SharpSpring is a marketing automation and CRM platform now branded as Constant Contact Lead Gen and CRM. It tracks website visitors, captures form submissions and runs lead scoring, setting persistent identification cookies that require prior consent under GDPR and the ePrivacy Directive.
SharpSpring is a B2B marketing automation platform acquired by Constant Contact in 2021 and rebranded as Constant Contact Lead Gen and CRM. On a website it operates through an asynchronous JavaScript tracker (__ss.js), embedded form snippets and optional landing page builders. The tracker identifies anonymous visitors with persistent cookies, observes page views, button clicks and form submissions, and feeds the data into a CRM workspace that runs lead scoring, dynamic emails, drip campaigns and reporting.
SharpSpring writes first party cookies such as __ss (anonymous tracker identifier, up to 10 years), __ss_tk (session identifier) and koitk (Koi tracking subdomain). It also calls subdomains hosted under koi.com to record events. When a known prospect submits a form, the platform stitches the cookie identifier to the email address and starts processing personal data: name, email, phone, IP, page history and any custom fields collected through forms or imports.
Under Article 5(3) of the ePrivacy Directive, the SharpSpring tracker can only be loaded after a valid opt in: it sets non strictly necessary cookies and triggers profiling. Under the GDPR the website operator is controller and Constant Contact is processor. A Data Processing Agreement under Article 28 is mandatory, with a sub processor list and clear retention rules.
SharpSpring runs on US infrastructure. EU controllers must put Standard Contractual Clauses in place under Article 46(2)(c) GDPR and, where Constant Contact is certified, rely additionally on the EU US Data Privacy Framework. A transfer impact assessment should document government access risks and the additional safeguards (encryption, role based access, audit logs).
Block the SharpSpring tracker by default and load it after marketing consent. Sign the Constant Contact DPA, store the consent record alongside the lead in the CRM, expire visitor cookies after 13 months at most and document retention for CRM records. Provide a clear path for visitors to withdraw consent, exercise access and erasure rights, and opt out of email communications.
Websites using SharpSpring (Constant Contact Lead Gen and CRM) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because SharpSpring combines behavioural tracking, lead scoring and large scale email automation with US hosting. Document the consent mechanism, the data processing agreement with Constant Contact, international transfers and data minimisation measures.
Sample consent text
We use SharpSpring (Constant Contact Lead Gen and CRM) to measure your browsing, attribute your enquiries and automate sales follow ups. SharpSpring sets tracking cookies and transfers data to the United States. By clicking Accept, you authorise these operations. You can withdraw your consent at any time.
Third-party domains contacted
sharpspring.com
marketingautomation.services
hsforms.sharpspring.com
app.sharpspring.com
koi.com
koi-3QNHL3VG3O.marketingautomation.services
sharpspringmail.com
constantcontact.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| __ss | HTTP | 10 years | SharpSpring anonymous tracker identifier used to link visits, sessions and form submissions to a persistent profile. |
| __ss | first_party | 1 year | Persistent SharpSpring visitor identifier used to recognise returning users and link sessions to a lead profile. |
| __ss_tk | first_party | 1 year | Tracking token used to associate page views and form submissions with a SharpSpring contact record. |
| __ss_tk | HTTP | Session | SharpSpring session token used for in session correlation of events. |
| koitk | HTTP | 1 year | Identifier set by the SharpSpring Koi tracking subdomain to support cross subdomain attribution. |
| __ss_referrer | first_party | Session | Stores the original referrer URL of the visitor for marketing attribution within SharpSpring. |
| _pk_id | HTTP | 13 months | Stores a hashed prospect identifier when the user has been recognised via a previous form submission. |
| _ss_oka | first_party | 1 year | Stores attribution and source information used by the SharpSpring campaign tracking engine. |
| _ss_ub | first_party | 1 year | Behavioural identifier used by SharpSpring for visitor scoring and segmentation. |
| hubspotutk | third_party | 6 months | Set when SharpSpring forms are embedded via the HubSpot derived hsforms endpoint to identify visitors. |
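
To check a site against the two cookie rules this page recommends (no SharpSpring cookie before marketing consent, visitor cookies expiring after 13 months at most), the following added example audits Set-Cookie style strings. It is not SharpSpring or Constant Contact code; the function names, the sample strings and the fixed reference date are assumptions made for illustration, and only the cookie names are taken from the table above.

```javascript
// Added example: cookie names come from the table above; sample strings are constructed.
const SHARPSPRING_COOKIES = new Set([
  "__ss", "__ss_tk", "koitk", "__ss_referrer",
  "_pk_id", "_ss_oka", "_ss_ub", "hubspotutk",
]);

// Parse one Set-Cookie string into { name, expires }; expires null = session cookie.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? "" : pair.slice(0, eqPos);
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) {
      // Max-Age takes precedence over Expires (RFC 6265).
      return { name, expires: new Date(now.getTime() + Number(value) * 1000) };
    }
    if (key === "expires" && !Number.isNaN(Date.parse(value))) {
      expires = new Date(Date.parse(value));
    }
  }
  return { name, expires };
}

// Flag SharpSpring cookies set without marketing consent or living past 13 months.
function auditCookies(setCookieHeaders, consentGiven, now = new Date()) {
  const limit = new Date(now);
  limit.setUTCMonth(limit.getUTCMonth() + 13);
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, expires } = parseSetCookie(header, now);
    if (!SHARPSPRING_COOKIES.has(name)) continue;
    if (!consentGiven) findings.push({ name, issue: "set-before-consent" });
    if (expires && expires > limit) findings.push({ name, issue: "lifetime-over-13-months" });
  }
  return findings;
}
// Constructed sample: cookie strings observed on a page load before any consent click.
const NOW = new Date("2024-01-15T00:00:00Z");
const SAMPLE_HEADERS = [
  "__ss=abc123; Max-Age=315360000; Path=/", // about 10 years
  "__ss_tk=tok456; Path=/", // session cookie
  "koitk=k789; Expires=Wed, 15 Jan 2025 00:00:00 GMT; Path=/", // 1 year
  "sessionid=xyz; Path=/; HttpOnly", // not a SharpSpring cookie
];
console.log(auditCookies(SAMPLE_HEADERS, false, NOW));
```

Run it against the cookies recorded on a fresh visit with no banner interaction: any finding with `set-before-consent` means the tracker was not blocked by default.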
SharpSpring deposits several first party cookies including __ss, __ss_tk, __ss_referrer, _ss_oka and _ss_ub. They are persistent visitor identifiers used to track behaviour across sessions and to link anonymous activity to a known contact once a form has been submitted.
SharpSpring sets first party cookies including __ss (anonymous tracker identifier, up to 10 years), __ss_tk (session token), koitk (Koi subdomain tracker, 1 year) and may store a hashed prospect identifier. It also calls Koi tracking subdomains to record events.
Yes. SharpSpring deposits non essential cookies and performs profiling, so prior, freely given, specific, informed and unambiguous consent is required under Art. 5(3) of the ePrivacy Directive and Art. 6(1)(a) GDPR. The script must remain blocked until the user accepts.
Yes. SharpSpring loads behavioural tracking and persistent cookies, so under Article 5(3) of the ePrivacy Directive the loader must wait for an explicit opt in. EU regulators treat marketing automation pixels as non strictly necessary.
The primary legal basis is consent under Art. 6(1)(a) GDPR for marketing tracking and profiling. Once the user becomes a customer, contractual necessity under Art. 6(1)(b) GDPR can support transactional emails, while legitimate interest under Art. 6(1)(f) only covers narrow technical logs.
Consent (Art. 6(1)(a) GDPR) is required for the tracking pixel and cookies. Legitimate interest (Art. 6(1)(f) GDPR) can support internal back office lead management once consent is collected and a balancing test is documented.
Yes. SharpSpring is operated by Constant Contact, Inc. in the United States, and visitor profiles, IP addresses and form submissions are processed on US infrastructure. Transfers rely on the EU US Data Privacy Framework and Standard Contractual Clauses with supplementary measures.
Yes. SharpSpring runs on US infrastructure operated by Constant Contact. Use Standard Contractual Clauses under Article 46(2)(c) GDPR and rely on the EU US Data Privacy Framework once the entity is certified. Perform a transfer impact assessment.
A DPIA is strongly recommended. The combination of persistent identifiers, profiling, lead scoring and international transfers triggers Art. 35(3)(a) GDPR criteria. The DPIA should evaluate Schrems II risks, retention, automated decisioning and consent quality.
Yes, because SharpSpring combines large scale behavioural tracking with lead scoring and email automation across US infrastructure. Document the data flows, the actors, transfers and safeguards.
Block the script by default, integrate it with a Consent Management Platform, fire it only after explicit opt in, sign a Data Processing Agreement with Constant Contact, configure retention inside SharpSpring and disclose the US transfer in your privacy policy.
Block the tracker by default, load it after marketing consent, sign the Constant Contact DPA, log the consent record alongside the lead, expire cookies after 13 months at most, document retention and offer a clear consent withdrawal and rights exercise path.
For EU friendly marketing automation consider Brevo (France), Mailerlite, ActiveCampaign (with SCC), Plezi (France) for B2B, or HubSpot Starter combined with a CMP that controls tracker loading.
Yes. Brevo (France), Plezi (France), Webmecanik (France) and Salesmanago (Poland) provide marketing automation hosted in the European Union, which reduces Schrems II exposure compared with US based platforms.
List each SharpSpring cookie (__ss, __ss_tk, __ss_referrer, _ss_oka, _ss_ub) with purpose, type and duration, mention Constant Contact, Inc. as recipient, disclose the US transfer, and provide a working link to withdraw consent through your CMP.
List the controller, the processor (Constant Contact), the purposes (marketing tracking, automation), the cookies, the koi.com sub processor domains, the US transfers and their legal basis, and the rights and withdrawal mechanism.