Monocle (formerly Wunderkind/BounceX) is a behavioural marketing platform specialising in identity resolution and triggered email retargeting. It identifies anonymous website visitors using email address matching and sends automated emails to recognised users who abandoned sessions. This identity resolution technology is particularly sensitive under GDPR as it links anonymous browsing behaviour to named individuals without requiring them to fill in a form during the current visit.
Monocle is a behavioural marketing and identity resolution platform. Its core technology identifies anonymous website visitors by matching browser fingerprints and cookie data against a shared identity graph built from email addresses collected across its network of publisher clients. When a known email address is matched to an anonymous visitor, Monocle can trigger automated emails, such as abandoned cart reminders or browse abandonment messages, without the visitor having entered their email during the current visit. This capability makes Monocle one of the most privacy-sensitive third-party tools available.
Monocle collects IP addresses, browser and device fingerprints, browsing behaviour, pages visited, products viewed, cart contents, session duration, and behavioural signals. Its identity resolution layer matches this data against a shared email identity graph. When a match is found, the visitor's email address, combined with their current and historical behavioural data, is used to trigger personalised email campaigns. The identity graph is shared across Monocle's client network, meaning a visitor's identity can be resolved based on email addresses collected by other businesses using the same platform.
Monocle raises some of the most complex GDPR compliance questions of any marketing tool. The identity resolution mechanism relies on a shared cross-client data pool, which means personal data collected with consent for one purpose on one website may be used to resolve identity on a completely different website. This cross-context data use is inconsistent with the GDPR's purpose limitation principle (Article 5(1)(b)). The automated triggered email retargeting based on behavioural profiling also requires explicit consent and must be disclosed specifically in the consent notice.
Consent is required before Monocle scripts load. The consent notice must specifically disclose identity resolution technology, explain that Monocle may identify the visitor using their email address from a shared network, and describe the triggered email retargeting function. Generic references to personalisation or marketing are insufficient. Users must specifically consent to identity resolution and automated triggered communications. Withdrawal of consent must stop all identity matching and remove the user from triggered email workflows immediately.
Monocle is a US company and processes all data, including the identity graph, on US infrastructure. Standard Contractual Clauses apply as the transfer mechanism. The cross-client identity graph creates an additional concern: personal data may be shared not just with Monocle as processor, but effectively across the entire client network participating in the identity resolution pool, which requires careful disclosure in your privacy policy.
To deploy Monocle compliantly: obtain specific, granular consent for identity resolution and triggered email retargeting before loading any Monocle scripts; update your privacy policy to specifically disclose the identity graph mechanism; conduct a mandatory DPIA; sign a DPA with Monocle that restricts cross-client data sharing to opted-in users only; document the US transfer in your RoPA; and implement an immediate opt-out that stops identity matching and removes users from triggered campaigns. Given the complexity of GDPR compliance for identity resolution technology, legal review is strongly recommended.
Websites using Monocle must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for Monocle deployments. The core identity resolution technology — linking anonymous browsing to known email addresses — constitutes high-risk profiling under GDPR Article 35. The automated triggered email retargeting based on behavioural signals, combined with US data transfers and the use of a shared identity graph across multiple client websites, all contribute to a processing activity that requires formal impact assessment.
Sample consent text
We use Monocle to personalise our communications and send you relevant messages based on your browsing activity. Monocle may identify you using your email address to send automated follow-up emails based on pages you have visited. This data is processed in the United States. Please accept to enable personalised communications and behavioural retargeting.
Third-party domains contacted
api.wunderkind.co
tag.wunderkind.co
monocle.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _wk_uid | persistent | 1 year | Cross-client identity resolution identifier used to match anonymous visitors to known email addresses in the shared identity graph |
| _wk_session | session | Session | Session-level behavioural signal collector used to build real-time intent data for triggered email decisions |
Monocle sets persistent tracking cookies used to maintain a device identifier and link the current visitor to its cross-client identity graph. These cookies enable Monocle to match anonymous visitors to known email addresses collected across its publisher network, even if the visitor has not entered their email during the current session. These are high-risk tracking cookies requiring explicit prior consent.
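One way to enforce prior, purpose-specific consent on the client is sketched below. This is an added example, not Monocle or FlowConsent code: the purpose keys, the `data-vendor` marker and the tag URL are placeholders, the cookie names come from the table above, and the cookies are assumed to be host-only on `Path=/`.

```javascript
// Added example; not Monocle or FlowConsent code.
// Hypothetical keys for the two purposes that need their own consent.
const MONOCLE_PURPOSES = ["identity_resolution", "triggered_email"];
// Cookie names taken from the cookie table on this page.
const MONOCLE_COOKIES = ["_wk_uid", "_wk_session"];
// Placeholder: the page does not give the tag URL.
const MONOCLE_TAG_URL = "https://tag.example.invalid/monocle-tag.js";

// True only when every purpose was explicitly accepted. A missing key,
// a null state or a truthy non-boolean value all count as "no consent".
function hasMonocleConsent(consent) {
  return Boolean(consent) && MONOCLE_PURPOSES.every((p) => consent[p] === true);
}

// Apply the current consent state. `doc` is the DOM document, passed in
// so the logic can also be exercised outside a browser.
function applyMonocleConsent(consent, doc) {
  const existing = doc.querySelector('script[data-vendor="monocle"]');

  if (hasMonocleConsent(consent)) {
    if (!existing) {
      // First load happens here, after consent, never from static HTML.
      const tag = doc.createElement("script");
      tag.src = MONOCLE_TAG_URL;
      tag.async = true;
      tag.setAttribute("data-vendor", "monocle");
      doc.head.appendChild(tag);
    }
    return { loaded: true, expiredCookies: [], reloadNeeded: false };
  }

  // No consent, or consent withdrawn: drop the tag and expire its cookies.
  // Removing the element does not stop code that has already run, so the
  // caller should reload the page when reloadNeeded is true.
  if (existing) existing.remove();
  for (const name of MONOCLE_COOKIES) {
    // Assumes host-only cookies on Path=/; add Domain= if set more widely.
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  return {
    loaded: false,
    expiredCookies: [...MONOCLE_COOKIES],
    reloadNeeded: Boolean(existing),
  };
}
```

In a browser, call `applyMonocleConsent(state, document)` on page load and again on every consent change. Removing the user from the identity graph and from triggered campaigns is a server-side step with the vendor and is not covered by this client-side gate.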
Yes, and the consent requirements are stricter than for most tools. Monocle's identity resolution technology links anonymous browsing to named individuals using a shared cross-client data pool. Consent must specifically cover identity resolution and triggered email retargeting, not just generic personalisation. A standard cookie consent banner without specific disclosure of identity resolution is insufficient.
Consent under Article 6(1)(a) GDPR is the only viable legal basis. Legitimate interest cannot be used for identity resolution-based email retargeting. The purpose limitation principle (Article 5(1)(b)) also requires that the cross-client identity graph is only used for purposes for which each individual gave consent, which is difficult to guarantee with a shared identity pool across multiple client websites.
Yes. Monocle is a US company and processes all data including the identity graph on US infrastructure. Standard Contractual Clauses apply. The shared cross-client identity graph creates additional disclosure obligations, as personal data from European visitors may effectively flow across multiple organisations sharing the same identity resolution network.
Yes, a DPIA is mandatory. GDPR Article 35 requires a DPIA for systematic profiling, large-scale processing of personal data for marketing, and processing involving identity matching across multiple data sources. Monocle's cross-client identity resolution, automated triggered emails, behavioural profiling, and US transfer all meet multiple trigger criteria. The DPIA must specifically assess the shared identity graph and cross-client data flows.
Obtain explicit, specific consent for identity resolution before loading Monocle. Update your privacy policy to disclose the identity graph mechanism and cross-client data sharing. Conduct a mandatory DPIA. Sign a DPA with Monocle that addresses the shared identity pool. Implement an immediate opt-out that removes users from the identity graph and all triggered campaigns. Document the US transfer in your RoPA. Given the complexity, seek legal review before deployment.
For triggered email retargeting without identity resolution, standard ESP tools (Klaviyo, Mailchimp) with first-party cart abandonment triggers are simpler to make GDPR-compliant. For browse abandonment, on-site exit-intent tools that capture email explicitly in the current session avoid the cross-client identity graph concern entirely. EU-based tools like Actito or Selligent offer triggered marketing with EU data residency.
Add a dedicated section on identity resolution and triggered email retargeting. Explain that Monocle identifies website visitors by matching device signals to a shared email identity network, that this may result in automated emails being sent based on browsing behaviour without the visitor entering their email in the current session, that data is processed in the US under SCCs, and that users can opt out by contacting you or clicking the unsubscribe link in any triggered email.