Salesforce Pardot

Overview

Salesforce Pardot (now officially named Marketing Cloud Account Engagement) is a B2B marketing automation platform deeply integrated with Salesforce CRM. When its tracking code is present on a website, it identifies and monitors visitor behavior to score leads, trigger automated marketing workflows, and sync prospect activity data with Salesforce for sales follow-up. It is one of the most widely deployed B2B marketing automation tools, particularly on SaaS, technology, and professional services websites.

What This Script Does

Pardot deploys a first-party JavaScript tracker (pd.js or the newer pi.pardot.com tracking code) that fires on every page load. The script records visitor activity and transmits it to Pardot's servers, where it is associated with a prospect record.

Key cookies set:

• visitor_id[accountID] — the primary Pardot visitor identification cookie, a first-party persistent cookie. Stores a unique visitor ID that ties browsing activity to a Pardot prospect record. 10-year expiry (one of the longest cookie durations in the marketing automation space).
• visitor_id[accountID]-hash — a hash of the visitor ID used for validation. Same 10-year expiry.
• pi_opt_in[accountID] — records whether the visitor has opted in to tracking (when Pardot's optional first-party tracking opt-in is enabled). 10-year expiry.
• lpv[campaignID] — tracks the last page view within a specific Pardot campaign for landing page view deduplication. Session-scoped.

The tracker contacts Pardot's servers (typically pi.pardot.com or a custom tracking domain configured by the organization) to transmit page view events. Data collected includes: page URLs visited, referrer information, UTM parameters, form submission data (when Pardot forms or form handlers are used), IP address, and browser metadata.

When a visitor submits a Pardot form, clicks a Pardot-tracked email link, or is otherwise identified, the anonymous visitor cookie is linked to a known prospect record in Pardot. From that point, all historical and future browsing activity is attributed to the identified individual. This data feeds Pardot's lead scoring engine, which assigns point values to page views, form submissions, email interactions, and other engagement signals. High-scoring leads are flagged for sales follow-up in Salesforce CRM.

Pardot forms (form handlers or embedded Pardot forms) may also load on pages, adding form-specific tracking, progressive profiling, and validation scripts.

Consent & Compliance

Salesforce Pardot spans both marketing and analytics categories. It collects analytics-grade behavioral data, but its primary purpose is marketing automation — lead identification, scoring, nurturing, and sales enablement.

Under the GDPR, Pardot processes personal data extensively. The visitor_id cookie's 10-year expiry is particularly notable — it is among the longest-lived tracking cookies in common use. Once a visitor is identified (via form submission), their complete browsing history is linked to a named individual record. This creates a detailed personal data profile that requires explicit consent.

The ePrivacy Directive requires consent for the Pardot tracking cookies. A 10-year visitor identification cookie used for marketing automation is definitively outside the "strictly necessary" exemption. There is no technical justification for this duration that would survive regulatory scrutiny.

Under CCPA/CPRA, Pardot collects personal information and uses it for B2B marketing purposes. The linking of anonymous browsing history to identified individuals when they submit a form constitutes profiling. If Pardot data syncs to Salesforce CRM and is used for targeted outreach, the CPRA's profiling provisions may apply. The visitor's browsing history constitutes personal information regardless of whether the visitor has been identified yet.

Should You Block This Without Consent?

Yes. Pardot sets a 10-year visitor identification cookie, tracks detailed browsing behavior, and feeds this data into marketing automation and sales workflows. It is not essential for website functionality. Its exceptionally long cookie duration makes the consent requirement unambiguous under EU privacy regulations.