ActiveCampaign Site Tracking and Data Protection – What Belongs in the Privacy Policy

Website operators use ActiveCampaign Site Tracking to link visits to their website with contacts in their ActiveCampaign CRM system. A JavaScript snippet is embedded on the website and records page views, clicks and user actions. The special feature: as soon as a visitor is identified as a known contact (email address), their anonymous visits are linked to their contact record – this goes beyond simple website statistics and requires a thorough data protection assessment.

A. Purpose and Function of ActiveCampaign Site Tracking

ActiveCampaign is an integrated platform for email marketing, CRM systems and marketing automations. Site Tracking is a specific integration feature that connects separate website visits with the CRM system.

ActiveCampaign as a platform: The system stores contact data (email addresses, names, company information, custom fields) in a central database. Users can send email campaigns, perform lead scoring, define marketing automations and visualise contact histories.

Site Tracking as a feature: The website operator embeds a JavaScript tracking snippet on its website. This snippet is loaded with every page view and records:

• Which pages are visited
• Which clicks occur
• Which predefined conversion goals are reached (e.g. button clicks, form submissions)

The central feature of Site Tracking: linking anonymous visits with known contacts. If a visitor still has their tracking cookie and is known as a contact in the ActiveCampaign system from any source (form, email click, CRM synchronisation), their visit history is assigned to that contact. This enables marketing automations such as: "If contact visits page X, send email Y" or "Lead scoring based on page visits."

Delimitation: Site Tracking is a feature for tracking and profile building. Email marketing, CRM contact management and other automation features of ActiveCampaign are not addressed individually in this article.

B. Mandatory Disclosures in the Privacy Policy

Pursuant to Art. 13(1) GDPR (or Art. 14 for data not collected directly), controllers must inform data subjects comprehensively. For ActiveCampaign Site Tracking, the following mandatory disclosures are central:

• Identity and contact details of the controller (Art. 13(1)(a)): the website operator itself
• Purposes of processing (Art. 13(1)(c)): tracking of page visits, linking with known contacts, marketing automation, lead scoring, personalisation
• Legal basis (Art. 13(1)(e)): regularly consent (Art. 6(1)(a) in conjunction with Section 25(1) TDDDG)
• Recipients/processors (Art. 13(1)(e)): ActiveCampaign, LLC (USA) as processor
• Retention period and erasure (Art. 13(1)(e)): cookie duration, contact erasure, data erasure
• Data subject rights (Art. 13(2)(a)–(f)): access, rectification, erasure, restriction, data portability, objection

A mere generic text template is not sufficient, as the linking of anonymous visits with known contacts represents a special data protection situation and website-specific factors (duration, purposes, settings) must be taken into account.

C. Provider

Name and address:

• ActiveCampaign, LLC
• 1 North Dearborn, Suite 500
• Chicago, Illinois 60602, USA
• Email (data protection): privacy@activecampaign.com
• Website: https://www.activecampaign.com

Jurisdiction and data protection: ActiveCampaign, LLC is a US company without an EU subsidiary. This means that data is transferred to the USA. ActiveCampaign has committed to complying with the EU-U.S. Data Privacy Framework (DPF) and is listed in the DPF participant directory. This allows EU customers to transfer data to the USA without having to set up additional instruments such as Standard Contractual Clauses (SCCs) – the DPF certification is considered an "adequacy decision".

However: The adequacy of the DPF is legally controversial in the EU and has been questioned by supervisory authorities in some cases. The website operator should find out whether additional SCCs or other measures are required.

Privacy policy and documentation:

• General privacy policy: https://www.activecampaign.com/legal/privacy-policy
• GDPR information: https://www.activecampaign.com/legal/gdpr
• Data Privacy Framework: https://www.activecampaign.com/legal/dpf
• Data Processing Addendum (DPA): https://www.activecampaign.com/legal/dpa
• Help Center Site Tracking: https://help.activecampaign.com/hc/en-us/articles/221542267-An-overview-of-Site-Tracking
• GDPR compliance in the Help Center: https://help.activecampaign.com/hc/en-us/articles/360000872064-Site-tracking-and-the-GDPR

D. Data Processing – Sequence

E. Data Collected

ActiveCampaign Site Tracking collects a combination of technical and behavioural data. The central feature is the linking of anonymous page visits with known contacts:

• Visitor ID: Unique identification number from the tracking cookie to track visits across multiple sessions
• Web server log data: Visitor's IP address, timestamps of page views
• Pages visited: URL of the page, page title, possibly additional page parameters
• Referrer: Origin page (where did the visitor come from?)
• Click paths and navigation: Sequence of pages visited, order of user actions
• Device and browser data: Device type (desktop, mobile, tablet), operating system, browser name and version
• Coarse location data: Country, region or city (derived from IP address)
• Conversion events: Predefined goal events (e.g. form submission, purchase, download)
• Custom events: Any events defined by the website operator (e.g. "video started", "shopping cart updated")
• Scroll behaviour and dwell time: How long users stay on a page, how far they scroll (optional)
• Contact assignment: As soon as the visitor is known as a contact in the ActiveCampaign system, a link is established between:
  • The contact's email address
  • The visit history (all previous and future visits)
  • The contact profile in the CRM (name, company, custom fields)

F. Purposes of Use

ActiveCampaign Site Tracking is processed for the following purposes:

• Provision of functionality and operation: Technical tracking of website visits, storage in the system
• Marketing automation: Trigger-based workflows that react to page visits (e.g. email after page visit)
• Lead scoring and prioritisation: Numerical evaluation of leads based on page visits to determine sales priority
• User profile building: Creation or enrichment of contact profiles through behavioural and visit data
• Personalisation: Adaptation of website content or email campaigns based on user behaviour
• Audience segmentation: Subdivision of contacts into groups (e.g. "frequent visitors", "interested in product XYZ") for targeted campaigns
• Analysis and reporting: Evaluation of which pages are frequented, which campaigns convert
• Security and operational stability: Monitoring of system security and prevention of misuse

The website operator should specify in its privacy policy which of these purposes it specifically uses.

G. Legal Bases

The legal basis for the processing of personal data through Site Tracking depends on the specific configuration:

Consent (Art. 6(1)(a) in conjunction with Section 25(1) TDDDG) – the rule: ActiveCampaign Site Tracking sets cookies that are not technically necessary. Under the German Telemedia Act (TDDDG, formerly TTDSG), non-necessary cookies are not permitted without consent. This means: The website operator must display a cookie banner, inform the user about the tracking and the purposes, and obtain their explicit consent (opt-in principle). The consent must be given before the cookie is set.

Technically, this means: The ActiveCampaign tracking code should only be loaded after consent has been given (e.g. via a consent management system such as Consentmanager, Cookiebot, OneTrust).

Legitimate interest (Art. 6(1)(f)) – critically assessed: Some website operators argue that tracking serves website optimisation and thus the legitimate business interest. However, this argument is assessed very critically by supervisory authorities, especially when it comes to linking with contacts and marketing automation. This legal basis is not recommended in practice.

Performance of a contract (Art. 6(1)(b)) – only in B2B: If the website operator has a contract with the user (e.g. SaaS subscription) and tracking is necessary for the performance of the contract, Art. 6(1)(b) could apply. However, this is rare and not applied in B2C contexts.

Conclusion for practice: The safe and most commonly applicable legal basis is consent. The website operator should rely on Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG and implement a consent management system.

H. Special Features and Notes

Processing on behalf and Data Processing Agreement (DPA): ActiveCampaign acts as a processor pursuant to Art. 28 GDPR. The website operator as controller must conclude a written Data Processing Agreement (DPA) with ActiveCampaign. The DPA must contain the following content:

• Subject matter and scope of processing
• Nature, context, scope and purposes of the processing
• Guarantees for technical and organisational measures
• Provisions on sub-processors (if ActiveCampaign engages third parties)
• Procedures in the event of personal data breaches

The DPA is available at https://www.activecampaign.com/legal/dpa and can be requested via the ActiveCampaign account or via privacy@activecampaign.com.

Third-country transfer and Data Privacy Framework: ActiveCampaign is based in the USA (Chicago, Illinois). This means a third-country transfer of personal data to the USA pursuant to Art. 44 et seq. GDPR. ActiveCampaign has committed to complying with the EU-U.S. Data Privacy Framework (DPF) and is listed in the DPF participant directory (https://www.dataprivacyframework.gov). The DPF certification is legally considered an "adequacy decision" and enables data transfers without additional instruments.

Note: The legal validity of the DPF is controversial in the EU and within the supervisory authorities. Some authorities and data protection officers additionally recommend reviewing Standard Contractual Clauses (SCCs) or other measures. The website operator should consult its local supervisory authority or a lawyer.

Activation and GDPR tools in ActiveCampaign:

• Site Tracking is not active by default in ActiveCampaign and must be explicitly activated.
• The JavaScript tracking code must be embedded on the website.
• ActiveCampaign offers GDPR configurations in the account, e.g. for deactivating tracking or setting privacy flags.
• The website operator should review and configure these settings.

Settings and control options:

• Activate/deactivate tracking: The website operator can manage tracking in its ActiveCampaign account under "Tracking" → "Site Tracking".
• Cookie consent mode: ActiveCampaign waits (with correct configuration) until a user has accepted cookies before tracking starts.
• Opt-out options: Users should have the option to deactivate tracking (e.g. via an opt-out iFrame or cookie manager setting).
• Data subject rights: Users can request access (Art. 15), rectification (Art. 16), erasure (Art. 17) of their data.

Special feature: identification through contact linking: Site Tracking has a special feature: A visitor must first have a tracking cookie, AND be identified as a known contact in the CRM system, for a link to be established. Isolated anonymous visits initially remain anonymous – only when the user fills in a form or clicks on an email link and becomes known as a contact does the link occur. This should be explained in the privacy policy.

I. Frequently Asked Questions about ActiveCampaign Site Tracking and Data Protection

J. Conclusion

ActiveCampaign Site Tracking is a powerful marketing tool, but the linking of anonymous website visits with known contacts requires careful data protection documentation. The most important points for the privacy policy are:

1. Identity of ActiveCampaign, LLC (Chicago, USA) and contact details (privacy@activecampaign.com)
2. Specific purposes: Site Tracking, marketing automation, lead scoring, contact profile building
3. Data collected: Visitor IDs, page views, click paths, device data, conversion events, link with contact email address
4. Legal basis: Consent (Art. 6(1)(a) + Section 25(1) TDDDG)
5. Processor and DPA: ActiveCampaign as processor, written DPA required
6. Third-country transfer: USA, DPF certification (review whether SCCs are additionally required)
7. Retention period: Cookie lifetime (e.g. 365 days), contact storage according to ActiveCampaign policy
8. Data subject rights: Access, rectification, erasure, restriction, data portability, objection
9. Consent management: Integration with cookie banner and consent system, opt-in principle
10. Special feature: Explain how anonymous visits are linked with known contacts

A generic text template is not sufficient – the website-specific and topic-oriented approach is legally cleaner and more transparent.