Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Akamai mPulse is a real user monitoring (RUM) and digital experience analytics tool operated by Akamai Technologies. It injects a small JavaScript loader (boomerang.js) on every page and beacons performance metrics, errors and custom events to mpulse.akamai.com. mPulse sets cookies and shares visitor IP addresses and timings with Akamai in the United States, which means EU sites need to handle it as a consent driven analytics tag.
Akamai mPulse is a real user monitoring (RUM) and digital experience analytics product. It uses an open source script called Boomerang (boomerang.js) which is injected on every page, measures page navigation timings, Core Web Vitals, resource loading, JavaScript errors and custom application events, and posts them as beacons to mpulse.akamai.com for processing and dashboarding. mPulse is sold to large web properties for performance and conversion analysis, often integrated with the Akamai CDN to correlate edge data with browser data.
Each page load generates a beacon containing IP address, User Agent, referrer, URL, screen and viewport, network type and a battery of timing metrics. mPulse sets a first party RT cookie that stores a persistent visitor identifier and the previous page URL so that navigation flows can be reconstructed. Custom dimensions configured by the merchant (logged in state, cart value, A/B variant) are attached to the beacon. The data is retained for the period selected in the mPulse plan, typically 30 to 90 days for raw beacons.
The RT cookie is set on the first page view and persists for one year, which puts it under Article 5(3) of the ePrivacy Directive: consent is required because it is not strictly necessary to provide the requested service. The IP address sent in the beacon is personal data under the GDPR. The Akamai EU US data transfer is governed by the EU US Data Privacy Framework and Standard Contractual Clauses. Some EU regulators (CNIL exemption for measurement, BfDI guidance) allow strictly aggregated, first party, non shared performance measurement without consent, but mPulse does not meet that test in its default configuration.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In most EU jurisdictions yes, because mPulse sets a persistent cookie, transmits IP addresses to a US controller and goes beyond strictly aggregated measurement. Block boomerang.js until consent is captured. The Akamai documentation supports loading mPulse asynchronously after a custom event, which makes it easy to gate the script behind a CMP. If you want to keep some measurement without consent, you can run a parallel server side performance log on your own infrastructure.
Akamai Technologies, Inc. is headquartered in Cambridge, Massachusetts, and processes mPulse beacons on US infrastructure. Akamai is self certified under the EU US Data Privacy Framework, which provides an adequacy decision for transfers to certified Akamai entities. Akamai also offers the EU SCCs through its Data Processing Addendum. EU customers can request a Transfer Impact Assessment summary covering the Akamai stance on US surveillance law and the technical and contractual safeguards.
Gate the boomerang.js loader behind your consent manager under the Analytics category. Sign the Akamai DPA and reference the DPF or SCCs in your privacy policy. Disable any custom dimensions that contain directly identifying information, and prefer hashed or pseudonymous identifiers for logged in visitors. Where possible, configure the mPulse retention to the shortest period your dashboards still need (often 30 days is enough). Document the integration in the Article 30 record.
Websites using Akamai mPulse must obtain user consent under GDPR regulations.
DPIA considerations
A standalone DPIA is not generally required for mPulse on a typical website. Document the integration in the record of processing, especially the persistent RT cookie and the EU US data flow. When mPulse is combined with extensive A/B testing, personalisation or behavioural segmentation, the cumulative effect can justify a wider DPIA.
Sample consent text
We use Akamai mPulse to measure how our pages perform on real visitors' devices. This sets a few cookies and sends your IP address and timings to Akamai Technologies in the United States. Do you accept?
Third-party domains contacted
mpulse.akamai.comc.go-mpulse.netakstat.ioakamaihd.netcdn.akamai.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| RT | first party | 1 year | Persistent visitor identifier set by Boomerang/mPulse, plus the URL of the previous page; used to reconstruct user navigation flows in mPulse dashboards. |
| akaalb_<application> | third party | Session | Akamai Application Load Balancer cookie set when the site is fronted by the Akamai CDN; not strictly a mPulse cookie but commonly appears together. |
| _abck | third party | 1 year | Akamai Bot Manager cookie used to identify automated traffic; appears alongside mPulse on Akamai customers' sites. |
| bm_sz | third party | 4 hours | Akamai Bot Manager session cookie correlating browser characteristics to risk scoring. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
mPulse sets a first party RT cookie storing a persistent visitor identifier and the previous page URL, valid for around one year. Additional Akamai cookies (bm_sz, ak_bmsc, _abck) may appear when the site sits behind the Akamai CDN with Bot Manager, but these are CDN cookies, not mPulse cookies.
In most EU jurisdictions yes. The RT cookie is persistent and not strictly necessary, so Article 5(3) ePrivacy requires consent. Combine this with the fact that mPulse transmits IP addresses to a US controller and the safer position is to gate the script behind your consent manager.
Consent under Article 6(1)(a) GDPR. Legitimate interest is rarely accepted by EU DPAs for a persistent first party identifier combined with a cross border transfer, even when the goal is performance measurement.
Yes. Akamai Technologies, Inc. is a US controller and processes beacons on US infrastructure. The transfer is covered by Akamai's EU US Data Privacy Framework certification and the EU SCCs in its DPA. Document these in the privacy policy.
No, not as a standalone integration on a typical website. Document it in the record of processing. When mPulse is paired with extensive personalisation, customer journey reconstruction or behavioural segmentation, include it in a wider DPIA.
Gate boomerang.js behind your consent manager, sign the Akamai DPA, configure custom dimensions to avoid personal data, hash or pseudonymise user identifiers, set retention to the minimum that meets your needs, and mention mPulse explicitly in the cookie banner and privacy policy.
EU based alternatives include Piano (formerly AT Internet) Real User Monitoring, Eulerian, Matomo plus its Plausible plug ins, or open source self hosted boomerang.js. Some Core Web Vitals data can also be gathered through the Chrome User Experience Report (CrUX) without setting cookies.
Add an entry under Analytics: provider (Akamai Technologies, Inc., USA), domains (mpulse.akamai.com, c.go-mpulse.net, akstat.io), cookies (RT first party, around 1 year), purpose (real user monitoring of performance and custom events), transfer mechanism (Data Privacy Framework and SCCs).