Gigya

Customer identity and access management (CIAM) platform acquired by SAP. Gigya scripts handle social login, progressive profiling, and consent collection. Stores identity data in Gigya's cloud and syncs customer profiles to CRM and marketing automation systems.

Overview

Gigya (now SAP Customer Data Cloud) is an enterprise customer identity and access management (CIAM) platform. It provides social login, user registration, progressive profiling, consent management, and identity federation for large consumer-facing brands. Gigya processes hundreds of millions of consumer identity records globally and serves as a consent repository for GDPR and CCPA compliance workflows.

What This Script Does

Gigya's client-side SDK is a comprehensive identity management library that handles the full user authentication lifecycle.

Script Files and Domains

  • gigya.js — Primary SDK (~300–500KB). Loaded from cdns.gigya.com. Provides all client-side identity functionality including social login buttons, screen-sets, and API methods.
  • gigya-cs.js — Companion script for screen-set rendering and UI customization.
  • API calls to datacenter-specific endpoints: accounts.us1.gigya.com, accounts.eu1.gigya.com, accounts.eu2.gigya.com, accounts.au1.gigya.com (varies by deployment region).
  • Social login redirects go through socialize.{datacenter}.gigya.com for token exchange with Google, Facebook, and Apple.

Cookies Set

  • gig_bootstrap_{apiKey} — Authentication flow state cookie. Short-lived (session-scoped). Stores the current authentication step and prevents CSRF during login.
  • gig_canary — Canary deployment cookie for A/B testing of Gigya SDK versions. Persists for up to 6 months.
  • gig_login — Set after successful authentication on some deployments. Contains an encrypted session reference. Persists for the configured SSO session duration.
  • glt_{apiKey} — Gigya Login Token. First-party cookie containing the authenticated session token. Persists according to the site's SSO session policy (typically 2 weeks to 1 year for "remember me" flows).
  • Social platform third-party cookies: When social login is initiated, Facebook sets _fbp and Google sets SAPISID/HSID during the OAuth flow.

Data Collected Per Interaction

  • Social profile data returned by the identity provider (name, email, profile picture, social UID) — scope is configurable
  • User-entered registration fields (configurable; may include name, email, date of birth, phone number, custom fields)
  • Consent preferences: which policies were accepted, version of policy accepted, timestamp, and IP address of consent
  • Progressive profiling data: additional fields collected across multiple sessions
  • Login events: timestamp, login method, IP address, device type
  • Account activity: profile updates, consent changes, social account connections

Consent Management Features

Gigya includes its own consent management module (now branded as SAP Customer Data Cloud Consent Management) that records granular consent preferences per user, per purpose, and per version of privacy policies. This makes Gigya itself a consent repository — it stores the consent records that your GDPR compliance depends on.

Analytics Module

When Gigya Analytics is enabled, behavioral events (login frequency, social login usage, registration funnel drop-off) are sent to Gigya's analytics infrastructure.

Consent & Compliance

Consent category: Functional / Analytics (split by module)

  • GDPR/ePrivacy: The core authentication functionality operates under Article 6(1)(b) (contract performance) for sites requiring accounts, or Article 6(1)(f) (legitimate interest) for sites where login is optional but beneficial. Progressive profiling and analytics features require explicit consent under Article 6(1)(a). The glt_ session token cookie is strictly necessary for maintaining authenticated state. The Gigya Analytics module requires consent.
  • CCPA/CPRA: Identity data (name, email, social profiles) is personal information subject to access and deletion rights under CCPA. Gigya provides APIs to fulfill DSARs (data subject access requests) and deletion requests.
  • EU data residency: Gigya offers EU datacenter options (eu1, eu2, eu5). Organizations processing EU resident data should configure their Gigya deployment to use EU datacenters to avoid cross-border transfer concerns.
  • EU-US Data Privacy Framework: For US deployments, SAP (as Gigya's parent) participates in the DPF. SCCs are available as an alternative transfer mechanism.
  • DPA enforcement history: The Irish DPA (DPC) has investigated social login consent practices. Ensure that Gigya's social login implementation presents clear, affirmative consent prompts before initiating OAuth flows that share data with social platforms.
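
The host and cookie patterns listed above can be checked against what a page load actually produced, for example hostnames and cookie names exported from a browser HAR file. This is an added example, not ConsentStack or SAP code: the `auditGigya` function, its report fields and the sample input are assumptions made for illustration, and the EU set mirrors the datacenters this page names.

```javascript
// Datacenters this page lists as EU options (assumption: no others are treated as EU).
const EU_DATACENTERS = new Set(["eu1", "eu2", "eu5"]);
// Anchored on both ends so lookalike hosts (accounts.eu1.gigya.com.example.net) do not match.
const API_HOST = /^(accounts|socialize)\.([a-z]{2}\d+)\.gigya\.com$/;
// Cookie name patterns from the "Cookies Set" list; the capture group is the apiKey.
const COOKIE_RULES = [
  [/^glt_(.+)$/, "login-token"],
  [/^gig_bootstrap_(.+)$/, "auth-flow-state"],
  [/^gig_canary$/, "sdk-canary"],
  [/^gig_login$/, "session-reference"],
];

function auditGigya(hosts, cookieNames) {
  const report = { sdkLoaded: false, socialLogin: false, datacenters: [],
                   nonEuDatacenters: [], apiKeys: [], cookies: [], unrecognised: [] };
  for (const raw of hosts) {
    const host = raw.trim().toLowerCase().replace(/\.$/, "");
    if (host === "cdns.gigya.com") { report.sdkLoaded = true; continue; }
    const m = API_HOST.exec(host);
    if (!m) {
      // Mentions gigya but fits no known pattern: surface it for manual review.
      if (host.includes("gigya")) report.unrecognised.push(host);
      continue;
    }
    if (m[1] === "socialize") report.socialLogin = true;
    if (!report.datacenters.includes(m[2])) report.datacenters.push(m[2]);
  }
  report.nonEuDatacenters = report.datacenters.filter((dc) => !EU_DATACENTERS.has(dc));
  for (const name of cookieNames) {
    const rule = COOKIE_RULES.find(([re]) => re.test(name));
    if (!rule) continue;
    const key = rule[0].exec(name)[1]; // undefined for cookies without an apiKey suffix
    if (key && !report.apiKeys.includes(key)) report.apiKeys.push(key);
    report.cookies.push({ name, kind: rule[1] });
  }
  return report;
}

// Constructed sample input (not captured from a real site).
const sample = auditGigya(
  ["cdns.gigya.com", "accounts.us1.gigya.com", "socialize.us1.gigya.com",
   "accounts.eu1.gigya.com.example.net", "www.example.com"],
  ["glt_3_EXAMPLEKEY", "gig_bootstrap_3_EXAMPLEKEY", "gig_canary", "_ga"]
);
console.log(JSON.stringify(sample, null, 2));
```

A non-empty `nonEuDatacenters` on a site serving EU residents is the signal to review the deployment region, and `socialLogin: true` before any consent interaction means the OAuth exchange host was already contacted.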

Should You Block This Without Consent?

Conditional. Gigya's core authentication is functional and cannot be blocked without preventing users from logging in. However, the analytics module and progressive profiling features should be disabled or blocked until functional/analytics consent is obtained. Social login buttons that trigger OAuth flows to Facebook and Google should not be rendered until the user has acknowledged data sharing with those platforms — many DPAs consider rendering social login buttons as implicit data transfer initiation.

Consent Categories

Functional
Analytics

Also Known As

Gigya, SAP Customer Data Cloud, SAP CDC, CIAM, social login, customer identity management, SAP Gigya

Industries

Computers Electronics and Technology, Programming and Developer Software

Tracked Domains (1)

gigya.com (Analytics)

Frequently Asked Questions

Is consent required for Gigya on my website?

Conditional. Gigya's authentication is functional — the glt_ cookie is strictly necessary for logged-in state. The analytics module and progressive profiling require separate consent. Social login buttons that trigger OAuth flows to Facebook or Google warrant disclosure before rendering, as many DPAs consider this data transfer initiation.

What cookies does Gigya set?

Gigya sets gig_bootstrap_{apiKey} (auth flow state, session-scoped), gig_canary (SDK A/B testing, up to 6 months), gig_login (encrypted session reference), and glt_{apiKey} (login token, typically 2 weeks to 1 year). Social login causes Facebook and Google to set their own third-party cookies during the OAuth exchange.

How does ConsentStack detect Gigya?

ConsentStack detects Gigya via gigya.js from cdns.gigya.com and API calls to accounts.{datacenter}.gigya.com. Core authentication is classified as functional and permitted after functional consent. The analytics module is classified separately and blocked until analytics consent is confirmed. ConsentStack evaluates each Gigya module independently.
