An overview of GDPR and the required considerations when using the Conversion pixel and forms
Note: This is intended as general implementation guidance and is not legal advice. We recommend working with a qualified data protection professional to validate your compliance status.

GDPR Regulations

The General Data Protection Regulation (GDPR) is an EU law governing how organizations collect, store, and use the personal data of individuals in the EU. It applies to any company handling EU residents’ data, regardless of where that company is based. For marketing teams, GDPR matters because almost everything you do involves personal data: tracking visitors, capturing leads, running ad campaigns, sending emails. Each of these activities requires a legal justification, and some require explicit consent from the user.

Lawful Basis

Under GDPR, you must have a lawful basis before processing personal data. For marketing, two are most relevant:

Consent: The user actively opts in. Required for non-essential tracking like page visits, ad pixels, or UTM tracking.

Legitimate Interests: You have a proportionate business reason and the user would reasonably expect it. Applies to following up on a demo request or storing a form submission to fulfill a request.

Tracking in Conversion

There are two primary ways user behavior is tracked in Conversion.

Tracking Pixel

The tracking pixel captures website activity including UTM parameters, page visits, referral sources, and behavioral signals. Because visitors haven’t explicitly requested anything when this data is collected, it is considered non-essential under GDPR and the ePrivacy Directive, meaning explicit user consent is required before it fires.

Forms SDK / iframe

The Forms SDK or iframe captures form submissions and stores them in the database. Because visitors are actively requesting something when they fill out a form, whether that’s a demo, a download, or a quote, this is considered an essential function. That means it does not require separate cookie consent. However, a Privacy Notice must still be visible on the form so users understand how their data will be used.

Implementation

To stay compliant, the pixel and the Forms SDK need to be loaded differently on the page. The key is making sure the pixel is gated behind user consent while the SDK loads freely.

Tracking Pixel

The tracking pixel should be placed behind your cookie manager under the non-essential or analytics category. This means it will only fire after a visitor has actively accepted tracking through your consent banner. Most cookie managers like OneTrust, Cookiebot, or CookieYes handle this by wrapping non-essential scripts so they are blocked by default and released only upon consent.

Forms SDK

The Forms SDK should be hardcoded directly on the page or set as an essential cookie in your cookie manager. This ensures it loads for every visitor regardless of their consent choices, which is appropriate given its functional role in capturing form submissions.
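
The loading rule described in this section, sketched as an added example (not Conversion's or any cookie manager's own code): the Forms SDK loads unconditionally, while the pixel loads only once consent for its category is explicitly true. The script URLs, the "analytics" category name, and the shape of the consent object are placeholders assumed for illustration; in a real deployment your cookie manager supplies the consent state.

```javascript
// Added example. URLs and category names are placeholders, not Conversion's real values.
const SCRIPTS = [
  { id: "forms-sdk", src: "https://example.invalid/forms-sdk.js", category: "essential" },
  { id: "tracking-pixel", src: "https://example.invalid/pixel.js", category: "analytics" },
];

// Default-deny: only an explicit boolean `true` for the category counts as consent.
function isAllowed(script, consent) {
  if (script.category === "essential") return true;
  return Boolean(consent) && consent[script.category] === true;
}

// Returns a function to call on page load and again on every consent change.
// `doc` is the browser `document`, or any object with the same two methods.
function createLoader(doc) {
  const loaded = new Set(); // ensures each script is injected at most once
  return function applyConsent(consent) {
    const injected = [];
    for (const script of SCRIPTS) {
      if (loaded.has(script.id) || !isAllowed(script, consent)) continue;
      const el = doc.createElement("script");
      el.src = script.src;
      el.async = true;
      doc.head.appendChild(el);
      loaded.add(script.id);
      injected.push(script.id);
    }
    return injected;
  };
}

// Minimal stand-in for `document`, so the example also runs outside a browser.
function fakeDocument() {
  const appended = [];
  return {
    appended,
    createElement: (tag) => ({ tag }),
    head: { appendChild: (el) => appended.push(el) },
  };
}

// Constructed walk-through of one visit: no decision, reject, accept, repeat.
function demo() {
  const doc = fakeDocument();
  const applyConsent = createLoader(doc);
  const onPageLoad = applyConsent(null);               // banner not answered yet
  const onReject = applyConsent({ analytics: false }); // visitor declines
  const onAccept = applyConsent({ analytics: true });  // visitor later accepts
  const onRepeat = applyConsent({ analytics: true });  // same state reported again
  return { onPageLoad, onReject, onAccept, onRepeat, srcs: doc.appended.map((e) => e.src) };
}
```

To confirm the gating on a live page, watch the browser's network panel before answering the banner: the Forms SDK request should appear and the pixel request should not.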