Disclosure Guide

How to disclose Segment in your privacy policy

Segment is a Customer Data Platform that routes behavioral data from your website to dozens or hundreds of downstream tools. Disclosing Segment accurately in a privacy policy requires describing both Segment itself and every downstream destination that receives data through the pipeline, since each has independent disclosure obligations.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Segment typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Anonymous visitor identifier (anonymous_id) from Segment's analytics.js cookie

  • User identity when identify() is called: user ID, email, name, custom traits

  • Page calls: URL, referrer, title, and custom page properties

  • Track calls: named events with custom properties (e.g., Order Completed, Button Clicked)

  • Screen calls for mobile apps

  • All data routed to downstream destinations: analytics, advertising, email, and CRM tools

  • Device and browser metadata

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Segment.

  • Centralizing behavioral and identity data collection across web and mobile

  • Routing user data to analytics, advertising, CRM, and marketing automation tools

  • Creating unified customer profiles across channels

  • Enabling personalization and audience segmentation

  • Supporting attribution and campaign measurement

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Segment routes data to multiple downstream destinations. Under the CCPA and CPRA, each downstream destination that uses data for cross-context behavioral advertising may constitute a "sale" or "sharing." Your policy must list the downstream categories receiving data and provide opt-out rights. If Segment's consent wrapper is not correctly configured per destination, opt-out compliance may fail even when Segment records a rejection.

EU and UK (GDPR)

As a non-essential analytics and data routing tool, Segment requires consent under the GDPR. Segment acts as a data processor under a data processing agreement. Your policy must describe Segment's role as a data pipeline, list the categories of downstream destinations receiving data, and disclose data transfers to Twilio Inc. in the United States under Standard Contractual Clauses.

Example language

Illustrative policy language for Segment

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Analytics infrastructure table row

Segment (Twilio Inc.): A Customer Data Platform that collects behavioral and identity data from this website and routes it to connected analytics, advertising, and marketing tools. Acts as a data processor under a data processing agreement. Category: Analytics and tracking infrastructure.

Full CDP and data pipeline disclosure paragraph

We use Segment, a Customer Data Platform provided by Twilio Inc., to collect behavioral data from this website and route it to the analytics, advertising, CRM, and marketing tools listed in this privacy notice. Segment's analytics.js library loads on our website and collects page views, user interactions, and, when you identify yourself to us (for example, by logging in or submitting a form), your user identifier and associated profile attributes. Segment forwards this data to our connected downstream tools, each of which may process it for the purposes described in their respective sections of this notice. Segment acts as a data processor under a data processing agreement and does not use the data it processes for its own commercial purposes. Where consent is required by applicable law, Segment and its downstream destinations will only receive data after you have provided consent through our consent management platform for the relevant processing categories.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Segment.

  1. Configure Segment's consent wrapper or Protocols consent management integration to gate each downstream destination individually based on CMP consent category.

  2. Test consent enforcement per destination, not just for Segment overall. A visitor who rejects advertising cookies should see Segment continue to route data to analytics destinations while blocking advertising destinations.

  3. Ensure that the Segment analytics.js snippet does not initialize before the CMP has recorded a decision in opt-in markets. Some Segment configurations load the snippet as Strictly Necessary infrastructure, but downstream destinations are not Strictly Necessary.

  4. Audit the Segment workspace for all active destinations. Destinations added without a corresponding consent category are a compliance gap. Each destination should be mapped to a CMP category.

  5. In California, Segment's routing to advertising destinations must stop when a GPC signal is detected or when the visitor opts out of sale and sharing. This requires per-destination GPC checks in the Segment consent configuration.
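The per-destination gating, workspace audit, and GPC check from the checklist above can be expressed as a small deny-by-default function. This is an added example, not Segment's or Lokker's code. The destination names, consent categories, and hostnames are constructed, and it assumes GPC is honored for every visitor rather than scoped by location.

```javascript
// Constructed workspace inventory: destination name -> CMP consent category.
const DESTINATION_CATEGORIES = new Map([
  ["Example Analytics", "analytics"],
  ["Example Ads", "advertising"],
  ["Example Email", "marketing"],
]);

// Constructed host -> destination map, used to read a captured request log.
const HOST_TO_DESTINATION = new Map([
  ["collect.analytics.example", "Example Analytics"],
  ["px.ads.example", "Example Ads"],
  ["api.email.example", "Example Email"],
]);

// Builds the `integrations` option for analytics.load(writeKey, { integrations }).
// Deny by default (All: false); enable a destination only when its category is
// consented. A GPC signal (navigator.globalPrivacyControl in the browser, passed
// in here as `gpc`) switches off advertising destinations regardless of consent.
function buildIntegrations(activeDestinations, consent, gpc) {
  const integrations = { All: false };
  const unmapped = [];
  for (const name of activeDestinations) {
    const category = DESTINATION_CATEGORIES.get(name);
    if (category === undefined) {
      unmapped.push(name); // active destination with no consent category
      integrations[name] = false;
      continue;
    }
    const blockedByGpc = gpc === true && category === "advertising";
    integrations[name] = consent[category] === true && !blockedByGpc;
  }
  return { integrations, unmapped };
}

// Returns the observed hosts that belong to a destination the visitor's
// consent state should have blocked.
function findViolations(observedHosts, integrations) {
  return observedHosts.filter((host) => {
    const destination = HOST_TO_DESTINATION.get(host);
    return destination !== undefined && integrations[destination] !== true;
  });
}
```

Feeding `findViolations` the hosts captured during a reject or GPC test session shows whether a blocked destination was still contacted, which a recorded preference alone does not prove.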

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Segment privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies describe Segment as an analytics tool that collects data for website performance measurement.

  • Policies list Segment's downstream destinations in a general category table but do not confirm that each destination respects the consent category assigned to it.

  • Policies describe the opt-out mechanism and state that visitors can stop behavioral data collection via the consent center.

What Lokker validates

  • Segment routes data to many downstream destinations, including advertising and marketing tools that have independent disclosure obligations. Lokker identifies all network endpoints contacted by Segment's library and its destination integrations, revealing the full pipeline rather than just the analytics facade.

  • Consent enforcement in Segment depends on correctly wiring each destination to CMP consent categories. Lokker validates which destination endpoints are actually called in the reject state, confirming whether per-destination consent gating is working.

  • Lokker runs a reject flow and checks whether Segment's analytics.js still calls any downstream destinations. A preference recorded in Segment's consent wrapper is only effective if each downstream destination's firing condition is correctly implemented.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Segment loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.

Questions

Segment privacy policy FAQ

Do I need to disclose every Segment destination individually in my privacy policy?

Practically, yes. Segment forwards personal data to each connected destination, and visitors are entitled to know what companies receive their data and for what purposes. A disclosure that lists Segment as a data processor without describing the downstream destinations creates an incomplete privacy notice. At minimum, group destinations by category and describe the purposes. High-risk destinations like advertising platforms should be named explicitly.

Does Segment itself require consent or just the downstream destinations?

Both. Segment's analytics.js library sets a cookie and collects behavioral data from the moment it initializes, even before any downstream destination processes the data. In opt-in markets, Segment itself should not initialize before consent. The downstream destinations add additional consent requirements for each processing purpose. Configuring Segment's consent wrapper or Protocols consent management ensures that both Segment and its destinations respect consent decisions.

How does CCPA apply when using Segment?

Under the CCPA and CPRA, Segment routes personal information to third parties, some of which use it for cross-context behavioral advertising. This routing may constitute a "sale" or "sharing" of personal information. Your policy must describe each downstream destination category, provide a Do Not Sell or Share mechanism, and technically enforce opt-out and GPC signals per destination. A single opt-out preference does not automatically propagate to all Segment destinations without explicit consent-gating configuration.

Validate technical compliance

Confirm that Segment fires only when it should

Verify that Segment and its downstream destinations stop receiving data when visitors decline consent, not just that Segment's consent wrapper records a preference.