Monetate is an enterprise personalisation and experimentation platform that delivers individualised website experiences based on visitor behaviour, segments, and machine learning models. It sets persistent cookies and collects browsing data from the first page load. Because Monetate profiles individual users across sessions and transfers data to US servers, its deployment on European websites requires prior consent under GDPR and the ePrivacy Directive.
Monetate is the enterprise personalisation platform operated by Kibo Commerce (USA). It runs an experimentation engine (A/B and multivariate testing), an AI-driven recommendations module, segment-based content swaps and a real-time decisioning API. The tag loads from monetate.net and exchanges JSON payloads with engine.monetate.net for each page view. Monetate is positioned as a competitor to Adobe Target, Dynamic Yield and Optimizely.
The Monetate tag writes the first-party cookies mt.v (visitor identifier, 5 years by default, reduced to 13 months under the CNIL recommendation), mt.s (session counter, 30 minutes) and mt.exp (experiment exposure record, 13 months). When the publisher activates the Monetate Connect SDK, an mt.uid cookie is added to hold the deterministic user identifier hashed from the logged-in customer id. Local storage entries monetateClientSegments and monetateBehaviour buffer the data when cookies are blocked.
Monetate is a personalisation tool that profiles visitors by behaviour, geolocation, device and CRM signals to assign them to experiences. Consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is required before loading the tag, because cookies are written and personal data is sent to a US-controlled processor. When recommendations or experiences produce legal or similarly significant effects (price changes, eligibility, discount tier), GDPR art. 22 applies and the publisher must inform users, offer human intervention and document the safeguards.
Kibo Software Inc. is established in the United States and certified under the EU-US Data Privacy Framework. Decisioning can be served from the EU cluster (AWS Dublin and Frankfurt) on customer request, but operational telemetry, AI training and customer support are operated from Pennsylvania. The Monetate data processing addendum incorporates the EU Standard Contractual Clauses (module 2, controller to processor) and lists the sub-processors (AWS, Snowflake, Datadog).
Activate the EU region during contract signature. Block the Monetate tag behind the personalisation category of your CMP. Cap mt.v retention to 13 months in the Monetate dashboard. Run a DPIA when Monetate decides on prices, recommendations on financial products, or health and well-being content. List Monetate and Kibo Software Inc. in your records of processing (GDPR art. 30) and in the privacy notice. Verify the active DPF certification on dataprivacyframework.gov and refresh the transfer impact assessment annually.
Direct alternatives are Adobe Target (US), Dynamic Yield (US, owned by Mastercard), Optimizely Web Experimentation (US), Insider (Turkey), Algolia Recommend (US and France), and the open-source GrowthBook (cookieless-friendly). For EU-sovereign personalisation, AB Tasty (France) and Kameleoon (France) keep data inside the EEA.
Websites using Monetate must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Monetate profiles visitors for personalisation. Document the segments, the retention period, the US transfer and the consent mechanism.
Sample consent text
We use Monetate, a personalisation and AB testing platform operated by Kibo Commerce, to tailor parts of our site to your interests. Monetate stores a pseudonymous identifier in the cookies mt.v and mt.s on this domain, and sends your browsing context (URL, viewport, device, referrer) to Kibo servers in the European region. Operational telemetry may be processed in the United States under the EU US Data Privacy Framework and the EU Standard Contractual Clauses. Monetate runs only after you accept the personalisation category in our cookie preferences, and you can withdraw your consent at any time.
Third-party domains contacted
monetate.net, se.monetate.net, sb.monetate.net, engine.monetate.net, localhost.monetate.net, kibocommerce.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mt | persistent | 2 years | Unique visitor identifier used for cross-session personalisation segment assignment and behavioural tracking |
| mt.v | First party (Monetate) | 13 months | Anonymous visitor identifier used to recognise returning visitors. |
| mt.v2 | persistent | 2 years | Visitor segment and experience assignment data used to deliver consistent personalised content across sessions |
| mt.s | First party (Monetate) | 30 minutes | Session cookie used to group page views. |
| mt.exp | First party (Monetate) | 13 months | Stores the experiment variants assigned to the visitor. |
| mt.recs | First party (Monetate) | 7 days | Caches the most recent product recommendations for performance. |
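One way to verify that the tag really is blocked before consent, using the domains, cookie names and local storage keys listed on this page. This is an added example, not Monetate or CMP vendor code; the capture format (requests, cookies, localStorageKeys recorded from a fresh page load with no consent given) and the sample data are assumptions.

```javascript
// Added example: audit a pre-consent page-load capture for Monetate activity.
// Domain, cookie and storage names come from this page; the capture shape
// ({requests, cookies, localStorageKeys}) is an assumed format.
const MONETATE_DOMAINS = ["monetate.net", "kibocommerce.com"];
const MONETATE_COOKIE = /^mt(\.[A-Za-z0-9]+)?$/; // mt, mt.v, mt.v2, mt.s, mt.exp, mt.recs, mt.uid
const MONETATE_STORAGE = ["monetateClientSegments", "monetateBehaviour"];

// True when host is a listed domain or one of its subdomains.
// Matching on a dot boundary avoids flagging look-alikes such as "notmonetate.net".
function isMonetateHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return MONETATE_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Returns every Monetate request, cookie or storage key seen before consent.
function auditPreConsent(capture) {
  const findings = [];
  for (const raw of capture.requests || []) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip unparsable entries
    if (isMonetateHost(host)) findings.push({ kind: "request", value: host });
  }
  for (const name of capture.cookies || []) {
    if (MONETATE_COOKIE.test(name)) findings.push({ kind: "cookie", value: name });
  }
  for (const key of capture.localStorageKeys || []) {
    if (MONETATE_STORAGE.includes(key)) findings.push({ kind: "localStorage", value: key });
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed sample captures (not real traffic; URL paths are placeholders).
const blockedCapture = {
  requests: ["https://shop.example/", "https://notmonetate.net/PLACEHOLDER.js"],
  cookies: ["session_id", "mt_theme"],
  localStorageKeys: ["cart"],
};
const leakingCapture = {
  requests: ["https://se.monetate.net/PLACEHOLDER.js", "https://engine.monetate.net/PLACEHOLDER"],
  cookies: ["session_id", "mt.v", "mt.s"],
  localStorageKeys: ["monetateBehaviour"],
};

console.log(auditPreConsent(blockedCapture));
console.log(JSON.stringify(auditPreConsent(leakingCapture), null, 2));
```

Run it against a capture taken before any banner interaction; a non-empty findings list means the tag or its storage is active without consent.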
Monetate sets a persistent first-party visitor identifier cookie valid for up to 2 years that tracks behaviour and segment membership across sessions. It also writes experiment assignment data to localStorage. These are not strictly necessary cookies and require prior consent under the ePrivacy Directive before the snippet is allowed to load.
Yes. Monetate loads on page entry and immediately begins profiling visitor behaviour and assigning personalisation segments before any interaction. This requires prior consent under both the ePrivacy Directive (for cookies) and GDPR (for behavioural profiling). The snippet must be blocked by your CMP until explicit consent is recorded.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis for Monetate's personalisation and tracking cookies. Legitimate interest under Article 6(1)(f) is sometimes argued for basic A/B testing without personal data, but the persistent visitor profiling and cross-session tracking in Monetate's standard implementation go beyond what legitimate interest can cover without a robust balancing test.
Yes. Monetate is a US company (part of Kibo Commerce) and processes all visitor data on US infrastructure with no EU data residency option. Standard Contractual Clauses are the applicable transfer mechanism under GDPR Article 46. All transfers must be documented in your Records of Processing Activities and disclosed in your privacy policy.
A DPIA is strongly recommended when Monetate is used for automated personalisation at scale, particularly when it influences product pricing, content availability, or promotional offers presented to individual users. The combination of persistent profiling, automated decision-making based on behavioural data, and US transfer creates processing that falls within the high-risk categories identified in GDPR Article 35.
Block the Monetate snippet until consent is obtained via your CMP. Categorise Monetate under personalisation or analytics cookies. Update your privacy policy to name Monetate and Kibo Commerce as processors and disclose the US transfer. Sign a DPA with Kibo Commerce. Conduct a DPIA if automated personalisation affects pricing or content. Document the US transfer in your RoPA. Configure consent expiry to ensure personalisation is disabled when consent is not renewed.
Yes. Kameleoon and AB Tasty are European-headquartered personalisation and experimentation platforms with EU data residency. Dynamic Yield (owned by Mastercard) offers EU data residency options. For organisations prioritising data sovereignty, self-hosted A/B testing with GrowthBook combined with server-side personalisation keeps all data on EU infrastructure.
Add an entry for the Monetate visitor identifier cookie in your cookie policy, listing its name, category (personalisation or analytics), duration (up to 2 years), and purpose (cross-session visitor identification for personalised content delivery). Note any localStorage usage separately. Reference Monetate and Kibo Commerce as third-party processors, link to their privacy policy, and disclose the US data transfer with the applicable SCC safeguard.
First party cookies mt.v (visitor identifier, 13 months), mt.s (session, 30 minutes), mt.exp (experiment assignment, 13 months) and mt.recs (recommendations cache, 7 days).
Yes. Monetate stores non-essential cookies and profiles visitors for personalisation and A/B testing. Prior consent is required under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy). Special attention to Art. 22 GDPR (automated decisions) when personalisation has legal or significant effects.
Yes. Monetate is operated by Kibo Commerce (US) and processes data in US AWS regions. Transfers rely on EU SCCs and the EU US Data Privacy Framework.
A DPIA is recommended because Monetate profiles visitors. Document the personalisation rules, retention, segments and US transfers.
Sign the Kibo DPA, block the tag behind your CMP, document segments and personalisation rules, limit retention, ensure Art. 13 transparency, and review automated decisions for Art. 22 GDPR concerns.
Personalisation alternatives: Dynamic Yield (Mastercard, US), Optimizely Personalisation (US), Adobe Target (US), AB Tasty (France), Kameleoon (France), Frosmo (Finland), Bloomreach (US/EU). EU first options include AB Tasty, Kameleoon and Frosmo.
List each mt.* cookie with purpose, retention and legal basis (consent). Mention Monetate, the US processing location and the EU US Data Privacy Framework. Provide a link to Monetate's privacy policy.