Mixpanel is a leading product analytics platform that tracks individual user events across web and mobile applications. It enables teams to build funnels, measure retention, analyse user journeys, and run A/B experiments. Consent is required for Mixpanel tracking cookies and localStorage under the ePrivacy Directive. An EU data residency option (Amsterdam) is available. Mixpanel provides a GDPR-compliant DPA and SCCs for US-hosted deployments. The EU region eliminates transfer complexity for European organisations.
Mixpanel is a product analytics platform operated by Mixpanel Inc. (San Francisco) since 2009. It captures user events (clicks, page views, custom events, feature flags exposure) and exposes them through funnels, retention analysis, cohort builders, A/B test reports and the AI assistant Mixpanel Spark. SDKs are available for web, iOS, Android, server side runtimes and reverse ETL through Census, RudderStack and Segment.
The web SDK (mixpanel-2-latest.min.js) writes a first party cookie named mp_{project_token}_mixpanel on the publisher domain (default 1 year, configurable). The cookie value is a JSON object holding the distinct id, the device id and any user properties set via mixpanel.identify or mixpanel.people.set. The SDK also writes mp_{token}_mixpanel_referrer when referrer tracking is enabled. Local storage entries can be used as fallback. Server side SDKs do not write any cookie because they run on the server.
Mixpanel is a product analytics tool that profiles users by behaviour, persistent id and user properties. Consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is therefore required before loading the SDK on a public website. The CNIL analytics exemption does not apply because Mixpanel allows cross device tracking via mixpanel.identify and transmits the visitor id to a US controlled processor. For server side events that do not write storage on the visitor device, legitimate interest can be argued, but the publisher must still minimise the data and update the privacy notice.
Mixpanel launched its EU residency option in 2022 (api-eu.mixpanel.com, Google Cloud Belgium and Microsoft Azure Netherlands). Raw events stay inside the European Region for EU projects. However, operational metadata (account, billing, audit, Spark AI assistant) is processed in the US. Mixpanel Inc. is certified under the EU US Data Privacy Framework since 26 October 2023 and provides the EU Standard Contractual Clauses (module 2 controller to processor) in its DPA.
Set api_host to api-eu.mixpanel.com to keep raw events in the EU. Gate the SDK behind the analytics category of your CMP. Avoid sending personal identifiers (email, full name) directly in event properties; use hashed identifiers and the User Profile API instead. Configure data retention to 365 days or less in the Mixpanel project settings. Document Mixpanel Inc. in your records of processing (GDPR art. 30) and in the privacy notice. Disable Spark AI for projects that handle special categories of data. Run a DPIA when Mixpanel is used to profile users in a way that produces legal effects (pricing, eligibility).
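The EU host, IP setting and CMP gating described above, wired together as an added example (not code from Mixpanel or from this page). `createConsentGate`, `getSdk`, `fakeSdk`, `demo` and the token placeholder are assumptions for illustration; `init`, `api_host`, `ip`, `opt_out_tracking_by_default`, `opt_in_tracking` and `opt_out_tracking` are the Mixpanel browser SDK's own names.

```javascript
// Settings taken from the recommendations on this page.
const EU_CONFIG = Object.freeze({
  api_host: 'https://api-eu.mixpanel.com', // send events to the EU region
  ip: false,                               // the "disable IP collection" setting
  opt_out_tracking_by_default: true,       // nothing is tracked until opt-in
});

// getSdk (hypothetical) returns the Mixpanel SDK object; it is only called
// once the visitor has accepted the analytics category in the CMP.
function createConsentGate(getSdk, projectToken) {
  let sdk = null; // stays null until analytics consent is first granted
  return function applyAnalyticsConsent(granted) {
    if (granted) {
      if (!sdk) {
        sdk = getSdk();
        sdk.init(projectToken, { ...EU_CONFIG });
      }
      sdk.opt_in_tracking();
      return 'tracking';
    }
    if (sdk) {
      sdk.opt_out_tracking(); // consent withdrawn after the SDK was started
      return 'opted_out';
    }
    return 'not_loaded';      // declined up front: init() is never called
  };
}

// Constructed stand-in for the SDK so the gate can be exercised offline.
function fakeSdk(calls) {
  return {
    init: (token, cfg) => calls.push(['init', token, cfg.api_host, cfg.ip]),
    opt_in_tracking: () => calls.push(['opt_in_tracking']),
    opt_out_tracking: () => calls.push(['opt_out_tracking']),
  };
}

// Simulated CMP sequence: decline, accept, accept again, withdraw.
function demo() {
  const calls = [];
  const gate = createConsentGate(() => fakeSdk(calls), 'PLACEHOLDER_TOKEN');
  const states = [gate(false), gate(true), gate(true), gate(false)];
  return { states, calls };
}
```

In a real page the CMP's consent-change callback would call `applyAnalyticsConsent` with the state of the analytics category.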
Direct alternatives include Amplitude (US, EU residency on Hyperscale plan), Heap (US, EU residency on Premium), PostHog (UK and US, self hostable open source), Pendo (US), June, Statsig and the EU open source June.so, Hightouch Events, Snowplow Behavioral Data Platform and OpenPanel.
Websites using Mixpanel must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Mixpanel processes user level events at scale or combines them with logged in identifiers. Document the EU/US data flow.
Sample consent text
We use Mixpanel, a product analytics platform from Mixpanel Inc., to understand how features are used. We have selected the EU residency (api-eu.mixpanel.com on Google Cloud Belgium), so the events we send remain in the European Region. Mixpanel writes the cookie mp_{token}_mixpanel on this domain to keep your distinct user id. Operational metadata may still be processed in the United States under the EU US Data Privacy Framework and the EU Standard Contractual Clauses. Mixpanel is loaded only after you accept the analytics category in our cookie preferences.
Third-party domains contacted
mixpanel.com, api.mixpanel.com, api-eu.mixpanel.com, cdn.mxpnl.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mp_distinct_id | persistent | 1 year | Mixpanel unique user identifier stored in localStorage for individual-level product analytics and event tracking |
| mp_<token>_mixpanel | First party (Mixpanel) | 12 months | Stores the distinct_id and super properties used by Mixpanel for product analytics. Used only when localStorage is unavailable. |
| distinct_id (localStorage) | First party (Mixpanel) | Persistent | Anonymous user identifier stored in localStorage by the Mixpanel SDK to recognise returning visitors. |
Yes. Mixpanel stores a persistent distinct_id in localStorage or cookies to track individual users. This requires consent under the ePrivacy Directive before the Mixpanel SDK loads. Block Mixpanel via your CMP and call mixpanel.opt_out_tracking() when users decline.
Yes. Mixpanel launched EU data residency (Amsterdam) in 2023. Set api_host to api-eu.mixpanel.com in your Mixpanel SDK initialisation. EU residency ensures data never leaves the EU and eliminates the need for SCCs.
Consent (Art. 6(1)(a)) for client-side tracking via localStorage and cookies. Server-side event tracking without client-side storage may rely on legitimate interest for aggregate analytics, but the default Mixpanel client SDK requires consent.
Yes. Sign the Mixpanel Data Processing Agreement before using Mixpanel on EU-facing products. For US-hosted deployments, the DPA includes SCCs. For EU region deployments, the DPA covers EU-resident processing.
Use the Mixpanel Deletion API (POST /engage#delete-profile endpoint) to delete user profiles by distinct_id. Submit deletion requests within 30 days of receiving the erasure request. Mixpanel processes deletions and removes data from systems and backups.
Yes. Use anonymous distinct_ids (random UUIDs) rather than email addresses. Avoid user properties containing names, emails, or other PII. Implement server-side ID stitching if you need to link anonymous events to identified users after consent.
Recommended for large-scale deployments. Mixpanel processes individual-level behavioural data which can create detailed user profiles. Use EU data residency to simplify the transfer component of the DPIA.
EU-based product analytics alternatives include PostHog (self-hostable, EU cloud), Piwik PRO (EU-based), and Amplitude (EU region available). Mixpanel itself with EU residency enabled is a strong GDPR-compliant option.
Mixpanel prefers localStorage to store distinct_id. When localStorage is unavailable a first party cookie mp_<token>_mixpanel is set (12 months). No third party cookies are deposited by the SDK itself.
Yes. Mixpanel stores a persistent identifier and tracks behavioural events, both non essential. Prior consent is required under Art. 5(3) ePrivacy. Recent CNIL and DSK guidance confirms that localStorage access is subject to the same consent obligation as cookies.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for the SDK. Contract performance (Art. 6(1)(b)) can apply to logged in product analytics needed to deliver the contracted feature, but only with proper notice.
By default yes (AWS US). EU residency (Frankfurt) is available on Enterprise plans by setting api_host to https://api-eu.mixpanel.com. Admin plane and support remain in the US. Transfers covered by EU SCCs and the EU US Data Privacy Framework.
A DPIA is recommended for user level analytics at scale or when Mixpanel is combined with logged in identifiers. Document the EU/US data flow and retention.
Provision the EU project, sign the DPA, block the SDK behind your CMP, disable IP collection (ip:false), wire opt_out_tracking to the CMP, mask sensitive event properties, set a short retention, document Mixpanel in the Article 30 record.
Privacy first product analytics: PostHog (EU/US, can self host), Amplitude (US), Heap (US, Contentsquare), Pendo (US), June.so (Switzerland), Plausible (EU, simpler analytics), Matomo (EU). For self hosting: PostHog Open Source.
List the mp_<token>_mixpanel cookie and the distinct_id localStorage entry. Mention the EU US Data Privacy Framework, the chosen residency region (EU or US) and link to Mixpanel's privacy policy.