Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Listrak is a US based digital marketing platform focused on retailers, combining email, SMS, identity resolution, predictive analytics and on site personalisation. Its tracking script captures product views, cart events and browse data, links them to a shopper through hashed email matching and stores the LtkAA and LtkBI cookies on the merchant domain. As a marketing tool, it requires prior consent under the GDPR and the ePrivacy Directive.
Listrak is a US digital marketing platform headquartered in Lititz, Pennsylvania, focused on retail and ecommerce. It combines email marketing, SMS, push, identity resolution, predictive analytics, on site personalisation and integrations with Shopify, Salesforce Commerce Cloud, BigCommerce, Magento and Klaviyo. European retailers selling into North America commonly deploy it via tag managers.
The Listrak tracking script writes the LtkAA (account anchor) and LtkBI (browse identifier) first party cookies on the retailer domain, plus a session storage entry. When a known shopper logs in or submits a form, Listrak hashes their email and matches it to past sessions, stitching anonymous browsing data into an identifiable customer profile.
The Listrak cookies are not strictly necessary, so Article 5(3) ePrivacy requires prior consent. Identity resolution by hashed email and the downstream profiling for predictive segments fall under the GDPR and are based on consent. Marketing emails and SMS follow PECR/LCEN national rules: consent for prospects, soft opt in for similar product communications to existing customers.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Listrak tracking script through your CMP until consent is granted. Configure the Listrak Identity Resolution to skip identification for visitors without consent. Use double opt in for email and a separate explicit opt in for SMS, capture the consent text and timestamp in Listrak as proof, and propagate withdrawal of consent across the integration.
Listrak Inc. operates US data centres. The transfer of personal data must rely on the EU U.S. Data Privacy Framework (where Listrak is certified) or on Standard Contractual Clauses signed with the European controller, with documentation in the records of processing and disclosure in the privacy policy.
Sign the Listrak DPA, gate the script on consent, segment European contacts to apply EU compliant message frequency, set retention periods on inactive customers, document Listrak Inc. as a processor with the US transfer and disclose the integration in the privacy policy.
Websites using Listrak must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Listrak performs identity resolution through hashed email matching, builds shopper profiles for predictive analytics and transfers data to the United States.
Sample consent text
We use Listrak for retail marketing and personalisation. With your consent, Listrak will set tracking cookies, capture your browsing and purchase activity, link it to your customer record and transfer the data to Listrak Inc. in the United States. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
cdn.listrakbi.comsl.listrakbi.comclick.listrakbi.comtx.listrakbi.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| LtkAA | first_party | 2 years | Account anchor cookie set by Listrak on the retailer domain to identify the merchant account context for the visitor. |
| LtkBI | first_party | 2 years | Browse identifier used by Listrak to track product views, cart events and link them to a hashed email when the shopper is identified. |
| LtkPopupOptIn | first_party | 30 days | Stores the dismissal of a Listrak popup or signup form to avoid showing it again during the configured period. |
Listrak places tracking cookies for advertising — comply with GDPR using FlowConsent.
The Listrak script writes the LtkAA (account anchor) and LtkBI (browse identifier) first party cookies on the retailer domain, plus session storage entries used for browse abandonment automation.
Yes. The cookies are not strictly necessary, the identity resolution links anonymous browsing to a hashed email and the marketing emails or SMS need their own opt in, so prior consent under Article 5(3) ePrivacy is required.
Consent for the cookies, the profiling and prospect emails or SMS. Soft opt in based on legitimate interests can apply to similar product emails to existing customers under PECR/LCEN. Order confirmation messages rely on contract performance.
Yes. Listrak Inc. operates US data centres. The transfer relies on the EU U.S. Data Privacy Framework or Standard Contractual Clauses signed in the Listrak DPA.
A DPIA is recommended due to identity resolution, predictive segmentation and the US transfers. Smaller deployments limited to one off newsletters with EU contacts may be lower risk.
Sign the DPA, gate the tracking script on consent, separate email and SMS opt ins, capture consent text and timestamp, set retention on inactive customers and document the US transfer in your records of processing.
EU and UK based retail marketing platforms include Bloomreach Engagement (Czech Republic), Dotdigital (UK), Emarsys (Austria, owned by SAP) or Klaviyo with EU region (US controller).
Add a section that names Listrak, lists the cookies (LtkAA, LtkBI) with purpose and duration, mentions the email and SMS automation and discloses the transfer to Listrak Inc. in the United States.