Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Pinterest Conversion Tag (also called the Pinterest Tag) is an advertising pixel that tracks visitor behaviour and purchase events on your website, attributing them to Pinterest ad campaigns. It collects IP addresses, hashed email addresses, and behavioural events, transmitting them to Pinterest servers in the United States. Under GDPR and the ePrivacy Directive, explicit prior consent is required before loading the tag. Operating it without a consent management platform exposes website owners to regulatory enforcement.
Pinterest Conversion Tag, commonly called the Pinterest Tag, is a JavaScript advertising pixel published by Pinterest Inc. that website operators embed to track visitor interactions and attribute them to Pinterest ad campaigns. When a visitor arrives from a Pinterest ad and takes an action (page view, add to cart, checkout, purchase), the tag fires and sends event data to Pinterest. This data powers campaign reporting, optimises Pinterest ad delivery using machine learning, and enables the creation of custom and lookalike audiences for retargeting.
The Pinterest Tag collects visitor IP addresses, page URLs, browser user-agent strings, referrer information, and custom conversion events. With Advanced Matching enabled, it also hashes and transmits email addresses, phone numbers, and names. The tag sets several persistent cookies including _pinterest_ct_ua (unique user attribution, 1 year), _epik (conversion attribution, 1 year), and _pinterest_ct_rt (real-time conversion, session). These cookies allow Pinterest to recognise returning visitors, attribute conversions across sessions, and match website visitors to their Pinterest member profiles.
Pinterest Conversion Tag involves high-risk personal data processing: it tracks users across websites, builds behavioural profiles, and enables cross-site identification. Under the ePrivacy Directive, all non-essential cookies require prior consent. Under GDPR, processing IP addresses, behavioural data, and hashed PII for advertising purposes requires a valid legal basis. EU regulators have consistently ruled that advertising pixels require explicit opt-in consent. Using the Pinterest Tag without a functioning consent management platform constitutes a likely violation of both GDPR and applicable national ePrivacy laws.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Pinterest Tag script must be blocked by default and only loaded after the visitor grants explicit consent to marketing or advertising cookies. Consent must be freely given, specific, informed, and unambiguous under GDPR Article 7. Pre-ticked boxes and continued browsing do not constitute valid consent. A consent management platform should pass consent status to the Pinterest Tag and prevent it from firing where consent has not been obtained. Consent records must be stored for audit purposes. If using Advanced Matching, additional consent covering PII transmission is required.
Pinterest Conversion Tag sends all conversion data to Pinterest Inc. servers in the United States. Pinterest relies on Standard Contractual Clauses for EU-US data transfers. Advertisers using the tag are joint data controllers with Pinterest for conversion tracking purposes. This means European advertisers share responsibility for ensuring lawful transfer and processing of EU visitor data. GDPR Chapter V applies, and website operators should maintain a data processing agreement with Pinterest and document the transfer mechanism used.
Integrate a consent management platform that blocks the Pinterest Tag by default. Add a Pinterest advertising cookie category to your consent banner. Only load the tag after marketing consent is granted. Consider using the Pinterest Conversions API (server-side) alongside or instead of the browser pixel to reduce reliance on cookies. Disable Advanced Matching unless the user has consented to PII sharing. Update your cookie policy to list all Pinterest cookies, their duration, and purpose. Review and accept Pinterest's data processing terms in your ads account.
Websites using Pinterest Conversion Tag must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended given systematic collection of personal data at scale including IP addresses, hashed PII, and behavioural events. Assess: (1) legal basis for Advanced Matching using hashed email, (2) adequacy of Pinterest's Standard Contractual Clauses for US transfers, (3) data minimisation options, (4) data retention periods, (5) whether inferred interests touch special category data.
Sample consent text
I consent to Pinterest Conversion Tag tracking my activity on this site to measure Pinterest ad campaign performance. This may transfer my data to Pinterest Inc. in the United States. I can withdraw consent at any time.
Third-party domains contacted
ct.pinterest.comapi.pinterest.comlog.pinterest.comwidgets.pinterest.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pin_unauth | persistent | 1 year | Assigns a temporary identifier to unauthenticated visitors for conversion measurement and ad frequency capping |
| _pinterest_ct_ua | persistent | 1 year | Stores the Pinterest conversion tag user agent data for cross-device attribution and analytics |
| _pinterest_sess | persistent | 1 year | Maintains the Pinterest session for authenticated users to enable personalised ad targeting |
| _epik | persistent | 1 year | Enhanced Pinterest Identifier for Klaviyo integration, used for cross-platform conversion attribution |
Pinterest Conversion Tag places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. The Pinterest Conversion Tag fires immediately on page load, sets persistent advertising cookies, and begins cross-site tracking before any visitor interaction with a Pinterest ad. Under the ePrivacy Directive, prior consent is required for non-essential advertising cookies. Under GDPR Article 6(1)(a), consent is the only valid legal basis for cross-site advertising profiling. The tag must not load until the visitor actively accepts advertising cookies.
The Pinterest Conversion Tag sets _pin_unauth (a unique identifier for unauthenticated visitors, 1 year), _pinterest_ct_ua (a visitor identifier for conversion tracking and attribution, 1 year), _pinterest_sess (a session identifier for authenticated Pinterest users, 1 year), and _epik (an enhanced conversion tracking ID that improves attribution accuracy, 1 year). These cookies enable conversion measurement, audience retargeting, and enhanced matching between website activity and Pinterest user profiles.
Consent under Article 6(1)(a) GDPR is the only valid legal basis for the Pinterest Conversion Tag. Legitimate interest cannot justify cross-site tracking for advertising profiling, as multiple EU data protection authorities have confirmed. The combination of persistent advertising cookies, cross-site tracking, and US data transfers excludes legitimate interest as a valid basis. Freely given, specific, informed, and unambiguous consent must be obtained before loading the tag.
Yes. All data collected by the Pinterest Conversion Tag is processed by Pinterest Inc. in the United States. Pinterest relies on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) for EU to US transfers. You must verify Pinterest current DPF certification, sign the Pinterest Data Processing Agreement via your Business account, and disclose the US transfer and applicable mechanism in your privacy policy.
A DPIA is recommended for e-commerce websites with significant EU traffic that use the Pinterest Conversion Tag for retargeting, particularly if you combine purchase data, customer match lists, or other personal data with Pinterest audience profiling. The cross-site tracking at scale combined with the US data transfer constitutes high-risk processing under Article 35 GDPR. Review the DPIA requirement with your Data Protection Officer.
Block the Pinterest tag script by default using a CMP and inject it only after the visitor grants advertising consent. Implement Pinterest Consent Mode to allow the tag to fire in a limited non-personalised mode before consent and switch to full tracking after consent. Ensure your CMP correctly signals consent state to the Pinterest tag and that consent withdrawal removes the tag and stops all tracking immediately.
Yes. Pinterest supports a server-side Conversions API that sends conversion events directly from your server to Pinterest without client-side cookies, significantly reducing browser-level tracking. This is the most privacy-compliant way to measure Pinterest ad performance, as it avoids cross-site tracking cookies while still enabling conversion attribution. Server-side conversion APIs are also not affected by browser cookie restrictions or ad blockers.
In your cookie policy, list each Pinterest cookie (_pin_unauth, _pinterest_ct_ua, _pinterest_sess, _epik) with its name, category (advertising), duration, and purpose. In your privacy notice, describe the tag conversion tracking and retargeting activities, identify Pinterest Inc. as the data processor, state the legal basis (consent), and disclose the US data transfer with reference to DPF and SCCs. Reference your signed Data Processing Agreement with Pinterest.