Monetate is an enterprise personalisation and experimentation platform that delivers individualised website experiences based on visitor behaviour, segments, and machine learning models. It sets persistent cookies and collects browsing data from the first page load. Because Monetate profiles individual users across sessions and transfers data to US servers, its deployment on European websites requires prior consent under GDPR and the ePrivacy Directive.
Monetate is an enterprise-grade personalisation and experimentation platform used by major retailers and e-commerce businesses worldwide. It enables real-time audience segmentation, A/B and multivariate testing, product recommendations, and dynamic content targeting. Now part of Kibo Commerce, Monetate uses machine learning models to analyse visitor behaviour and deliver individualised experiences at scale. When the Monetate snippet loads on a website, it immediately begins collecting visitor data and assigning users to personalisation segments, making it one of the most data-intensive third-party services in the e-commerce space.
Monetate sets persistent cookies including a unique visitor identifier that tracks behaviour across sessions and visits. It collects IP addresses, browser and device information, pages viewed, products clicked, search queries, cart contents, purchase history, geolocation derived from IP, and time spent on each page. When integrated with a CRM or customer data platform, Monetate can link anonymous browsing data to named customer profiles, creating a comprehensive individual behavioural record that spans both online and offline touchpoints.
Monetate's personalisation function involves systematic profiling of individual visitors across sessions, which constitutes high-risk processing under GDPR. The ePrivacy Directive requires prior consent before any non-essential cookies are set. Monetate's persistent visitor identifier and behavioural tracking cookies are not strictly necessary and require consent before the snippet loads. The combination of cross-session profiling, automated content decisions based on individual behaviour, and US data transfer creates a processing activity that may trigger DPIA obligations under GDPR Article 35.
Consent must be obtained before the Monetate snippet initialises. The consent notice should explain that Monetate is used to personalise content and run website experiments, describe the data collected, and disclose the US data transfer. Visitors who decline must receive the default, non-personalised version of the website without any Monetate tracking. The personalisation engine must be fully suppressed, not just hidden, for users who have not consented. Consent must be refreshable and revocable at any time with immediate effect.
Monetate is a US company and processes all visitor data on US infrastructure with no EU data residency option. This constitutes a third-country transfer under GDPR Chapter V. Standard Contractual Clauses are the applicable transfer mechanism. Organisations using Monetate should document this transfer in their Records of Processing Activities, sign a Data Processing Agreement with Monetate, and list Monetate in their sub-processor disclosure. If Monetate is integrated with a CRM that also processes data in the US, the combined transfer chain must be fully documented.
To deploy Monetate compliantly: block the snippet until consent is obtained; categorise Monetate under analytics or personalisation cookies; update your privacy policy to name Monetate as a processor and disclose the US transfer; sign a Data Processing Agreement with Kibo Commerce; conduct a DPIA if personalisation decisions are automated and affect product pricing or content availability; document the US transfer in your RoPA; and implement consent expiry so that personalisation is disabled when consent is not renewed.
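A consent gate implementing the blocking, expiry, and revocation steps above, as an added example (not Monetate's or FlowConsent's code). The snippet path, the 180-day renewal period, the `monetate-snippet` element id, and the shape of the consent record are assumptions; the cookie names are the ones listed in this page's cookie table.

```javascript
// Added example: consent gate for the Monetate snippet (not vendor code).
const MONETATE_COOKIES = ["mt", "mt.v2"];          // names from the cookie table on this page
const SNIPPET_SRC = "https://se.monetate.net/PLACEHOLDER/entry.js"; // placeholder path, not a real URL
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;   // assumed renewal period (180 days)

// consent: { personalisation: boolean, grantedAt: epoch ms }, or null if never recorded.
// Anything other than a fresh, explicit grant blocks the snippet.
function decide(consent, now) {
  if (!consent || consent.personalisation !== true) return "block";
  if (typeof consent.grantedAt !== "number") return "block";
  if (now - consent.grantedAt > CONSENT_TTL_MS) return "block"; // expired and not renewed
  return "load";
}

// Cookie strings that expire each Monetate cookie immediately.
// The Domain attribute must match the one the cookie was set with (assumed here).
function purgeStrings(domain) {
  return MONETATE_COOKIES.map((name) => `${name}=; Max-Age=0; Path=/; Domain=${domain}`);
}

// doc is the page's Document (or a stub exposing the same members).
function applyConsent(doc, consent, now, cookieDomain) {
  const existing = doc.getElementById("monetate-snippet");
  if (decide(consent, now) === "load") {
    if (!existing) {
      const s = doc.createElement("script");
      s.id = "monetate-snippet";
      s.src = SNIPPET_SRC;
      s.async = true;
      doc.head.appendChild(s); // the only place the snippet is ever injected
    }
    return "loaded";
  }
  if (existing) existing.remove();
  for (const c of purgeStrings(cookieDomain)) doc.cookie = c;
  return "blocked";
}
```

Removing the script tag does not unload code that has already run, so a revocation handler should call `applyConsent` and then reload the page. The page does not name Monetate's localStorage keys, so clearing them is left out here.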
Websites using Monetate must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Monetate is used for large-scale behavioural profiling, automated personalisation decisions, or when combined with CRM or purchase history data. The persistent cross-session visitor profiling, automated content targeting, and US data transfer all contribute to an elevated risk profile requiring formal assessment.
Sample consent text
We use Monetate to personalise your website experience based on your browsing behaviour. Monetate sets cookies and collects data such as pages visited, products viewed, and interaction patterns. This data may be transferred to and processed in the United States. Please accept to enable personalised content and recommendations.
Third-party domains contacted
se.monetate.net
engine.monetate.net
localhost.monetate.net

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mt | persistent | 2 years | Unique visitor identifier used for cross-session personalisation segment assignment and behavioural tracking |
| mt.v2 | persistent | 2 years | Visitor segment and experience assignment data used to deliver consistent personalised content across sessions |
Monetate sets a persistent first-party visitor identifier cookie valid for up to 2 years that tracks behaviour and segment membership across sessions. It also writes experiment assignment data to localStorage. These are not strictly necessary cookies and require prior consent under the ePrivacy Directive before the snippet is allowed to load.
Yes. Monetate loads on page entry and immediately begins profiling visitor behaviour and assigning personalisation segments before any interaction. This requires prior consent under both the ePrivacy Directive (for cookies) and GDPR (for behavioural profiling). The snippet must be blocked by your CMP until explicit consent is recorded.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis for Monetate's personalisation and tracking cookies. Legitimate interest under Article 6(1)(f) is sometimes argued for basic A/B testing without personal data, but the persistent visitor profiling and cross-session tracking in Monetate's standard implementation go beyond what legitimate interest can cover without a robust balancing test.
Yes. Monetate is a US company (part of Kibo Commerce) and processes all visitor data on US infrastructure with no EU data residency option. Standard Contractual Clauses are the applicable transfer mechanism under GDPR Article 46. All transfers must be documented in your Records of Processing Activities and disclosed in your privacy policy.
A DPIA is strongly recommended when Monetate is used for automated personalisation at scale, particularly when it influences product pricing, content availability, or promotional offers presented to individual users. The combination of persistent profiling, automated decision-making based on behavioural data, and US transfer creates processing that falls within the high-risk categories identified in GDPR Article 35.
Block the Monetate snippet until consent is obtained via your CMP. Categorise Monetate under personalisation or analytics cookies. Update your privacy policy to name Monetate and Kibo Commerce as processors and disclose the US transfer. Sign a DPA with Kibo Commerce. Conduct a DPIA if automated personalisation affects pricing or content. Document the US transfer in your RoPA. Configure consent expiry to ensure personalisation is disabled when consent is not renewed.
Yes. Kameleoon and AB Tasty are European-headquartered personalisation and experimentation platforms with EU data residency. Dynamic Yield (owned by Mastercard) offers EU data residency options. For organisations prioritising data sovereignty, self-hosted A/B testing with GrowthBook combined with server-side personalisation keeps all data on EU infrastructure.
Add an entry for the Monetate visitor identifier cookie in your cookie policy, listing its name, category (personalisation or analytics), duration (up to 2 years), and purpose (cross-session visitor identification for personalised content delivery). Note any localStorage usage separately. Reference Monetate and Kibo Commerce as third-party processors, link to their privacy policy, and disclose the US data transfer with the applicable SCC safeguard.