Cookies created for visitors by Piwik PRO

When visitors come to your website with Piwik PRO installed, Piwik PRO will set cookies in their browser. Which cookies are created depends on the privacy settings and features you use. Although it’s possible to collect data cookie-free, the minimum set of a visitor cookie (_pk_id.*) and a session cookie (_pk_ses.*) will give you optimal data accuracy.

In this article, we’ll describe all the cookies that Piwik PRO may set for visitors.

Cookies created in a visitor’s browser

Here’s a list of all the cookies that may be set in a visitor’s browser. You’ll find their detailed descriptions just below this table.

Cookie	Non-anonymous visitor	Anonymous visitor	Default cookie lifetime	Module	Cookie type
Basic cookies
_pk_id.<appID>.<domainHash>	Always	Always (if the 30-minute cookie option is turned on) Never (if the cookie-free option is turned on)	13 months for non-anonymous visitors 30 minutes for anonymous visitors if the 30-minute cookie option is turned on	Tracker (JS tracking client)	First-party
_pk_ses.<appID>.<domainHash>	Always	Always (if the 30-minute cookie option is turned on) Never (if the cookie-free option is turned on)	30 minutes	Tracker (JS tracking client)	First-party
ppms_privacy_<appID>	Always	Always	12 months	Consent Manager	First-party
Additional cookies
ppms_privacy_bar_<appID>	Optional	Optional	Until the session ends	Consent Manager	First-party
stg_traffic_source_priority	Optional	Optional	30 minutes	Tag Manager	First-party
stg_last_interaction	Optional	Optional	365 days	Tag Manager	First-party
stg_returning_visitor	Optional	Optional	365 days	Tag Manager	First-party
stg_fired__<conditionID>	Optional	Optional	Until the session ends	Tag Manager	First-party
stg_utm_campaign	Optional	Optional	Until the session ends	Tag Manager	First-party
stg_pk_campaign	Optional	Optional	Until the session ends	Tag Manager	First-party
stg_externalReferrer	Optional	Optional	Until the session ends	Tag Manager	First-party
_stg_optout	Optional	Optional	365 days	Tag Manager	First-party
_pk_cvar.<appID>.<domainHash> (deprecated)	Optional	Optional	30 minutes	Tracker (JS tracking client)	First-party
Deprecated cookies used in versions below 16.0.0
stg_global_opt_out (deprecated)	Optional	Optional	365 days	Tag Manager	Third-party

Note: Cookies are not created in mobile apps (Android or iOS). If you use our SDKs, you will not use cookies.

Here’s a detailed description of each cookie.

_pk_id.<appID>.<domainHash>

Cookie: _pk_id.<appID>.<domainHash>
Module: Tracker (JS tracking client)
Expires after: 13 months (can be changed in UI or JS API) or 30 minutes for anonymous visitors if the 30-minute cookie option is turned on
Extends: No
Type: First-party cookie

About: Used to recognize visitors and hold their various properties.

Value: <cookieID>.<cookieCreationTimestamp>.<visitsCount>.<currentVisitTimestamp>.<lastVisitTimestamp>.<lastEcommerceOrderTimestamp>

cookieID: The randomly generated ID (hexadecimal number) used for recognizing visitors. In cross-domain tracking, the cookie ID is passed in the URL parameter and saved in the _pk_id cookie.
cookieCreationTimestamp: The time when the cookie was created.
visitsCount: A counter that counts visits. If 0, it means this is the first visit.
currentVisitTimestamp: The current timestamp of the visit. It is updated with each visitor action.
lastVisitTimestamp: The timestamp of the last visit. If empty, it means this is the first visit. This timestamp is also used to count visits along with the _pk_ses cookie.
lastEcommerceOrderTimestamp: The timestamp of the last ecommerce order. If empty, it means that there were no ecommerce orders.

_pk_ses.<appID>.<domainHash>

Cookie: _pk_ses.<appID>.<domainHash>
Module: Tracker (JS tracking client)
Expires after: 30 minutes after the visitor’s last event (can be changed in UI or JS API)
Extends: Automatically
Type: First-party cookie

About: Shows the visitor’s active session. If the cookie doesn’t exist, it means that the session ended more than 30 minutes ago and was counted in the _pk_id cookie.

Value: * (No data is stored in this cookie)

ppms_privacy_<appID>

Cookie: ppms_privacy_<appID>
Module: Consent Manager
Expires after: 12 months (can be changed)
Extends: Automatically
Type: First-party cookie

About: Stores the visitor’s consent to data collection and usage.

Value: A JSON-encoded object that holds the visitor’s consent to data collection and usage.

-1: The visitor made no decision.
0: The visitor didn’t agree to the use of their data.
1: The visitor agreed to the use of their data.

Created if: You use Consent Manager and display a consent form on your site.

Decoded cookie:

{
   "consents":{
      "analytics":{
         "status":-1,

         "updatedAt":"2020-01-30T12:15:47.283Z"
      },
      "ab_testing_and_personalization":{
         "status":1,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "custom_consent":{
         "status":0,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "user_feedback":{
         "status":0,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "marketing_automation":{
         "status":0,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "remarketing":{
         "status":1,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "conversion_tracking":{
         "status":0,
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },

   },
   "visitorId":"564e3818-27e7-e38f-39dd-569067520af2",
   "domain":{
      "normalized":"client1.piwikpro.test",
      "isWildcard":false,
      "pattern":"client1.piwikpro.test"
   },
   "staleCheckpoint":"2020-01-31T10:56:27.699Z"
}

ppms_privacy_bar_<appID>

Cookie: ppms_privacy_bar_<appID>
Module: Consent Manager
Expires after: The session ends (Fixed idle time or after a browser is closed)
Extends: No
Type: First-party cookie

About: Stores information that the visitor has closed the consent reminder.

Value: A JSON-encoded object that stores information that the visitor has closed the consent reminder.

Created if: You use Consent Manager and a visitor closes the consent reminder on your site.

Decoded cookie:

{
  "status": true,
  "domain": {
    "normalized": "piwikpro.test",
    "isWildcard": false,
    "pattern": "piwikpro.test"
  }
}

stg_traffic_source_priority

Cookie: stg_traffic_source_priority
Module: Tag Manager
Expires after: 30 minutes
Extends: Automatically
Type: First-party cookie

About: Stores the type of traffic source from which the visitor came to your site.

Value:

1: Direct
2: Referral
3: Social media
4: Organic search
5: Campaign

Created if:

You use a traffic source condition in a trigger and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use a traffic source condition in a trigger and these two settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor enters your website and these two settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

stg_last_interaction

Cookie: stg_last_interaction
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Indicates whether the last visitor’s session is still running or a new session has started.

Value: The timestamp of the visitor’s last interaction with your site.

Created if:

You use a multiplicity condition in a trigger and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use a multiplicity condition in a trigger and these two settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor navigates through your website and these two settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

stg_returning_visitor

Cookie: stg_returning_visitor
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Indicates whether the visitor has been to your site before – they are a returning visitor.

Value: The timestamp of the last time the visitor interacted with your site.

Created if:

You use a returning-visitor condition in a trigger and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use a returning-visitor condition in a trigger and these two settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor returns to your website and these two settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

stg_fired__<conditionID>

Cookie: stg_fired__<conditionID>
Module: Tag Manager
Expires after: The session ends (Fixed idle time or after a browser is closed)
Extends: No
Type: First-party cookie

About: Indicates whether the tag and trigger combination was fired during the current visitor session. This cookie can be set multiple times with different condition IDs.

Cookie value: The timestamp of when the tag was fired.

Created if: You use a multiplicity condition in a trigger and the trigger is set to fire the tag once per session. The cookie is created after the tag fires.

stg_utm_campaign

Cookie: stg_utm_campaign
Module: Tag Manager
Expires after: The session ends (Fixed idle time or after a browser is closed)
Extends: No
Type: First-party cookie

About: Stores the name of the campaign that directed the visitor to your site.

Cookie value: The encoded value of the utm_campaign query parameter.

Created if:

You use a campaign condition in a trigger, a visitor enters your site from a campaign with the utm_campaign query parameter and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use a campaign condition in a trigger, and a visitor enters your site from a campaign with the utm_campaign query parameter and these settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor enters your site from a campaign with the utm_campaign query parameter and these settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

stg_pk_campaign

Cookie: stg_pk_campaign
Module: Tag Manager
Expires after: The session ends (Fixed idle time or after a browser is closed)
Extends: No
Type: First-party cookie

About: Stores the name of the campaign that directed the visitor to your site.

Cookie value: The encoded value of the pk_campaign query parameter.

Created if:

You use a campaign condition in a trigger, a visitor enters your site from a campaign with the pk_campaign query parameter and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use a campaign condition in a trigger, and a visitor enters your site from a campaign with the pk_campaign query parameter and these settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor enters your site from a campaign with the pk_campaign query parameter and these settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

stg_externalReferrer

Cookie: stg_externalReferrer
Module: Tag Manager
Expires after: The session ends (Fixed idle time or after a browser is closed)
Extends: No
Type: First-party cookie

About: Stores the URL of the site that referred the visitor to your site.

Cookie value: The value of window.location.origin of the referring site.

Created if:

You use an external referrer condition in a trigger, a visitor comes to your site from a referral site and this setting is turned on: Administration > Sites & apps > Privacy > Ask visitors for consent (on)
You use an external referrer condition in a trigger, a visitor comes to your site from a referral site and these settings are turned off: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off)
A visitor comes to your site from a referral site and these settings are set: Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on)

_stg_optout

Cookie: _stg_optout
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Helps to turn off all tracking tags on your site.

Cookie value:

true: The visitor opts out of tracking.
false: The visitor agrees to tracking.

Created if: A visitor opts out of tracking by using an opt-out form on your site.

_pk_cvar.<appID>.<domainHash> (deprecated)

Cookie: _pk_cvar.<appID>.<domainHash> (deprecated)
Module: Tracker
Expires after: 30 minutes after the visitor’s last event (can be changed in UI or JS API)
Extends: Yes
Type: First-party cookie

About: Stores a custom variable that is part of the visit scope.

Cookie value: Custom variable keys and values.

Created if: You created a custom variable in the visit scope and such a variable was tracked for the visitor. This cookie will only be created if your developer allows it to be created via the storeCustomVariablesInCookie() method in the JS API.

Note: This cookie is deprecated because we plan to remove custom variables from Piwik PRO. We encourage you to use custom dimensions instead as they don’t require cookies to work properly.

stg_global_opt_out (deprecated)

Cookie: stg_global_opt_out (deprecated)
Module: Tag Manager (versions below 16.0.0)
Expires after: 365 days
Extends: Automatically
Type: Third-party cookie

About: Helps to turn off all tracking tags on sites that belong to one Piwik PRO account.

Cookie value:

1: The visitor opts out of tracking.
0: The visitor agrees to tracking.

Created if: A visitor opts out of tracking by using an opt-out form on your site.

Local storage details (deprecated)

Here’s a detailed description of the information stored in local storage. Local storage is used in versions below 18.6.0.

ppms_webstorage (deprecated)

Module: Tracker (JS tracking client), Tag Manager, Consent Manager (versions below 18.6.0)

About: Prevents the possible loss of visitor data caused by certain browser mechanisms, like Safari’s ITP.

Value: A string object that contains information about all cookies created, including key, value, expiration date, path, domain and so on.

Created if: Each time a cookie is set in a visitor’s browser.

Removed if: The ppms_webstorage element is not deleted automatically but a visitor can delete it manually. Individual entries in the object are deleted when the corresponding cookie expires.

ppms_data_store (deprecated)

Module: Tracker (JS client tracker), Audience Manager, Tag Manager (versions below 16.0.0)

About: Stores information from forms on your site. When a visitor submits a form, the data is transferred to Audience Manager. However, if the form redirects the visitor to another page, the data may be lost. That’s why form data is stored in local storage as a backup. (The page where the visitor is redirected must have a form tracker, otherwise Piwik PRO can’t collect form data).

Value: A JSON-encoded object that contains:

payload: AES encrypted form data.
aes: RSA encrypted AES key (for payload)
Iv: initialization vector (for payload)

Removed if: After the tracker sends the form data to the server. This can happen as soon as the visitor submits the form or after a new page loads in the browser.