Pardot, rebranded Marketing Cloud Account Engagement in 2022, is the B2B marketing automation, lead scoring and account based marketing platform of Salesforce.
Pardot is the B2B marketing automation product of Salesforce, rebranded Marketing Cloud Account Engagement in 2022. It combines email marketing, dynamic content, drip campaigns, lead scoring and grading, account based marketing, sales alerts, ROI reporting and Salesforce CRM integration. It is widely adopted by B2B sales and marketing teams that want to identify and qualify website visitors before passing them to the sales pipeline.
The Pardot tracker (pd.js or piAId snippet) drops third party cookies on pardot.com (visitor_id_*, pi_opt_in, lpv_*) and first party cookies on the publisher domain. The cookie name includes the Pardot account ID and the visitor ID. On every page view it sends URL, referrer, page title, custom parameters and prospect identifiers. Once a visitor fills a Pardot form, the tracker links the visitor profile to a Salesforce Lead or Contact, enabling person level tracking through later sessions.
Pardot tracker cookies are not strictly necessary. Article 5(3) ePrivacy requires prior consent before they can be set. Article 6 GDPR requires consent as the legal basis since Pardot enables behavioural profiling of identified prospects. CNIL has explicitly clarified that B2B marketing tools that build lead profiles trigger the same consent obligations as B2C tracking. Marketing emails sent to B2B prospects also require consent under article 13 ePrivacy in most EU jurisdictions, with limited exceptions for legal persons in France.
Block the Pardot tracker (pd.js) inside your CMP until consent is granted. Use the Pardot Tracker Module Opt In feature so the cookie is only dropped when a consenting visitor explicitly opts in. Disable Pardot tracking until the CMP fires the granted event. Use the Salesforce Consent Management object to log consent in the CRM and tie it to the Lead or Contact. Provide an unsubscribe link in every Pardot email.
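One way to implement the gate described above, as an added example rather than FlowConsent's or Salesforce's own code. Assumptions: the `cmp:consent` event and its `{ marketing }` detail are hypothetical stand-ins for your CMP's callback, the account values are placeholders, and the `https://pi.pardot.com/pd.js` URL with the `piAId`/`piCId`/`piHostname` globals follows the standard Pardot tracking snippet.

```javascript
// Added example. Placeholder account values; replace with your own.
const PARDOT_CFG = { accountId: 'ACCOUNT_ID', campaignId: 'CAMPAIGN_ID', host: 'pi.pardot.com' };

// Inject pd.js. `doc` and `win` are parameters so the function works with the
// real document/window in a browser and with fakes in a test.
function injectPardot(doc, win, cfg) {
  win.piAId = cfg.accountId; // globals read by pd.js
  win.piCId = cfg.campaignId;
  win.piHostname = cfg.host;
  const s = doc.createElement('script');
  s.async = true;
  s.src = `https://${cfg.host}/pd.js`;
  doc.head.appendChild(s);
  return s;
}

// Gate: nothing is injected until marketing consent is true, injection happens
// at most once, and withdrawal is reported so the caller can stop tracking
// (an already-executed script cannot be unloaded; reload the page without it).
function createPardotGate(inject) {
  let loaded = false;
  return {
    onConsent(state) {
      const granted = Boolean(state) && state.marketing === true;
      if (!granted) return loaded ? 'withdrawn' : 'blocked';
      if (loaded) return 'already-loaded';
      loaded = true;
      inject();
      return 'loaded';
    },
  };
}

// Browser wiring. 'cmp:consent' is a hypothetical event name: use whatever
// callback your CMP exposes for consent changes.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = createPardotGate(() => injectPardot(document, window, PARDOT_CFG));
  window.addEventListener('cmp:consent', (e) => {
    if (gate.onConsent(e.detail) === 'withdrawn') window.location.reload();
  });
}
```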
Pardot runs on Salesforce infrastructure in the United States by default. An EU pod option exists for some Salesforce Marketing Cloud customers and provides Frankfurt data residency. Transfers rely on the Salesforce DPA, EU SCCs and on the Salesforce DPF certification under the EU US Data Privacy Framework. Document the transfer mechanism in your records of processing activities and inform prospects in your privacy notice.
Sign the Salesforce DPA with EU SCCs. Activate the EU pod when available. Enable Pardot Tracker Module Opt In. Wrap the tracker in a CMP gate. Use double opt in on Pardot forms. Maintain explicit Communication Preferences in the Salesforce Consent Object. Categorise visitor_id_* and pi_opt_in as Marketing cookies. Identify Salesforce Inc. as processor in the privacy notice with the US transfer disclosure.
Websites using Pardot (Salesforce Marketing Cloud Account Engagement) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Pardot is the central B2B marketing automation, when lead scoring relies on long lists of behavioural attributes, when Account Based Marketing combines Pardot with Salesforce Audience Studio, or when sensitive industries process leads.
Sample consent text
We use Pardot (Salesforce Marketing Cloud Account Engagement) to track website visits, score leads and feed our B2B marketing automation. Pardot drops cookies on your device and shares data with Salesforce in the United States. Without your consent, the tracker does not run and your visit is not logged in our lead database.
Third-party domains contacted
pardot.com, pi.pardot.com, go.pardot.com, marketingcloudaccountengagement.com, salesforce.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| visitor_id<account> | Marketing | 10 years | Pardot persistent visitor identifier (account specific) used to track a prospect across sessions and link page views to a Salesforce Lead or Contact. |
| visitor_id<account>-hash | Marketing | 10 years | Hash that secures the matching of the visitor_id cookie to prevent tampering. |
| pi_opt_in | Marketing | 10 years | Stores the visitor opt in status for Pardot tracking when the Tracker Module Opt In feature is used. |
| lpv<account> | Marketing | 30 minutes | Limits the rate at which Pardot logs page views for the same visitor on the same page to avoid double counting. |
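
To verify that the gate holds, the domain list and cookie table above can be turned into a check over a capture taken before consent. This is an added example, not code from the page; the capture shape, function names and sample data are constructed, and numeric account IDs are an assumption.

```javascript
// Added example: flag Pardot activity in a capture recorded BEFORE consent.
// Registrable domains from this page's list (pi. and go. are subdomains of pardot.com).
const PARDOT_DOMAINS = ['pardot.com', 'marketingcloudaccountengagement.com', 'salesforce.com'];
// Matches both spellings used on the page: visitor_id123 and visitor_id_123.
const PARDOT_COOKIE = /^(visitor_id_?\d+(-hash)?|lpv_?\d+|pi_opt_in)$/;

// True for a listed domain or any subdomain of it, not for look-alikes
// such as notpardot.com or pardot.com.example.net.
function isPardotHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return PARDOT_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// capture = { requests: [url, ...], cookies: [name, ...] }
function auditPreConsent(capture) {
  const findings = [];
  for (const url of capture.requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip unparsable entries
    if (isPardotHost(host)) findings.push({ type: 'request', value: host });
  }
  for (const name of capture.cookies) {
    if (PARDOT_COOKIE.test(name)) findings.push({ type: 'cookie', value: name });
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_CAPTURE = {
  requests: [
    'https://www.example.com/pricing',
    'https://pi.pardot.com/pd.js',
    'https://notpardot.com/x.js',
    'https://pardot.com.example.net/y.js',
  ],
  cookies: ['session', 'visitor_id123456', 'visitor_id123456-hash', 'lpv123456', 'visitor_ideas'],
};

// An empty result means no listed host or cookie appeared before consent.
console.log(auditPreConsent(SAMPLE_CAPTURE));
```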
Pardot drops third party cookies on pardot.com (visitor_id_<account>, pi_opt_in, lpv_<account>) and first party cookies on the publisher domain. The cookie names embed the Pardot account ID and a unique visitor ID. The visitor_id cookie has a default 10 year expiration.
Yes. Pardot tracker cookies are not strictly necessary and trigger article 5(3) ePrivacy. The behavioural profiling and lead scoring require consent under article 6 GDPR. Marketing emails to B2B prospects require consent under article 13 ePrivacy in most EU jurisdictions.
Consent (article 6(1)(a) GDPR) for tracking and marketing emails. Legitimate interest may apply to existing customer communications, but lead scoring of unidentified prospects cannot rely on legitimate interest after Schrems II and CNIL doctrine.
Pardot data is processed by Salesforce in the United States by default. An EU pod option exists for some Marketing Cloud customers. Transfers rely on the Salesforce DPA, EU SCCs and Salesforce DPF certification.
A DPIA is recommended whenever Pardot is the central B2B marketing automation, when lead scoring uses extensive behavioural attributes, when ABM combines Pardot with Salesforce Audience Studio or when leads come from sensitive industries.
Block pd.js until consent. Activate Tracker Module Opt In. Use double opt in on forms. Log consent in the Salesforce Consent Object. Limit lead retention. Sign the Salesforce DPA with EU SCCs. Activate the EU pod when available.
HubSpot Marketing Hub (US, with EU data residency option), Marketo Engage by Adobe, Plezi (French B2B), Webmecanik (French, open source compatible), ActiveCampaign and Brevo for SMB needs. Mautic for self hosted B2B automation.
List the visitor_id_<account>, pi_opt_in and lpv_<account> cookies with domain, duration (10 years for visitor_id) and purpose. Identify Salesforce Inc. as processor in the privacy notice. Describe US transfers and safeguards. Link to the Salesforce privacy statement and the Pardot privacy notice.