Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Alimama is the marketing and advertising technology platform of Alibaba Group, used by sellers on Tmall, Taobao and AliExpress to run paid ads, retargeting and conversion measurement. It collects browsing, purchase and identity data through pixels and cookies, then ties signals across devices using Alibaba's super ID. For European websites, embedding Alimama tags transfers personal data to mainland China and triggers strict GDPR and ePrivacy obligations, including prior explicit consent and a layered cookie banner.
Alimama is the in house marketing technology platform of Alibaba Group, the company behind Tmall, Taobao and AliExpress. It powers paid search ads, display ads, retargeting and brand campaigns across the Alibaba ecosystem and partner publisher networks. When a European merchant places an Alimama tracking pixel on its website, the script captures pageviews, product interactions, add to cart events and conversions, then sends them to Alibaba servers for attribution and audience building.
Alimama is best known for its cross device super ID, which links the same person across phones, tablets and computers using authenticated Alibaba accounts and probabilistic signals. That makes Alimama a powerful retargeting tool, but also a high risk processor under GDPR.
On a typical e commerce site that has integrated Alimama, the tracking script sets cookies on domains such as mmstat.com, atanx.alicdn.com and tanx.com. Common identifiers include cna (visitor ID, around 13 months), isg (session ID), t (long lived tracking), tb_token (transaction token) and miid (member ID when the visitor is logged into an Alibaba account).
The pixel also collects: IP address, user agent, referrer, page URL, viewed products, search terms, cart events, purchase value, and device fingerprint signals such as screen size and language. When the visitor is signed in to Alibaba, all of this can be tied to a stable account level profile.
Alimama is a marketing and advertising tool, so the cookies it sets are not strictly necessary under Article 5(3) of the ePrivacy Directive. They require prior, freely given, specific, informed and unambiguous consent before any tag fires. Pre ticked boxes, scroll based acceptance and cookie walls have been repeatedly sanctioned by the CNIL and other European authorities.
The data captured by Alimama (online identifiers, behavioural data, purchase data, sometimes account level data) qualifies as personal data under Article 4 GDPR and is processed for advertising and profiling purposes covered by Article 22.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Alimama servers are located in mainland China, which is not covered by an adequacy decision from the European Commission. Any deployment therefore involves an international transfer governed by Chapter V of the GDPR. Standard Contractual Clauses must be in place, complemented by a Transfer Impact Assessment as recommended by the EDPB.
Beyond the contracts, organisations should account for Chinese laws (National Intelligence Law of 2017, Data Security Law of 2021, PIPL) which can compel local providers to disclose data to public authorities. Several European DPAs consider that this legal context is comparable to or stricter than the Schrems II concerns raised about US surveillance.
To use Alimama on a website that targets EU or UK visitors, you should: block all Alimama scripts before consent through a CMP such as FlowConsent, document a clear lawful basis (consent under Article 6(1)(a) and Article 49(1)(a) for the China transfer), update your privacy policy and cookie policy to name Alimama and the transfer, sign Standard Contractual Clauses with Alibaba, run a DPIA and Transfer Impact Assessment, and offer an easy reject all option that is as accessible as accept all.
You should also configure your CMP to block Alimama domains (mmstat.com, atanx.alicdn.com, tanx.com, alimama.com) until the visitor opts in to advertising cookies, and to release that consent immediately to the Alimama tag manager so attribution still works.
For brands selling on Tmall and Taobao, Alimama is essentially unavoidable on the Chinese leg of the funnel, but the tracking on the European storefront can often be replaced or limited. Server side conversion APIs, hashed first party data and aggregated reporting reduce the volume of raw personal data sent to China. Where a separate measurement stack is feasible (Matomo, Plausible, server side GA4 in EU), it is sound practice to keep the EU side measurement separate from the Alimama retargeting layer.
Websites using Alimama must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is strongly recommended before deploying Alimama tags on a European site. Key risks: large scale profiling and cross device tracking, transfer of personal data to mainland China without an adequacy decision, exposure to Chinese surveillance laws, and combination with Alibaba marketplace identifiers that can re identify EU users. Document the lawful basis (consent), the necessity test, the transfer impact assessment under EDPB Recommendations 01/2020, and the technical and organisational safeguards in place.
Sample consent text
We use Alimama, the advertising platform of Alibaba Group, to measure the performance of our campaigns and to show you relevant ads on Tmall, Taobao, AliExpress and partner sites. This involves storing cookies and similar identifiers on your device and transferring your personal data to Alibaba servers in mainland China, a country without an EU adequacy decision. You can accept, refuse or customise these cookies and you can withdraw your consent at any time from our cookie preferences page.
Third-party domains contacted
alimama.commmstat.comlog.mmstat.comatanx.alicdn.comtanx.comsimba.taobao.comalicdn.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cna | third_party | 13 months | Persistent visitor identifier set on mmstat.com, used for cross site tracking, attribution and audience building across the Alibaba advertising network |
| isg | third_party | session | Session level identifier used to keep tracking continuity within a single browsing session and to detect automated traffic |
| t | third_party | 1 year | Long lived tracking cookie used by Alimama and Tanx for retargeting and frequency capping |
| tb_token | third_party | session | Transaction and security token used when the visitor authenticates with an Alibaba account or interacts with a marketplace widget |
| miid | third_party | 1 year | Alibaba member identifier set when the visitor is logged in to Tmall, Taobao or AliExpress, used to tie behaviour to an account level profile |
| xlly_s | third_party | session | Load balancing and routing cookie set by Alibaba edge infrastructure to keep the user on the same server during a session |
| cookie2 | third_party | 1 year | Authentication cookie used by Alibaba properties, may be sent to Alimama tags when the visitor is signed in to an Alibaba account |
Alimama places tracking cookies for advertising — comply with GDPR using FlowConsent.
Alimama and its sister advertising domains set first and third party cookies such as cna (visitor identifier, around 13 months), isg (session identifier), t (long lived tracking), tb_token (transaction token) and miid (Alibaba member identifier). They are deposited from domains like mmstat.com, atanx.alicdn.com, tanx.com and alimama.com.
Yes. Alimama is an advertising and profiling tool, so its cookies and pixels are not strictly necessary. Under Article 5(3) of the ePrivacy Directive and the GDPR, you must collect prior, freely given, specific, informed and unambiguous consent before any Alimama tag fires. The reject all option must be as easy to use as the accept all option.
The lawful basis is consent under Article 6(1)(a) of the GDPR for the processing itself. Because the data is sent to mainland China, you also need explicit consent under Article 49(1)(a) for the international transfer, unless you can rely on Standard Contractual Clauses combined with appropriate supplementary measures and a documented Transfer Impact Assessment.
Yes. Alimama is operated by Alibaba Group and stores data on servers located in mainland China, which has no adequacy decision from the European Commission. Any deployment on a website targeting EU or UK visitors triggers the Chapter V transfer rules of the GDPR and requires SCCs plus a Transfer Impact Assessment that takes into account Chinese surveillance laws.
A Data Protection Impact Assessment is strongly recommended and, in most cases, required. Alimama combines large scale profiling, cross device identification, and a transfer to a non adequate country, three criteria that the EDPB lists as triggers for a mandatory DPIA. The DPIA should cover purposes, data flows, the lawful basis, the Transfer Impact Assessment, the technical safeguards and the rights of data subjects.
Block the Alimama scripts before consent through a Consent Management Platform such as FlowConsent, classify the cookies as advertising in your cookie policy, name Alimama and the China transfer in your privacy notice, sign Standard Contractual Clauses with Alibaba, run a DPIA and a Transfer Impact Assessment, and offer a clear reject all option in the banner. Test that your tags only fire after explicit opt in for advertising cookies.
For sites that mainly target European customers, you can decouple measurement from retargeting: keep a privacy friendly analytics layer (Matomo, Plausible or server side GA4 hosted in the EU) for performance reporting, and use Alimama only on the leg of the funnel that genuinely targets Chinese marketplaces. Server side conversion APIs and aggregated reporting also reduce the volume of personal data sent to China.
List Alimama and its tracking domains (mmstat.com, atanx.alicdn.com, tanx.com, alimama.com) in your cookie policy under the advertising or marketing category. Specify the cookie names, their purpose, their duration, the controller (Alibaba Group), and the fact that the data is transferred to mainland China. Link to Alibaba's privacy policy and to your CMP preferences page so visitors can withdraw consent at any time.