Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Piano is a subscription, paywall and audience activation platform that combines analytics, identity, consent management and content monetisation in one JavaScript SDK.
Piano (piano.io) is a subscription, paywall and audience activation platform used heavily by publishers and media groups. It bundles Piano ID (identity and account management), Piano Composer (paywall and offer orchestration), Piano DMP (audience segments), Piano Analytics (after the acquisition of AT Internet) and a Consent Management Platform certified under the IAB TCF v2.2. Everything is deployed through a single tp.js JavaScript SDK.
Piano writes __utp (anonymous Piano user identifier), __pat and __pvi cookies for paywall behaviour, __qca for engagement and many segment cookies depending on the modules enabled. Through Piano ID the platform stores the logged in identifier and a session token. The CMP module writes a consent string in line with TCF v2.2 and a separate consent identifier. Server side Piano receives IP, user agent, page URL, reading behaviour, subscription status and account data.
The paywall and identity functions are strictly necessary for paid content delivery and rely on contract performance. Audience activation, DMP segments, advertising integrations and behavioural personalisation are not strictly necessary and require consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR. The CMP module itself is exempt from consent for the recording of the consent decision.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Configure the Piano CMP to ask explicit consent for advertising, profiling and audience activation purposes. Keep paywall and identity flows under contract performance. Surface a granular opt out for DMP segments. Mind the EDPB position that legitimate interest is not acceptable for cross site advertising trackers; rely on consent.
Piano operates data centers in Amsterdam and Paris for EU customers, in addition to Philadelphia, Denver, Hong Kong and Sydney. Choosing the EU region keeps reader data within the EU at rest. Piano Inc. remains US headquartered and may access data from the US for global support; rely on the EU US Data Privacy Framework and the Piano Standard Contractual Clauses for any transfer.
Pick the EU data center, segment the consent purposes by module (paywall, analytics, advertising, DMP), expose a clear withdraw mechanism, audit which third parties receive data via the CMP and turn off any integration that exceeds the declared purposes. Train editorial and product teams on the limits of segmentation, and add Piano to your records of processing activities as both processor and joint controller (CMP module).
Websites using Piano must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Piano combines paywall, identity and DMP modules, when audience segments are enriched with third party data, when minors are addressed, or when AI driven offer personalisation is enabled.
Sample consent text
We use Piano to deliver paywalls, personalised offers and audience analytics. Piano writes cookies on your device and shares your IP address, account identifier and reading behaviour with Piano Inc. in the United States. We only load Piano modules that require consent if you accept.
Third-party domains contacted
tinypass.compiano.iocdn.tinypass.combuy.tinypass.comexperience.piano.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __utp | first_party | 1 year | Anonymous Piano user identifier used for paywall and analytics |
| __pat | first_party | 1 year | Stores paywall state and offer access for the visitor |
| __pvi | first_party | 1 year | Visit identifier used to count page views against the paywall meter |
| __qca | first_party | 1 year | Engagement and quintile cookie used by audience modules |
| __tac | first_party | 1 year | Stores the encoded TCF v2.2 consent string for downstream vendors |
Piano uses cookies for user preferences — inform visitors with a consent banner.
Piano writes __utp (anonymous user identifier), __pat and __pvi (paywall behaviour), __qca (engagement), the TCF v2.2 consent string and several segment cookies for DMP. Piano ID adds an authentication cookie when the reader logs in.
Partially. The paywall and the Piano ID login are strictly necessary and exempt. Audience activation, DMP segments, advertising integrations and behavioural personalisation require prior consent under Art. 5(3) ePrivacy and the GDPR.
Contract performance for paywall and identity. Consent for DMP, advertising integrations and audience activation. Legitimate interest is not acceptable for cross site advertising trackers.
Piano Inc. is US headquartered. EU data centers in Amsterdam and Paris reduce the residency footprint, but support and global operations may access data from the US. Rely on the EU US Data Privacy Framework and Piano Standard Contractual Clauses.
Recommended when Piano combines paywall, identity and DMP, when audience segments are enriched with third party data, when minors are addressed, or when AI driven offer personalisation is enabled.
Pick the EU region, declare each module separately in the CMP, expose granular controls, audit downstream vendors loaded via the CMP, and review every TCF purpose to ensure it matches the modules actually in use.
For paywalls: Poool (France), Tinypass legacy, Laterpay (Germany), Stripe Subscriptions backed by your own implementation. For audience analytics: AT Internet historic (now Piano Analytics), Matomo, Plausible. For CMP: Didomi, Axeptio, Sourcepoint.
List Piano cookies per module (paywall, identity, DMP, CMP, integrations) with purpose, lifetime and controller. Specify that the CMP module is governed by IAB TCF v2.2 and explain the EU US Data Privacy Framework basis for any transfer.