What the Pinterest Tag Actually Does
The Pinterest tag is a JavaScript snippet that advertisers place on their websites to track visitor actions - page views, sign-ups, purchases - and report them back to Pinterest for ad measurement and audience building. Once installed, the tag fires on every page load (unless blocked) and sets a series of first-party cookies on your domain.
Pinterest and the advertiser operate as joint controllers under the GDPR for this data processing. Pinterest's Advertising Services Agreement includes a Joint Controller Addendum that defines this relationship. The practical effect: both parties share responsibility for ensuring valid consent before the tag collects data.
That shared responsibility matters because the tag does not just count conversions. It builds user profiles, enables cross-site tracking, and feeds Pinterest's ad targeting algorithms.
Cookies Set by the Pinterest Tag
Every cookie the Pinterest tag creates persists for one year. Most are first-party cookies written to your domain, which means your website - not Pinterest - is technically setting them. Here is a full breakdown.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| _epik | First-party | Caches click data from Pinterest ads for user matching | 1 year |
| _derived_epik | First-party | Stores matches identified through enhanced match (without cookies) | 1 year |
| _pin_unauth | First-party | Assigns a UUID to group actions for users Pinterest cannot identify | 1 year |
| _pinterest_ct | First-party | Stores user ID and timestamp (in-app browser equivalent of session cookie) | 1 year |
| _pinterest_ct_rt | First-party | Written when the session cookie is already present on an advertiser site | 1 year |
| _pinterest_ct_ua | Third-party | Third-party version of _pin_unauth for cross-domain tracking | 1 year |
| _pinterest_sess | First-party | Login cookie containing user IDs and authentication tokens | 1 year |
| _routing_id | First-party | Manages rollout of Pinterest website changes | 1 year |
None of these cookies are strictly necessary for your website to function. They exist solely to support Pinterest's advertising and measurement features, which places them firmly in the marketing cookies category.
Why the Pinterest Tag Requires Prior Consent Under GDPR
Article 5(3) of the ePrivacy Directive requires consent before storing or accessing information on a user's device, unless the storage is strictly necessary to provide a service the user requested. Advertising cookies never meet that threshold.
The GDPR adds further requirements through Article 7. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent through continued browsing, and bundled consent statements all fail this standard. The EDPB's guidelines on consent make this explicit.
For your Pinterest tag implementation, this means the tag script must not execute until a visitor actively opts in through your cookie banner. Loading the tag and then deleting cookies after a refusal does not satisfy the law - the storage itself requires prior authorisation.
CCPA and US State Law Requirements
Under the CCPA/CPRA, Pinterest tag cookies constitute a "sale" or "sharing" of personal information when they enable cross-context behavioural advertising. California residents must be able to opt out of this processing through a clear "Do Not Sell or Share My Personal Information" link.
Unlike the GDPR's opt-in model, US state privacy laws generally follow an opt-out approach. The Pinterest tag can fire by default for US visitors, but you must honour opt-out requests promptly. Several states now require recognition of Global Privacy Control (GPC) signals as valid opt-out mechanisms. Colorado, Connecticut, Montana, and Texas all mandate GPC support.
Geo-targeting your consent logic is the practical solution. European visitors see an opt-in banner; for US visitors the tag loads by default, with an accessible opt-out. Kukie.io's geo-detection features on the features page cover this scenario.
How to Block the Pinterest Tag Before Consent
The most reliable method is conditional script loading. Change the tag's type attribute from text/javascript to text/plain so the browser ignores it on page load. Your consent management platform then switches the type back to text/javascript once the visitor accepts marketing cookies.
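The type-switching gate described above, as an added example that is not Pinterest's or Kukie.io's code. The `data-cookie-category` attribute and the `cookie-consent` event are hypothetical names; the gate replaces the parked element rather than editing it, because a browser does not run an existing script element when only its type changes.

```javascript
// Added example: consent gate for scripts parked as type="text/plain".
// Assumed markup (hypothetical attribute name):
//   <script type="text/plain" data-cookie-category="marketing">/* tag */</script>
const BLOCKED_TYPE = 'text/plain';

// Replaces every parked script whose category has been granted with a fresh,
// executable <script>. Scripts in categories that were not granted stay inert,
// so they never run and never write cookies.
function activateConsentedScripts(doc, grantedCategories) {
  const granted = new Set(grantedCategories);
  const activated = [];
  const parked = doc.querySelectorAll(
    `script[type="${BLOCKED_TYPE}"][data-cookie-category]`);
  for (const oldEl of Array.from(parked)) {
    const category = oldEl.getAttribute('data-cookie-category');
    if (!granted.has(category)) continue;
    const newEl = doc.createElement('script');
    for (const { name, value } of Array.from(oldEl.attributes)) {
      if (name !== 'type') newEl.setAttribute(name, value); // keep src, async, data-*
    }
    newEl.type = 'text/javascript';
    newEl.text = oldEl.text; // inline tag body; empty for src-only scripts
    oldEl.parentNode.replaceChild(newEl, oldEl); // insertion is what triggers execution
    activated.push(category);
  }
  return activated;
}

// Browser wiring: nothing runs on page load. The gate runs only when the
// banner reports an explicit choice through a hypothetical `cookie-consent`
// event carrying detail.granted = ['marketing', ...].
if (typeof document !== 'undefined') {
  document.addEventListener('cookie-consent', (e) =>
    activateConsentedScripts(document, e.detail.granted));
}
```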
If you use Google Tag Manager, create a trigger that fires only when your consent variable equals "granted" for the marketing category. The Pinterest tag should sit behind this trigger rather than loading unconditionally. A detailed walkthrough is available in the GTM blocking guide.
Test the implementation. Open Chrome DevTools, reject all cookies in your banner, and check the Application tab. If any _epik, _pin_unauth, or _pinterest_ct cookies appear, the tag is still firing before consent.
The Pinterest Conversions API as a Privacy-Friendly Alternative
The Pinterest Conversions API (CAPI) sends event data server-to-server, bypassing the browser entirely. No JavaScript tag runs on the visitor's device, no cookies are set in the browser, and the data exchange happens on your server infrastructure.
This approach mirrors what Meta offers with its Conversions API and what is covered in the server-side tagging guide. The technical advantage is significant: server-side tracking is not affected by ad blockers, browser cookie restrictions like Safari's Intelligent Tracking Prevention, or script-blocking consent tools.
Consent is still required. The Conversions API accepts consent parameters that tell Pinterest how to process the data. If a visitor has not consented to marketing tracking, you must not send their data to Pinterest through the API either. The legal obligation follows the data processing, not the technology used to transmit it.
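A server-side consent check covering both the geo-targeted logic and the Conversions API rule above, as an added example that is not Pinterest's API or the site's code. The field names (`regime`, `marketingConsent`, `optedOut`, `secGpc`) are hypothetical, `regime` is assumed to come from your own geo-detection, and `secGpc` holds the value of the request's `Sec-GPC` header.

```javascript
// Added example: decide whether a conversion event may be forwarded
// server-side. All field names on `visitor` are hypothetical.
function mayForward(visitor) {
  if (visitor.regime === 'opt-in') {
    // GDPR / ePrivacy: only an explicit, recorded acceptance counts.
    // A missing record is treated the same as a refusal.
    return visitor.marketingConsent === true;
  }
  if (visitor.regime === 'opt-out') {
    // US state laws: allowed by default, unless the visitor used the opt-out
    // link or the browser sent a Global Privacy Control signal (Sec-GPC: 1).
    return visitor.optedOut !== true && visitor.secGpc !== '1';
  }
  return false; // unknown region: fail closed
}

// Splits a batch into event ids that may be sent and ids that must be dropped
// before anything leaves your server.
function partitionEvents(events) {
  const send = [];
  const drop = [];
  for (const ev of events) {
    (mayForward(ev.visitor) ? send : drop).push(ev.id);
  }
  return { send, drop };
}

// Constructed sample batch, one event per case.
const SAMPLE_EVENTS = [
  { id: 'e1', visitor: { regime: 'opt-in', marketingConsent: true } },
  { id: 'e2', visitor: { regime: 'opt-in', marketingConsent: false } },
  { id: 'e3', visitor: { regime: 'opt-in' } },                 // banner never answered
  { id: 'e4', visitor: { regime: 'opt-out' } },
  { id: 'e5', visitor: { regime: 'opt-out', optedOut: true } },
  { id: 'e6', visitor: { regime: 'opt-out', secGpc: '1' } },
  { id: 'e7', visitor: {} },                                   // region not resolved
];
```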
When to Use the Tag, the API, or Both
| Scenario | Recommended Approach | Consent Needed |
|---|---|---|
| Full conversion tracking with maximum match rates | Tag + CAPI (deduplication enabled) | Yes - opt-in (GDPR) or opt-out honoured (CCPA) |
| Privacy-first tracking with reduced browser dependency | CAPI only | Yes - server-side consent checks required |
| Simple retargeting without server infrastructure | Tag only (behind consent gate) | Yes - opt-in (GDPR) or opt-out honoured (CCPA) |
| Visitors who reject consent | No tracking permitted | N/A - no data sent |
Classifying Pinterest Cookies in Your Consent Banner
All Pinterest tag cookies belong in the "Marketing" or "Advertising" category. Do not classify them as "Analytics" or "Functional" - regulators have consistently held that advertising tracking cookies require the highest level of consent.
Your cookie policy should list each Pinterest cookie by name, state its purpose, note the one-year duration, and identify Pinterest as the data recipient. Generic descriptions like "third-party advertising cookies" are insufficient. The CNIL and ICO both expect granular disclosure.
If you run a cookie scan on your site, the Pinterest tag cookies should appear in the results. Verify that each one is correctly categorised and that the descriptions match what the cookies actually do.
Frequently Asked Questions
Does the Pinterest tag set cookies before a user interacts with it?
Yes. The Pinterest tag sets cookies like _pin_unauth and _epik on the first page load, before any user interaction. This is why the tag script must be blocked until consent is obtained under GDPR.
Can I use the Pinterest Conversions API without a cookie banner?
No. The Conversions API sends personal data (hashed emails, event data) to Pinterest server-to-server. You still need a lawful basis for this processing, which typically means obtaining consent before collecting and transmitting the data.
Are Pinterest tag cookies first-party or third-party?
Most Pinterest tag cookies are first-party, written to your domain. The exception is _pinterest_ct_ua, which is a third-party cookie. First-party status does not exempt them from consent requirements.
How do I block Pinterest cookies for visitors who decline consent?
Change the Pinterest tag script type to text/plain by default and only switch it to text/javascript after consent. If using Google Tag Manager, set a consent-based trigger that prevents the tag from firing until marketing consent is granted.
What happens to Pinterest ad tracking if a visitor opts out under CCPA?
You must stop sending that visitor's data to Pinterest, whether through the tag or the Conversions API. Pinterest's system accepts consent parameters that allow you to flag opted-out users so their data is not processed for ad targeting.
Is Pinterest a joint controller or a processor under GDPR?
Pinterest and the advertiser are joint controllers for data collected through the Pinterest tag. This is defined in Pinterest's Advertising Services Agreement and its Joint Controller Addendum, covering the collection and transmission of activity data.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.