Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AddShoppers is a US based identity resolution and email marketing cooperative that links anonymous website visitors to known email addresses using a shared graph of hundreds of retailers, then enables email retargeting, abandoned cart recovery and on site personalization. Because the service performs cross site identification without prior knowledge by the data subject, it carries a very high privacy risk and requires explicit, informed opt in consent under GDPR Article 7 and ePrivacy Article 5(3).
AddShoppers is a US based ecommerce technology company headquartered in Charlotte, North Carolina, that operates a cooperative identity resolution and email retargeting network. When a visitor lands on a participating retailer site, AddShoppers drops a pixel and reads a shared cooperative cookie. If the visitor has ever entered an email address on any of the hundreds of retailers in the network, AddShoppers can re identify the anonymous browser, attach the known email address, and trigger personalized emails, abandoned cart messages or on site offers. This is fundamentally different from a single brand email service provider: AddShoppers pools first party identifiers across many controllers and uses them for cross site targeting, which is exactly the practice that the EDPB, the CNIL, the AEPD and the ICO have flagged as high risk.
GDPR Article 7 requires consent to be freely given, specific, informed and unambiguous, with the controller able to demonstrate it (Article 7(1)). The EDPB Guidelines 05/2020 on consent and the EDPB Opinion 28/2024 on legitimate interest make clear that an opt in buried in a privacy policy or a generic cookie banner does not meet that bar. Identity resolution is a paradigmatic case where consent must be granular, layered and unbundled from other purposes. ePrivacy Article 5(3) further requires consent before any reading or writing on the terminal of the user, including the pixel and cooperative cookie. Without an explicit, separate opt in, deploying AddShoppers is almost certainly unlawful in the EEA and the UK.
AddShoppers processes data in the United States. Following Schrems II (CJEU C 311/18), transfers to the US require a valid transfer mechanism (EU US Data Privacy Framework adequacy decision adopted 10 July 2023, or Standard Contractual Clauses with a Transfer Impact Assessment and supplementary measures). Controllers must verify that AddShoppers is self certified under the DPF, document the TIA, and inform data subjects that their browsing data, email and inferred attributes leave the EEA for the United States. Email addresses combined with browsing history can constitute a sensitive identifier that triggers heightened scrutiny under FISA 702 and Executive Order 12333.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The French CNIL has repeatedly fined adtech and identity graph providers (decisions on Criteo, Voodoo, Tagadamedia) and has issued guidelines requiring symmetrical accept and reject buttons. The Spanish AEPD has specifically warned about identity graphs that link offline email lists with online behavior. The UK ICO opinion on adtech and the report on the use of personal data in online advertising directly question the lawfulness of cooperative identity sharing. In the United States, the FTC has taken enforcement against companies engaged in undisclosed data sharing and identity stitching (matters such as InMarket Media and X Mode), and the FTC Act Section 5 prohibits unfair or deceptive practices, including failing to honor consumer choices about cross site tracking.
A compliant deployment requires: (1) a full DPIA under Article 35, (2) a separate, granular opt in for identity resolution and cooperative data sharing, distinct from the cookie banner, (3) a joint controllership agreement under Article 26 that clearly allocates responsibilities between the publisher, AddShoppers and the cooperative members, (4) a documented Transfer Impact Assessment for US transfers, (5) updated Article 13/14 notices that name AddShoppers, list cooperative members or categories of recipients, and explain re identification, (6) a working withdrawal mechanism that propagates the opt out to the cooperative and triggers email and graph deletion, (7) retention limits (24 months maximum recommended), (8) honoring Global Privacy Control and CCPA opt out of sale and share signals, (9) blocking the script by default until consent is captured. Where these conditions cannot be met, the lawful answer is to not deploy AddShoppers in the EEA or UK.
Websites using AddShoppers must obtain user consent under GDPR regulations.
DPIA considerations
AddShoppers triggers a high impact Data Protection Impact Assessment (DPIA) under GDPR Article 35 because it combines: (1) systematic monitoring across many websites via a cooperative identity graph, (2) re identification of anonymous visitors to email addresses they never knowingly shared with the publisher, (3) automated decisioning for marketing targeting (Article 22 considerations where significant effects apply), (4) large scale processing of contact data potentially including special categories inferred from browsing (Article 9), (5) systematic transfers to the United States after Schrems II requiring supplementary technical, contractual and organizational measures. The DPIA must assess: lawful basis (consent is the only realistic basis), proportionality and necessity, data minimization, joint controllership analysis with the cooperative under Article 26, transfer impact assessment, retention (max 24 months recommended), data subject rights including the right to object under Article 21 and the right not to be subject to automated profiling. The EDPB Opinion 28/2024 on legitimate interest, the CNIL guidelines on cookies and trackers, the AEPD guidance on identity graphs and the ICO opinion on adtech all conclude that identity resolution cannot rely on legitimate interest. A second, granular opt in is required for the cooperative pooling of data with other retailers.
Sample consent text
We use AddShoppers, a US based identity resolution and email retargeting cooperative, to recognize you across our site and to send you personalized emails (including abandoned cart reminders) using your email address shared by other retailers in the AddShoppers network. This means your browsing data and email address are transferred to the United States and pooled with hundreds of other retailers. The legal basis is your explicit consent under GDPR Article 7 and ePrivacy Article 5(3). You can withdraw consent at any time without affecting prior processing, and you can object under Article 21. Do you consent to identity resolution and email retargeting by AddShoppers and its retailer cooperative?
Third-party domains contacted
addshoppers.comwww.addshoppers.comfastapi.addshoppers.comapi.addshoppers.comshop.pecdn.shop.pestatic.shop.petags.shop.pepixel.addshoppers.comrum.addshoppers.comedge.addshoppers.comcollect.addshoppers.comoptout.addshoppers.comprivacy.addshoppers.comcdn.addshoppers.comsafeoptr.comcdn.safeoptr.comsafeopt.coma.safeopt.comaddshoppers-prod.s3.amazonaws.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _AddShoppers | http_cookie | 1 year | Primary AddShoppers identifier used to track the visitor across participating retailer sites in the cooperative network. This is the cornerstone of the identity graph: the same value is read on every member site, enabling cross site re identification. Requires explicit consent under ePrivacy Article 5(3) and is the cookie that triggers the very high risk classification under GDPR. |
| _as_visit | http_cookie | Session | Session level cookie used by AddShoppers to track a single browsing session on the publisher site (page views, products viewed, cart events). Feeds the cooperative identity graph in real time and supports abandoned cart recovery emails. Consent required under ePrivacy 5(3). |
| _asuid | http_cookie | 2 years | AddShoppers user identifier persisted across sessions. Once the user has been re identified via the cooperative graph and matched to an email address, this cookie binds the email to the browser. Highly intrusive: enables long term cross site tracking and email retargeting. Triggers Article 7 informed consent and Article 26 joint controllership analysis. |
| _as_consent | http_cookie | 1 year | AddShoppers consent state cookie. Records whether the visitor has opted in or opted out of identity resolution and email retargeting. Must reflect the actual choice expressed via the publisher CMP and be respected by the cooperative. |
| _AddShoppers_session | http_cookie | 30 minutes | Short lived session cookie used to deduplicate events and to bind page views to the cooperative identifier. Loaded only after consent is granted. Used in conjunction with the AddShoppers pixel and server to server postback for identity resolution. |
| as_email_match | http_cookie | 24 months | Cookie that stores a hashed email identifier once the cooperative graph has matched the anonymous browser to a known email address. Allows email retargeting and personalization on subsequent visits. Constitutes personal data under GDPR (a hashed email remains identifying when linked back to a browser). |
| _as_attribution | http_cookie | 90 days | Attribution cookie used to credit AddShoppers triggered emails (abandoned cart, browse abandonment, post purchase) when the visitor returns to the site and completes a transaction. Supports closed loop reporting back to the cooperative network. Personal data; consent required. |
| _as_seg | http_cookie | 12 months | Segmentation cookie that stores derived audience labels assigned by the AddShoppers cooperative (high intent buyer, cart abandoner, lifecycle stage, product affinity). Used for on site personalization and email targeting. Inferred attributes from this cookie can constitute special category data under GDPR Article 9 if they reveal sensitive information. |
| as_optout | http_cookie | 10 years | Opt out cookie that records a withdrawal of consent. Long lived to prevent re prompting users who have refused. Must be honored by the AddShoppers pixel and propagated to the cooperative graph for deletion of derived data. |
| _as_dpf | http_cookie | 6 months | Cookie used to record acknowledgement that the visitor has been informed of the US transfer under the EU US Data Privacy Framework and Schrems II. Used as part of the controller documentation of the transfer impact assessment. |
| local_storage_as_id | local_storage | Persistent until cleared | Local storage entry that mirrors the AddShoppers cooperative identifier. Used as a fallback in browsers that restrict third party cookies (Safari ITP, Firefox ETP). Subject to ePrivacy Article 5(3) consent because writing to local storage is treated equivalently to setting a cookie. |
| as_pixel_fp | fingerprint | 6 months | Device and browser fingerprint signal computed by the AddShoppers pixel (user agent, screen, fonts, canvas, language). Used to strengthen cross device matching in the cooperative graph. The CNIL and EDPB consider device fingerprinting an Article 5(3) ePrivacy access to terminal information requiring consent. |
AddShoppers places tracking cookies for advertising — comply with GDPR using FlowConsent.
AddShoppers is a US based identity resolution and email marketing technology operated by AddShoppers, Inc. (Charlotte, North Carolina). It installs a pixel and a cooperative cookie on participating retailer websites. When a visitor arrives, AddShoppers attempts to re identify the anonymous browser by matching it against a shared identity graph fed by hundreds of other retailers. If a match is found, the visitor's email address (collected previously by another retailer in the cooperative) is attached to the session, enabling personalized emails, abandoned cart messages and on site offers. In privacy terms it performs cross site tracking, identity resolution and email retargeting, which the EDPB, the French CNIL, the Spanish AEPD and the UK ICO consider very high risk processing requiring explicit informed consent.
Yes. Two layers of consent are required and they cannot be bundled. First, ePrivacy Directive Article 5(3) requires consent before reading or writing on the user's device (the AddShoppers pixel and cooperative cookie). Second, GDPR Article 6(1)(a) and Article 7 require freely given, specific, informed and unambiguous consent for the underlying processing (identity resolution, cross site tracking, email retargeting and cooperative data sharing). The EDPB Guidelines 05/2020 on consent and Opinion 28/2024 on legitimate interest exclude legitimate interest as a basis for this type of intrusive profiling. A separate, granular opt in is required for the cooperative pooling of data with other retailers.
AddShoppers processes data in the United States. After Schrems II (CJEU C 311/18), transfers to the US are not based on adequacy alone unless the importer self certifies under the EU US Data Privacy Framework (Commission decision of 10 July 2023). If AddShoppers is not DPF certified, transfers must rely on Standard Contractual Clauses plus supplementary measures and a Transfer Impact Assessment documenting the risk from FISA 702 and Executive Order 12333. Controllers must verify the certification status in the official DPF list, document the TIA, and inform data subjects of the transfer under Articles 13/14 and Article 44 49.
AddShoppers processes online identifiers (cookie IDs, IP address, device and browser fingerprint), navigation events (pages viewed, products viewed, cart events), and once re identified, the corresponding email address from the cooperative graph and inferred attributes (purchase intent, product affinity, lifecycle stage). The cooperative pooling means data flows in both directions: the publisher contributes signals to the graph and receives matches sourced from other retailers. From a GDPR perspective this is a joint controllership relationship under Article 26 that must be governed by a written arrangement and disclosed to data subjects.
Risk level: very high. Applicable regulations: GDPR (Articles 5, 6, 7, 9, 13, 14, 22, 26, 44 49), ePrivacy Directive Article 5(3), EDPB Guidelines 05/2020 on consent, EDPB Opinion 28/2024 on legitimate interest, Schrems II, EU US Data Privacy Framework, CCPA/CPRA (sale and share of personal information, Global Privacy Control), FTC Act Section 5, CAN SPAM Act, CNIL guidelines on cookies and trackers, AEPD guidance on identity graphs, UK ICO opinion on adtech and real time bidding.
Users have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), as well as the right to withdraw consent at any time (Art. 7(3)). Practically: the publisher must provide a working opt out that propagates the withdrawal to AddShoppers and triggers deletion of the email and graph entries; AddShoppers must also offer a direct opt out via its privacy portal. The CCPA/CPRA right to opt out of sale and share applies, and the Global Privacy Control signal must be honored. Subject access requests should retrieve both the publisher level data and the cooperative graph entries.
A maximum retention period of 24 months is recommended for the identity graph and behavioral data, with shorter retention (6 to 12 months) for raw event data. Email engagement data should be retained only as long as the underlying marketing consent is valid. Deletion must propagate from the publisher through AddShoppers to all cooperative members holding derived data. Article 5(1)(e) of the GDPR (storage limitation) and Article 5(1)(c) (data minimization) require documented justification for any longer retention.
A compliant implementation requires: (1) a full DPIA under Article 35 documenting the high risk processing, (2) a granular two layer opt in (ePrivacy plus GDPR) outside the standard cookie banner, distinct from analytics and from other marketing tools, (3) a written joint controllership agreement under Article 26 with AddShoppers, (4) a documented Transfer Impact Assessment for US transfers, (5) updated Article 13/14 notices that name AddShoppers and explain re identification and cooperative sharing, (6) honoring GPC, CCPA opt out, and a propagated withdrawal mechanism, (7) script blocking by default until consent. If these conditions cannot be met, the lawful alternative is to rely on first party email marketing with native consent capture and standard ESPs, without identity resolution or cooperative data sharing.