Security
Medium complexity

Imperva Advanced Bot Protection

by Imperva Advanced Bot Protection


Sets cookies: Yes
Sends PII: No
Cross-site tracking: No
Consent required: Not required
Transfer mechanism: Standard Contractual Clauses
Cookies: __uzma, __uzmaj2, __uzmb, __uzmbj2, __uzmc, __uzmcj2, __uzmd, __uzmdj2, __uzme, __ssds, __ssuzjsr2

Overview

Bot detection and anti-fraud platform from Imperva, formerly Distil Networks (acquired by Imperva in 2019). Injects a JavaScript SDK that collects behavioural signals, device characteristics, and network metadata to distinguish bot traffic from real visitors. Cookies are set first-party on the customer's domain (the __uzm* family) even though the script and data collection are operated by Imperva. The security purpose typically supports a legitimate-interest legal basis under GDPR Article 6(1)(f) and the strictly-necessary exemption under ePrivacy Article 5(3), but organisations should still document the legitimate-interest assessment and include bot detection in their privacy notice.

Detection capabilities

Signature count: 2
Detection methods: network
Property types: hostname, pathname

Performance impact


Script size: 40 KB
Requests per page: 3

Common mistakes

  1. Not disclosing bot detection + device fingerprinting in the privacy notice - even though it serves a security purpose, it involves collecting detailed behavioural and fingerprinting signals from all visitors
  2. Assuming the security exemption automatically applies in every EU member state - the ePrivacy Article 5(3) strictly-necessary exemption is interpreted differently across DPAs; some require explicit information disclosure even when consent itself is not needed
  3. Treating __uzm* cookies as third-party when they are first-party (script-set on the customer's own domain) - this changes the CMP categorisation
  4. Failing to document the legitimate-interest balancing test for the depth of data collected

Compliance considerations

Imperva's bot detection JS (delivered via cdn.perfdrive.com) collects device fingerprinting data, behavioural signals, and network characteristics on every page view to identify bot traffic. The __uzm* cookies are set as first-party on the customer's domain by the Imperva script. This is an important detail for CMP categorisation, because CMPs that only block third-party cookies will not block these. Setting these cookies before consent is widely accepted under the ePrivacy Article 5(3) strictly-necessary exemption (security / anti-fraud purpose), but the regulatory interpretation varies across EU member states. The data flows to Imperva-operated servers and likely transits the United States; organisations should ensure SCCs or another Article 46 transfer mechanism is in place and assess against EU-US Data Privacy Framework requirements.
