Stellantis is the automotive group behind Peugeot, Citroën, Fiat, Jeep, Opel and other brands. Its corporate and brand websites use a shared first party tracking pixel for cross brand analytics, marketing and audience segmentation, with EU based infrastructure.
Stellantis is a multinational automotive group created in 2021 from the merger of PSA and Fiat Chrysler Automobiles. It owns and operates more than a dozen brands including Peugeot, Citroën, DS, Opel, Fiat, Alfa Romeo, Lancia, Jeep, Maserati, Chrysler, Dodge, Ram and Vauxhall. The group runs a unified digital platform that powers the corporate site and most of the brand sites in the European Economic Area, with a shared first party tracking pixel used for cross brand analytics, marketing and audience segmentation.
Stellantis sites set strictly necessary session and security cookies, plus first party analytics, advertising and personalisation cookies once the visitor has accepted them. The shared tracking pixel sends page views, configurator interactions, dealer lookups, lead form submissions, IP address, user agent, device characteristics and a persistent visitor identifier to group servers. Lead forms also collect contact information, vehicle interest and consent records, which can be reconciled with offline CRM and dealer data.
Article 5(3) ePrivacy requires prior informed consent for all non strictly necessary cookies, which covers the cross brand analytics and advertising pixels. The cross brand reconciliation creates a single visitor profile spanning multiple brands and qualifies as profiling under Article 22 GDPR when used for advertising. National regulators such as the CNIL, the Garante and the AEPD have fined large automotive groups for cookie banners that did not allow refusal as easy as acceptance.
The Stellantis pixel and any advertising tags should be blocked by the consent management platform until the visitor accepts an analytics or marketing category. The banner must name Stellantis as joint controller alongside the local brand entity, indicate the cross brand sharing, allow refusal in one click and offer granular controls per purpose. Visitors must be able to exercise their access, rectification, erasure, restriction, objection and portability rights through a dedicated privacy form.
The primary infrastructure is hosted in the European Union, mainly in France and Italy. Some advertising, programmatic and measurement partners selected by Stellantis operate from the United States or other third countries. In that case, the transfer is framed by the EU standard contractual clauses, by the EU US Data Privacy Framework where the partner is certified, and by a transfer impact assessment that takes US surveillance laws such as FISA 702 and Executive Order 12333 into account.
Document the joint controllership between Stellantis NV and the local brand entity, gate every non essential tag behind a granular consent banner, configure short retention for raw event logs, maintain a register of partners with their hosting region and contractual safeguards, run a documented DPIA at group level, ensure data subject requests are answered within one month and update the privacy and cookie policy with a clear mention of Stellantis, the categories of data, the recipients, the cross brand reconciliation and the retention.
Websites using Stellantis must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended at group level given the scale (millions of EU visitors), the cross brand audience reconciliation, the rich behavioural data linked to vehicle configurators and lead forms, and the combination with offline CRM and dealer data. Document the categories of data, the joint controllership between brands and Stellantis NV, the retention of analytics and lead data and the safeguards for any onward transfer to advertising partners.
Sample consent text
We use Stellantis tracking technologies to measure how visitors interact with our brand sites and to personalise product information across the group. This sets first party cookies and may share data with other Stellantis brands and advertising partners. We need your consent to enable these technologies. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
stellantis.com, media.stellantis.com, careers.stellantis.com, investors.stellantis.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| st_vid | http_persistent | 13 months | Persistent first party visitor identifier used by the Stellantis pixel for cross brand audience reconciliation. |
| st_sid | http_session | Session | Session identifier used to group page views and configurator interactions during a single visit. |
| st_cs | http_persistent | 6 months | Stores the consent choices made by the visitor on the cookie banner across Stellantis brand sites. |
| st_cfg | http_persistent | 90 days | Remembers the last vehicle configuration started by the visitor to ease return visits. |
| st_lang | http_persistent | 1 year | Stores the language and country selected by the visitor on the Stellantis brand site. |
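One way to check the consent gating described above against this table, as an added example that is not code from Stellantis or from this page: it audits `Set-Cookie` headers captured before any consent choice and flags cookies that should have been blocked, that outlive their declared duration, or that are undeclared. The `needsConsent` flags, the day counts used for "13 months" and "6 months", and the sample headers are assumptions of the example.

```javascript
// Added example. Cookie names and durations are from the page's table; the
// needsConsent flags are this example's assumption and should be adjusted.
const DAY = 86400;
const DECLARED = {
  st_vid:  { maxAge: 397 * DAY, needsConsent: true  }, // 13 months (upper bound in days)
  st_sid:  { maxAge: 0,         needsConsent: true  }, // session cookie
  st_cs:   { maxAge: 184 * DAY, needsConsent: false }, // 6 months (upper bound in days)
  st_cfg:  { maxAge: 90 * DAY,  needsConsent: false }, // 90 days
  st_lang: { maxAge: 365 * DAY, needsConsent: false }, // 1 year
};

// Parse one Set-Cookie value into { name, lifetime }; lifetime is in seconds, 0 = session.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const v = rest.join('=');
    if (/^max-age$/i.test(k) && /^-?\d+$/.test(v)) maxAge = parseInt(v, 10);
    if (/^expires$/i.test(k) && !Number.isNaN(Date.parse(v))) expires = (Date.parse(v) - now) / 1000;
  }
  const lifetime = Math.max(0, Math.round(maxAge ?? expires ?? 0)); // Max-Age wins over Expires
  return { name: pair.split('=')[0], lifetime };
}

// Audit Set-Cookie headers captured before the visitor made any consent choice.
function auditPreConsent(headers, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetime } = parseSetCookie(header, now);
    const rule = Object.prototype.hasOwnProperty.call(DECLARED, name) ? DECLARED[name] : null;
    if (!rule) { findings.push(`${name}: not in the declared cookie table`); continue; }
    if (rule.needsConsent) findings.push(`${name}: set before consent`);
    if (lifetime > rule.maxAge) findings.push(`${name}: lifetime exceeds declared duration`);
  }
  return findings;
}

// Constructed sample headers, not captured from any real site.
const SAMPLE = [
  'st_lang=fr-FR; Max-Age=31536000; Path=/; Secure; SameSite=Lax',
  'st_vid=c0ffee; Max-Age=63072000; Path=/; Secure',
  'st_cfg=model-a; Max-Age=15552000; Path=/; Secure',
  'x_ad=1; Path=/',
];
console.log(auditPreConsent(SAMPLE));
```

An empty result on a first visit with no banner interaction means only declared, consent-exempt cookies were written and none outlives the duration stated in the table.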
Stellantis brand sites set strictly necessary session and security cookies, plus first party analytics, advertising and personalisation cookies once consent is given. The shared tracking pixel reads a persistent first party visitor identifier used for cross brand audience reconciliation, and exposes additional advertising cookies when partner tags are loaded.
Yes. The cross brand analytics and advertising pixel are not strictly necessary, so Article 5(3) ePrivacy requires opt in consent before they are written. Strictly necessary cookies for security, load balancing and language preference may be set without consent.
Consent under Article 6(1)(a) GDPR for analytics, advertising and personalisation. Legitimate interest under Article 6(1)(f) GDPR for fraud and security cookies. Performance of a contract under Article 6(1)(b) GDPR for the configurator, dealer locator, brochure requests and customer area.
The primary infrastructure is in the EU, mainly France and Italy. Some advertising and measurement partners operate from the US or other third countries. In that case the transfer relies on standard contractual clauses, the EU US Data Privacy Framework where applicable, and a transfer impact assessment by the relevant Stellantis entity.
Yes, a DPIA is appropriate at group level. The processing is large scale, combines behavioural data across brands, uses persistent identifiers and feeds CRM and advertising activation. This meets several criteria of Article 35 GDPR and the EDPB Guidelines on DPIA.
Document the joint controllership, deploy a granular consent management platform that blocks all non essential tags by default, configure short retention for raw event logs, maintain a register of partners with hosting and safeguards, document data subject request workflows and review the cookie banner regularly against CNIL, Garante and AEPD guidance.
For the analytics layer, brands can complement or replace the Stellantis pixel with EU based, consent friendly tools such as Matomo, Piwik PRO, Plausible, AT Internet (Piano Analytics) or Adobe Analytics with EU residency. The corporate cross brand reconciliation remains specific to the group.
List the Stellantis first party cookies and partner cookies, identify the brand entity and Stellantis NV as joint controllers, explain the cross brand audience reconciliation, mention the EU hosting and any US partners with the safeguards used, link to the Stellantis privacy notice and explain how visitors can refuse or withdraw consent.