Dropbox

Dropbox

Cloud storage platform occasionally embedded on content sites via Dropbox Chooser or file previews. The Chooser widget loads a script that opens a Dropbox OAuth popup to let users select files from their Dropbox account. File preview embeds load content from Dropbox's CDN without setting tracking cookies on the host page.

Back to Vendor Library

Overview

Dropbox is a cloud storage and file synchronization platform used by individuals and teams to store, share, and collaborate on files. When Dropbox scripts appear on third-party websites, they are typically loaded as part of the Dropbox Chooser widget — a developer tool that enables website visitors to select and upload files directly from their Dropbox account — or as part of embedded file preview links. Dropbox is operated by Dropbox Inc., headquartered in San Francisco, and serves over 700 million registered users globally. The Dropbox Chooser is one of the most privacy-minimal third-party integrations available, as its purpose is strictly to facilitate a user-initiated file selection action.

What This Script Does

Script Files and Domains

The Dropbox Chooser loads https://www.dropbox.com/static/api/2/dropins.js. The script is initialized with the developer's application key. The Chooser UI loads in a popup window pointing to https://www.dropbox.com/chooser. File preview embeds load from https://www.dropbox.com/s/{file_id}?raw=1 or similar share links rendered in iframes. CDN assets for the Chooser UI are served from cfl.dropboxstatic.com.

Chooser Widget Flow

  1. The developer renders a Dropbox Chooser button using the Dropbox.createChooseButton() method or the JavaScript API.
  2. On click, a popup window opens to dropbox.com/chooser — entirely on Dropbox's domain.
  3. The user authenticates with their Dropbox account (OAuth 2.0 flow) within the popup.
  4. After file selection, the popup returns a structured response to the parent page's JavaScript callback: an array of file objects with name, link (temporary HTTPS URL), bytes, icon, and isDir properties.
  5. The popup closes. No Dropbox cookies are set on the embedding site's domain.

Cookies and Storage

Dropbox does not set cookies on the host page's domain. The OAuth session and user authentication cookies are scoped exclusively to dropbox.com. The Chooser script itself (dropins.js) does not write to the host page's localStorage or sessionStorage. Device fingerprinting is not performed.

File Preview Embeds

File preview iframes load static content from Dropbox's servers. These are read-only views and do not require authentication for publicly shared links. No tracking cookies are set on the embedding site's domain by preview iframes.

Data Collection

The integration collects only what the user explicitly selects and authorizes: the name, size, and temporary download URL of chosen files. Dropbox's own analytics (used internally) may log that the Chooser was opened and a file was selected, but this data is retained by Dropbox and not shared with the embedding site in a form usable for tracking.

Consent & Compliance

Category: Functional

The Dropbox Chooser is a user-initiated, transactional integration. Under GDPR and the ePrivacy Directive, cookies and scripts that are strictly necessary to provide a service explicitly requested by the user are exempt from consent requirements. The Chooser only activates when a user clicks a button to select files — it is not loaded passively or used for background tracking.

Under CCPA, the Chooser does not collect personal information beyond what the user explicitly selects during a file pick operation. No sale or sharing of personal information occurs through this integration.

No enforcement actions have targeted Dropbox Chooser embeds specifically, and major DPAs have not flagged passive-loading-free widget integrations of this type as requiring consent.

Should You Block This Without Consent?

No. The Dropbox Chooser operates purely as a functional integration: it enables users to select files from their Dropbox account on request. It sets no tracking cookies on the host domain, performs no behavioral profiling, and requires explicit user interaction to activate. Loading the dropins.js script passively is the only borderline consideration — if strict compliance requires it, you can lazy-load the script only when the user interacts with the Chooser button.

Visit website

Consent Categories

Functional

Also Known As

Dropbox ChooserDropbox embedDropbox scriptDropbox OAuth widgetfile picker embedDropbox cookie

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (1)

dropbox.comEssential

Frequently Asked Questions

Does the Dropbox Chooser widget require consent to load?

No. The Dropbox Chooser is a user-initiated, functional integration. It activates only when a visitor clicks to select files, sets no tracking cookies on the host domain, and performs no behavioral profiling, qualifying for the ePrivacy strict necessity exemption.

Does the Dropbox Chooser set any cookies on my website?

No cookies are set on the host site's domain. The OAuth session and authentication cookies are scoped exclusively to dropbox.com. The Chooser script does not write to the host page's localStorage or sessionStorage, and no device fingerprinting is performed.

How does ConsentStack categorize the Dropbox Chooser?

ConsentStack classifies Dropbox as a functional vendor and allows it to load without requiring user consent. Because it performs no tracking and sets no host-domain cookies, it does not need to be gated behind a consent prompt, keeping the file-picker workflow uninterrupted for all visitors.

Related Vendors

Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.

Manage consent for Dropbox

ConsentStack automatically detects and manages Dropbox trackers so your site stays compliant with global privacy regulations.

Get started free