The Spotify Pixel is the advertising conversion tracking solution of Spotify Ad Services, used by advertisers to measure the impact of audio, video and display campaigns on the Spotify platform. It sets cookies on the advertiser website, captures conversion events, links them to Spotify users, and supports a server-side Conversions API. Because the pixel involves cross-context behavioural advertising and data transfers to the United States, explicit consent is required under the GDPR and the ePrivacy Directive.
The Spotify Pixel is the conversion measurement and audience building technology of Spotify Ad Services. Advertisers integrate it on their website to attribute conversions (purchases, sign-ups, app installs) back to audio, video or display campaigns on Spotify. The pixel is paired with the Spotify Conversions API for server-side first-party measurement, similar to Meta CAPI or Google Enhanced Conversions. Spotify is incorporated in Sweden but the advertising backend is operated from the United States.
The pixel collects conversion events, page URLs, referrers, user agents, IP addresses, click identifiers (when arriving from a Spotify ad) and an anonymous Spotify cookie identifier. Advertisers may optionally send first-party data through the Conversions API: hashed email addresses, phone numbers and customer identifiers. Spotify matches these signals to logged-in Spotify users for cross-device attribution and lookalike audience generation.
The Spotify Pixel is a third-party advertising tracker. Its cookies are not strictly necessary, so they require prior consent under Art. 5(3) of the ePrivacy Directive. The processing of personal data for cross-context behavioural advertising must be based on consent under Art. 6(1)(a) and Art. 7 GDPR. The European Data Protection Board reaffirmed in 2024 and 2025 that legitimate interest cannot justify behavioural advertising.
Configure your Consent Management Platform to block the Spotify Pixel until consent for marketing is granted. The CMP must offer Accept and Reject with equal prominence, granular purposes, and easy withdrawal. When using the Conversions API server-side, only send first-party data after the user has consented to advertising, and apply hashing in transit as required by the Spotify integration guide.
Spotify USA Inc. is certified under the EU-US Data Privacy Framework, which provides an adequacy mechanism for transfers between the EU and the United States. Operators must still document a Transfer Impact Assessment, sign Spotify Standard Contractual Clauses and monitor the validity of the DPF following any legal challenge after Schrems II.
Document Spotify Ad Services in your Article 30 register, sign the Spotify Ads Data Processing Addendum, configure your CMP to gate the pixel and the Conversions API, hash first-party identifiers before transmission, disclose the US transfer in your privacy notice, and offer an opt-out mechanism that propagates a deletion request to Spotify when required.
Websites using Spotify Pixel must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when the Spotify Pixel is used at scale for behavioural advertising, audience targeting or combined with first-party CRM data uploaded via the Conversions API. The CJEU Schrems II ruling requires a Transfer Impact Assessment for the US transfer.
Sample consent text
We use the Spotify Pixel, the conversion tracking technology of Spotify Ad Services, to measure the performance of our advertising on Spotify and to build audiences for future campaigns. This involves transferring your personal data to the United States.
Third-party domains contacted
ads.spotify.com, pixel.spotify.com, partner.spotify.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| _spotify_id | Marketing | 1 year | Spotify advertising identifier used to link a website visitor with a Spotify user for cross-device attribution and lookalike audiences. |
| _spotify_session | Marketing | Session | Tracks the current advertising session, including page views and conversion events captured by the pixel. |
| _spotify_match | Marketing | 30 days | Stores click identifier when the visitor arrives from a Spotify ad, used for attribution against the Spotify Ads dashboard. |
The pixel sets first-party tracking cookies on the advertiser domain to store an anonymous Spotify identifier, the active advertising session and click identifiers from incoming Spotify ad traffic. These cookies are not strictly necessary and require consent before being set.
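
A check for the consent gating described on this page, as an added example that is not code from Spotify or FlowConsent: it audits a capture of network requests and cookies recorded before marketing consent and flags any contact with the pixel domains or any of the pixel cookies listed above. The capture shape, sample URLs and cookie values are constructed assumptions.

```javascript
// Added example: audit a pre-consent page capture for Spotify Pixel activity.
// Hosts and cookie names are the ones listed on this page.
const PIXEL_HOSTS = ['ads.spotify.com', 'pixel.spotify.com', 'partner.spotify.com'];
const PIXEL_COOKIES = ['_spotify_id', '_spotify_session', '_spotify_match'];

// True only for a listed host or a subdomain of it; look-alike hosts such as
// pixel.spotify.com.example.net must not match.
function isPixelHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return PIXEL_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Parse a document.cookie-style string and return the pixel cookie names in it.
function pixelCookiesIn(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => PIXEL_COOKIES.includes(name));
}

// capture: { marketingConsent: boolean, requests: string[], cookies: string }
// (hypothetical shape, e.g. exported from a headless-browser run).
function auditCapture(capture) {
  if (capture.marketingConsent) return []; // pixel is allowed after opt-in
  const findings = [];
  for (const url of capture.requests) {
    if (isPixelHost(url)) findings.push({ type: 'request', value: url });
  }
  for (const name of pixelCookiesIn(capture.cookies)) {
    findings.push({ type: 'cookie', value: name });
  }
  return findings;
}

// Constructed sample: first page load, visitor has not made a choice yet.
const sampleCapture = {
  marketingConsent: false,
  requests: [
    'https://shop.example/assets/app.js',
    'https://pixel.spotify.com/constructed-path',   // constructed URL
    'https://pixel.spotify.com.example.net/x.js',   // look-alike, not Spotify
  ],
  cookies: 'cart=abc123; _spotify_id=constructed-value; theme=dark',
};

console.log(auditCapture(sampleCapture));
```

An empty result on a pre-consent capture means the gate held; any finding means the pixel fired or a cookie was set before opt-in.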
Yes. The pixel is a third-party advertising tracker. Art. 5(3) of the ePrivacy Directive requires consent for non-essential cookies, and Art. 6 GDPR requires consent for cross-context behavioural advertising. Consent must be granular and as easy to withdraw as to grant.
Consent (Art. 6(1)(a) GDPR). Legitimate interest cannot justify cross-context behavioural advertising per the EDPB Guidelines 8/2020 and 2/2023, and recent decisions against Meta and TikTok have reinforced that position.
Yes. Spotify USA Inc. operates the advertising infrastructure and is certified under the EU-US Data Privacy Framework. Standard Contractual Clauses and a Transfer Impact Assessment remain advisable for operators who export EU personal data to Spotify Ads.
A DPIA is recommended when the pixel is integrated with first-party CRM data through the Conversions API, when used at scale for retargeting, or when combined with other advertising trackers. The combined risk to data subjects often crosses the Art. 35 GDPR threshold.
Gate the pixel behind a Consent Management Platform, only fire on consent for marketing, sign the Spotify Ads Data Processing Addendum, hash first-party identifiers before sending them through the Conversions API, disclose the US transfer in your privacy notice and offer easy withdrawal of consent.
Yes. Acast (Sweden), Audion (France), Targetspot (Belgium), Triton Digital (US but with EU partners) and major European broadcasters' digital ad networks offer audio campaign attribution. None replaces Spotify reach, but they reduce exposure to US transfers when EU audience focus is dominant.
Add a Spotify Pixel section listing the cookies (_spotify_id, _spotify_session, _spotify_match), their duration and purpose. Mention Spotify USA Inc. as the processor and the US transfer covered by the EU-US DPF. Re-trigger the consent banner so existing visitors can review the new vendor.