Overview
Slack is a workplace communication and collaboration platform operated by Salesforce. Primarily a SaaS application accessed directly at slack.com or via desktop/mobile apps, Slack has a limited but meaningful presence on third-party websites through embeddable widgets and OAuth flows. The most common third-party appearances include: "Add to Slack" OAuth buttons on app marketplace listings, Slack Connect channel invitation links, embedded status page widgets using Slack's API, and "Contact us on Slack" community buttons. Slack serves over 10 million daily active users across more than 750,000 organizations. Its third-party tracking footprint is far lighter than advertising or analytics vendors — Slack does not deploy advertising pixels and does not operate a data marketplace.
What This Script Does
Script Files and Domains
Slack embeds typically load JavaScript from slack.com or its CDN at a.slack-edge.com and cdn.brandfolder.io. The main widget SDK may be referenced as https://slack.com/portal/tos button handlers or loaded via Slack's App Directory embed code. Static assets (icons, fonts) are served from slack-edge.com. API calls for widget data are made to api.slack.com. The Slack status widget (used on status pages) loads from slack.statuspage.io and communicates with api.statuspage.io.
"Add to Slack" OAuth Flow
The most common Slack third-party integration is an "Add to Slack" button. When clicked, it opens an OAuth 2.0 authorization flow on slack.com. Cookies involved in this flow are scoped entirely to slack.com:
d — Slack's authenticated session cookie. Persistent, scoped to slack.com. Identifies the logged-in Slack user during the OAuth authorization step.
b — Browser session identifier on slack.com.
lc — Locale and last-click cookie on slack.com.
No cookies are set on the embedding site's domain by the Slack OAuth flow itself. The embedding site receives only the OAuth access token returned after authorization.
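The domain list and cookie scoping described above can be checked against what a page actually loads. The following is an added example, not code from Slack or ConsentStack; the input shape (a list of request URLs and a devtools-style cookie export) and the function names are assumptions, and the sample data is constructed.

```javascript
// Hosts and cookie names are the ones listed on this page.
const SLACK_HOSTS = ["slack.com", "slack-edge.com", "slack.statuspage.io",
                     "api.statuspage.io", "cdn.brandfolder.io"];
const SLACK_COOKIES = new Set(["d", "b", "lc"]);

// True when host equals base or is a subdomain of it. A plain
// endsWith(base) would also accept look-alikes such as "notslack.com".
function isUnder(host, base) {
  host = host.toLowerCase().replace(/\.$/, "");
  return host === base || host.endsWith("." + base);
}

function isSlackHost(host) {
  return SLACK_HOSTS.some((base) => isUnder(host, base));
}

// requests: array of URL strings observed during a page load.
// cookies: [{ name, domain }] as exported from the browser (assumed shape).
function auditSlackFootprint(requests, cookies) {
  const seen = new Set();
  for (const raw of requests) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip unparsable entries
    if (isSlackHost(url.hostname)) seen.add(url.hostname);
  }
  // A cookie named d, b or lc outside slack.com does not match the scoping
  // described above. Short names can collide with a site's own cookies,
  // so these are flagged for review rather than attributed to Slack.
  const misScoped = cookies.filter((c) => {
    const domain = c.domain.replace(/^\./, "");
    return SLACK_COOKIES.has(c.name) && !isUnder(domain, "slack.com");
  });
  return { slackHosts: [...seen].sort(), misScoped };
}

// Constructed sample data, not captured from a real site.
const sample = auditSlackFootprint(
  ["https://a.slack-edge.com/widget.js", "https://api.slack.com/api/test",
   "https://notslack.com/x.js", "https://shop.example/app.js", "not a url"],
  [{ name: "d", domain: ".slack.com" }, { name: "b", domain: ".slack.com" },
   { name: "lc", domain: "shop.example" }, { name: "sid", domain: "shop.example" }]
);
console.log(sample);
```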
Widget Interactions
When Slack widgets (invite buttons, channel join links) are rendered, JavaScript loaded from slack.com checks for an existing slack.com session cookie to pre-fill authorization screens. This involves a cross-origin request to slack.com but does not set tracking cookies on the host domain. Data collected: widget impression (for Slack's own analytics), click events, and authentication state detection.
Slack Pixel / Analytics
Slack does not operate a traditional advertising pixel for third-party deployment. Salesforce-owned Pardot or Marketing Cloud pixels are separate products and should not be conflated with Slack. Slack's own analytics on its marketing site (slack.com) use standard tools (Google Analytics, Salesforce Marketing Cloud), but these are not injected into third-party sites via Slack embeds.
Consent & Compliance
Category: Functional
Slack embeds on third-party sites are functional integrations — they serve a user-initiated purpose (joining a workspace, viewing a status update, adding an app) and do not perform advertising tracking or behavioral profiling of the embedding site's visitors.
Under GDPR and the ePrivacy Directive, Slack widget scripts that are strictly necessary to provide a user-requested service may qualify for the ePrivacy exemption from consent requirements. If a user clicks "Add to Slack" or "Join our Slack," the subsequent OAuth flow is clearly user-initiated and functionally necessary. The authentication cookies involved are scoped to Slack's own domain.
Under CCPA, Slack widget interactions do not constitute a sale or sharing of personal information. Slack does not receive personal information about the embedding site's visitors beyond what is explicitly provided during user-initiated authorization flows.
Slack/Salesforce operates under the EU-US Data Privacy Framework and complies with GDPR as a data processor under its customer agreements.
Should You Block This Without Consent?
No. Slack embeds serve a user-initiated functional purpose — workspace access, OAuth authorization, status monitoring — and do not perform cross-site advertising tracking. Cookies set are scoped to slack.com. Under most regulatory interpretations, Slack widgets do not require a consent gate. Sites with a conservative compliance posture (or under strict German DSK guidance requiring consent for all third-party resource loads) may choose to lazy-load Slack widgets behind a click interaction, but this is not required under standard GDPR or CCPA analysis.
Tracked Domains (2)
slack.com: Functional
slack-edge.com: Functional
Frequently Asked Questions
Do Slack widgets on my website require a consent gate?
Generally no. Slack embeds — OAuth buttons, workspace invite links — are user-initiated functional integrations that set no tracking cookies on the host domain. Cookies involved in OAuth flows are scoped entirely to slack.com and do not constitute advertising or behavioral tracking of site visitors.
What cookies does Slack set when embedded on a third-party site?
Slack does not set cookies on the embedding site's domain. The d (session), b (browser ID), and lc (locale) cookies are scoped to slack.com and only appear during user-initiated OAuth authorization. No advertising or behavioral tracking cookies are placed on the host page by Slack embeds.
How does ConsentStack classify Slack widgets?
ConsentStack classifies Slack as a functional vendor and permits it to load without requiring visitor consent. Because Slack does not perform cross-site advertising tracking and any cookies are scoped to its own domain, no consent gate is needed. Sites under strict DSK guidance can optionally lazy-load Slack buttons on user interaction.