Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Chartbeat is a real time content analytics platform for publishers that measures concurrent visitors, engaged time, scroll depth, traffic sources, and headline performance, with editorial dashboards used by newsrooms and publishing teams.
Chartbeat is a real time content analytics platform built for publishers, newsrooms, and editorial teams. The signature feature is a live dashboard that shows the number of concurrent readers on each page, the engaged time spent on the article, where readers come from, how far they scroll, and how each headline performs. Editors use those signals to choose homepage placements, refresh underperforming headlines, and shape coverage. Behind the scenes, a small JavaScript snippet on each page sends periodic pings to Chartbeat servers, which aggregate the activity into dashboards, alerts, and historical reports for news leaders.
Chartbeat sets persistent and session cookies that identify returning visitors and stitch sessions across pages, plus storage that holds short term state for engagement measurement. Typical artefacts include the _chartbeat2 long term identifier, the _chartbeat4 session cookie, and the _cb_svref referrer cookie. The platform also processes IP addresses, user agents, page URLs, scroll depth, focus events, and editorial metadata sent through the snippet. Even though the data is mostly behavioural, the combination of identifier and IP address makes it personal data under GDPR Article 4.
Chartbeat is a non essential analytics service under EU regulator guidance from the CNIL, the AEPD, and the BfDI, so its cookies and pings require prior consent under ePrivacy Article 5(3). GDPR applies to the visitor data sent to Chartbeat, with the publisher acting as controller and Chartbeat as processor for the analytics service. Some regulators recognise narrow audience measurement exemptions for first-party, identifier free counters, but the default Chartbeat setup uses identifiers and cross page tracking and therefore falls outside that exemption.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Chartbeat is headquartered in New York and runs the analytics pipeline on Amazon Web Services in the United States. Visitor IPs, identifiers, and engagement events are therefore transferred to a third country. After Schrems II, controllers must complete a transfer impact assessment, rely on Standard Contractual Clauses, and, where applicable, the EU: US Data Privacy Framework certification. Supplementary measures may include IP truncation, sample reduction, and contractual additions, and the choices should be documented and reviewed.
Load Chartbeat only after the visitor has accepted analytics cookies, gating the snippet through your consent management platform. Configure the platform to provide a refuse choice as accessible as the accept choice, store the proof of consent, and offer a link to change preferences. If you want to keep some signal even when consent is refused, consider switching to an aggregated, identifier free analytics tool, or use Chartbeat features that do not rely on persistent identifiers, with a documented balancing test for legitimate interest.
Add Chartbeat to the records of processing and the cookie policy with the categories of data, the retention, and the transfer mechanism. Sign the data processing addendum with Chartbeat and review the sub processor list. Run a DPIA, complete a transfer impact assessment, and document supplementary measures. Set retention values, test the site with consent denied to verify that no Chartbeat cookie or ping is sent before opt in, and review the configuration whenever Chartbeat features or sub processors change.
Websites using Chartbeat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for publishers with significant EU readership because Chartbeat performs systematic monitoring of online behaviour, uses persistent identifiers, and transfers data to the United States. Document the categories of personal data, the cookies and storage used, the legal basis for analytics, the SCCs and Data Privacy Framework reliance, the retention applied to engagement data, and the residual risk after consent gating. Reference the CNIL, AEPD, and EDPB positions on third country transfers.
Sample consent text
We use Chartbeat to measure how readers engage with our content in real time, including concurrent visitors, engaged time, and scroll depth. With your consent, Chartbeat sets cookies and transfers data to its infrastructure in the United States. You can accept, refuse, or change your choice at any time from the cookie settings link in the footer.
Third-party domains contacted
chartbeat.comstatic.chartbeat.comping.chartbeat.netapi.chartbeat.commab.chartbeat.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _chartbeat2 | first_party | 13 months | Long term identifier set by Chartbeat to recognise returning visitors and to attribute engaged time and scroll metrics to the same user across visits. |
| _chartbeat4 | first_party | Session | Session cookie used by Chartbeat to group page views and engagement events that belong to the same visit. |
| _cb_svref | first_party | 30 minutes | Cookie used by Chartbeat to capture the referrer information that brought the visitor to the site for source attribution. |
| _cb | first_party | 13 months | Cookie used by Chartbeat as a complementary identifier for engagement and audience metrics. |
| _cb_ls | first_party | 1 year | Cookie used by Chartbeat to keep a local state for engagement measurement and to support some real time dashboard features. |
Chartbeat collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Yes. Chartbeat writes persistent and session cookies, including _chartbeat2, _chartbeat4, and _cb_svref, plus similar storage used to identify returning visitors and to measure engaged time and scroll depth. Because these identifiers are stored on the visitor device, ePrivacy Article 5(3) applies and consent is required before they are written or read.
In almost all configurations, yes. The CNIL, AEPD, and BfDI consider general purpose audience analytics that uses persistent identifiers and tracks readers across pages as non essential, so consent is required. The narrow audience measurement exemption only covers strictly first-party, identifier free counters, which is not the default Chartbeat setup.
Article 6(1)(a) GDPR consent is the appropriate legal basis when Chartbeat is loaded with its standard configuration of persistent cookies and engagement tracking. Aggregated, identifier free counters could in theory rely on Article 6(1)(f) legitimate interest with a documented balancing test, but that requires custom configuration and additional safeguards.
They can be, with the right safeguards. Chartbeat hosts on AWS in the United States, so transfers must rely on Standard Contractual Clauses and, where applicable, the EU: US Data Privacy Framework certification. Controllers should complete a transfer impact assessment, document supplementary measures such as IP truncation, and review the documentation if Chartbeat changes infrastructure or sub processors.
A DPIA is recommended for publishers with significant EU readership. The combination of large scale behavioural monitoring, persistent identifiers, and US transfers matches several criteria from the EDPB DPIA guidelines. Document the data flows, the legal basis, the integrations, the retention, and the residual risk after mitigations such as consent gating.
Block the Chartbeat snippet through your consent management platform until the visitor has accepted analytics cookies. Make the refuse option as easy as the accept option, persist the proof of consent, and provide a link to change preferences. Ensure the snippet does not load and that no Chartbeat cookie or ping is sent before consent.
If consent is refused, switch to a privacy first analytics setup, for example Matomo configured without cookies, an internal aggregated counter, or Chartbeat in a reduced mode if the vendor allows identifier free measurement. Editorial decisions can also rely on contextual signals and direct feedback rather than cross page reader profiles.
List Chartbeat as a US analytics processor, mention each cookie it sets along with the duration and purpose, and explain that engagement metrics and identifiers are transferred to the United States. Disclose the legal basis, the SCCs, the EU: US Data Privacy Framework where applicable, the retention values, and the contact details for exercising data subject rights.