Salesforce Marketing Cloud Account Engagement (formerly Pardot) is a B2B marketing automation platform offering lead capture forms, email marketing, lead scoring and grading, drip campaigns and web visitor tracking through the Pardot tracking code. It assigns persistent visitor_id cookies, attributes anonymous visits to known prospects once a form is submitted, and feeds engagement data into Salesforce CRM. It is used by B2B sales and marketing teams to nurture leads, score account interest and trigger sales workflows.
Salesforce Marketing Cloud Account Engagement, still widely known by its former name Pardot, is a B2B marketing automation platform tightly integrated with Salesforce CRM. It combines landing pages, lead capture forms, email marketing, drip nurture programs, lead scoring, lead grading and an account-based engagement view. The most privacy-sensitive component is the Pardot tracking code, a JavaScript snippet (commonly named pi.js) that you embed on every page of your marketing site. Once a visitor consents, the script writes a first-party cookie containing a visitor_id linked to your Pardot account identifier (piAId), records page views, time on page, form submissions and clicks, and posts these events to a Salesforce-hosted endpoint such as pi.pardot.com or your configured tracker subdomain. When a previously anonymous visitor submits a form, Pardot performs cookie stitching: the visitor_id is connected to the prospect record carrying the email address, and all historical page views suddenly become identifiable. This retroactive identification is a key reason why consent must be obtained before the first page view is recorded.
Pardot raises several GDPR concerns that go beyond those of a basic analytics tool. The platform performs systematic profiling by assigning numeric scores and letter grades to prospects, which then drive automated assignment to sales reps and inclusion in targeted email cadences. Under Article 22 GDPR, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and aggressive sales outreach triggered by behavioral scoring can fall close to that line. The cookie horizon is also long: Pardot visitor cookies last up to ten years by default, allowing very long retrospective profiles. Finally, the cookie stitching mechanism, where anonymous browsing history is retroactively associated with an identified person, must be transparently disclosed in the privacy notice and covered by a valid legal basis from the very first page view.
The main cookies set by the Pardot tracking script are: visitor_id followed by your account number (for example visitor_id12345), which stores the unique visitor identifier; lpv followed by the account number, which holds the last page view timestamp used to deduplicate hits; a session cookie named pardot for short-lived continuity; and pi_opt_in, which records the consent state when you implement the opt-in API. Depending on your tracker domain setup, these cookies can be set either in the first-party context on your own marketing domain or in the third-party context on pi.pardot.com. All of these are non-essential under Article 5(3) of the ePrivacy Directive and the German TTDSG, since they exist to enable cross-session marketing analytics and lead identification rather than to deliver the page the user explicitly requested.
Account Engagement is operated by Salesforce Inc. with primary infrastructure in the United States. European customers can opt into the EU pod, which keeps the production database in Frankfurt, but ancillary processing, global support, sub-processors and Marketing Cloud integrations may still entail transfers outside the EEA. Salesforce relies on Standard Contractual Clauses in the 2021 form and is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF. Controllers should document this transfer chain in their record of processing activities (ROPA), perform a Transfer Impact Assessment that considers U.S. surveillance laws such as FISA 702 and Executive Order 14086, and surface the transfer clearly in the privacy notice and consent banner.
A compliant deployment starts with consent management. The Pardot snippet must be blocked by default and only injected after the visitor accepts the marketing or advertising consent category in your CMP, with all previously set cookies cleared on rejection. Configure a first-party tracker subdomain so that cookies are set on your own marketing domain, which improves cookie lifetime under Safari's Intelligent Tracking Prevention (ITP) and reduces cross-site risks. Shorten cookie lifetimes from the ten-year default to the minimum needed for your sales cycle, typically six to twenty-four months. Use the Pardot Consent API to honor opt-outs, suppress profiles for users who exercise their right to erasure, and integrate with the data subject rights workflow in Salesforce. Restrict form fields to the data strictly necessary for the stated purpose, separate marketing communication consent from cookie consent, and document the retention policy for prospect activity history.
For organizations seeking lighter-footprint marketing automation, alternatives include HubSpot Marketing Hub (US-based, similar profile), Adobe Marketo Engage (also US infrastructure with EU options), and European vendors such as Brevo (formerly Sendinblue), ActiveCampaign with EU residency, Mautic (open source, self-hosted) or Plezi for B2B. For very high-risk audiences (public sector, healthcare, legal), consider keeping lead capture server-side, sending only consented form data to a CRM, and using a cookieless analytics tool to measure marketing performance without persistent identifiers.
Websites using Salesforce Marketing Cloud Account Engagement must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended and likely mandatory under Article 35 GDPR. Pardot involves systematic monitoring of website visitors, persistent identifiers across sessions, automated lead scoring (a form of profiling that can produce significant effects on individuals targeted by sales outreach), large-scale processing of contact data, and international transfers to the United States. The DPIA should evaluate the necessity of behavioral tracking versus less invasive alternatives (server-side form processing without persistent cookies), retention periods for visitor histories, the impact of automated scoring on prospects, the adequacy of SCC and DPF safeguards, transparency toward unknown visitors who become identified after form submission, and the rights of data subjects to object to profiling under Article 22 GDPR.
Sample consent text
We use Salesforce Marketing Cloud Account Engagement (Pardot) to recognize returning visitors, measure interest in our products, attribute marketing campaigns and send relevant follow-up communications. This service stores visitor_id cookies on your device, links your activity to your email address once you submit a form, and shares your behavioral data with Salesforce Inc. in the United States under Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. We will only activate Pardot tracking and load the pi.pardot.com tracking script with your explicit consent. You can withdraw consent at any time from our cookie settings. Without consent, you can still browse our site and contact us through alternative channels.
Third-party domains contacted
pi.pardot.com, go.pardot.com, pardot.com, salesforce.com, force.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| visitor_id<piAId> | first_party | 10 years (default, configurable) | Persistent visitor identifier scoped to the Pardot account number (piAId). Tracks a browser across sessions, links anonymous browsing to a prospect record once a form is submitted, and powers lead scoring and email attribution in Salesforce Account Engagement. |
| lpv<piAId> | first_party | 30 minutes | Last Page View timestamp, scoped to the Pardot account number. Used by the tracking script to deduplicate rapid successive page views, throttle scoring events and avoid double counting of activity within the same browsing session. |
| pardot | first_party | Session | Session cookie set during a single browsing session to maintain continuity between page views and form interactions. Cleared when the browser is closed. |
| pi_opt_in | first_party | 10 years (configurable) | Stores the visitor opt in or opt out decision when the Pardot Consent API is enabled. Allows the tracking script to determine whether to activate visitor tracking, lead scoring and email engagement attribution on subsequent visits. |
| visitor_id<piAId>-hash | first_party | 10 years | Hashed verification value paired with the visitor_id cookie, used by Salesforce Account Engagement to validate the integrity of the visitor identifier and prevent tampering or cookie injection. |
Pardot sets several non-essential cookies, all loaded by the pi.js tracking script. The main one is visitor_id followed by the Pardot account number (for example visitor_id12345), a persistent identifier that can live up to ten years by default. It is accompanied by lpv plus the account number (last page view timestamp, used to deduplicate page views), a short-lived session cookie called pardot, and pi_opt_in when the Pardot Consent API is enabled. Depending on your tracker domain setup, these cookies are set either on your own marketing domain (first-party) or on pi.pardot.com (third-party). None of them is strictly necessary, so all require prior consent under Article 5(3) of the ePrivacy Directive.
Yes. Pardot performs cross-session tracking, lead identification through cookie stitching and automated profiling via lead scoring. Under Article 5(3) of the ePrivacy Directive (and national transpositions such as the French Data Protection Act, the German TDDDG, the Italian Codice Privacy or the Spanish LSSI), any non-essential storage requires prior informed consent. The Pardot snippet must therefore be blocked by default by your CMP and only loaded after the user accepts the marketing or advertising category. Pre-ticked boxes, soft opt-in, or implied consent from continued browsing are not valid.
For website tracking and the resulting profiling, the only realistic legal basis is consent under Article 6(1)(a) GDPR, combined with Article 5(3) ePrivacy for cookie storage. Legitimate interest under Article 6(1)(f) is generally not appropriate for behavioral tracking, persistent identifiers and cross-session profiling, since EDPB guidance and national supervisory authorities consider that the impact on data subjects outweighs the controller's interest. For existing CRM contacts, legitimate interest or contract performance may cover transactional emails, but marketing automation, lead scoring and cookie-based tracking still rely on consent.
Yes. Salesforce Inc. is a US company and Account Engagement is primarily hosted in the United States. European customers can subscribe to the EU pod with the production database in Frankfurt, but global support, sub-processors and Marketing Cloud integrations can still trigger transfers outside the EEA. Salesforce relies on the 2021 Standard Contractual Clauses and is certified under the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF. You must document these transfers in your ROPA, perform a Transfer Impact Assessment and disclose them in your privacy notice.
A DPIA is strongly recommended and usually required. Pardot meets several criteria from the EDPB and national DPA lists that trigger an Article 35 GDPR assessment: systematic monitoring of website visitors, persistent identifiers, automated scoring that can produce significant effects (sales contact, exclusion from leads), large-scale processing of contact data, and international transfers to a third country. The DPIA should describe the lifecycle from anonymous visit to identified prospect, evaluate retention, examine the impact of automated scoring, assess SCC and DPF safeguards, and define mitigation measures such as shorter cookie lifetimes and a first-party tracker domain.
Treat Pardot as a marketing tool that must be loaded only after consent. Block the pi.js script by default in your tag manager and CMP, and load it only when the marketing or advertising category is accepted. Set up a first-party tracker subdomain so cookies are written on your own marketing domain. Reduce the cookie lifetime from the ten-year default to the minimum needed for your sales cycle. Enable the Pardot Consent API to honor opt-outs across the platform and to delete or suppress profiles on erasure requests. Keep form fields minimal, separate cookie consent from marketing communication consent, and update your privacy notice to describe cookie stitching, automated scoring and US transfers.
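The consent gate described in the deployment guidance above and in this answer (block pi.js by default, load it only on an affirmative marketing consent, clear the Pardot cookies on rejection), as an added example that is not Salesforce's, Pardot's or FlowConsent's code. It assumes a constructed account id '12345' for piAId, a CMP that hands the gate a boolean (or undefined while no choice has been made), and the script path /pi.js on the tracker host; the browser glue uses document.cookie, while the decision logic is pure and can be unit tested.

```javascript
// Consent gate for the Pardot tracker (added example, not vendor code).
// Assumptions: SAMPLE_PIAID is a constructed account id; the '/pi.js' path is
// taken from the script name in the text; the CMP supplies true/false/undefined.

const SAMPLE_PIAID = '12345';          // constructed sample account id (piAId)
const TRACKER_HOST = 'pi.pardot.com';  // or your first-party tracker subdomain

// Cookie names the Pardot script writes for one account id (as listed in the table).
function pardotCookieNames(piAId) {
  return [`visitor_id${piAId}`, `visitor_id${piAId}-hash`, `lpv${piAId}`, 'pardot', 'pi_opt_in'];
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    const name = (idx < 0 ? part : part.slice(0, idx)).trim();
    if (name) jar[name] = idx < 0 ? '' : part.slice(idx + 1).trim();
  }
  return jar;
}

// Pardot cookies currently present in the jar: these are what a rejection must clear.
function findPardotCookies(cookieString, piAId) {
  const jar = parseCookies(cookieString);
  return pardotCookieNames(piAId).filter((name) => name in jar);
}

// Turn a consent decision into an explicit plan. Only an affirmative true loads the
// tracker; false and undefined (no decision yet) keep it blocked, so the default is off.
// optIn is the state to hand to the Pardot Consent API for the pi_opt_in cookie.
function planForConsent(marketingConsent, cookieString, piAId) {
  if (marketingConsent === true) return { loadTracker: true, clear: [], optIn: true };
  return { loadTracker: false, clear: findPardotCookies(cookieString, piAId), optIn: false };
}

// Browser glue: execute the plan. Each cookie is expired both without and with the
// domain attribute, because it may be scoped to the apex domain or the tracker subdomain.
function applyPlan(plan, cookieDomain) {
  const gone = 'expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  for (const name of plan.clear) {
    document.cookie = `${name}=; ${gone}`;
    document.cookie = `${name}=; ${gone}; domain=${cookieDomain}`;
  }
  if (plan.loadTracker) {
    const s = document.createElement('script');
    s.async = true;
    s.src = `https://${TRACKER_HOST}/pi.js`;  // path is an assumption, see lead-in
    document.head.appendChild(s);
  }
}
```

Wire `applyPlan(planForConsent(choice, document.cookie, SAMPLE_PIAID), 'example.com')` to your CMP's consent-change callback so a later withdrawal also runs the clearing branch.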
Common alternatives in the marketing automation space include HubSpot Marketing Hub (US-based, similar privacy profile), Adobe Marketo Engage (US infrastructure with regional options), and European vendors such as Brevo (formerly Sendinblue), ActiveCampaign with EU residency, Mautic (open source, self-hostable) or Plezi for pure B2B in Europe. For very privacy-sensitive deployments, you can also keep lead capture entirely server-side, integrate it directly with your CRM without web tracking, and measure marketing performance with a cookieless analytics solution like Plausible, Matomo (self-hosted) or Fathom.
List the Pardot cookies explicitly in your cookie policy: visitor_id (with the account number suffix), lpv, pardot and pi_opt_in. Describe each cookie's purpose (visitor identification, last page view, session continuity, consent state), its duration (from session up to several years), its category (marketing or advertising) and whether it is first- or third-party in your configuration. Name Salesforce Inc. as the recipient, explain that data is transferred to the United States under SCCs and the EU-U.S. Data Privacy Framework, and provide a link to the Salesforce privacy notice. The same information must appear in granular form in your CMP preference center so users can opt in or out specifically for Pardot.