Segment (by Twilio) is a Customer Data Platform (CDP) that collects user events from websites and apps, and routes them to hundreds of downstream analytics, marketing, and data warehouse tools. As a central data router, Segment multiplies the GDPR compliance surface area — every connected destination tool inherits Segment-collected personal data, and each destination requires its own lawful basis and transfer mechanism. Consent routing in Segment (blocking events per destination until the relevant consent category is given) is essential for GDPR-compliant deployments.
Segment is a Customer Data Platform (CDP) that serves as a central hub for collecting, standardising, and routing user event data to downstream tools. Instead of installing multiple analytics and marketing SDKs on a website or app, developers install Segment once — then configure which events are forwarded to which destination tools (Google Analytics, Mixpanel, Amplitude, Salesforce, Klaviyo, etc.). Segment currently integrates with over 300 destination tools, making it the backbone of many marketing and analytics technology stacks.
Segment's routing architecture means that personal data collected by the Segment SDK is forwarded to every enabled destination. Each destination has its own GDPR requirements: its own legal basis, its own DPA, its own transfer mechanism if US-hosted. If you have 15 destinations connected to Segment, you effectively have 15 separate GDPR compliance obligations for the same underlying data. This makes Segment deployments among the most complex GDPR compliance scenarios.
Segment provides consent management features that allow events to be routed to specific destinations only when the relevant consent category has been given. For example, if a user consents to analytics but not advertising, Segment should forward events to Mixpanel (analytics) but not to Klaviyo (marketing). Configure Segment's consent object to map consent categories to destination groups. Integrate with your CMP to pass consent signals to Segment's consent APIs.
Sign the Segment DPA and SCCs. Audit all connected destinations and sign DPAs with each. Implement consent routing so events are only forwarded to destinations with valid consent. Block the Segment analytics.js SDK until base analytics consent is given. Configure Segment Protocols to enforce data schemas that exclude PII from event properties. Implement the Segment Deletion and Suppression API for erasure requests — this propagates deletions to supported downstream destinations.
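One way to apply the consent routing and SDK blocking described above on the client, as an added example that is not Segment's or this page's own code. It relies on the `integrations` load option of analytics.js with `All: false`; the helper names (`buildIntegrations`, `loadWithConsent`), the category names and the destination mapping are assumptions made for illustration.

```javascript
// Added example, not Segment's code. The category names and this
// destination-to-category mapping are constructed for illustration.
const DESTINATION_CATEGORY = {
  Mixpanel: "analytics",
  Amplitude: "analytics",
  Klaviyo: "marketing",
  Salesforce: null, // not yet classified: stays blocked (fail closed)
};

// Build the `integrations` option for analytics.load(): every destination
// is off unless its consent category was explicitly granted (=== true).
function buildIntegrations(consent, mapping = DESTINATION_CATEGORY) {
  // Assumption: "Segment.io" is the entry for delivery to Segment itself.
  const integrations = { All: false, "Segment.io": true };
  for (const [destination, category] of Object.entries(mapping)) {
    integrations[destination] =
      category !== null && consent[category] === true;
  }
  return integrations;
}

// Keep the SDK blocked until base analytics consent exists. Returns the
// integrations passed to load(), or null when nothing was loaded.
function loadWithConsent(analytics, writeKey, consent, mapping) {
  if (!consent || consent.analytics !== true) return null;
  const integrations = buildIntegrations(consent, mapping);
  analytics.load(writeKey, { integrations });
  return integrations;
}
```

Call `loadWithConsent(window.analytics, writeKey, consent)` from the CMP's consent callback rather than at page load, so no identifier is set before the user has answered.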
Websites using Segment must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Segment deployments. As a CDP routing personal data to multiple destination systems, the cumulative privacy risk of all connected destinations must be assessed together. Document all destinations, their legal bases, transfer mechanisms, and consent requirements.
Sample consent text
This website uses Segment to collect analytics data and route it to our analytics and marketing tools. Segment and its destination tools may process your data in the US. You can manage which tracking categories are active in your cookie preferences.
Third-party domains contacted
segment.com, cdn.segment.com, api.segment.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ajs_anonymous_id | persistent | 1 year | Segment anonymous user identifier for event tracking before user identification |
| ajs_user_id | persistent | 1 year | Segment identified user ID linking events to known user profiles across sessions |
Yes. Segment's analytics.js sets cookies and localStorage identifiers requiring consent. Additionally, each destination Segment routes data to may require its own consent category. Implement consent routing to block destination-specific flows until relevant consent is given.
Segment maps consent categories to destination groups. Events only flow to a destination when the corresponding consent category is confirmed. Integrate with a CMP like OneTrust or Cookiebot that supports Segment consent routing.
Yes. All Segment data is processed in the US requiring SCCs. Every US-hosted destination tool also requires its own transfer mechanism. Sign the Segment DPA which includes SCCs.
Consent for the Segment SDK itself. Each destination requires its own legal basis: analytics may use consent, CRM may use legitimate interest or contract performance, advertising requires consent.
Yes. As a CDP routing data to multiple systems, assess the cumulative risk across all destinations in a single DPIA covering all active destinations, data categories, legal bases, and transfer mechanisms.
Use the Segment Privacy Portal API (DELETE /regulations) to submit deletion requests. Segment deletes from its systems and propagates requests to supported downstream destinations.
Server-side tracking avoids client-side cookies. However, if the data still relates to individual users from browser sessions, GDPR obligations remain regardless of where the tracking code runs.
Rudderstack (self-hostable, EU cloud), Piwik PRO Tag Manager (EU-based), and mParticle (EU options) are the main alternatives.