Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
X Ads (formerly Twitter Ads) is the advertising platform on X (formerly Twitter), with the X Pixel and Conversion API to measure conversions and build remarketing audiences.
X Ads (formerly Twitter Ads) is the self serve advertising platform of X Corp, allowing advertisers to promote tweets, accounts and trends on the X feed. To measure conversions and build audiences on the publisher side, advertisers add the X Pixel (a JavaScript snippet) and optionally the Conversion API for server side events. The platform supports keyword, follower and behavioural targeting as well as Tailored Audiences (custom and lookalike).
The X Pixel sets and reads several third party cookies on the X (twitter.com and x.com) domains: muc_ads (advertising muc identifier, 2 years), personalization_id (personalisation across X, 2 years), guest_id_ads (guest advertising session, 2 years), ads_prefs and _twitter_sess. When a user is logged into X, the pixel associates browsing activity with the X account. The pixel sends page URL, event type (page view, content view, add to cart, purchase), custom parameters and, when Enhanced Conversions is enabled, hashed email or phone numbers.
The X Pixel is a third party advertising tracker that fits squarely within article 5(3) ePrivacy and article 6 GDPR. Consent is the only valid legal basis. X and the publisher are joint controllers for the audience targeting and conversion measurement processing, as detailed in the X Ads joint controller agreement. EU regulators (CNIL, DSK, AEPD) have repeatedly stressed that advertising pixels require prior, opt in consent and that pre ticked boxes or scroll consent are not valid.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the X Pixel inside your CMP until consent is granted for the Marketing or Advertising purpose. X integrates the IAB TCF v2.2: pass the TC string to the pixel through the global addEventListener mechanism. For the Conversion API, send only hashed identifiers from consenting users. Use the X opt out endpoint and disable the pixel for users who have withdrawn consent. Update event_id to deduplicate browser and server events.
X Corp is based in the United States and processes X Ads data on US infrastructure. EU personal data is therefore transferred outside the EEA. Transfers rely on the X DPA, EU SCCs and the EU US Data Privacy Framework. Verify X Corp DPF certification status before relying on it, and have a fallback transfer mechanism documented in your records of processing activities.
Sign the X Ads joint controller agreement and the standard DPA. Block the X Pixel behind a consent gate. Forward the IAB TCF v2.2 string. Limit Tailored Audience retention and avoid uploading sensitive data. Restrict Conversion API events to consenting users. List the X cookies in your cookie policy and identify X Corp as joint controller in your privacy notice with the US transfer disclosure.
Websites using X Ads (formerly Twitter Ads) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever X Pixel is used for large scale remarketing, when Conversion API transmits hashed identifiers, when tailored audiences are uploaded from CRM, or when targeting sensitive verticals.
Sample consent text
We use X Ads (formerly Twitter Ads) and the X Pixel to measure conversions and build remarketing audiences on X. X drops cookies on your device and may associate them with your X account. Without your consent, the X Pixel does not fire and no advertising data is shared.
Third-party domains contacted
twitter.comx.comads-twitter.comt.coanalytics.twitter.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| muc_ads | Marketing | 2 years | Marketing user cookie used by X Ads for advertising attribution and audience building across the X network. |
| personalization_id | Marketing | 2 years | Identifies the visitor on X for personalisation across X owned properties and ads. |
| guest_id_ads | Marketing | 2 years | Identifies a guest (logged out) visitor on X to attribute advertising activity to a consistent profile. |
| ads_prefs | Marketing | 5 years | Stores the visitor advertising preferences on X (interest based ads, opt outs). |
| _twitter_sess | Functional | Session | Maintains the user session on X. |
| eu_cn | Functional | 1 year | Stores whether the visitor was last identified as being located in the EU for compliance enforcement. |
X Ads (formerly Twitter Ads) places tracking cookies for advertising — comply with GDPR using FlowConsent.
The X Pixel sets cookies on twitter.com and x.com: muc_ads (advertising MUC ID, 2 years), personalization_id (personalisation, 2 years), guest_id_ads (guest advertising session, 2 years), ads_prefs and _twitter_sess. They are read on every page view that loads the pixel.
Yes. The X Pixel is a third party advertising and conversion tracker. Article 5(3) ePrivacy and article 6 GDPR require prior, opt in consent before the pixel fires.
Consent (article 6(1)(a) GDPR) for the cookies, the conversion measurement and the audience targeting. Legitimate interest is not appropriate for cross site behavioural advertising.
X Corp is based in the United States. Transfers rely on EU SCCs and on the EU US Data Privacy Framework when X Corp is DPF certified. Verify the certification status periodically.
A DPIA is recommended for large scale remarketing, when uploading Tailored Audiences from a CRM, when running Enhanced Conversions with hashed personal data, or when advertising in sensitive verticals.
Block the X Pixel until consent. Forward the IAB TCF v2.2 string. Use Conversion API for consenting users only with proper event_id deduplication. Limit Tailored Audience retention. Sign the joint controller agreement and the standard DPA.
For social ads with EU footprint: Meta Ads, LinkedIn Ads, TikTok Ads, Snapchat Ads, Pinterest Ads. For European specific reach: Bluesky (no ads yet), Mastodon instances, Reddit Ads, regional networks like XING in DACH or Viadeo in France.
List the X cookies (muc_ads, personalization_id, guest_id_ads, ads_prefs, _twitter_sess) with domain, duration and purpose. Identify X Corp as joint controller in the privacy notice. Describe the US transfers and the safeguards. Link to the X privacy policy and the personalisation opt out page.