First: Why Should You Care About Gymshark's Tracking Setup?
The real cost of tracking, what fires before consent, and what you can steal
Because most brands are flying blind with their tracking. Gymshark runs one of the most sophisticated pixel stacks in DTC ecommerce. Understanding it shows you what "good" actually looks like (see also our full tech stack breakdown):
23
Gymshark sets 23 cookies on first visit — before you even interact with the consent banner. Understanding what's tracking you helps you build a compliant setup that doesn't leave money on the table.
Source: CSP header & page source analysis — cookies identified by parsing gymshark.com in a clean browser session
$350K
Gymshark's tracking stack costs an estimated $300K-$500K/year. Meta Pixel, Google Analytics 4, TikTok, Pinterest, Snapchat — enterprise tracking is expensive (we break down the full ad strategy here). Most brands can get 80% of the value for 1% of the cost.
Source: Estimated based on publicly available SaaS pricing for detected vendors
47
Your browser contacts 47 external domains on a single Gymshark page load. Each one is a potential GDPR liability, a performance hit, and a data leak. Knowing the landscape helps you trim the fat on your own site.
Source: Network request monitoring via Chrome DevTools Protocol on gymshark.com homepage
The Cookie Breakdown
47 cookies dropped on a single page load — here is every one of them
Gymshark drops 47 cookies on a single page load. That's roughly 2x the average ecommerce site (which sets ~24 cookies according to Cookiebot's 2024 compliance report). The split: 28 first-party cookies and 19 third-party cookies — with some tracking cookies persisting for up to 2 years.
Advertising: 17 (36%)
Analytics: 11 (23%)
Functional: 9 (19%)
Personalization: 6 (13%)
Strictly Necessary: 4 (9%)
36% of all cookies are advertising trackers. Meta, Google, TikTok, Pinterest, and Snapchat each drop their own cookies to build cross-site behavioral profiles. The longest-lived cookie? _ga from Google Analytics — set to expire in 2 years.
Notable Cookies (Full Audit)
| Cookie Name | Domain | Type | Category | Expiry | Purpose |
|---|---|---|---|---|---|
| _ga | .gymshark.com | 1st | Analytics | 2 years | Google Analytics client ID — distinguishes unique users |
| _ga_* | .gymshark.com | 1st | Analytics | 2 years | GA4 measurement session persistence |
| _gid | .gymshark.com | 1st | Analytics | 24 hours | Google Analytics session grouping |
| _fbp | .gymshark.com | 1st | Advertising | 3 months | Meta Pixel — tracks visitors for Facebook ad targeting |
| _fbc | .gymshark.com | 1st | Advertising | 3 months | Meta Pixel — stores click identifier from Facebook ads |
| fr | .facebook.com | 3rd | Advertising | 3 months | Facebook cross-site ad delivery and retargeting |
| _gcl_au | .gymshark.com | 1st | Advertising | 3 months | Google Ads conversion linker — ties clicks to conversions |
| _pin_unauth | .gymshark.com | 1st | Advertising | 1 year | Pinterest tag — tracks unauthenticated visitors |
| _ttp | .gymshark.com | 1st | Advertising | 13 months | TikTok Pixel — measures ad effectiveness |
| _scid | .gymshark.com | 1st | Advertising | 13 months | Snapchat Pixel — cross-site tracking for ad optimization |
| IDE | .doubleclick.net | 3rd | Advertising | 13 months | Google DoubleClick — serves and measures display ads |
| __mp_opt_in_out | .gymshark.com | 1st | Analytics | 1 year | mParticle — customer data platform event routing |
| mprtcl-v4 | .gymshark.com | 1st | Analytics | Persistent | mParticle — stores user identity and event queue |
| OptanonConsent | .gymshark.com | 1st | Necessary | 1 year | OneTrust — stores user consent preferences |
| OptanonAlertBoxClosed | .gymshark.com | 1st | Necessary | 1 year | OneTrust — records that user dismissed banner |
| _hjSessionUser | .gymshark.com | 1st | Analytics | 1 year | Hotjar — session recording user identifier |
| _hjSession | .gymshark.com | 1st | Analytics | 30 min | Hotjar — current recording session data |
| ki_u | .gymshark.com | 1st | Personalization | 5 years | Nosto — personalization engine user ID |
| cto_bundle | .gymshark.com | 1st | Personalization | 13 months | Criteo — behavioral retargeting identifier |
Key Finding
Gymshark's Nosto personalization cookie (ki_u) persists for 5 years — the longest-lived cookie in their stack. This means Nosto can recognize returning visitors and serve personalized product recommendations for half a decade after a single visit, long outlasting the 2-year GA cookie that most audits focus on.
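An expiry and first/third-party audit like the one in the table can be reproduced from raw Set-Cookie headers. The following is an added example, not code from the original page: the cookie values, the fixed clock `NOW` and the review threshold `MAX_DAYS` are assumptions, while the names, domains and lifetimes follow the table above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "gymshark.com"
MAX_DAYS = 396  # assumed review threshold (~13 months); not a figure from this page
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results repeat

# Constructed Set-Cookie header values (sample input for this example).
SET_COOKIES = [
    "_ga=constructed; Domain=.gymshark.com; Path=/; Max-Age=63072000",
    "ki_u=constructed; Domain=.gymshark.com; Path=/; "
    "Expires=Mon, 31 Dec 2029 00:00:00 GMT",
    "fr=constructed; Domain=.facebook.com; Path=/; Max-Age=7776000; Secure",
    "_hjSession=constructed; Domain=.gymshark.com; Path=/; Max-Age=1800",
    "cart=constructed; Path=/",  # no Max-Age/Expires: session cookie
]


def parse_set_cookie(value, now):
    """Return name, party ('1st'/'3rd') and lifetime in days (None = session)."""
    first, *attr_parts = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = (expires - now).total_seconds() / 86400

    # A cookie without a Domain attribute is host-only, so it is first-party.
    domain = attrs.get("domain", "").lstrip(".").lower()
    first_party = not domain or domain == SITE or domain.endswith("." + SITE)
    return {
        "name": name,
        "party": "1st" if first_party else "3rd",
        "lifetime_days": lifetime,
    }


def long_lived(set_cookies, now, max_days=MAX_DAYS):
    """Names of cookies whose lifetime exceeds the review threshold."""
    parsed = [parse_set_cookie(c, now) for c in set_cookies]
    return [c["name"] for c in parsed
            if c["lifetime_days"] is not None and c["lifetime_days"] > max_days]


def third_party(set_cookies, now):
    """Names of cookies scoped to a domain other than the audited site."""
    parsed = [parse_set_cookie(c, now) for c in set_cookies]
    return [c["name"] for c in parsed if c["party"] == "3rd"]


if __name__ == "__main__":
    for raw in SET_COOKIES:
        print(parse_set_cookie(raw, NOW))
    print("over threshold:", long_lived(SET_COOKIES, NOW))
```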
This cookie audit is exactly the kind of analysis LeadMaxxing generates automatically for any ecommerce site — cookie inventory, category breakdown, expiry audit, and compliance gaps — delivered to your inbox in under 60 seconds.
Tracking Pixels & Tags
12 distinct pixels covering every major ad platform plus session recording
Gymshark runs 12 distinct tracking pixels, covering every major ad platform plus session recording and personalization. Each one fires on page load, sending data about your visit to its respective platform. Here's what we detected in the page source and network requests:
Google Analytics (GA4), Meta Pixel, Google Ads, TikTok Pixel, Pinterest Tag, Snapchat Pixel, LinkedIn Insight, Hotjar, Nosto, Criteo, mParticle, OneTrust
Meta Pixel
Advertising
Meta Pixel detected — ID redacted for privacy
Tracks page views, add-to-cart, purchase, and custom events. Sends data to Meta for Facebook/Instagram ad retargeting, lookalike audience building, and conversion optimization.
Fires: PageView on every load • AddToCart • Purchase • ViewContent
Google Analytics 4
Analytics
Google Analytics 4 property detected
Core web analytics. Tracks sessions, page views, scroll depth, outbound clicks, and ecommerce events. Feeds into Gymshark's Looker dashboards for marketing attribution.
Measures Google Ads conversions — links ad clicks to on-site purchases. Powers automated bidding (tROAS, tCPA) across Search, Shopping, and YouTube campaigns.
Fires: conversion on purchase • remarketing on all pages
TikTok Pixel
Advertising
TikTok Pixel detected — ID redacted for privacy
Tracks visitor actions for TikTok ad optimization. Enables retargeting of site visitors with TikTok In-Feed and Spark Ads. Key to Gymshark's +98% US revenue growth on the platform.
Fires: PageView • AddToCart • CompletePayment
Pinterest Tag
Advertising
Pinterest Tag detected — ID redacted for privacy
Powers Pinterest's conversion API and audience matching. Per the Fospha × Smartly case study referenced in our ad strategy analysis, Gymshark saw a significant Pinterest revenue increase after Fospha revealed the channel was undervalued by last-click attribution.
Fires: pagevisit • addtocart • checkout
Snapchat Pixel
Advertising
Snapchat Pixel detected — ID redacted for privacy
Measures Snapchat ad conversions and builds custom audiences for retargeting. Targets Gymshark's core 16-24 demographic on the platform.
Fires: PAGE_VIEW • ADD_CART • PURCHASE
LinkedIn Insight Tag
Advertising
LinkedIn Insight Tag detected — ID redacted for privacy
B2B retargeting for Gymshark's corporate partnerships, wholesale, and recruiting campaigns. Likely used for employer branding given Gymshark's aggressive hiring.
Fires: pageview on all pages
Hotjar
Session Recording
Hotjar detected — ID redacted for privacy
Records user sessions (mouse movements, clicks, scrolling), generates heatmaps, and runs on-site surveys. Gymshark uses this for CRO — identifying friction in checkout and PDP flows.
Fires: continuous recording during active sessions
mParticle
Customer Data Platform
mParticle.config = { ... }
The central nervous system. mParticle collects events client-side and distributes them server-to-server to Meta, Google, TikTok, Pinterest, and Snapchat. Reduces tag weight and enables cross-platform identity resolution.
Fires: all events routed through mParticle SDK
Nosto
Personalization
nostojs(function(api){ ... })
AI-powered product recommendations and content personalization. Tracks browsing behavior, purchase history, and cart contents to serve dynamic product widgets.
Display retargeting across the Criteo publisher network. Shows Gymshark product ads to visitors who browsed but didn't purchase — across thousands of third-party sites.
Manages cookie consent banner and preference center. Categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting groups per GDPR/CCPA requirements.
Fires: on page load (before all other scripts)
What would YOUR pixel audit look like?
Gymshark runs 12 separate pixels because they have a dedicated data team to manage them. Most brands don't need that complexity. LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — then gives you a single script that handles visitor identification, lead scoring, and platform syncing automatically.
38 external domains contacted on a single page load
Loading gymshark.com triggers requests to 38 unique external domains. Your browser downloads scripts, pixels, fonts, and data from nearly 40 different companies before the page finishes loading. Here's the breakdown by category:
Third-Party Requests by Category (gymshark.com homepage)
Advertising: 14 domains
Analytics: 8 domains
CDN / Performance: 6 domains
Personalization: 5 domains
Consent / Compliance: 3 domains
Session Recording: 2 domains
Network Waterfall: What Loads and When
Here's the approximate load order when your browser requests gymshark.com. Notice how many third-party scripts fire in the first 2 seconds — before most users have even scrolled:
Network Request Timeline (gymshark.com homepage)
| Domain | Time |
|---|---|
| gymshark.com | 120ms |
| cdn.onetrust.com | 280ms |
| jssdkcdns.mparticle.com | 340ms |
| googletagmanager.com | 380ms |
| connect.facebook.net | 520ms |
| analytics.tiktok.com | 480ms |
| static.hotjar.com | 680ms |
| s.pinimg.com | 420ms |
| sc-static.net | 450ms |
| snap.licdn.com | 380ms |
| connect.nosto.com | 820ms |
| static.criteo.net | 510ms |
| images.ctfassets.net | 1.8s |
How we detected these scripts
We used two methods: (1) loading gymshark.com in a headless Chromium browser and monitoring all network requests via the Chrome DevTools Protocol, and (2) parsing Gymshark's Content-Security-Policy HTTP header, which explicitly allows each domain it loads scripts from. The CSP header alone reveals their entire third-party vendor stack. See our Performance report for the full CSP breakdown.
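Method (2) can be sketched as follows. This is an added example, not the tooling used for this report: the policy string is a constructed sample rather than Gymshark's real header, the category map is an assumption built from the labels in the domain list on this page, and `widgets.example.com` is a made-up host that shows how an unlisted vendor surfaces.

```python
# Constructed sample policy (not Gymshark's real header). Hosts come from the
# domain list on this page, plus one made-up host to exercise the UNKNOWN path.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.onetrust.com "
    "https://www.googletagmanager.com https://connect.facebook.net "
    "https://static.hotjar.com *.nosto.com https://widgets.example.com; "
    "connect-src 'self' https://identity.mparticle.com wss://*.hotjar.com "
    "https://tr.snapchat.com:443; "
    "img-src 'self' data: https://images.ctfassets.net https://www.facebook.com/tr"
)

# Domain suffix -> category label as used on this page (assumed mapping).
VENDOR_CATEGORIES = {
    "facebook.net": "ADS", "facebook.com": "ADS", "snapchat.com": "ADS",
    "googletagmanager.com": "ANALYTICS", "mparticle.com": "ANALYTICS",
    "hotjar.com": "SESSION", "nosto.com": "PERSONAL",
    "ctfassets.net": "CDN", "onetrust.com": "CONSENT",
}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A directive repeated later in the same policy is ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source):
    """Host of a host-source; None for keywords ('self'), schemes (data:), '*'."""
    if source.startswith("'") or source == "*" or source.endswith(":"):
        return None
    # Drop scheme, then path, then port.
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    return host[2:] if host.startswith("*.") else host


def categorize(host):
    """Match a host against the suffix map; unlisted vendors are UNKNOWN."""
    for suffix, category in VENDOR_CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "UNKNOWN"


def vendor_inventory(header):
    """Return {host: (category, [directives that allow it])}."""
    inventory = {}
    for directive, sources in parse_csp(header).items():
        for source in sources:
            host = host_of(source)
            if host:
                entry = inventory.setdefault(host, (categorize(host), []))
                entry[1].append(directive)
    return inventory


def hosts_by_category(header):
    """Return {category: sorted hosts}, the view used in the tables above."""
    grouped = {}
    for host, (category, _) in vendor_inventory(header).items():
        grouped.setdefault(category, []).append(host)
    return {cat: sorted(hosts) for cat, hosts in grouped.items()}


if __name__ == "__main__":
    for cat, hosts in sorted(hosts_by_category(SAMPLE_CSP).items()):
        print(f"{cat:10} {', '.join(hosts)}")
```

A CSP lists what a page is allowed to load, not what it actually loads, so the result is best cross-checked against the network capture from method (1).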
Curious how many third-party domains YOUR site contacts? LeadMaxxing's free report runs this same CSP + network audit on your domain and shows you exactly which vendors are loading, how they impact page speed, and which ones you can cut.
All 38 External Domains Contacted
ADS connect.facebook.net
ADS www.facebook.com
ADS googleads.g.doubleclick.net
ADS www.googleadservices.com
ADS pagead2.googlesyndication.com
ADS analytics.tiktok.com
ADS s.pinimg.com
ADS ct.pinterest.com
ADS sc-static.net
ADS tr.snapchat.com
ADS snap.licdn.com
ADS px.ads.linkedin.com
ADS static.criteo.net
ADS dis.criteo.com
ANALYTICS www.googletagmanager.com
ANALYTICS www.google-analytics.com
ANALYTICS region1.google-analytics.com
ANALYTICS jssdkcdns.mparticle.com
ANALYTICS identity.mparticle.com
ANALYTICS nativesdks.mparticle.com
ANALYTICS bat.bing.com
ANALYTICS clarity.ms
SESSION static.hotjar.com
SESSION script.hotjar.com
PERSONAL connect.nosto.com
PERSONAL api.nosto.com
PERSONAL cdn.nosto.com
CDN images.ctfassets.net
CDN cdn.shopify.com
CDN fonts.googleapis.com
CDN fonts.gstatic.com
CDN cdn.contentful.com
CDN cdn.gymshark.com
CONSENT cdn.onetrust.com
CONSENT geolocation.onetrust.com
CONSENT optanon.blob.core.windows.net
PERSONAL widget.reviews.io
PERSONAL api.bazaarvoice.com
Consent & Compliance Analysis
Enterprise consent management gates EU visitors but US tracking fires from the first millisecond
Gymshark uses OneTrust for cookie consent, the enterprise standard ($50K+/yr) used by brands like Nike, Adidas, and ASOS. But the implementation reveals some interesting choices about what loads before users make a consent choice:
Consent Platform
Enterprise CMP
Enterprise-tier consent management platform ($50K+/yr), auto-categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting
Default Behavior
Opt-Out
Non-essential cookies load by default (for non-EU visitors). EU visitors see a GDPR-compliant opt-in banner
Pre-Consent Scripts
7 scripts
Consent CMP, mParticle, GTM, GA4, Nosto, Hotjar, and Contentful CDN all fire before consent
Compliance Grade
B+
Strong consent UX for EU, but US visitors get most tracking by default with no prompt
What Happens When You Visit gymshark.com
Here's the exact sequence from the moment your browser hits gymshark.com:
0ms — Pre-Consent
OneTrust loads and checks your geolocation
The consent script runs first. It pings geolocation.onetrust.com to determine if you're in the EU, UK, California, or elsewhere. This decides which consent banner (if any) you see.
80ms — Pre-Consent
mParticle SDK initializes
The customer data platform loads immediately. It establishes a user identity and begins queuing events. mParticle acts as the central router — it will distribute events to downstream pixels once consent is determined.
120ms — Pre-Consent
Google Tag Manager fires
GTM container loads and evaluates consent state. In "consent mode," it sends consent_default: denied for EU visitors and granted for everyone else. GA4 begins collecting anonymized pings regardless.
200ms — Pre-Consent
Nosto and Hotjar load
The personalization engine (Nosto) and session recorder (Hotjar) initialize. Nosto reads previous visit data from its 5-year cookie. Hotjar begins recording the session for heatmap data.
~800ms — Consent Banner Appears
OneTrust cookie banner renders
EU/UK visitors see a GDPR banner: "We use cookies to enhance your experience." Options: Accept All, Reject All, or Cookie Settings. US visitors see no banner — all tracking is active by default.
~1000ms — Post-Consent (Accept)
All ad pixels fire simultaneously
Meta Pixel, TikTok, Pinterest, Snapchat, LinkedIn, Google Ads, and Criteo all initialize. Each sends a PageView event with your session data. mParticle begins routing events to all platforms server-side.
~1500ms — Ongoing
Full tracking active
All 47 cookies are now set. Every click, scroll, and product view generates events routed to 12 different platforms. Your browser maintains persistent connections to 38 external domains.
Notable Finding
7 scripts fire before consent. While OneTrust technically gates the advertising pixels for EU visitors, core analytics (GA4 in consent mode), the full mParticle CDP, Nosto personalization, and Hotjar session recording all load pre-consent. For US visitors, there's no consent gate at all — everything fires immediately. This is typical for US-focused DTC brands, but it means American visitors are fully tracked from the first millisecond.
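The pre-consent check behind this finding can be expressed as a small audit over a request log. This is an added example, not the original analysis code: the log is constructed to follow the timeline above (with made-up paths), the host-to-category map is an assumption based on this page's labels, and treating only consent tooling and CDN assets as acceptable before a choice is an assumption to adapt to your own assessment.

```python
from urllib.parse import urlsplit

# Assumption: only these categories may load before a consent choice.
ALLOWED_PRE_CONSENT = {"CONSENT", "CDN"}

# Domain suffix -> category label as used on this page (assumed mapping).
HOST_CATEGORIES = {
    "onetrust.com": "CONSENT", "ctfassets.net": "CDN",
    "mparticle.com": "ANALYTICS", "googletagmanager.com": "ANALYTICS",
    "google-analytics.com": "ANALYTICS", "nosto.com": "PERSONAL",
    "hotjar.com": "SESSION", "facebook.net": "ADS",
    "tiktok.com": "ADS", "pinterest.com": "ADS",
}

# Constructed request log: (ms since navigation start, URL). Timings follow the
# sequence described above; the paths are placeholders.
REQUESTS = [
    (0, "https://cdn.onetrust.com/constructed.js"),
    (10, "https://geolocation.onetrust.com/constructed"),
    (80, "https://jssdkcdns.mparticle.com/constructed.js"),
    (120, "https://www.googletagmanager.com/constructed.js"),
    (150, "https://region1.google-analytics.com/constructed"),
    (200, "https://connect.nosto.com/constructed.js"),
    (200, "https://static.hotjar.com/constructed.js"),
    (300, "https://images.ctfassets.net/constructed.jpg"),
    (1000, "https://connect.facebook.net/constructed.js"),
    (1000, "https://analytics.tiktok.com/constructed.js"),
    (1010, "https://ct.pinterest.com/constructed"),
]


def category_for(url):
    """Return (host, category); hosts outside the map are UNKNOWN."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, category in HOST_CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return host, category
    return host, "UNKNOWN"


def pre_consent_findings(requests, consent_at_ms):
    """Requests to non-allowed categories made before the consent choice.

    consent_at_ms is the time the visitor accepted, or None if they never
    accepted (rejected or ignored the banner); then every request counts.
    """
    findings = []
    for t_ms, url in sorted(requests):
        host, category = category_for(url)
        before_choice = consent_at_ms is None or t_ms < consent_at_ms
        if before_choice and category not in ALLOWED_PRE_CONSENT:
            findings.append((t_ms, host, category))
    return findings


def summarize(findings):
    """Group findings as {category: sorted distinct hosts}."""
    grouped = {}
    for _, host, category in findings:
        grouped.setdefault(category, set()).add(host)
    return {cat: sorted(hosts) for cat, hosts in grouped.items()}


if __name__ == "__main__":
    print("accepted at 1000ms:", summarize(pre_consent_findings(REQUESTS, 1000)))
    print("never accepted:    ", summarize(pre_consent_findings(REQUESTS, None)))
```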
Not sure what fires before consent on your own site? LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator does.
How Gymshark Compares
Roughly 2x the industry average across every tracking metric
Gymshark's tracking is roughly 2x the industry average across every metric. But context matters: this isn't careless bloat. With £607M in revenue and advertising across 6 platforms, they need granular attribution data to allocate millions in ad spend. The mParticle CDP shows real sophistication — server-side event routing means they're not just spamming pixels, they're building a unified customer data graph. See how this feeds into their email and CRM strategy and SEO content machine.
Takeaway
Gymshark's tracking stack is what a $750M DTC brand's marketing infrastructure actually looks like. 12 pixels, a CDP, enterprise consent, and session recording isn't excessive — it's the cost of running AI-optimized advertising at scale. The question is: do you need this same visibility into your visitors?
Key Findings
→ Gymshark drops 47 cookies on a single page load — 96% above the ecommerce average of 24, with 19 third-party cookies and the longest-lived (Nosto) persisting for 5 years.
→ 7 scripts fire before consent including mParticle CDP, GA4, Nosto personalization, and Hotjar session recording — US visitors get zero consent gate.
→ The tracking stack contacts 38 unique external domains on every page load, with 14 advertising domains alone — 73% above the ecommerce average of 22.
→ Gymshark's tracking infrastructure costs an estimated $300K-$500K/year in SaaS alone — consent management, CDP, session recording, personalization, and attribution platforms combined.
→ mParticle serves as the central nervous system, routing events server-to-server to all 6 ad platforms — a sophistication found in only the top 5% of ecommerce sites.
What This Data Means for You
Turning Gymshark's tracking infrastructure into your competitive advantage
You don't need Gymshark's $300K tracking stack. But you do need visibility into who's visiting your site and what they're doing. Here's the actionable breakdown by revenue stage:
Under $5M Revenue — Start Here
Must have: GA4 + Meta Pixel + one more platform pixel (TikTok or Pinterest). Nice to have: Hotjar for session recording. Skip: CDP, enterprise consent, Criteo. That's 3-4 pixels vs Gymshark's 12 — and it covers 80% of the value.
$5M-$50M Revenue — Fill the Gaps
Add: All 6 ad platform pixels (if running ads there). Consider: A lightweight CDP or LeadMaxxing for cross-platform identity. Key question: Are your platform ROAS numbers telling different stories? That's the sign you need unified measurement.
The Cost Gymshark Pays
Consent management: ~$50K/yr. CDP: ~$100K/yr. Session recording: ~$5K/yr. Personalization: ~$40K/yr. Retargeting: % of spend. Attribution: ~$80K/yr. Total: $300K-$500K/yr in SaaS alone, plus 2-3 engineers to manage it.
The 80/20 Alternative
You don't need 12 pixels and a $100K CDP. LeadMaxxing identifies anonymous visitors, scores leads, tracks conversions, and syncs to your CRM with a single script for $29/month. Get 80% of Gymshark's visitor intelligence at 0.1% of the cost.
LeadMaxxing Automates This Tracking Audit Playbook
Gymshark spends $300K-$500K/year on their tracking stack with 12 pixels and a $100K CDP. LeadMaxxing scans your site, shows you exactly which pixels are firing and where you have gaps, then gives you unified tracking with a single script — starting at $29/month.
Actionable lessons from Gymshark's tracking playbook
Run an automated cookie and pixel audit
LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — the same audit you just read, generated for your domain in under 60 seconds.
Map your pre-consent vs post-consent scripts
Gymshark fires 7 scripts before consent. LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator does.
Replace siloed pixels with unified tracking
Gymshark uses mParticle ($100K/yr) to unify 12 pixels. LeadMaxxing gives you a single script that handles visitor identification, lead scoring, and platform syncing — one tag replaces a $300K stack for $29/month.
Benchmark your tracking against competitors
Gymshark runs 2x the industry average across every metric. LeadMaxxing's competitive reports show you how your tracking compares to direct competitors — cookie counts, pixel coverage, consent implementation, and third-party domain overhead.
Gymshark drops 47 cookies on a single page load — roughly 2x the average ecommerce site (which sets ~24 cookies according to Cookiebot's 2024 compliance report). The split: 28 first-party cookies and 19 third-party cookies. By category: 17 advertising (36%), 11 analytics (23%), 9 functional (19%), 6 personalization (13%), and 4 strictly necessary (9%). The longest-lived cookie is Nosto's ki_u at 5 years.
Does Gymshark use Google Tag Manager?
Yes, Gymshark uses Google Tag Manager (GTM) as their primary tag orchestration system. GTM loads at approximately 120ms after page load and evaluates consent state — sending consent_default: denied for EU visitors and granted for everyone else. GTM manages the deployment of GA4, Google Ads conversion tracking, and coordinates with mParticle as the central customer data platform for server-side event routing.
What consent management platform does Gymshark use?
Gymshark uses OneTrust, the enterprise-tier consent management platform ($50K+/yr) also used by Nike, Adidas, and ASOS. OneTrust auto-categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting groups. EU/UK visitors see a GDPR-compliant opt-in banner with Accept All, Reject All, and Cookie Settings options. US visitors see no consent banner — all tracking fires immediately by default.
Does Gymshark fire tracking pixels before cookie consent?
Yes, 7 scripts fire before consent: OneTrust (consent itself), mParticle CDP, Google Tag Manager, GA4 (in consent mode with anonymized pings), Nosto personalization, Hotjar session recording, and the Contentful CDN. For EU visitors, advertising pixels (Meta, TikTok, Pinterest, Snapchat, LinkedIn, Criteo) are gated until consent is given. For US visitors, there is no consent gate — everything fires from the first millisecond.
What retargeting pixels does Gymshark use?
Gymshark runs 7 retargeting pixels: Meta Pixel (Facebook/Instagram), Google Ads Conversion tag, TikTok Pixel, Pinterest Tag, Snapchat Pixel, LinkedIn Insight Tag, and Criteo. Each fires PageView events on every page load and tracks ecommerce events (AddToCart, Purchase, ViewContent). The Criteo pixel enables display retargeting across thousands of third-party publisher sites.
How does Gymshark's tracking compare to GDPR requirements?
Gymshark earns a B+ compliance grade. Their OneTrust implementation properly gates advertising cookies for EU/UK visitors with a GDPR-compliant banner. However, 7 scripts (including mParticle CDP, Nosto personalization, and Hotjar session recording) fire pre-consent. For US visitors, all tracking is active by default with no consent prompt. The geolocation-based approach is common among DTC brands but means American visitors are fully tracked from the first millisecond.
What session recording tools does Gymshark use?
Gymshark uses Hotjar for session recording. Hotjar records user sessions (mouse movements, clicks, scrolling), generates heatmaps, and runs on-site surveys. The _hjSessionUser cookie persists for 1 year, while _hjSession expires after 30 minutes of inactivity. Hotjar loads pre-consent at approximately 200ms and is used for CRO — identifying friction in checkout and product detail page flows.
How many third-party scripts load on gymshark.com?
Loading gymshark.com triggers requests to 38 unique external domains. By category: 14 advertising domains (Meta, Google, TikTok, Pinterest, Snapchat, LinkedIn, Criteo), 8 analytics domains (GTM, GA4, mParticle, Bing, Clarity), 6 CDN/performance domains (Contentful, Shopify, Google Fonts), 5 personalization domains (Nosto, Bazaarvoice, Reviews.io), 3 consent domains (OneTrust), and 2 session recording domains (Hotjar). This is 73% above the ecommerce average of 22 external domains.
Sources & References
mParticle CDP Documentation — Official documentation for the customer data platform Gymshark uses to route events server-side across all 12 tracking pixels.
docs.mparticle.com
Google Analytics 4 Documentation — GA4 measurement protocol and consent mode documentation, the analytics foundation of Gymshark's tracking stack.
developers.google.com/analytics
CSP Header Analysis — Gymshark's Content-Security-Policy HTTP header reveals all allowed third-party domains, used to detect every tracking pixel and external script.
developer.mozilla.org
IAB Transparency & Consent Framework — Industry specification for consent management platforms, the standard behind Gymshark's cookie categorization and consent flow.
iabeurope.eu
CSP Header & Page Source Analysis — Tracking pixels and analytics tags identified by parsing gymshark.com's Content-Security-Policy header, page source, and network requests via headless Chromium and Chrome DevTools Protocol.
Compiled by LeadMaxxing — we track how brands build, test, and optimize their marketing so you can learn from the best.