Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
mParticle is a Customer Data Platform that collects events from web, mobile and server sources and forwards them to hundreds of marketing, analytics and data warehouse integrations.
mParticle is a Customer Data Platform (CDP) that sits between your data sources (web pages, mobile apps, backend services) and your downstream tools (analytics, advertising, email, CRM, data warehouse). Events are collected through the mParticle web SDK, mobile SDKs or server side HTTP API, normalised into a unified schema, then forwarded to hundreds of integrations such as Braze, Google Analytics 4, Meta CAPI, Snowflake or BigQuery. mParticle is owned by Rokt since 2024 and headquartered in New York.
On the web, the mParticle JavaScript SDK sets a first party cookie (mprtcl-v4) to maintain a stable visitor ID across sessions, plus a session cookie (mprtcl-prevsessid). It collects pageviews, custom events, screen views, user attributes and identities (email, phone, customer ID). The IDSync feature merges identities across devices and sources, building a persistent user profile in mParticle servers. This profile is the fuel for the audience builder and the connected downstream tools.
As soon as the mParticle web SDK runs in the browser, it stores and reads identifiers on the user device. Under article 5(3) of the ePrivacy Directive (and its national transpositions such as TTDSG in Germany, article 82 of the Loi Informatique et Libertés in France or article 22.2 of the LSSI in Spain), prior consent is mandatory unless the cookie is strictly necessary. mParticle events are not strictly necessary for the service requested by the user, so consent is required before the SDK initialises. The downstream legal basis depends on each forwarding rule: advertising destinations need consent, while a transactional email vendor may rely on contract or legitimate interest.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
mParticle provides a native Consent State API. Your CMP must call setConsentState on every page load so that each event carries the user choices (purposes accepted, GDPR location, timestamp, document version). In mParticle, you then define Consent Forwarding Rules on every output: an event is only sent to a given destination if the matching purpose is granted. Without this configuration, mParticle will fan out events even to vendors the user has rejected. Integrate the IAB TCF v2.2 string when working with advertising partners.
By default, mParticle runs on AWS in the United States, which means EU personal data is transferred outside the EEA. mParticle relies on Standard Contractual Clauses and is certified under the EU US Data Privacy Framework. For European customers, mParticle offers an EU pod hosted in Frankfurt (AWS eu-central-1). Activating the EU pod is the cleanest way to limit transfers, but it does not exempt you from the consent obligation under ePrivacy.
Sign the mParticle Data Processing Addendum with the EU SCC module. Activate the EU pod if your audience is mainly European. Block the mParticle SDK behind your CMP and forward the consent state through the official API. Disable IDSync rules that combine sensitive identifiers without a clear legal basis. Audit every active output integration: each one is a separate data flow that needs a documented purpose. Update your records of processing activities and your cookie policy with the list of vendors fed by mParticle.
Websites using mParticle must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended whenever mParticle is used to build persistent cross device profiles, to enrich events with first party data, or to forward identifiers to advertising destinations. Pay particular attention to the IDSync rules, the list of active output integrations and the cookies set on the user device.
Sample consent text
We use mParticle, a Customer Data Platform, to collect and route data about your interactions with our website to our analytics and marketing partners. mParticle sets identifiers on your device and forwards them to selected third party tools, including some based in the United States. Without your consent, this collection and forwarding does not take place.
Third-party domains contacted
mparticle.comjssdkcdns.mparticle.comidentity.mparticle.comnativesdks.mparticle.comwebview.mparticle.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mprtcl-v4 | Analytics | 1 year | Persistent mParticle visitor cookie storing the mParticle ID (MPID), session ID, identity map and serialised consent state. |
| mprtcl-prevsessid | Analytics | Session | Stores the previous mParticle session ID, used to compute session boundaries. |
| mprtcl-sync | Marketing | 1 year | Set when downstream forwarders that require ID sync are activated client side, to coordinate cookie matching with vendors such as Meta or Google. |
mParticle collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The mParticle web SDK sets first party cookies on your own domain. The main ones are mprtcl-v4 (the persistent visitor cookie that stores the mParticle ID, session ID and consent state) and mprtcl-prevsessid (previous session reference). Additional storage can be created in localStorage. The SDK can also synchronise cookies belonging to downstream integrations such as Meta or Google when those forwarders run client side.
Yes. The mParticle SDK reads and writes identifiers on the user device, which triggers article 5(3) of the ePrivacy Directive across the EU. The downstream destinations (analytics, advertising, CDP enrichment) also process personal data under article 6 GDPR. You must obtain prior consent and you must propagate it to mParticle with the Consent State API.
The collection itself runs on consent under article 6(1)(a) GDPR. Each forwarding rule inherits the original consent or relies on its own basis: legitimate interest may apply to a fraud detection forwarder, contract to a transactional email vendor, but consent remains the safest default for analytics and advertising destinations.
mParticle stores and processes data on AWS in the United States by default. An EU pod in Frankfurt is available to keep European data inside the EEA. When the US pod is used, data transfers rely on Standard Contractual Clauses and the EU US Data Privacy Framework. Document the chosen mechanism in your records of processing activities.
A Data Protection Impact Assessment is recommended whenever mParticle is the central CDP feeding a wide ecosystem of vendors, when it processes special category data or when it enables cross device tracking. The combination of IDSync, audience builder and advertising forwarders generally meets the EDPB criteria that trigger a mandatory DPIA.
Place the mParticle SDK under a consent gate, integrate the Consent State API with your CMP, define Consent Forwarding Rules on every output integration, activate the EU pod when possible, sign the DPA with EU SCCs, and limit the data points captured to what each business purpose requires. Audit the active integrations quarterly and remove the unused ones.
Other Customer Data Platforms include Segment by Twilio, RudderStack (open source friendly, with EU hosting), Tealium AudienceStream (EU data centres available), Hightouch (reverse ETL) and BlueConic. For lighter needs, a server side Google Tag Manager container can route events to a few destinations without the full CDP overhead.
List mParticle as a Customer Data Platform with the cookies mprtcl-v4 and mprtcl-prevsessid, their purpose (visitor identification, session continuity, consent state) and their duration. Add a section to your privacy notice explaining that events are processed by mParticle Inc. and routed to the downstream vendors you actually have enabled. Keep the destination list synchronised with reality.