Chat widgets (Intercom, Crisp, Tawk) drop cookies before consent
Live-chat widgets like Intercom, Crisp and Tawk.to load a third-party script on page load, set cookies or local-storage identifiers and can begin tracking the visitor before any consent is given.
Why it matters
A chat widget is often argued to be functional, but the common implementations load on every page and set persistent identifiers used for analytics and visitor tracking — which goes beyond what a support tool strictly needs (ePrivacy Art. 5(3) / GDPR Art. 6). Several of these vendors also process data outside the EU (KVKK Art. 9 / GDPR Chapter V). The risk is loading the full widget on page load, before the visitor has made a choice.
How to fix it
Load the chat script only after consent, or replace the auto-loading widget with a lightweight "Chat with us" button that boots the vendor script on click. If you treat it as strictly functional, minimise it: disable analytics/visitor-tracking features and document why in your privacy notice.
// Do NOT boot the widget on load. Load it on click (or after consent):
document.querySelector('#open-chat').addEventListener('click', () => {
  // Settings must exist before the vendor script runs.
  window.intercomSettings = { app_id: 'YOUR_APP_ID' };
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://widget.intercom.io/widget/YOUR_APP_ID';
  document.head.appendChild(s);
}, { once: true }); // the listener removes itself, so the script is injected once
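The snippet above covers the click path only. The following added example (not PrivaScan's or Intercom's code) combines both options from this guide, loading after consent or on click, and guarantees the script is injected at most once. The names createChatLoader and hasConsent, the 'consent:chat' storage key and the 'consent:chat' event are assumptions standing in for whatever your consent banner exposes.

```javascript
// Added example: consent-gated, idempotent loader for the chat widget.
// createChatLoader, hasConsent and the 'consent:chat' key/event are
// assumptions for illustration, not a vendor or PrivaScan API.
function createChatLoader({ doc, win, appId, hasConsent }) {
  let injected = false;

  function inject() {
    if (injected) return false; // never add the vendor script twice
    injected = true;
    win.intercomSettings = { app_id: appId };
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://widget.intercom.io/widget/' + encodeURIComponent(appId);
    doc.head.appendChild(s);
    return true;
  }

  return {
    // Run on page load and whenever the banner reports a consent change.
    // Without consent nothing is requested and no settings are written.
    onConsentState: () => (hasConsent() ? inject() : false),
    // Run from the "Chat with us" button: the visitor asked for the chat.
    onUserClick: () => inject(),
    isLoaded: () => injected,
  };
}

// Browser wiring (skipped outside a browser).
if (typeof document !== 'undefined') {
  const loader = createChatLoader({
    doc: document,
    win: window,
    appId: 'YOUR_APP_ID',
    // Assumed: the consent banner stores the visitor's choice under this key.
    hasConsent: () => localStorage.getItem('consent:chat') === 'granted',
  });
  loader.onConsentState();
  // Assumed: the banner dispatches this custom event when the choice changes.
  document.addEventListener('consent:chat', () => loader.onConsentState());
  const button = document.querySelector('#open-chat');
  if (button) button.addEventListener('click', () => loader.onUserClick(), { once: true });
}
```

This loader only gates the first load; it does not remove the widget or its identifiers if consent is later withdrawn.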
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.