AWeber is a US email marketing platform offering newsletters, automation, landing pages and embeddable sign up forms. AWeber web tracking pixels (aweber.com, forms.aweber.com) collect IP address, page URL and subscriber attribution data, and store it on US infrastructure.
AWeber is a US email marketing platform aimed at small and medium businesses, offering broadcasts, automations, landing pages and embeddable sign up forms. Personal data enters AWeber through three channels: subscriber data submitted via AWeber sign up forms or landing pages, contact data imported manually or via the API, and engagement data (opens, clicks, IP, user agent, geolocation) generated by recipients opening AWeber email broadcasts. AWeber also offers a web tracking pixel that attributes new subscribers to source pages on the customer site.
When an AWeber sign up form is embedded, scripts load from forms.aweber.com and may set tracking cookies on aweber.com to attribute the subscriber. Email broadcasts sent through AWeber include an open pixel hosted on aweber.com and click tracking that redirects through aweber.com before reaching the destination. From an ePrivacy perspective these tracking technologies require prior consent because they are not strictly necessary for the service the visitor explicitly requested.
Marketing emails sent through AWeber typically require explicit opt in consent (Art. 6(1)(a) GDPR, Art. 13 ePrivacy Directive). The soft opt in exception (existing customer relationship, similar products, easy unsubscribe) is narrower than many marketers assume. The AWeber sign up form, open pixel and click tracking must be disclosed in the privacy policy, and the unsubscribe link must be functional in every broadcast. Subscriber records should carry timestamp and source evidence of consent.
AWeber Communications, Inc. stores subscriber data exclusively in the United States. Transfers from the EU require a valid transfer mechanism: AWeber self certifies under the EU US Data Privacy Framework and offers a Data Processing Addendum incorporating the Standard Contractual Clauses. Controllers must conduct a Transfer Impact Assessment and consider supplementary measures, especially where subscribers are public officials, journalists or members of sensitive communities.
Sign the AWeber Data Processing Addendum and log it with your processor inventory. Configure double opt in on sign up forms, log timestamp and source for each consent, and include AWeber in the cookie banner if the web tracking pixel or embedded forms load before consent. Set a retention rule that removes unsubscribed and long inactive contacts. Provide a clear unsubscribe link in every broadcast. Document the EU US transfer mechanism (DPF and SCCs) and review the AWeber subprocessor list periodically.
Websites using AWeber must obtain user consent under GDPR regulations.
DPIA considerations
AWeber processes contact data, IP addresses, engagement metrics (opens, clicks) and may receive special category indicators when used by health, political or religious organisations. A DPIA is recommended when AWeber holds large subscriber bases, when behavioural segmentation is used, or when subscribers include minors. Document AWeber as a processor, sign the AWeber DPA, reference the DPF self certification and SCCs, define retention rules for unsubscribed and inactive contacts, and assess the transfer impact in light of US surveillance laws (FISA 702, EO 14086).
Sample consent text
Our newsletter sign up form is provided by AWeber Communications, Inc. (United States). To display the form we load scripts from aweber.com which may set cookies and collect your IP address. Click Accept to load the form and continue. Submitting your email also constitutes consent to receive marketing emails which you can revoke at any time.
Third-party domains contacted
aweber.com
forms.aweber.com
send.aweber.com
awtrack.com
aweber-static.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| aw_visitor_id | First party (aweber.com web tracker) | Persistent (1 year) | Identifies the visitor across visits to the publisher site to attribute newsletter sign ups to the source page |
| aw_session | Strictly necessary (AWeber admin authentication) | Session | Maintains the authenticated session for AWeber customers in the admin console |
| _csrf_token | Strictly necessary (CSRF protection) | Session | Anti CSRF token protecting AWeber form submissions and admin actions |
| aw_signup_ref | First party (sign up attribution) | Persistent (30 days) | Stores the referring page and campaign for attribution of new subscribers in AWeber reports |
AWeber sets first party cookies on aweber.com such as aw_visitor_id (1 year, source attribution), aw_signup_ref (30 days, campaign attribution) and aw_session (session, admin login). Embedded sign up forms loaded from forms.aweber.com inherit these cookies. In email broadcasts, AWeber uses open pixels on aweber.com and click redirects which create logs but no client side cookies.
Yes. The AWeber web pixel and embedded sign up forms set non essential cookies and load scripts before the visitor interacts. Under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR you must obtain prior consent. The marketing email itself also requires explicit subscriber opt in under the ePrivacy Directive.
Marketing broadcasts rely on Art. 6(1)(a) GDPR consent combined with Art. 13 ePrivacy Directive (opt in). Transactional emails to existing customers may rely on Art. 6(1)(b) (contract) or the soft opt in for similar products, provided every message offers a working unsubscribe link.
AWeber stores subscriber data only in the US. The transfer mechanism is the EU US Data Privacy Framework (AWeber is self certified) plus the Standard Contractual Clauses in the AWeber Data Processing Addendum. Conduct a Transfer Impact Assessment and document supplementary measures (encryption, access controls) before sending personal data to AWeber.
A DPIA is recommended when AWeber holds large subscriber bases, when behavioural segmentation is used to profile readers, when minors are subscribed or when the sender belongs to a sensitive sector (health, politics, religion). Document AWeber as processor, the DPF and SCC transfer mechanisms, retention rules and the data subject rights workflow.
Enable double opt in on every sign up form, log timestamp, IP and source page for each consent, defer the AWeber pixel and embedded forms until cookie consent is given, sign the AWeber DPA, configure a working unsubscribe link in every broadcast and set automated retention to delete bounced and long inactive contacts.
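One way to verify that the AWeber pixel and embedded forms really are deferred until consent: the added example below (not AWeber's or this site's code) audits a browser request log for contacts to the domains listed under "Third-party domains contacted" that happened before the Accept click. The record shape, the sample log and the placeholder paths are assumptions made for illustration.

```javascript
// Added example: audit a request log for AWeber contacts made before consent.
// Domains and cookie names come from this page; the record shape is an assumption.
const AWEBER_DOMAINS = ["aweber.com", "forms.aweber.com", "send.aweber.com",
                        "awtrack.com", "aweber-static.com"];
const NON_ESSENTIAL_COOKIES = ["aw_visitor_id", "aw_signup_ref"];

// True when host is a listed domain or a subdomain of one. Matching on a label
// boundary keeps "notaweber.com" and "aweber.com.example.net" from matching.
function isAweberHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return AWEBER_DOMAINS.some(d => h === d || h.endsWith("." + d));
}

// requests: [{ time: ms, url: string, setCookies: [cookie names] }]
// consentTime: ms timestamp of the Accept click, or null if consent was never given.
function findPreConsentContacts(requests, consentTime) {
  const findings = [];
  for (const r of requests) {
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; } // skip unparsable URLs
    if (!isAweberHost(host)) continue;
    if (consentTime !== null && r.time >= consentTime) continue; // loaded after consent
    const cookies = (r.setCookies || []).filter(n => NON_ESSENTIAL_COOKIES.includes(n));
    findings.push({ time: r.time, host, cookies });
  }
  return findings;
}

// Constructed sample log (not real traffic); paths are placeholders.
const SAMPLE_LOG = [
  { time: 100, url: "https://shop.example/", setCookies: [] },
  { time: 180, url: "https://forms.aweber.com/placeholder.js", setCookies: ["aw_visitor_id"] },
  { time: 200, url: "https://notaweber.com/x.js", setCookies: [] },
  { time: 900, url: "https://aweber.com/placeholder", setCookies: ["aw_signup_ref"] },
];
const SAMPLE_CONSENT_TIME = 500;

console.log(findPreConsentContacts(SAMPLE_LOG, SAMPLE_CONSENT_TIME));
```

An empty result for a page load recorded without clicking Accept is the outcome to aim for; any finding names the host and the non essential cookies it set before consent.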
EU hosted alternatives include Brevo (France), MailerLite (Lithuania with EU region), Mailjet (France) and Cleverreach (Germany). Self hosted options such as Listmonk or Sendy with EU SMTP relays avoid US transfers entirely. The choice depends on volume, automation needs and existing martech stack.
List the aweber.com cookies (aw_visitor_id, aw_signup_ref) and forms.aweber.com scripts in the cookie policy. In the record of processing activities, document AWeber as a processor for the newsletter list, name AWeber Communications, Inc. (United States) as data importer, reference the DPF and SCCs, define retention for unsubscribed contacts and describe how to exercise data subject rights.