrations, there are cookies.

Most developers don't think about this until a compliance audit forces them to. But with GDPR enforcement accelerating — the CNIL issued €486.8 million in fines in 2025 alone, OpenAI was fined €15 million by the Italian Garante, and the UK ICO flagged 134 out of the first 200 websites it reviewed — the cost of ignoring cookie compliance has never been higher.

This guide covers every major category of AI widget, the exact cookies each one sets, and what you need to do about it.

AI Chatbot Widgets

Chatbots are the most common AI integration on the web. Every major platform sets cookies for visitor identification, session management, and conversation history. Here's what each one drops on your users' devices.

Intercom (Fin AI)

Cookie Duration Purpose
intercom-id-[app_id] 9 months Anonymous visitor identifier
intercom-session-[app_id] 7 days (configurable) Tracks unique browser sessions — auto-extends by 1 hour during active use
intercom-device-id-[app_id] 9 months Device identification to prevent abuse

All first-party cookies (domain-scoped, cannot be read cross-domain). Also uses localStorage keys like intercom.intercom-state. Intercom supports deferring widget boot until cookie consent is granted — calling Intercom('shutdown') clears cookies on logout.

Drift (Salesloft)

Cookie Duration Purpose
driftt_aid ~2,099 days (~5.7 years) Anonymous visitor identifier
driftt_sid 1 day Session identifier
drift_aid Persistent UUID-format anonymous ID
driftt_eid Persistent Engaged visitor identifier

Drift's driftt_aid cookie has one of the longest lifetimes in the industry — nearly six years. Beyond cookies, Drift also stores extensive behavioural data in localStorage: Drift.Targeting.firstVisit, numberOfVisits, numberOfSessions, originalReferrer, currentReferrer, searchTerm, and more. The widget can be deferred behind consent by delaying the drift.load() call.

HubSpot Chatbot

Cookie Duration Purpose
messagesUtk 6 months Chat user identity (GUID) — links conversation history
hs-messages-is-open 30 minutes Remembers if chat widget is open
hs-messages-hide-welcome-message 24 hours Respects visitor minimisation preference
__hstc 13 months Main HubSpot tracking cookie (domain, utk, timestamps, session count)
hubspotutk 13 months Visitor identity tracking — used for contact deduplication on form submission
__hssc 30 minutes Session tracking (domain, viewCount, session start)
__hssrc Session Session restart detection
__hs_opt_out 13 months Prevents tracking code from sending data (consent)
__hs_do_not_track 13 months Prevents tracking but allows anonymised data (consent)
__hs_cookie_cat_pref 13 months Records which cookie categories were consented to
__cf_bm 30 minutes Cloudflare bot protection (necessary)

HubSpot's chatbot consent is turned on by default for new chatflows — the widget prompts visitors before dropping messagesUtk. But the broader HubSpot tracking code (__hstc, hubspotutk) often runs alongside the chatbot and sets its own cookies with 13-month lifetimes. Adding HubSpot's chatbot almost always means adding HubSpot's entire tracking infrastructure.

Zendesk Chat

Cookie Duration Purpose
__zlcmid 365 days Zopim Live Chat ID — identifies device across visits
__zlcid Session Current session identifier
__zlcprivacy Persistent Privacy/consent preference flag — when set, __zlcmid is deleted
ZD-suid Session Unique session ID (analytics)
ZD-store Persistent Persists widget state and visitor information
AWSALBCORS 7 days AWS load balancing

Zendesk's messaging Web Widget defines three cookie consent ranges: "all" (all cookies), "functional" (no analytics), and "none" (widget hidden, all storage deleted). The classic Chat widget uses the cookieLaw JavaScript API for consent management.

Crisp Chat

Cookie Duration Purpose
crisp-client/session* 6 months (renewed) Session management
crisp-client/socket Session WebSocket connection for real-time chat

Crisp offers a "Total Privacy" mode that defers all cookies until the user manually opens the chatbox. They claim their cookies are strictly necessary for the messaging service, though this classification is debatable under GDPR.

LiveChat

Cookie Duration Purpose
__lc_cid 2 years Customer identity verification
__lc_cst 2 years Customer secure token

Both cookies are Secure and HttpOnly. LiveChat classifies these as essential for service delivery.

LivePerson

Cookie Duration Purpose
LPVID Persistent Unique visitor identifier
LPSID-[accountnumber] Session Session identifier
__lpv, __lps Persistent/Session First-party visitor and session identification

Freshchat (Freshworks)

Cookie Duration Purpose
zarget_user_id 365 days Experiment bucketing

Also sets third-party cookies from wchat.freshchat.com and api.freshworks.com. Widget loading can be deferred by calling window.fcWidget.init({}) manually instead of auto-initialising.

The Lightweight Alternatives

Not every chatbot platform relies on cookies. Some newer tools have designed around them:

  • Botpress primarily uses localStorage for session persistence, with fallback to sessionStorage or cookies.
  • Voiceflow doesn't use cookies by default — it offers localStorage, sessionStorage, or memory persistence modes.
  • Tidio stores state primarily in localStorage, with minimal cookie usage (tidio_state_*).
  • Clerk.io is completely cookieless — it uses anonymous session IDs computed from IP + User Agent + a rotating store salt.

These platforms demonstrate that it's possible to build functional AI chatbots without heavy cookie footprints.

AI Search Widgets

AI-powered search is increasingly common on content-heavy sites, e-commerce stores, and documentation platforms. These tools set cookies for personalisation and analytics.

Tool Key Cookies Duration Category
Algolia _ALGOLIA (anonymous userToken UUID) 6 months (configurable) Analytics — in search-insights.js v2+, useCookie defaults to false, so cookies are opt-in
Coveo coveo_visitorId (v4 UUID) Persistent Functional/Analytics — also stores in localStorage

Algolia's shift to opt-in cookies in v2+ is notable — if you're running an older version, cookies are set by default. Upgrading changes the compliance picture significantly.

AI Recommendation Engines

Recommendation engines are the backbone of e-commerce personalisation. They track browsing behaviour, purchase history, and user preferences to surface relevant products. Their cookies tend to be long-lived and wide-reaching.

Tool Key Cookies Duration Category
Dynamic Yield _dyid (unique user ID), _dyid_server (server-side copy), _dyjsession (session), _dycst (consent status), _dy_geo (geolocation) 365 days max / session Personalisation/Analytics — supports Active Cookie Consent Mode where no cookies are set until consent is granted
Nosto nostojs, 2c.cId (browser ID), 2c.dId (cross-device ID) 4 years Analytics — all first-party
Clerk.io None (cookieless by default) N/A N/A — optional clerk_visitor cookie with consent

Nosto's 4-year cookie lifetime is worth flagging — it's one of the longest in the industry and will raise questions in any compliance audit. Nosto themselves say that whether their cookies are "essential" or "marketing" is the website owner's determination, not theirs. That means the compliance classification falls on you.

AI Personalisation and A/B Testing

Tool Key Cookies Duration Category
Optimizely EPi:NumberOfVisits, .EPiForm_VisitorIdentifier, ai_session, ai_user 90 days – 1 year Analytics — also uses localStorage extensively
VWO _vwo_uuid_v2 (visitor UUID), _vis_opt_s (session), _vwo_sn (session number) Persistent Analytics

AI Translation

Tool Key Cookies Duration Category
Weglot wglang (language preference) Session Preferences — may require consent depending on jurisdiction

Patterns Every Developer Should Understand

Looking across all these AI integrations, a few patterns emerge:

1. Visitor identification is universal. Nearly every AI widget generates a unique ID (usually a UUID) and stores it in a cookie: intercom-id-*, driftt_aid, __zlcmid, __lc_cid, LPVID, _vwo_uuid_v2, coveo_visitorId, _dyid, 2c.cId. These are the backbone of personalisation and conversation continuity.

2. Cookie lifetimes vary wildly. From 30-minute session cookies (__hssc) to Drift's ~6-year driftt_aid and Nosto's 4-year cookies. Longer lifetimes mean more compliance scrutiny.

3. "Essential" classification is contested. Many chat widget providers classify their cookies as "strictly necessary" because the chat feature doesn't work without them. But under GDPR, whether a chat widget itself is "necessary" for your website is a different question. A visitor ID cookie for a chatbot that the user hasn't interacted with yet is arguably not strictly necessary for your site's core purpose.

4. The shift to localStorage and cookieless approaches is real. Newer platforms (Botpress, Voiceflow, Clerk.io, Tidio) are designing around cookies entirely. This is partly driven by Apple's ITP capping JavaScript-set first-party cookies to 7 days (or 24 hours in some cases), and partly by the compliance overhead that cookies create.

5. Third-party scripts add hidden cookies. HubSpot's chatbot comes bundled with broader tracking code. Freshchat sets third-party cookies from multiple Freshworks domains. Widgets rarely exist in isolation — they bring their ecosystem with them.

How you integrate an AI tool fundamentally changes your cookie compliance obligations. This is one of the most important architectural decisions you can make.

Client-Side Widget Integration

When you embed an AI tool via a <script> tag, JavaScript executes in the user's browser. This means:

  • Cookies are set directly on the user's device — first-party or third-party
  • Browser storage APIs (localStorage, sessionStorage, indexedDB) are used alongside cookies
  • You inherit every cookie the widget's vendor sets — their analytics, their tracking, their session management
  • Apple's ITP caps JavaScript-set first-party cookies to 7 days (24 hours in some cases)
  • Ad blockers affect 25–30% of traffic in some industries, potentially breaking widget functionality
  • API keys and configuration are visible in client-side code
  • Each vendor script adds to page weight, impacting Core Web Vitals

From a compliance perspective, you must block these scripts until the user consents. Every cookie the widget sets is your responsibility.

Server-Side API Integration

When your backend calls an AI provider's API (OpenAI, Anthropic, etc.) and returns results to your frontend:

  • No cookies are set on the user's device by the AI provider
  • Server-set cookies (via Set-Cookie header) can use HttpOnly and Secure flags, protecting against XSS
  • API keys remain on the server, not exposed to the client
  • No third-party scripts are loaded in the browser — no impact on page performance
  • Data can be filtered, anonymised, or redacted on the server before being sent to AI providers
  • Consent enforcement happens centrally — if a user opts out, server-side logic excludes their data in one place

From a compliance perspective, server-side integrations are dramatically simpler. You control exactly what data leaves your infrastructure and what cookies (if any) are set.

The Hybrid Approach

Many modern implementations use a thin client-side layer for the UI (a chat interface, a search box) that communicates with your own server-side proxy, which then calls the AI API. This gives you the UX benefits of a client-side widget with the privacy control of server-side processing.

The trade-off: you lose some of the "drop in a script tag and it works" convenience. But you gain complete control over your cookie footprint, data flows, and compliance posture.

The Regulatory Landscape Is Getting Stricter

If you're thinking "cookies are a low-priority compliance issue," the enforcement data tells a different story.

Regulator Action Fine/Outcome
CNIL (France) 2025 Cookie consent violations across 21 entities — Google (dark pattern banners), Shein (non-functional "Reject all" button) €486.8 million total (Google €325M, Shein €150M)
Irish DPC 2024 LinkedIn — unlawful behavioural analysis for targeted advertising €310 million
Irish DPC 2025 TikTok — children's data handling violations €530 million
CNIL (France) 2024 Orange — continued reading cookies after consent revocation €50 million
Dutch DPA 2024 Clearview AI — facial recognition database €30.5 million
Italy (Garante) 2024 OpenAI (ChatGPT) — insufficient legal basis for data processing, lack of transparency, no age verification €15 million
Italy (Garante) Replika chatbot — no lawful basis, no age verification €5 million
UK ICO 2025 Reviewed top 1,000 UK websites 134 compliance warnings from first 200 sites
Sweden IMY 2025 Pre-selecting non-essential cookie categories, hiding privacy controls Enforcement against 3 companies

Two of these fines are directly against AI companies — OpenAI and Replika. The message is clear: AI tools are not exempt from privacy enforcement.

Key enforcement trends to watch:
- Dark patterns are explicitly illegal. Pre-checked boxes and asymmetric accept/reject buttons draw fines (Shein's non-functional "Reject all" cost them €150M).
- Withdrawal must actually work. If a user clicks "Reject," tracking must stop. Cosmetic compliance draws enforcement (Orange, €50M).
- DPAs are using automated scanning at scale. The Dutch DPA monitors ~10,000 websites annually. The UK ICO reviews are systematic.
- Prior consent is non-negotiable. Displaying a banner while simultaneously setting cookies is a violation — scripts must be blocked until consent is given.

Per the CJEU ruling C-40/17 (Fashion ID), businesses embedding third-party resources into their products can be considered joint data controllers under GDPR. This means if you embed an AI chatbot widget that processes personal data, you share responsibility for that processing — even if you never access the data yourself.

The EU AI Act Adds Another Layer

The EU AI Act (compliance deadline August 2, 2026) creates dual obligations for AI systems. If your AI integration falls under high-risk classification, you'll need to meet both GDPR and AI Act requirements simultaneously. The EDPB's April 2025 report noted that LLMs rarely achieve anonymisation standards, and controllers deploying third-party LLMs must conduct comprehensive legitimate interests assessments.

ePrivacy Update

The European Commission formally withdrew the proposed ePrivacy Regulation in February 2025. The existing ePrivacy Directive remains the legal backbone for cookie consent rules. Plans to incorporate cookie rules into GDPR via a new Article 88a are expected to be adopted by end of 2026, coming into force in 2027 at the earliest.

How to Stay Compliant: The Practical Checklist

For developers integrating AI tools into their products, here's what you need to do:

1. Audit Every Third-Party Script

Before adding any AI widget, understand its cookie footprint:
- What cookies does it set? (Check the vendor's cookie policy and verify independently)
- Are they first-party or third-party?
- What are the cookie lifetimes?
- Which are strictly necessary vs. analytics/marketing?
- Does the widget use localStorage or sessionStorage as well?

Any AI widget script that sets non-essential cookies must be blocked until the user consents. This means:

<!-- Block an AI chatbot widget until the visitor consents -->
<script type="text/plain" data-category="functional" data-service="AI Chatbot"
  src="https://your-chatbot-widget.com/widget.js">
</script>

Setting type="text/plain" prevents the browser from executing the script. A consent management platform switches it back to text/javascript once consent is given.

3. Prefer Server-Side Integrations Where Possible

If you're building an AI-powered feature (search, recommendations, chat), consider calling the AI API from your server rather than loading a client-side widget. This eliminates the AI provider's cookies from the equation entirely.

This is where most generic cookie consent tools fall short. They weren't built for a world where a single chatbot widget can set half a dozen cookies with lifetimes ranging from 30 minutes to 6 years.

How CookieChimp Handles AI Widget Compliance Automatically

CookieChimp was built for exactly this kind of complexity. When you install CookieChimp on your site, it:

  1. Scans your entire site and detects every cookie — including ones set by AI chatbot widgets, recommendation engines, search tools, and personalisation platforms
  2. Categorises each cookie automatically using AI — it knows that driftt_aid is a functional cookie from Drift, that _dyid is a marketing cookie from Dynamic Yield, and that __cf_bm is a necessary Cloudflare cookie
  3. Blocks non-essential scripts until the user gives consent — the chatbot widget doesn't load, the recommendation engine doesn't fire, the personalisation tool doesn't track, until consent is given
  4. Shows the right consent banner based on visitor location — GDPR opt-in for EU visitors, CCPA opt-out for California, PIPEDA compliance for Canada, and every other major regulation worldwide
  5. Records every consent decision with a full audit trail for compliance documentation
  6. Detects integrations automatically — if your site runs Google Analytics, Facebook Pixel, HubSpot, or Microsoft Clarity alongside AI widgets, CookieChimp configures consent signals for each one (Google Consent Mode v2, Meta Consent API, Microsoft Consent Mode, HubSpot consent signals)

The entire integration is one script tag:

<head>
  <script src="https://cookiechimp.com/widget/YOUR_COOKIECHIMP_ID.js"></script>
</head>

No manual cookie tables. No guessing which regulation applies. No figuring out whether a chatbot's visitor ID cookie is "functional" or "analytics." CookieChimp handles all of it.

For developers who want manual control, you can block specific AI widget scripts until consent:

<!-- Block Intercom until visitor consents to functional cookies -->
<script type="text/plain" data-category="functional" data-service="Intercom"
  src="https://widget.intercom.io/widget/YOUR_APP_ID">
</script>

<!-- Block Drift until visitor consents to functional cookies -->
<script type="text/plain" data-category="functional" data-service="Drift"
  src="https://js.driftt.com/include/YOUR_DRIFT_ID.js">
</script>

<!-- Block Dynamic Yield until visitor consents to marketing cookies -->
<script type="text/plain" data-category="marketing" data-service="Dynamic Yield"
  src="https://cdn.dynamicyield.com/api/YOUR_SECTION_ID/api_dynamic.js">
</script>

CookieChimp prevents these scripts from running until the visitor consents to the matching category. When they do, CookieChimp switches the type back to text/javascript and the widget loads. If they later withdraw consent, CookieChimp removes the cookies and blocks the scripts again.

Key Takeaways

  • Every AI widget you embed sets cookies on your users' devices. Chatbots, search tools, recommendation engines, personalisation platforms — they all have a cookie footprint, and it becomes your compliance responsibility the moment you add the script tag.
  • Cookie lifetimes are all over the place. Drift's visitor ID lasts ~6 years. Nosto's cookies persist for 4 years. HubSpot's chatbot brings 13-month tracking cookies along with it. Know what you're adding before you add it.
  • "Essential" doesn't always mean essential. Widget vendors classify their own cookies generously. Under GDPR, a chatbot visitor ID cookie set before the user even opens the chat is probably not "strictly necessary" for your site.
  • Server-side AI integrations are dramatically simpler for compliance. No third-party scripts, no cookies from the AI provider, no widget-related consent requirements.
  • Newer platforms are going cookieless. Botpress, Voiceflow, Clerk.io, and Tidio use localStorage or memory-based persistence instead. If cookie compliance is a concern, these are worth evaluating.
  • Enforcement is accelerating. €486.8 million in CNIL fines in 2025. OpenAI fined €15 million. The EU AI Act adds new obligations by August 2026. Cookie compliance is no longer a "nice to have."
  • A CMP like CookieChimp handles AI widget cookies automatically — scanning, categorising, blocking, and recording consent for every tool on your site, including the AI ones.

Whether you're adding a chatbot to your SaaS product, integrating AI-powered search, or embedding a recommendation engine in your e-commerce store, cookie compliance is part of the job. The good news is that with the right architecture decisions and the right tools, it doesn't have to be painful.

Get started with CookieChimp for free →