GDPR Knowledge

Didomi and Data Protection – What Belongs in the Privacy Policy

Concise guide to Didomi: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Didomi Data Protection – Requirements for the Privacy Policy

Didomi is a widely used Consent Management Platform (CMP) operated by Didomi SAS, Paris, France. Anyone who uses Didomi on a website must document in their privacy policy that Didomi itself processes data: not only to manage consents, but also for consent logging, for meeting the obligation to demonstrate consent under Art. 7(1) GDPR, and for compliance control.

This guide sets out what information is required under data protection law and how website operators (controllers) can integrate the topic of Didomi into their privacy policy in a legally secure manner.


A. Purpose and Function of Didomi

Didomi is a cloud-based platform for managing user consents and cookie preferences. The core functions:

  • Cookie banner: JavaScript-based UI for requesting consent
  • Consent String (IAB TCF v2.2): encoded representation of all consent decisions in the format of the Interactive Advertising Bureau's Transparency & Consent Framework
  • Google Consent Mode v2: integration with Google Analytics, Google Ads and other Google tags, which receive the user's consent state as signals
  • Consent logging: Storage and traceability of consent decisions in Didomi databases
  • Preference Management: Management dashboard for website operators; retrieval of consent logs and user preferences

Technical integration is usually carried out via a JavaScript snippet (SDK) that loads Didomi on every page. Because this is third-party script executing in the site's own origin on every page load, it belongs in the site's script inventory (and in its Content Security Policy allow-list, where one is used) like any other supply-chain dependency.


B. Mandatory Disclosures in the Privacy Policy

The following information is required in the privacy policy when Didomi is used:

  • Provider and contact (Didomi SAS, registered office, data protection officer)
  • Categories of data processed (pseudonymous user ID, consent decisions, timestamps, IP address, user agent, URL, language)
  • Processing purposes (consent management, compliance evidence, security, legal enforcement)
  • Duration of storage (usually until withdrawal or expiry of statutory retention periods)
  • Authorised recipients (the website operator itself, where applicable sub-processors of Didomi)
  • Data subject rights (access, rectification, erasure, data portability under Art. 15–20 GDPR)
  • Legal bases (Art. 6(1)(c), (f) GDPR; § 25(2) No. 2 TDDDG for the CMP cookie itself)

To generate a complete, customised privacy policy, many operators use specialised tools:

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.


C. Provider: Didomi SAS

Field                     Information
Company name              Didomi SAS
Registered office         Paris, France (EU)
Legal form                Société par Actions Simplifiée (SAS)
Data protection contact   privacy@didomi.io
Website                   https://www.didomi.io
Privacy policy            https://www.didomi.io/privacy-policy
EU hosting                Yes (servers primarily in the EU)

Towards the website operator, Didomi typically acts as a processor (Art. 28 GDPR); a Data Processing Agreement (DPA) must be concluded for this. For processing that serves Didomi's own purposes, such as operational optimisation or abuse prevention, Didomi may in some cases act as a controller in its own right.


D. Data Processing – Procedure in Steps

The following sequence illustrates how Didomi collects and uses data:

1. Collection: The user accesses the website; the Didomi JavaScript loads the cookie banner. The banner interaction (acceptance/rejection) is captured.
2. Storage: The consent decision is logged together with metadata (timestamp, IP address, user agent, URL, browser language) in Didomi databases (hosted in the EU).
3. Use: Didomi stores the Consent String (IAB TCF) in a cookie in the user's browser and on its servers. The browser copy is what the site and TCF-compliant vendors read at runtime; it is under the user's control and can be altered or deleted. The server-side log with the metadata above is what serves as evidence of consent under Art. 7(1) GDPR.
4. Disclosure: The website operator retrieves consent logs and preferences via the Didomi dashboard; there is no automatic export to third parties unless contractually agreed.
5. Deletion: Consent logs are kept for as long as the operator may need to demonstrate consent (including the record of a withdrawal) and are then deleted. A common retention period is three years, derived from the regular limitation period under § 195 BGB; the GDPR itself prescribes no fixed retention period for consent records.

E. Data Collected and Processed by Didomi

Didomi processes the following categories of data:

Web server log data

  • IP address (where applicable anonymised)
  • Timestamp of the banner interaction
  • HTTP request headers

Device and browser information

  • User agent (browser type, operating system, device type)
  • Browser language
  • Browser size / viewport resolution

URL visited / page context

  • Domain and path of the page on which the banner was displayed
  • Referrer information (where available)

Location data

  • Coarse geographical localisation (country, where applicable city) based on IP address

Consent-specific data

  • Consent decision per cookie/tracker (accepted/rejected)
  • Consent String (IAB TCF v2.2 coded)
  • Anonymous or pseudonymous user ID (Didomi-internal ID for the user)
  • Time and changes to consent preferences

Interaction events

  • Banner impressions, button clicks and consent updates, recorded as events

F. Purposes of Use

Didomi processes this data for the following purposes:

Provision of consent management functionality

  • Display and management of the cookie banner
  • Storage and retrieval of consent decisions

Security and abuse prevention

  • Protection against manipulation of consents
  • Detection of automated or fraudulent requests
  • Protection against DDoS and other cyber attacks on the CMP infrastructure

Compliance and evidence

  • Documentation of consent as evidence under Art. 7(1) GDPR
  • Fulfilment of statutory retention requirements
  • Audit trails for data protection controls

Legal enforcement and accountability

  • Fulfilment of the obligation to demonstrate (accountability principle, Art. 5(2) GDPR)
  • Processing of data subject rights requests (access, erasure)

G. Legal Bases: Why a CMP Is Required in the First Place

The use of a CMP such as Didomi serves to fulfil the consent requirement under § 25(1) TDDDG (Telecommunications Digital Services Data Protection Act) for non-essential cookies and trackers. Without a consent mechanism of this kind, the website operator cannot capture consents and demonstrate them in a verifiable way.

Art. 6(1)(c) GDPR – Legal Obligation

  • Data processing by Didomi is necessary in order to fulfil the obligation to demonstrate consent under Art. 7(1) GDPR: The controller (website operator) must demonstrate that and how they have obtained consent.

Art. 6(1)(f) GDPR – Legitimate Interest

  • Didomi also processes data for the purpose of security (abuse prevention, DDoS protection) and compliance control (internal audits, troubleshooting), which constitutes legitimate interests.

§ 25(2) No. 2 TDDDG – Exemption for the Essential Cookie of the CMP Itself

  • The Didomi CMP cookie itself (which stores the consent decision) is exempt from the consent requirement because it is strictly necessary to provide the service the user has expressly requested: the consent dialogue cannot work without remembering the decision, and a cookie that is dropped would mean asking again on every page.

H. Special Features and Notes

  • EU hosting: Didomi primarily uses EU data centres (France, Germany). This reduces third-country transfer risks under Art. 44–49 GDPR.

  • Data Processing Agreement (DPA): Didomi provides a standard DPA. The website operator must conclude this in order to fulfil the processor requirements.

  • IAB TCF v2.2 Compliance: The Consent String generated by Didomi is coded according to the standard of the Interactive Advertising Bureau and is understood by most ad-tech platforms.

  • Google Consent Mode v2: Didomi integrates the Google Consent Mode API, which passes the consent state as signals to Google tags (e.g. Analytics, Ads). This is itself a data transfer that should be documented separately. Note the difference between the two modes: in basic consent mode the Google tags are not loaded until consent is given, whereas in advanced consent mode the tags load before consent and send cookieless pings to Google even when consent is refused.

  • Sub-processors: Didomi may use sub-processors (e.g. cloud providers, analysis tools). These should be listed in the sub-processor list of the DPA.

  • Right of withdrawal: Users can withdraw consents at any time via the banner or the Didomi preference centre.
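
The consent string referred to in sections A and D and in the IAB TCF note above is a bit field with a fixed layout, and reading it is the quickest way to check what a CMP actually records. The following is an added example written for this page; it is not code from Didomi's SDK or from the IAB's reference implementation. It encodes a constructed consent decision into a TCF v2 core string, decodes it back, and rejects a truncated string. The CMP id, timestamps, purpose ids and vendor ids in the sample are made up.

```javascript
// Added example (not Didomi's SDK and not IAB code): encode and decode the core
// segment of an IAB TCF v2.x Transparency & Consent (TC) string, so the decision a
// CMP stores in the consent cookie and in its logs can be read and audited.
// Field order and widths follow the public TCF v2 core-string format; optional
// segments appended after '.' (disclosed vendors, publisher TC) are ignored.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// The core segment is one big-endian bit field, base64url-encoded without padding,
// so every character carries exactly 6 bits.
function toBits(n, width) {
  if (!Number.isInteger(n) || n < 0) throw new RangeError(`${n} is not a non-negative integer`);
  const s = n.toString(2);
  if (s.length > width) throw new RangeError(`${n} does not fit in ${width} bits`);
  return s.padStart(width, '0');
}
function bitsToB64(bits) {
  const padded = bits + '0'.repeat((6 - (bits.length % 6)) % 6);
  let out = '';
  for (let i = 0; i < padded.length; i += 6) out += B64[parseInt(padded.slice(i, i + 6), 2)];
  return out;
}
function b64ToBits(str) {
  let bits = '';
  for (const ch of str) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character ${JSON.stringify(ch)}`);
    bits += toBits(v, 6);
  }
  return bits;
}
// Two-letter codes (consent language, publisher country) are two 6-bit letters, A = 0.
const letters = (code) => [...code.toUpperCase()].map((c) => toBits(c.charCodeAt(0) - 65, 6)).join('');
// Purpose, feature and vendor sets are bit fields: bit i-1 set <=> id i is in the set.
const idSet = (ids, width) => Array.from({ length: width }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join('');

function encodeCore(tc) {
  const maxVendor = tc.vendorConsents.length ? Math.max(...tc.vendorConsents) : 0;
  return bitsToB64(
    toBits(2, 6) +                                   // Version (2 for all TCF v2.x strings)
    toBits(Math.floor(tc.created / 100), 36) +       // Created, deciseconds since epoch
    toBits(Math.floor(tc.lastUpdated / 100), 36) +   // LastUpdated
    toBits(tc.cmpId, 12) + toBits(tc.cmpVersion, 12) + toBits(tc.consentScreen, 6) +
    letters(tc.consentLanguage) + toBits(tc.vendorListVersion, 12) + toBits(tc.policyVersion, 6) +
    (tc.isServiceSpecific ? '1' : '0') + '0' +       // IsServiceSpecific, UseNonStandardTexts
    idSet(tc.specialFeatureOptIns, 12) + idSet(tc.purposeConsents, 24) + idSet(tc.purposeLegitimateInterests, 24) +
    '0' + letters(tc.publisherCC) +                  // PurposeOneTreatment, PublisherCC
    toBits(maxVendor, 16) + '0' + idSet(tc.vendorConsents, maxVendor) + // vendor consents, bit-field encoding
    toBits(0, 16) + '0' +                            // vendor legitimate interests: none, bit-field encoding
    toBits(0, 12)                                    // NumPubRestrictions = 0
  );
}

function decodeCore(tcString) {
  const bits = b64ToBits(tcString.split('.')[0]);
  let pos = 0;
  const readBits = (n) => {                          // a short or tampered string fails here, loudly
    if (pos + n > bits.length) throw new Error(`TC string truncated at bit ${pos}`);
    const s = bits.slice(pos, pos + n); pos += n; return s;
  };
  const read = (n) => (n === 0 ? 0 : parseInt(readBits(n), 2));
  const readLetters = () => String.fromCharCode(65 + read(6), 65 + read(6));
  const readSet = (n) => [...readBits(n)].flatMap((b, i) => (b === '1' ? [i + 1] : []));
  const readVendors = () => {                        // handles both bit-field and range encodings
    const maxId = read(16);
    if (read(1) === 0) return readSet(maxId);
    const ids = [];
    for (let e = read(12); e > 0; e--) {
      const isRange = read(1), start = read(16), end = isRange ? read(16) : start;
      for (let id = start; id <= end; id++) ids.push(id);
    }
    return ids;
  };
  const out = { version: read(6) };
  if (out.version !== 2) throw new Error(`unsupported TC string version ${out.version}`);
  out.created = read(36) * 100; out.lastUpdated = read(36) * 100;
  out.cmpId = read(12); out.cmpVersion = read(12); out.consentScreen = read(6);
  out.consentLanguage = readLetters(); out.vendorListVersion = read(12); out.policyVersion = read(6);
  out.isServiceSpecific = read(1) === 1; out.useNonStandardTexts = read(1) === 1;
  out.specialFeatureOptIns = readSet(12); out.purposeConsents = readSet(24); out.purposeLegitimateInterests = readSet(24);
  out.purposeOneTreatment = read(1) === 1; out.publisherCC = readLetters();
  out.vendorConsents = readVendors(); out.vendorLegitimateInterests = readVendors();
  out.publisherRestrictionCount = read(12);         // restriction entries themselves are not expanded here
  return out;
}

// Constructed sample decision (not a real Didomi record; CMP id 123 is made up):
// purposes 1 and 7 consented, purpose 2 on legitimate interest, vendors 2, 6 and 15.
const SAMPLE = {
  created: 1700000000000, lastUpdated: 1700000000000,
  cmpId: 123, cmpVersion: 1, consentScreen: 1, consentLanguage: 'EN',
  vendorListVersion: 200, policyVersion: 4, isServiceSpecific: true,
  specialFeatureOptIns: [], purposeConsents: [1, 7], purposeLegitimateInterests: [2],
  publisherCC: 'DE', vendorConsents: [2, 6, 15],
};

const tcString = encodeCore(SAMPLE);
console.log(tcString, decodeCore(tcString));
```

Run it with node. Only the core segment is handled, and publisher restrictions are counted but not expanded; for production checks compare the output with the IAB's reference decoder (the @iabtcf/core package). Decoding the browser copy shows which purposes and vendors the site is currently honouring; since that copy is under the user's control, the server-side log described in section D remains the evidence the operator relies on.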


I. Conclusion and Practical Checklist

The use of Didomi is an established way of managing cookie consents; what matters for lawfulness is that the operator sets it up correctly and documents it transparently. Before going live, check:

  • The privacy policy contains the disclosures listed in section B (provider, data categories, purposes, retention, recipients, data subject rights, legal bases).
  • A Data Processing Agreement with Didomi SAS has been concluded and its sub-processor list has been reviewed.
  • The retention period for consent logs has been defined and matches what the privacy policy states.
  • Google Consent Mode v2 and any other forwarding of consent signals to third parties are documented separately.
  • Users can withdraw consent as easily as they gave it, via the banner or the preference centre (Art. 7(3) GDPR).

This text is a general orientation guide and does not replace individual legal advice. Data protection questions should be clarified with a data protection officer or lawyer.



Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
