Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Pinterest is a social discovery platform whose Save button, board embeds and widgets load tracking scripts from Pinterest Inc. in the United States.
Pinterest is a US-based social discovery platform where users save images and links to themed boards. Publishers and merchants embed Pinterest features on their own sites with the Save button, hover pins, board widgets and the Pinterest Tag for conversion tracking. All of these integrations rely on JavaScript and iframes served from Pinterest infrastructure.
Pinterest widgets typically write the _pinterest_sess, _routing_id, _b and _epik cookies, plus several localStorage entries. Pinterest receives the URL of the page, the referrer, the IP address, the user agent, the Pinterest account identifier if the user is logged in, and any pinned image. The Pinterest Tag transmits e-commerce events such as PageVisit, AddToCart, Checkout and Lead. Together this builds a behavioural profile usable for advertising and lookalike audiences.
Loading the Pinterest script reads from and writes to the user's device, so Article 5(3) of the ePrivacy Directive requires prior consent. The data flowing back to Pinterest is personal data within the meaning of the GDPR and is used for purposes beyond delivering your content (advertising, profiling, lookalike audiences). Pinterest acts as a controller for its own purposes; the CJEU's Fashion ID and Meta judgments apply, so the site operator is a joint controller for the collection and transmission step even though it never sees the data itself.
Pinterest scripts must only load after explicit opt-in. The consent must be granular, with separate purposes for social interaction, audience measurement and advertising; consent must be as easy to withdraw as to give, and refusing must be as visible as accepting. The legal basis is Art. 5(3) ePrivacy for storing and reading the cookies plus Art. 6(1)(a) GDPR for the resulting personal data processing.
Pinterest Inc. is headquartered in San Francisco. Pinterest is certified under the EU-US Data Privacy Framework and offers Standard Contractual Clauses for jurisdictions not covered. Any embed of a Pinterest widget triggers a transfer that must be disclosed in your privacy policy, with reference to the legal mechanism and to the rights provided by the DPF.
Block the Pinterest widget and the Pinterest Tag until consent is granted; use a CMP that maps Pinterest to the right purposes (TCF v2.2 vendor 793). Replace direct embeds with a click-to-load placeholder. List every cookie and storage entry in the cookie policy. Document the transfer under the EU-US Data Privacy Framework. Provide a clear opt-out and remove the Pinterest scripts and iframes immediately when consent is withdrawn. Note that your page cannot delete cookies scoped to pinterest.com; withdrawal can only stop further loading and data flow, so the cookie policy should say that the user must clear the remaining Pinterest cookies in the browser.
DPIA considerations
A DPIA is recommended when Pinterest Save buttons or board widgets are deployed alongside the Pinterest Tag for conversion tracking, when minors can be expected in the audience, or when combined with retargeting and lookalike audiences.
Sample consent text
We use Pinterest widgets to let you save our content to your Pinterest boards. Pinterest writes cookies on your device and shares your IP address and browsing context with Pinterest Inc. in the United States. We only load these widgets if you accept.
Third-party domains contacted
pinterest.com
assets.pinterest.com
log.pinterest.com
ct.pinterest.com
s.pinimg.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pinterest_sess | third_party | 1 year | Session and authentication for logged in Pinterest users |
| _routing_id | third_party | 1 day | Routes the user to the correct Pinterest infrastructure node |
| _b | third_party | 1 year | Behavioural cookie used to deliver personalised pins and ads |
| _epik | third_party | 1 year | Conversion tracking cookie used by the Pinterest Tag |
| pin_unauth | third_party | 1 year | Unauthenticated visitor identifier |
Pinterest writes _pinterest_sess (session and authentication), _routing_id and _b (routing and behaviour), _epik (ad measurement), plus pin_unauth and localStorage entries. All of them are scoped to the pinterest.com domain: they are first-party cookies when the user is on pinterest.com itself and third-party cookies when Pinterest scripts or iframes run inside your pages.
Yes. Pinterest widgets read from and write to the user's device and process personal data for marketing purposes. Article 5(3) of the ePrivacy Directive and Article 6(1)(a) of the GDPR require prior, specific and informed consent before the script is loaded.
Consent (Art. 6(1)(a) GDPR) is the only valid basis for the cookies set by Pinterest and the downstream personal data processing. Legitimate interest is not acceptable for cross-site advertising trackers under EDPB guidance and the CNIL cookie guidelines.
Yes. Pinterest Inc. is US-headquartered and Pinterest is certified under the EU-US Data Privacy Framework. Standard Contractual Clauses cover transfers to other Pinterest entities not under the DPF. Mention both mechanisms in your privacy policy.
A DPIA is recommended when Pinterest tracking is combined with the Pinterest Tag, when minors may be in the audience, when retargeting or lookalike audiences are activated, or when behavioural data is enriched with first party data.
Use a CMP that blocks the Pinterest script until consent. Implement click-to-load placeholders for board widgets. Record the consent decision and replay it on each visit, treating a missing, malformed or expired record as "no consent". Configure the Pinterest Tag with Enhanced Match disabled unless that purpose was specifically consented to, since Enhanced Match sends a hashed email address of the visitor to Pinterest.
For visual bookmarking and inspiration boards, EU-first alternatives include Mastodon Pictrs, PixelFed, Sociallinks (EU) and self-hosted galleries. None has the audience of Pinterest, but they avoid the consent and transfer burden.
List every cookie (_pinterest_sess, _routing_id, _b, _epik, pin_unauth and any localStorage entries you observe) with purpose, lifetime, controller and a link to Pinterest's privacy policy. State that Pinterest is a separate controller and that transfers to the US rely on the EU-US Data Privacy Framework.
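The blocking, replay and withdrawal steps described above (and in the recommendations section earlier on this page) can be implemented without a CMP product. The following is an added example written for this page, not FlowConsent's or Pinterest's code. It assumes the inert-markup pattern `<script type="text/plain" data-purpose="social" data-src="…">` (and the same attributes on board iframes), a storage key name `consent.v1`, a six-month retention period and the script URLs shown; all of these are illustrative assumptions, not values taken from Pinterest documentation.

```javascript
'use strict';

// Consent gate for Pinterest embeds. Markup ships inert, e.g.
//   <script type="text/plain" data-purpose="social" data-src="https://assets.pinterest.com/js/pinit.js"></script>
//   <iframe data-purpose="social" data-src="https://assets.pinterest.com/ext/..."></iframe>
// and is only activated for purposes the user explicitly accepted.
// Added example, not FlowConsent's or Pinterest's code. Assumed for illustration:
// the URLs, the storage key, the purpose names and the retention period.

const PINTEREST_HOSTS = [
  'pinterest.com', 'assets.pinterest.com', 'log.pinterest.com',
  'ct.pinterest.com', 's.pinimg.com',
];
const PURPOSES = ['social', 'measurement', 'advertising'];
const STORAGE_KEY = 'consent.v1';                      // assumed name
const DEFAULT_MAX_AGE_MS = 6 * 30 * 24 * 3600 * 1000;  // assumed policy: re-ask after ~6 months

// Minimal in-memory stand-in for window.localStorage so the module runs offline.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// True for any URL served from Pinterest infrastructure, including subdomains,
// but not for look-alike hosts such as evilpinterest.com.
function isPinterestUrl(url) {
  let host;
  try { host = new URL(url).hostname; } catch { return false; }
  return PINTEREST_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Records an explicit, granular decision. Every purpose is written, so a purpose
// absent from `accepted` is stored as refused; nothing ever defaults to accepted.
function recordDecision(storage, accepted, now = Date.now()) {
  const decision = { ts: now };
  for (const p of PURPOSES) decision[p] = accepted[p] === true;
  storage.setItem(STORAGE_KEY, JSON.stringify(decision));
  return decision;
}

// Replays a stored decision on a later visit. A missing, malformed or expired
// record counts as "no consent": scripts stay blocked and the banner is shown again.
function loadDecision(storage, now = Date.now(), maxAgeMs = DEFAULT_MAX_AGE_MS) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let d;
  try { d = JSON.parse(raw); } catch { return null; }
  if (d === null || typeof d !== 'object' || typeof d.ts !== 'number') return null;
  if (now - d.ts > maxAgeMs) return null;
  return d;
}

// Withdrawal is stored in the same shape as acceptance: all purposes refused.
function withdrawAll(storage, now = Date.now()) {
  return recordDecision(storage, {}, now);
}

// Pure gating decision over inert elements ({ purpose, src }): which Pinterest
// resources may load under `decision` and which must stay blocked.
function gate(elements, decision) {
  const load = [];
  const block = [];
  for (const el of elements) {
    const ok = decision !== null && PURPOSES.includes(el.purpose) && decision[el.purpose] === true;
    (ok ? load : block).push(el.src);
  }
  return { load, block };
}

// Browser side: replace inert nodes with live ones. A fresh element is created
// rather than flipping `type` in place, because browsers do not re-evaluate a
// script whose type attribute is changed after parsing.
function activate(doc, decision) {
  let activated = 0;
  for (const node of Array.from(doc.querySelectorAll('[data-purpose][data-src]'))) {
    if (decision === null || decision[node.dataset.purpose] !== true) continue;
    const live = doc.createElement(node.tagName.toLowerCase());
    live.src = node.dataset.src;
    node.replaceWith(live);
    activated++;
  }
  return activated;
}

// On withdrawal: remove every live Pinterest script/iframe. Cookies already set
// on pinterest.com cannot be deleted from your origin; only loading can be stopped.
function removePinterestNodes(doc) {
  let removed = 0;
  for (const n of Array.from(doc.querySelectorAll('script[src], iframe[src]'))) {
    if (isPinterestUrl(n.src)) { n.remove(); removed++; }
  }
  return removed;
}
```

In a page, `activate(document, loadDecision(window.localStorage))` runs once on load and again after the banner calls `recordDecision`; the withdrawal handler calls `withdrawAll` and then `removePinterestNodes(document)`. Because `loadDecision` returns `null` for anything it cannot parse or that has aged out, a tampered or stale record fails closed rather than silently re-enabling the trackers.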