Bolt

Bolt is a one-click checkout platform for e-commerce merchants. It embeds checkout acceleration scripts that recognize returning shoppers across the Bolt network and pre-fill payment and shipping information. Persistent identity cookies are set to enable cross-site shopper recognition.

Overview

Bolt is a one-click checkout platform that accelerates the e-commerce purchase flow by maintaining a network of recognized shoppers whose payment and shipping details are stored securely across all Bolt-enabled merchants. When a returning Bolt shopper visits any merchant in the network, Bolt detects them via a persistent identity cookie, pre-fills their checkout details, and enables purchase completion with minimal friction. The platform serves direct-to-consumer brands, particularly in apparel, footwear, and consumer goods, that prioritize conversion rate optimization on their checkout pages.

Beyond checkout acceleration, Bolt also operates as a payment processor for some merchants and provides an account creation flow (Bolt Accounts) that allows first-time shoppers to save their details to the Bolt network during their initial purchase.

What This Script Does

Script loading: Bolt loads JavaScript from connect.bolt.com/track.js (for shopper recognition and analytics) and connect.bolt.com/embed.js (for the checkout widget). These scripts initialize when the page loads, not only when the visitor reaches checkout, because shopper recognition requires early detection.

Cross-merchant shopper recognition:

  • _bolt_cid — Third-party persistent cookie set on the bolt.com domain, up to 1 year, stores an anonymized Bolt shopper identifier. This cookie is read on any Bolt-enabled merchant site to determine if the visitor is a recognized Bolt account holder. This is a cross-site identity mechanism by design — it is how Bolt recognizes shoppers across different merchants.
  • _bolt_session — Session cookie on the bolt.com domain, maintains the active checkout session during a transaction
  • First-party cookies may also be set on the merchant's domain to persist checkout state and cart recovery signals
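
An added example, not code from Bolt or ConsentStack: a small Node.js audit that parses Set-Cookie headers recorded during a page load and flags any Bolt-domain cookie that is both third-party and persistent, which is the profile described for _bolt_cid above. The sample headers, the merchant host shop.example and the attribute values (Max-Age, SameSite) are constructed assumptions, not captured Bolt traffic.

```javascript
// Added example: audit Set-Cookie headers for the Bolt cookies described above.
// SAMPLE is constructed for illustration; it is not captured Bolt traffic.
const SAMPLE = [
  { host: "connect.bolt.com", header: "_bolt_cid=c0ffee; Domain=.bolt.com; Path=/; Max-Age=31536000; Secure; SameSite=None" },
  { host: "connect.bolt.com", header: "_bolt_session=s1; Domain=.bolt.com; Path=/; Secure; SameSite=None" },
  { host: "shop.example", header: "cart_state=xyz; Path=/; Max-Age=86400" },
];

// Parse one Set-Cookie line. lifetimeSec === null means a session cookie.
function parseSetCookie(line, responseHost, now = Date.now()) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), domain: responseHost, lifetimeSec: null };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    // Without a Domain attribute the cookie stays host-only on the responding host.
    if (key === "domain" && val) cookie.domain = val.replace(/^\./, "").toLowerCase();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Math.round((Date.parse(val) - now) / 1000);
  }
  cookie.lifetimeSec = maxAge !== null ? maxAge : expires; // Max-Age wins over Expires (RFC 6265)
  return cookie;
}

// True when host equals domain or is a subdomain of it.
const within = (host, domain) => host === domain || host.endsWith("." + domain);

// Flag Bolt cookies by scope and lifetime relative to the merchant's host.
function auditCookie(cookie, merchantHost) {
  const thirdParty = !within(merchantHost, cookie.domain);
  const persistent = cookie.lifetimeSec !== null && cookie.lifetimeSec > 0;
  let finding = "not a Bolt-domain cookie";
  if (within(cookie.domain, "bolt.com")) {
    finding = thirdParty && persistent
      ? "review: persistent cross-site identifier"
      : "Bolt cookie without persistent cross-site scope";
  }
  return { name: cookie.name, domain: cookie.domain, thirdParty, persistent, finding };
}

function auditHeaders(entries, merchantHost) {
  return entries.map((e) => auditCookie(parseSetCookie(e.header, e.host), merchantHost));
}

console.log(auditHeaders(SAMPLE, "shop.example"));
```

Feed it the host and Set-Cookie pairs exported from a browser HAR file to see which cookies would need the consent review discussed under Consent & Compliance.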

Checkout module behavior:

  • When a returning shopper is detected via _bolt_cid, the checkout widget pre-populates the visitor's saved email, shipping address, and payment method (card last four digits and type)
  • The visitor authenticates via a one-time passcode (OTP) sent to their phone or email to confirm their identity before the stored payment details are used
  • New shoppers are offered the option to save their details to Bolt during checkout, creating a Bolt account

Fraud detection:

  • Browser fingerprinting signals (user agent, screen dimensions, timezone, language, installed fonts via canvas fingerprinting) are collected during checkout initialization for risk scoring
  • Device intelligence is transmitted to Bolt's fraud scoring API at api.bolt.com

Cart recovery and analytics:

  • Bolt may capture the visitor's email address from cart or checkout form fields before form submission (known as "email capture") to support abandoned cart recovery flows
  • Conversion events and checkout funnel metrics are reported to the merchant via Bolt's analytics dashboard

Consent & Compliance

Bolt is categorized as essential and functional.

  • Essential (payment processing): The cookies required to complete the checkout transaction that the visitor has initiated are strictly necessary and qualify for the ePrivacy exemption.
  • Functional (shopper recognition): The _bolt_cid cross-merchant shopper identity cookie presents a nuanced consent question under GDPR/ePrivacy. While its purpose is to deliver a functional benefit (pre-filled checkout), it operates as a persistent cross-site identifier linking the visitor's identity across multiple unrelated merchants. EU DPA guidance on third-party persistent identifiers is relevant here — some regulators may classify this as requiring consent despite its functional framing.
  • Email capture before submission: Capturing email addresses from checkout form fields before the visitor completes the form (for abandoned cart recovery) is a controversial practice under GDPR that may require consent or a robust legitimate interest assessment.
  • CCPA/CPRA: The cross-merchant shopper identity network involves personal data (email, address, payment method) processed across multiple business entities. Merchants must disclose Bolt's role in their privacy policy. The cross-merchant data flow should be evaluated for "sharing" obligations under CPRA.
  • EU-US Data Privacy Framework: Bolt (a US company) should be assessed for DPF participation or SCCs for EU personal data transfers.

Should You Block This Without Consent?

No. The core checkout functionality that Bolt provides is essential for completing transactions the visitor has initiated. Blocking Bolt would break the accelerated checkout experience entirely. However, EU-focused merchants should review the cross-merchant _bolt_cid cookie carefully and consult their DPA or legal counsel on whether explicit consent is required for this persistent cross-site identifier, given the strict interpretation of ePrivacy Article 5(3) by some European regulators.

Consent Categories

Essential
Functional

Also Known As

bolt checkout tracking, bolt cookies, bolt one click privacy, bolt checkout consent, bolt shopper recognition, bolt gdpr

Industries

Programming and Developer Software, Computers Electronics and Technology

Tracked Domains (1)

bolt.com (Essential)

Frequently Asked Questions

Does the Bolt checkout cross-merchant cookie require consent in the EU?

This is legally nuanced. The _bolt_cid cookie is a persistent cross-site identifier linking shoppers across unrelated merchants. Some EU regulators classify such identifiers as requiring consent under ePrivacy Article 5(3) despite their functional framing. EU merchants should seek legal advice on this specific cookie.

What is the _bolt_cid cookie and how does it work?

_bolt_cid is a third-party persistent cookie set on bolt.com, lasting up to one year. It stores an anonymized Bolt shopper ID that is read on any Bolt-enabled merchant site to recognize returning shoppers and pre-fill their saved payment and shipping details at checkout.

How does ConsentStack classify Bolt for consent management?

ConsentStack classifies Bolt as essential and functional. Core checkout cookies load without consent because blocking them would break the transaction flow. ConsentStack flags the cross-merchant _bolt_cid cookie for legal review, allowing merchants to add a consent gate for that specific cookie if their DPA advises it.
