Peerius is an e-commerce personalisation engine that powers product recommendations, search ranking and triggered emails for online retailers. Acquired by Episerver and now part of Optimizely, it loads through a JavaScript tag that captures every page view, search and add-to-cart event together with a persistent visitor identifier, builds a behavioural profile and returns personalised recommendations. Because it relies on persistent identifiers and profiling, it requires informed consent under the GDPR and the ePrivacy Directive.
Peerius is an e-commerce personalisation suite that powers product recommendation widgets, search re-ranking and triggered marketing emails. Originally a UK startup, Peerius was acquired by Episerver and is now part of Optimizely. It is integrated into retail sites through a single JavaScript tag and a product catalogue feed, then served back as personalised widgets in carousels, search results and emails.
Peerius drops a persistent peerius_uid cookie (2 years) to identify the same shopper across visits, plus session and attribution cookies. It captures every page view, search query, product detail event, add-to-cart and order, the visitor IP, the User-Agent and the referrer. Linked to the email hash on logged-in users, the profile becomes a personally identifying behavioural record covering months or years of activity.
Because Peerius profiles shoppers, sets persistent identifiers and triggers marketing emails, it requires prior, freely given, informed consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Legitimate interest is not a defensible basis for the tracking, behavioural profiling and triggered marketing combined. The Peerius tag must therefore be blocked until consent is captured by the CMP, and the cookies must be deleted on withdrawal.
European Peerius deployments are primarily served from EU data centres, but Optimizely is a US company and its support, monitoring and engineering teams may access the data from the United States. Sign the Optimizely DPA, attach the EU Standard Contractual Clauses, and document the EU-US Data Privacy Framework certification of Optimizely Inc. in your processing register. Carry out a Transfer Impact Assessment for the residual US surveillance exposure.
Block the Peerius tag until consent is granted. Add Peerius and Optimizely to the consent banner under marketing or personalisation. Mention them in the privacy notice and add the United States to the country list. List the peerius_uid, sid, cd and ab cookies in the cookie policy. Carry out a DPIA when the deployment exceeds 50,000 monthly active visitors or when Peerius decisions affect pricing or content visibility.
Websites using Peerius must obtain user consent under GDPR regulations.
DPIA considerations
Peerius performs systematic profiling of e-commerce visitors using persistent identifiers, behavioural events and purchase history. Key DPIA considerations: (1) Article 22 GDPR risk if recommendations or pricing decisions are automated without meaningful human review; (2) persistent visitor IDs (peerius_uid, 2 years) enable long-term cross-session profiling that may qualify as large-scale processing; (3) onward sharing with the Optimizely group exposes data to potential US replication; (4) integration with the retailer's order data raises the question of joint controllership for shared purposes; (5) triggered email recommendations bring the ePrivacy Article 13 marketing consent rules into play. A DPIA is generally required for any deployment over 50,000 monthly active visitors.
Sample consent text
We use Peerius (Optimizely Inc.) to personalise the products and content you see on this site based on your browsing and purchase behaviour. Peerius sets cookies and stores a long-term identifier that lets it recognise your device across visits. Your data may be transferred to Optimizely affiliates in the United States under Standard Contractual Clauses. You can refuse this personalisation at any time in the cookie settings: the site will still work, but recommendations will be generic.
Third-party domains contacted
- peerius.com
- cdn.peerius.com
- api.peerius.com
- recs.peerius.com
- optimizely.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| peerius_uid | Marketing | 2 years | Persistent visitor identifier that allows Peerius to build a long-term behavioural profile across sessions and to retrieve recommendations for the same shopper across visits. |
| peerius_sid | Marketing | Session | Session identifier used to group the events of a single visit (page views, searches, cart actions) before they are sent to the recommendation engine. |
| peerius_cd | Marketing | 30 days | Stores the click-through data of the last recommended product to attribute conversions to Peerius recommendations. |
| peerius_ab | Analytics | 90 days | Stores the A/B test bucket assigned to the visitor so that Peerius can measure the lift of personalised recommendations vs. control. |
Peerius uses cookies for user preferences — inform visitors with a consent banner.
Peerius sets peerius_uid (2 years, persistent visitor ID), peerius_sid (session, current visit), peerius_cd (30 days, click attribution) and peerius_ab (90 days, A/B test bucket). All are set as first-party or third-party from peerius.com domains.
Yes. Peerius performs behavioural profiling with persistent identifiers and triggers marketing emails, so prior consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy is mandatory. The Peerius tag must be blocked by the CMP until consent is granted.
Only consent. Legitimate interest is not defensible because the processing combines persistent tracking, behavioural profiling and triggered marketing. Document consent capture, withdrawal mechanism and refresh cycle in your processing register.
EU deployments are hosted in EU data centres but Optimizely Inc. is a US company and its support teams may access the data from the US. Standard Contractual Clauses and the EU-US Data Privacy Framework cover the transfer; a Transfer Impact Assessment is still expected.
A DPIA is generally required because Peerius is large-scale systematic profiling under Article 35(3)(b) GDPR. It becomes mandatory above 50,000 monthly active visitors or when Peerius drives automated decisions affecting users (pricing, content visibility).
Wire the Peerius tag behind your CMP consent gate. Pass purpose IDs through the Optimizely integration and respect denied consent (do not fire events, do not push email hashes). Configure short retention for profiles of inactive visitors. Refresh consent annually.
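A minimal consent gate for the two requirements stated above (block the Peerius tag until the CMP reports consent, delete the cookies on withdrawal), as an added example rather than Peerius, Optimizely or CMP code. The function names, the `tagSrc` parameter and the `update(granted)` callback shape are assumptions; the cookie names come from the cookie table on this page.

```javascript
// Added example, not Peerius or Optimizely code. Cookie names are taken from
// the cookie table on this page; everything else is an assumption.
const PEERIUS_COOKIES = ['peerius_uid', 'peerius_sid', 'peerius_cd', 'peerius_ab'];

// A cookie can only be removed with the same Domain/Path scope it was set with,
// so build one expiry string for the host-only case and one per parent domain.
// Assumes Path=/ (adjust if your deployment scopes the cookies differently).
function expiryStrings(name, hostname) {
  const base = `${name}=; Max-Age=0; Path=/`;
  const labels = hostname.split('.');
  const out = [base]; // host-only cookie: no Domain attribute
  for (let i = 0; i + 1 < labels.length; i++) {
    out.push(`${base}; Domain=.${labels.slice(i).join('.')}`);
  }
  return out;
}

// doc is the page's document; tagSrc is the tag URL from your own Peerius
// integration (not given on this page, so it is a parameter here).
function createPeeriusGate(doc, hostname, tagSrc) {
  let scriptEl = null; // nothing is injected until consent is granted
  return {
    // Wire this to the CMP callback for the marketing/personalisation purpose.
    update(granted) {
      if (granted) {
        if (scriptEl) return; // already loaded, do not inject twice
        scriptEl = doc.createElement('script');
        scriptEl.src = tagSrc;
        scriptEl.async = true;
        doc.head.appendChild(scriptEl);
        return;
      }
      // Denied or withdrawn: drop the tag element and expire the cookies.
      if (scriptEl) {
        doc.head.removeChild(scriptEl);
        scriptEl = null;
      }
      for (const name of PEERIUS_COOKIES) {
        for (const c of expiryStrings(name, hostname)) doc.cookie = c;
      }
    },
    // Site code checks this before sending any event or email hash.
    loaded: () => scriptEl !== null,
  };
}
```

Removing the script element does not stop code that has already run, so reload the page after a withdrawal. Cookies that Peerius sets as third-party on its own domains cannot be expired from first-party script; for those, the gate only ensures the tag no longer loads.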
Yes: Algolia Recommend, Sales Layer, Klevu, Bloomreach Discovery (EU regions), or Nosto (Finland) for personalisation engines that can be deployed in EU-only modes. None completely removes the profiling consent obligation but they reduce US transfer exposure.
List peerius_uid, peerius_sid, peerius_cd and peerius_ab with their duration, purpose and category (marketing / analytics). Add Peerius / Optimizely Inc. to the recipients list. Mention the United States as a destination country and link to Optimizely's privacy policy.