GoCardless

GoCardless is a bank debit payments platform for recurring billing and subscription businesses. Its scripts embed payment authorization flows on billing pages, guiding users through bank account verification for direct debit setup. It sets session cookies to secure the payment authorization process.

Overview

GoCardless specializes in bank-to-bank payments, particularly direct debit schemes like SEPA (Europe), Bacs (UK), ACH (US), and BECS (Australia). Unlike card-based payment processors, GoCardless pulls funds directly from bank accounts, making it popular for recurring billing scenarios where lower transaction fees and reduced card-expiry churn are priorities. The platform also offers Instant Bank Pay for one-off payments via open banking APIs.

What This Script Does

GoCardless's client-side scripts power the payment authorization flow where customers set up direct debit mandates. The integration typically uses GoCardless.js or redirects to GoCardless-hosted authorization pages at pay.gocardless.com.

When embedded on the merchant's site, the script guides users through:

  1. Entering bank account details (sort code/account number, IBAN, or routing/account number depending on the scheme)
  2. Reviewing the direct debit mandate terms
  3. Confirming authorization for the merchant to collect future payments

Cookies set during the authorization flow:

  • gc_session — session cookie securing the mandate setup process
  • gc_auth — authentication token for the authorization flow

The script communicates with api.gocardless.com and pay.gocardless.com. Data collected is limited to what is necessary for mandate setup: customer name, email, bank account details (transmitted directly to GoCardless servers), and billing address. GoCardless does not perform cross-site tracking or set marketing cookies. The client-side footprint is minimal — most processing occurs server-side via API calls.

Consent & Compliance

GoCardless is classified as essential. The scripts handle payment mandate authorization — a function that is strictly necessary for the direct debit service the user is explicitly requesting. Under GDPR and the ePrivacy Directive, these session cookies are exempt from consent requirements.

Under CCPA/CPRA, GoCardless acts as a service provider processing data solely for the business purpose of payment collection. Bank account information collected during mandate setup is not sold or shared for advertising purposes. GoCardless is FCA-regulated in the UK and authorized as a payment institution across the EU, providing additional regulatory assurance.

Should You Block This Without Consent?

No. GoCardless scripts are essential for setting up direct debit payment mandates. Blocking them would prevent customers from authorizing recurring bank payments. These are strictly necessary scripts exempt from consent under ePrivacy Directive Article 5(3).

Consent Categories

Essential

Also Known As

GoCardless direct debit, GoCardless payments, bank payment platform, recurring bank payments, GoCardless checkout

Industries

Computers Electronics and Technology

Tracked Domains (1)

  • gocardless.com (Essential)

Frequently Asked Questions

Is consent required for GoCardless on my website?

No. GoCardless scripts process direct debit mandates explicitly requested by the user. Session cookies securing the authorization flow are strictly necessary under the ePrivacy Directive Article 5(3). GoCardless does not set marketing or cross-site tracking cookies.

What cookies does GoCardless set?

GoCardless sets gc_session (session cookie securing the mandate authorization flow) and gc_auth (authentication token for the authorization process). Scripts communicate with api.gocardless.com and pay.gocardless.com. No advertising or cross-site tracking cookies are set.

How does ConsentStack manage GoCardless consent?

ConsentStack classifies GoCardless as essential. The payment mandate scripts are never blocked regardless of consent state. GoCardless collects only what is necessary for direct debit setup — name, email, and bank account details transmitted directly to its FCA-regulated infrastructure.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. It sets persistent cookies to track users and correlate activity across sites.

Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. It collects no data of its own and acts as a loader for other scripts.

Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.

reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.

Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. It stores session tokens and authentication cookies to maintain login state across page visits.
