Mautic is the leading open source marketing automation platform, used to track website visits, score leads, run email campaigns and trigger nurture flows. Its tracking pixel (mtc.js) writes the mtc_id and mtc_sid cookies and links anonymous browsing to identifiable contacts when forms are submitted, which makes it a marketing tracker requiring prior consent under the GDPR and ePrivacy Directive.
Mautic is an open source marketing automation platform originally launched in 2014 and now stewarded by the Mautic Community and Acquia. It covers contact databases, email campaigns, landing pages, dynamic content, lead scoring and behavioural segmentation. Many European mid-market and B2B companies self-host Mautic on their own EU servers, while others use the Acquia Campaign Studio or Mautic Cloud SaaS editions.
The Mautic tracking script writes mtc_id (a stable visitor identifier) and mtc_sid (a session identifier) on the publisher domain. When a known contact opens an email or submits a form, Mautic links the cookie identifier with the contact record, turning the previously anonymous browsing history into identifiable behavioural data.
The mtc cookies are not strictly necessary, so Article 5(3) ePrivacy requires prior consent before they are written. The downstream profiling and lead scoring fall under the GDPR and need a clear legal basis. For prospects, consent is generally the only safe option; for existing customers, legitimate interests may apply for soft opt-in email scenarios under national ePrivacy implementations.
Block mautic.js / mtc.js in your tag manager until the visitor accepts the marketing category. Mautic ships a Do Not Track plugin that can disable cookie writing for users who refuse consent. The contact preference centre should also be wired to the consent state, so that withdrawing consent disables tracking and email campaigns end-to-end.
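One way to implement the gate described above when the tracker is loaded from your own code rather than a tag manager. This is an added example, not Mautic or FlowConsent code: `createMauticGate`, the `{ marketing: boolean }` consent shape and the `path=/` cookie scope are assumptions, and the window and document objects are passed in so the logic can be tested outside a browser.

```javascript
// Added example: consent gate for the Mautic tracking script.
// createMauticGate and the consent object shape are hypothetical names.
const MAUTIC_COOKIES = ['mtc_id', 'mtc_sid']; // cookies listed on this page

function createMauticGate(win, doc, mtcUrl) {
  let state = 'blocked'; // 'blocked' -> 'loaded' -> 'withdrawn'

  function loadTracker() {
    // Command-queue stub, as in Mautic's standard tracking snippet.
    win.MauticTrackingObject = 'mt';
    win.mt = function () { (win.mt.q = win.mt.q || []).push(arguments); };
    const script = doc.createElement('script');
    script.async = true;
    script.src = mtcUrl; // https://<your-mautic-host>/mtc.js
    doc.head.appendChild(script);
    win.mt('send', 'pageview');
  }

  function expireCookies() {
    // Assumes the cookies were set with path=/ on the current host; a cookie
    // set with a Domain attribute must be expired with that same attribute.
    for (const name of MAUTIC_COOKIES) {
      doc.cookie = name + '=; Max-Age=0; path=/';
    }
  }

  return {
    state: () => state,
    // Call on the initial CMP decision and on every later change.
    onConsentChange(consent) {
      const granted = Boolean(consent && consent.marketing === true);
      if (granted && state === 'blocked') {
        loadTracker(); // the only path that ever requests mtc.js
        state = 'loaded';
      } else if (!granted) {
        expireCookies();
        if (state === 'loaded') {
          win.mt = function () {}; // drop further tracking calls on this page
          state = 'withdrawn';     // stays withdrawn until the next page load
        }
      }
      return state;
    },
  };
}
```

A script that has already executed cannot be unloaded, so after a withdrawal the gate stays in `withdrawn` for the rest of the page view; the next page load starts from `blocked` again.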
Self-hosting Mautic in the EU on your own infrastructure removes any third-country transfer concern. If you choose Acquia Campaign Studio or another US-hosted SaaS edition, the controller must rely on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses and disclose the transfer in the privacy policy.
Gate the tracking script behind your CMP, document the legal basis for each segment in the records of processing, set retention periods on contacts and cookie lifetimes, and offer a clear unsubscribe link in every email. For transactional emails, separate the legal basis (contract performance) from marketing consent in the Mautic configuration.
Websites using Mautic must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Mautic is used for behavioural lead scoring on a large database, when sensitive segments are built or when a US-hosted cloud edition is chosen. Self-hosted EU instances with limited tracking lower the risk significantly.
Sample consent text
We use Mautic to track your visit, send marketing emails and personalise our communications. With your consent, we will store the mtc_id and mtc_sid cookies on your device and link your browsing to your contact record. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
mautic.org
self-hosted Mautic instance (controller domain)
mautic.acquiacloud.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mtc_id | first_party | 1 year | Stable visitor identifier set by the Mautic tracking script to recognise the visitor across sessions and link browsing to a contact record. |
| mtc_sid | first_party | session | Session identifier set by Mautic to attribute page views to the current visit. |
The Mautic tracking script writes mtc_id (a stable visitor identifier) and mtc_sid (a session identifier) on the publisher domain. When a contact is known, additional cookies may be set to link sessions across devices.
Yes. The mtc cookies are not strictly necessary, so prior consent is required under Article 5(3) of the ePrivacy Directive. The profiling and lead scoring also require a clear legal basis under the GDPR.
For prospects, consent is the only safe basis. For existing customers, legitimate interests can support soft opt-in email under national ePrivacy implementations, but website tracking still needs consent.
Not when Mautic is self-hosted in the EU. If you use Acquia Campaign Studio or another US-hosted SaaS edition, transfers occur and must rely on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses.
A DPIA is recommended when Mautic is used for behavioural lead scoring on a large database, when sensitive segments are built or when the SaaS edition is hosted outside the EU.
Block mtc.js until consent, enable the Do Not Track plugin, set retention periods on contacts and cookies, document each segment's legal basis and provide a clear unsubscribe in every email.
Privacy-friendly alternatives include EU-hosted SaaS marketing automation (Plezi, Sendinblue, ActiveCampaign EU) or first-party CDPs combined with a transactional ESP.
Add a section that names Mautic, lists the cookies (mtc_id, mtc_sid) with purpose and duration, mentions the hosting location and clarifies the transfers if the SaaS edition is used.