Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
SparkPost is an email infrastructure service used for transactional, marketing and notification emails. Since 2021 it is part of Bird (formerly MessageBird), an Amsterdam based CPaaS. SparkPost provides SMTP relay, an HTTP API, inbound email parsing and detailed analytics on opens, clicks, bounces and engagement. Open and click tracking work through pixels and URL wrapping; both have GDPR implications and need careful configuration for European compliance.
SparkPost is an email infrastructure service originally developed by Message Systems, a US email deliverability specialist. It was acquired by MessageBird in 2021 (the Amsterdam based CPaaS that rebranded to Bird in 2024) and now sits in the broader Bird product family alongside Mailgun (acquired in 2023). SparkPost is used by SaaS companies, e commerce platforms and media brands to send transactional emails (password resets, order confirmations, notifications) and marketing emails at scale, with detailed analytics on deliverability and engagement.
SparkPost does not set browser cookies because it is a backend email service. Tracking happens in two places: open tracking via a 1x1 transparent image embedded at the bottom of HTML emails, which the recipient''s email client downloads when the email is rendered, transmitting the IP address, user agent and timestamp to SparkPost; click tracking via URL wrapping, where each link in the email is replaced with a SparkPost redirect URL that logs the click before redirecting to the original destination. Both can be disabled per message via SubAccounts or template options. SparkPost also fires webhook events for delivery, bounce, complaint, unsubscribe and engagement metrics.
Because no information is stored on the recipient''s terminal, ePrivacy Art. 5(3) does not apply to SparkPost emails. The applicable rule is ePrivacy Art. 13 (unsolicited communications) for marketing emails, which requires consent or soft opt in. Under the GDPR, transactional emails rest on contract necessity (Art. 6(1)(b)), marketing emails on consent (Art. 6(1)(a)). The open and click tracking processing rests on legitimate interest under Art. 6(1)(f) but must be disclosed in the privacy notice, and recipients should be able to disable tracking on request.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Default SparkPost infrastructure includes US data centres alongside EU regions (Frankfurt, Dublin). European customers should explicitly enable EU regional processing where data residency commitments require it. Bird is headquartered in Amsterdam, which puts the corporate decision making within the EU, but the SparkPost product retains US infrastructure for global routing efficiency. Bird self certifies under the EU US Data Privacy Framework and offers Standard Contractual Clauses for transfers outside the DPF.
Apple Mail Privacy Protection, enabled by default in iOS 15 and macOS Monterey, pre fetches all email images on Apple servers in the United States before the recipient opens the email. This breaks open tracking by inflating opens to nearly 100% for Apple Mail users, and it changes the IP and user agent visible to SparkPost (Apple''s relay IPs). The data is still processed by SparkPost, but its analytical value is reduced. Operators should adjust their email metrics expectations and not draw individual user inferences from open rates of Apple Mail recipients.
Distinguish clearly between transactional emails (consent free under contract necessity) and marketing emails (consent or soft opt in required). Subscribe to EU regional processing where applicable. Sign the Bird/SparkPost DPA and SCCs. Disclose open and click tracking in the privacy notice. Provide a working unsubscribe link in all marketing emails and honour suppression within 72 hours. Document the processing in the record of processing including the data categories, the legal basis, the retention period and the transfer mechanism.
Websites using SparkPost must obtain user consent under GDPR regulations.
DPIA considerations
SparkPost does not set browser cookies (no website tracking) but embeds tracking pixels and wrapped URLs in outgoing emails. DPIA considerations: (1) the open tracking pixel logs the recipient's IP address, user agent and timestamp when the email is rendered; (2) the click tracking redirect logs the same data plus the original destination URL when the recipient clicks; (3) some webmail clients (Gmail, Apple Mail Privacy Protection) proxy or pre fetch the images, which inflates open rates and complicates the interpretation of the data, but does not change the GDPR analysis; (4) Bird (the parent) is headquartered in the EU (Amsterdam) but the SparkPost product still runs primarily on US infrastructure unless EU regional processing is explicitly enabled; (5) marketing emails require ePrivacy consent or soft opt in, separate from the transactional email basis. A DPIA is recommended for high volume marketing senders and for sites mixing transactional and marketing flows.
Sample consent text
We use SparkPost (a Bird product, with infrastructure in [EU regions / US regions]) to send our transactional emails (password resets, order confirmations) and our marketing emails when you have opted in. SparkPost places a small invisible image and wraps links in our emails to measure deliverability and engagement. Your IP address is logged when the email is rendered. For marketing emails you can unsubscribe at any time using the link in the email or by contacting us.
Third-party domains contacted
sparkpost.comeu.sparkpost.comsparkpostmail.comapi.sparkpost.combird.comSparkPost collects user analytics data — you legally need a consent banner. Try FlowConsent free.
No browser cookies. SparkPost is a backend email service and does not run JavaScript on a website. Tracking happens inside the emails: a 1x1 open tracking pixel and click tracking redirect URLs. Both can be disabled per message.
Not for transactional emails (they rest on contract necessity). Marketing emails require consent or soft opt in under ePrivacy Art. 13 and PECR. The open and click tracking processing rests on legitimate interest but must be disclosed in the privacy notice and visitors should be able to refuse on request.
Contract necessity (Art. 6(1)(b)) for transactional emails. Consent (Art. 6(1)(a)) for marketing emails. Legitimate interest (Art. 6(1)(f)) for security alerts and for the open/click tracking metrics.
By default, yes. EU regional processing is available on Enterprise plans. Bird (the parent) is headquartered in Amsterdam, but the SparkPost product still uses US infrastructure for global routing unless EU residency is explicitly configured. Bird self certifies under the EU US Data Privacy Framework and offers SCCs.
A DPIA is recommended for high volume marketing senders or for sites mixing transactional and marketing flows where the data combines into rich user profiles. For pure transactional email under contract necessity, a DPIA may not be required but documentation in the record of processing remains mandatory.
Separate transactional from marketing flows clearly. Collect explicit consent or rely on soft opt in for marketing. Subscribe to EU regional processing where applicable. Sign the Bird/SparkPost DPA and SCCs. Disclose open and click tracking in the privacy notice. Honour unsubscribe requests within 72 hours and propagate to all linked systems.
Other email infrastructure providers include Mailgun (also Bird), Postmark (US), SendGrid (Twilio, US), Amazon SES (US), Brevo (formerly Sendinblue, France, EU residency), Mailjet (France/Sinch, EU residency), and self hosted Postfix or Postal. EU based options like Brevo and Mailjet avoid the default US transfer.
SparkPost does not need to appear on a cookie banner. In the privacy notice, name Bird/SparkPost as a processor, describe the open and click tracking, state the legal basis for transactional vs marketing emails, declare the data residency choice (EU or US) and the transfer mechanism. Provide a working unsubscribe link in every marketing email.