Start Free
Tracking & Pixels

How Skims Tracks Every Visitor With 10 Pixels, 38 Cookies & a Privacy Lawsuit

Complete audit of every cookie, tracking pixel, and third-party script loaded on skims.com — including the Meta Pixel lawsuit that put Kim Kardashian's brand under legal scrutiny.

Get This Report For Your Brand Continue reading
Data as of March 20, 2026 ~38 cookies estimated 10 pixels · 30+ domains
Listen to this article
0:00 / 0:00
10
Tracking pixels
~38
Est. cookies
30+
External domains
$250K+
Est. annual stack cost
5 things you'll learn in this report:
How many cookies does skims.com drop — and why did it lead to a lawsuit? Which 10 tracking pixels fire on every Skims page load? What does Skims' consent implementation look like after the Meta Pixel settlement? How does Skims' tracker count compare to the average ecommerce site? What 5 tracking improvements can you implement from Skims' data architecture today?

First: Why Should You Care About Skims' Tracking Setup?

Technology profiling, Permissions-Policy header analysis, and privacy lawsuit filings

Because Skims is one of the few DTC brands that's been legally tested on its tracking practices. A class-action lawsuit over its Meta Pixel deployment gives us a rare window into what happens when tracking goes wrong. Understanding their setup shows you what to do — and what to avoid (see also our full tech stack breakdown):

10

Skims runs 10 distinct tracking pixels and analytics tags across its Shopify storefront. Meta, Google, TikTok, Pinterest, Snapchat, Bing, and Criteo all fire on every page load — feeding data to Skims' multi-platform ad strategy.

Source: Technology profiling via BuiltWith and source code analysis of skims.com
$5M+

Skims was sued for $5M+ in damages over its Meta Pixel deployment. The lawsuit alleged that the pixel tracked users browsing intimate apparel and transmitted data to Meta without adequate consent — violating California's Invasion of Privacy Act. The case was settled and dismissed with prejudice in February 2025.

Source: The Fashion Law & RetailBoss
30+

Your browser contacts 30+ external domains on a single skims.com page load. Each one is a potential GDPR/CCPA liability, a performance hit, and a data leak. For a brand already sued over tracking, this is a lot of exposure.

Source: Technology profiling via BuiltWith & Permissions-Policy header analysis of skims.com (confirmed Singular SDK via ch-ua-model delegation)

The Cookie Breakdown

We estimate ~38 cookies based on Skims' detected technology stack

Skims' detected technology stack suggests approximately 38 cookies on a typical page load. This estimate is based on standard cookies set by each detected platform (Meta Pixel, GA4, TikTok, Pinterest, Snapchat, Bing, Criteo, Klaviyo, Dynamic Yield, Shopify, and OneTrust). The split: we estimate ~22 first-party cookies and ~16 third-party cookies — with some advertising cookies persisting for up to 2 years.

42% of all estimated cookies are advertising trackers. Meta, Google, TikTok, Pinterest, Snapchat, Bing, and Criteo each drop their own cookies to build cross-site behavioral profiles. The longest-lived standard cookie? _ga from Google Analytics and __kla_id from Klaviyo — both set to persist for 2 years.

Notable Cookies (Based on Detected Platforms)

Cookie Name Domain Type Category Expiry Purpose
_ga .skims.com 1st Analytics 2 years Google Analytics client ID — distinguishes unique users
_ga_* .skims.com 1st Analytics 2 years GA4 measurement session persistence
_gid .skims.com 1st Analytics 24 hours Google Analytics session grouping
_fbp .skims.com 1st Advertising 3 months Meta Pixel — tracks visitors for Facebook/Instagram ad targeting (the cookie at the center of the CIPA lawsuit)
_fbc .skims.com 1st Advertising 3 months Meta Pixel — stores click identifier from Facebook ads
fr .facebook.com 3rd Advertising 3 months Facebook cross-site ad delivery and retargeting
_gcl_au .skims.com 1st Advertising 3 months Google Ads conversion linker — ties clicks to conversions
_ttp .skims.com 1st Advertising 13 months TikTok Pixel — measures ad effectiveness
_pin_unauth .skims.com 1st Advertising 1 year Pinterest Tag — tracks unauthenticated visitors
_scid .skims.com 1st Advertising 13 months Snapchat Pixel — cross-site tracking for ad optimization
MUID .bing.com 3rd Advertising 13 months Microsoft/Bing UET — ad conversion tracking
cto_bundle .skims.com 1st Advertising 13 months Criteo — behavioral retargeting identifier
IDE .doubleclick.net 3rd Advertising 13 months Google DoubleClick — serves and measures display ads
__kla_id .skims.com 1st Personalization 2 years Klaviyo — email/SMS marketing user identification
_dy_c_exps .skims.com 1st Personalization Session Dynamic Yield — experiment and personalization data
OptanonConsent .skims.com 1st Necessary 1 year OneTrust — stores user consent preferences
_shopify_y .skims.com 1st Functional 2 years Shopify — persistent visitor analytics
_shopify_s .skims.com 1st Functional 30 min Shopify — session tracking
Key Finding

Skims' Klaviyo cookie (__kla_id) persists for 2 years, enabling long-term visitor recognition for their email and SMS marketing flows. Combined with the Meta Pixel's _fbp cookie — the very tracker that triggered the CIPA lawsuit — Skims can build behavioral profiles that span months of browsing activity across intimate apparel categories.

This cookie audit is exactly the kind of analysis LeadMaxxing generates automatically for any ecommerce site — cookie inventory, category breakdown, expiry audit, and compliance gaps — delivered to your inbox in under 60 seconds.

Tracking Pixels & Tags

10 distinct pixels covering every major ad platform plus attribution and retargeting

Skims runs 10 distinct tracking pixels and analytics tags, covering every major ad platform plus mobile attribution and display retargeting. Each one fires on page load, sending data about your visit to its respective platform. Here's what we detected via technology profiling and source code analysis:

Google Analytics (GA4) Meta Pixel Google Ads TikTok Pixel Pinterest Tag Snapchat Pixel Bing/Microsoft UET Criteo Elevar OneTrust
f
Meta Pixel
Advertising
Meta Pixel detected — ID redacted for privacy
Tracks page views, add-to-cart, purchase, and custom events. Sends data to Meta for Facebook/Instagram ad retargeting and lookalike audiences. This is the pixel at the center of Skims' CIPA class-action lawsuit.
Fires: PageView on every load • AddToCart • Purchase • ViewContent
G
Google Analytics 4
Analytics
Google Analytics 4 property detected
Core web analytics. Tracks sessions, page views, scroll depth, outbound clicks, and ecommerce events. Feeds into Skims' marketing attribution dashboards.
Fires: page_view • scroll • click • purchase • view_item
G
Google Ads Conversion
Advertising
Google Ads conversion tag detected
Measures Google Ads conversions — links ad clicks to on-site purchases. Powers automated bidding (tROAS, tCPA) across Search, Shopping, and YouTube campaigns.
Fires: conversion on purchase • remarketing on all pages
T
TikTok Pixel
Advertising
TikTok Pixel detected — ID redacted for privacy
Tracks visitor actions for TikTok ad optimization. Enables retargeting of site visitors with TikTok In-Feed and Spark Ads. Critical for Skims' Gen Z audience strategy on the platform.
Fires: PageView • AddToCart • CompletePayment
P
Pinterest Tag
Advertising
Pinterest Tag detected — ID redacted for privacy
Powers Pinterest's conversion API and audience matching. Skims' visual-first brand and intimate apparel categories align well with Pinterest's discovery-driven shopping audience.
Fires: pagevisit • addtocart • checkout
S
Snapchat Pixel
Advertising
Snapchat Pixel detected — ID redacted for privacy
Measures Snapchat ad conversions and builds custom audiences for retargeting. Targets Skims' core demographic on the platform.
Fires: PAGE_VIEW • ADD_CART • PURCHASE
B
Microsoft/Bing UET
Advertising
Bing UET tag detected — ID redacted for privacy
Universal Event Tracking for Microsoft Advertising. Measures conversions from Bing search ads, Microsoft Audience Network, and LinkedIn-powered audiences.
Fires: pageLoad • purchase conversion
Criteo
Retargeting
Criteo retargeting pixel detected
Display retargeting across the Criteo publisher network. Shows Skims product ads to visitors who browsed but didn't purchase — across thousands of third-party sites.
Fires: viewHome • viewItem • viewBasket • trackTransaction
E
Elevar
Analytics / Attribution
Elevar server-side tracking detected
Server-side analytics and attribution layer purpose-built for Shopify. Elevar improves data accuracy by routing events server-to-server to Google Analytics, Meta, and other platforms — reducing data loss from ad blockers and iOS privacy restrictions.
Fires: all ecommerce events routed server-side
OneTrust
Consent Management
OneTrust consent management detected
Manages cookie consent banner and preference center. Categorizes cookies by purpose per GDPR/CCPA requirements. Especially important for Skims after the Meta Pixel lawsuit settlement.
Fires: on page load (before all other scripts)

What would YOUR pixel audit look like?

Skims runs 10 separate pixels and got sued over one of them. Most brands don't know what's actually firing on their site. LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have compliance gaps — then gives you a single script that handles visitor identification, lead scoring, and platform syncing automatically. Starting at $29/month.

Get this report for your brand →

Third-Party Script Audit

30+ external domains contacted on a single page load

Loading skims.com triggers requests to 30+ unique external domains. Your browser downloads scripts, pixels, fonts, and data from dozens of different companies before the page finishes loading. Here's the breakdown by category:

Third-Party Requests by Category (skims.com homepage)
Advertising 12 domains
Analytics / Attribution 5 domains
Personalization / Search 4 domains
CRM / Engagement 3 domains
CDN / Infrastructure 3 domains
Consent / Privacy 2 domains

Network Waterfall: What Loads and When

Here's the approximate load order when your browser requests skims.com. Notice how many third-party scripts fire in the first 2 seconds — before most users have even scrolled:

Estimated Network Request Timeline (skims.com homepage)
skims.com (Shopify)
140ms
cdn.onetrust.com
300ms
googletagmanager.com
350ms
getelevar.com
420ms
connect.facebook.net
520ms
analytics.tiktok.com
480ms
a.klaviyo.com
400ms
s.pinimg.com
380ms
sc-static.net
430ms
cdn.dynamicyield.com
720ms
static.criteo.net
510ms
cdn.shopify.com
1.6s
How we detected these scripts

We used two methods: (1) technology profiling of skims.com via BuiltWith and source code analysis to identify all detected vendor platforms, and (2) parsing Skims' Permissions-Policy HTTP header, which explicitly delegates client hints to sdk-api-v1.singular.net — confirming Singular as a mobile attribution vendor. Unlike some competitors, Skims does not set a Content-Security-Policy header, meaning any third-party script can load without CSP restriction. See our Tech Stack report for the full security header analysis.

Curious how many third-party domains YOUR site contacts? LeadMaxxing's free report runs this same audit on your domain and shows you exactly which vendors are loading, how they impact page speed, and which ones you can cut.

Key External Domains Contacted

ADS connect.facebook.net
ADS www.facebook.com
ADS googleads.g.doubleclick.net
ADS www.googleadservices.com
ADS analytics.tiktok.com
ADS s.pinimg.com
ADS ct.pinterest.com
ADS sc-static.net
ADS tr.snapchat.com
ADS static.criteo.net
ADS dis.criteo.com
ADS bat.bing.com
ANALYTICS www.googletagmanager.com
ANALYTICS www.google-analytics.com
ANALYTICS region1.google-analytics.com
ANALYTICS getelevar.com
ANALYTICS sdk-api-v1.singular.net
CRM a.klaviyo.com
CRM cdn.attn.tv
CRM sdk.iad-01.braze.com
PERSONAL cdn.dynamicyield.com
PERSONAL st.dynamicyield.com
PERSONAL *.algolia.net
PERSONAL cdn.okendo.io
CDN cdn.shopify.com
CDN fonts.googleapis.com
CDN fonts.gstatic.com
CONSENT cdn.onetrust.com
CONSENT geolocation.onetrust.com
ML api.blackcrow.ai
ERROR browser.sentry-cdn.com

Consent & Compliance Analysis

OneTrust consent management with CCPA mechanisms — post-lawsuit

Skims uses OneTrust for cookie consent — the same enterprise platform used by Nike, Gymshark, and ASOS. But Skims' consent story is unique: they were sued in a class-action for how their Meta Pixel tracked visitors. Here's how their current consent implementation works:

Consent Platform

OneTrust
Enterprise-tier consent management platform with privacy banner, cookie categorization, and data subject request handling

CCPA Compliance

Active
California Privacy Notice page, "Do Not Sell or Share My Personal Information" link in footer, and data request mechanism

GTM Container

GTM-P3LJS3J
Google Tag Manager container detected via source code analysis — orchestrates pixel firing and consent-gated tag deployment

Legal History

Lawsuit Settled
Sued under CIPA for Meta Pixel deployment without adequate consent. Case settled April 2024, dismissed with prejudice February 2025

The Meta Pixel Lawsuit: What Happened

In 2023, Skims was hit with a class-action lawsuit in California's Northern District Court. The complaint alleged that Skims' Meta Pixel acted as "spyware" — tracking users browsing intimate apparel categories and transmitting that data to Meta (Facebook) without meaningful consent. The lawsuit cited violations of California's Invasion of Privacy Act (CIPA), Sections 631(a) and 632, seeking $5M+ in damages. The case was settled in April 2024 and dismissed with prejudice in February 2025. Settlement terms remain undisclosed.

What Happens When You Visit skims.com

Here's the estimated sequence from the moment your browser hits skims.com:

0ms — Pre-Consent
Shopify platform loads + OneTrust initializes
The Shopify storefront begins rendering. OneTrust's consent script loads and pings geolocation.onetrust.com to determine if you're in the EU, California, or elsewhere. This decides which consent banner (if any) you see.
80ms — Pre-Consent
Google Tag Manager fires (GTM-P3LJS3J)
GTM container loads and evaluates consent state. In "consent mode," it sends consent_default: denied for EU visitors and granted for US visitors. GA4 begins collecting anonymized pings.
120ms — Pre-Consent
Elevar + Klaviyo initialize
Elevar's server-side analytics layer begins queuing events. Klaviyo loads to capture email/SMS signup interactions and identify returning subscribers via the __kla_id cookie.
200ms — Pre-Consent
Dynamic Yield and Black Crow AI load
Dynamic Yield initializes for page personalization. Black Crow AI's predictive modeling script begins evaluating visitor intent scores.
~600ms — Consent Banner Appears
OneTrust privacy banner renders
Applicable visitors see a consent banner with cookie preferences. The footer maintains "Do Not Sell or Share My Personal Information" and "Cookie Policy" links year-round per CCPA requirements.
~800ms — Post-Consent (Accept)
All ad pixels fire simultaneously
Meta Pixel, TikTok, Pinterest, Snapchat, Bing, Google Ads, and Criteo all initialize. Each sends a PageView event with your session data. Elevar begins routing events server-side for improved data accuracy.
~1200ms — Ongoing
Full tracking active
All ~38 cookies are now set. Every click, scroll, and product view generates events routed to 10 different platforms. Your browser maintains persistent connections to 30+ external domains.
Notable Finding

No Content-Security-Policy header. Unlike competitors who use CSP headers to explicitly whitelist allowed script sources, Skims runs without a CSP header entirely. This means any injected third-party script could execute without browser-level restriction. Combined with a "D" security header grade (3/6 headers present), Skims has room for improvement on the security side. Their Permissions-Policy header does delegate client hints to sdk-api-v1.singular.net, confirming Singular as a mobile attribution vendor.

Not sure what fires before consent on your own site? LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator or plaintiff's lawyer does.

How Skims Compares

Above the ecommerce average across most tracking metrics — with a lawsuit to show for it

Is Skims' tracking footprint unusual? We compared their estimated setup against averages from Cookiebot's 2024 ecommerce compliance report and HTTP Archive data:

Metric Skims (est.) Avg. Ecommerce Difference
Total Cookies ~38 24 +58% above avg
Third-Party Cookies ~16 11 +45% above avg
Tracking Pixels 10 5 +100% above avg
External Domains 30+ 22 +36% above avg
Consent Platform OneTrust Basic / None Enterprise tier
Privacy Lawsuit Settled (CIPA) None Above avg risk exposure

Skims' tracking footprint is above the industry average across every metric — and they've already paid the legal price for it. With an estimated valuation near $4B and advertising across 7 platforms, they need granular attribution data to allocate ad spend. But the CIPA lawsuit shows the risk: one misconfigured consent flow can turn a tracking pixel into a multi-million-dollar liability. Elevar's server-side approach shows Skims is investing in smarter data collection that's more resilient to privacy restrictions.

Takeaway

Skims' tracking stack is what a $4B DTC brand's marketing infrastructure looks like after a privacy lawsuit. 10 pixels, OneTrust consent, and server-side attribution via Elevar isn't excessive — it's the post-iOS 14 reality. The question isn't whether to track, but whether your consent implementation can survive legal scrutiny. Skims learned that lesson the hard way.

Key Findings

  • → Skims runs 10 distinct tracking pixels across its Shopify storefront, covering Meta, Google, TikTok, Pinterest, Snapchat, Bing, and Criteo — double the ecommerce average of 5.
  • → Skims was sued for $5M+ under California's CIPA over its Meta Pixel deployment tracking users browsing intimate apparel — the case was settled and dismissed with prejudice in February 2025.
  • → The site contacts 30+ unique external domains on every page load, with 12 advertising domains alone — 36% above the ecommerce average of 22.
  • → Skims has no Content-Security-Policy header and scores a D (3/6) on security headers — meaning any injected third-party script can execute without browser-level restriction.
  • → Elevar provides server-side analytics routing for Shopify, improving data accuracy after iOS 14+ privacy restrictions reduced client-side pixel reliability by an estimated 30-40%.

What This Data Means for You

Turning Skims' tracking infrastructure into your competitive advantage

Skims' story is a cautionary tale and a playbook wrapped into one. They run a sophisticated tracking stack — but they also got sued for it. The lesson isn't "don't track," it's "track smarter." If you're running Meta Pixel on a site that sells sensitive product categories (intimate apparel, health, finance), your consent implementation is the difference between profitable growth and a class-action lawsuit. And if you're not using server-side tracking yet, Skims' adoption of Elevar shows where the industry is headed.

The good news: you don't need Skims' $250K+ tracking stack to get actionable visitor data. Their setup exists because they advertise across 7 platforms simultaneously (see our social media analysis). If you're running 2-3 platforms, you need 2-3 pixels — plus a consent layer and one unified tracking solution to tie it together.

LeadMaxxing Automates This Tracking Audit Playbook

Skims spends $250K+/year on their tracking stack with 10 pixels and enterprise consent management. LeadMaxxing scans your site, shows you exactly which pixels are firing and where you have compliance gaps, then gives you unified tracking with a single script — starting at $29/month.

Get your free tracking audit →

5 Things You Can Implement Today

Actionable lessons from Skims' tracking playbook

Run an automated cookie and pixel audit

LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have compliance gaps — the same audit you just read, generated for your domain in under 60 seconds.

Audit your consent implementation before a lawyer does

Skims' CIPA lawsuit cost them millions. LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly which pixels fire before users consent and where your legal exposure is.

Adopt server-side tracking for iOS accuracy

Skims uses Elevar for server-side event routing on Shopify. LeadMaxxing identifies anonymous visitors and scores leads server-side — so you don't lose 30-40% of your conversion data to ad blockers and iOS privacy restrictions.

Benchmark your tracking against competitors

Skims runs 2x the industry average in tracking pixels. LeadMaxxing's competitive reports show you how your tracking compares to direct competitors — cookie counts, pixel coverage, consent implementation, and third-party overhead.

Supercharge Your Leads with LeadMaxxing

Get a free LeadMaxxing account and start supercharging your leads. Start free →

Free — No credit card required

Get This Analysis For Your Brand FREE
When You Create A Free LeadMaxxing Account

Create a free LeadMaxxing account and we'll generate a full competitive analysis for YOUR brand. The same intelligence you just read — comparison with competitors, actionable strategies, and AI-powered recommendations.

Auto-generated brand report Competitor comparison Strategy recommendations AI-powered insights Free LeadMaxxing account to supercharge your leads
Get Free Report + Account → Free plan includes visitor tracking, lead scoring, and AI chat. Paid plan $29/month for full access.

More Skims Intelligence

Tracking & Privacy for Similar Brands

Frequently Asked Questions

How many tracking pixels does Skims use on skims.com?
Skims runs approximately 10 distinct tracking pixels and tags including Meta Pixel, Google Analytics 4, Google Ads, TikTok Pixel, Pinterest Tag, Snapchat Pixel, Microsoft/Bing UET, and Criteo. These were detected via technology profiling and source code analysis of skims.com.
Was Skims sued for its tracking practices?
Yes, Skims was sued in a class-action lawsuit in California's Northern District Court for deploying Meta's tracking pixel without adequate consent, violating California's Invasion of Privacy Act (CIPA). Plaintiffs alleged the Meta Pixel tracked users browsing intimate apparel and transmitted data to Meta without proper disclosure. The case was settled and dismissed with prejudice in February 2025.
What consent management platform does Skims use?
Skims uses OneTrust for cookie consent management, with a privacy banner implementation on their site. The footer includes links to Cookie Policy, Do Not Sell or Share My Personal Information (CCPA requirement), and a Data Request mechanism for consumer rights requests.
Does Skims use Google Tag Manager?
Yes, Skims uses Google Tag Manager with container ID GTM-P3LJS3J as their primary tag orchestration system, detected via source code analysis of skims.com. GTM manages the deployment of GA4, Google Ads conversion tracking, and coordinates pixel firing across platforms.
What email and SMS marketing platform does Skims use?
Skims uses Klaviyo as their primary email and SMS marketing platform, and Attentive for additional SMS messaging capabilities. Both were detected via technology profiling of skims.com and confirmed across multiple third-party analysis sources.
What personalization technology does Skims use on their website?
Skims uses Dynamic Yield for website personalization, Algolia for search functionality, and Black Crow AI for machine learning-based targeting and predictions. These platforms enable personalized product recommendations, intelligent search results, and predictive customer behavior modeling.
Does skims.com comply with GDPR and CCPA privacy regulations?
Skims has CCPA compliance mechanisms including a California Privacy Notice page, Do Not Sell or Share My Personal Information link, and a data request form. They use OneTrust for consent management. However, the 2023 Meta Pixel lawsuit alleged inadequate consent for tracking. The case was settled in 2024 and dismissed with prejudice in February 2025.
How many third-party vendors does Skims load on their website?
Skims loads approximately 30+ third-party vendor domains on skims.com, including advertising platforms (Meta, Google, TikTok, Pinterest, Snapchat, Bing, Criteo), analytics tools (GA4, Elevar, Singular), CRM platforms (Klaviyo, Attentive, Braze), personalization engines (Dynamic Yield, Algolia), and infrastructure services (Shopify, OneTrust, Sentry).

Sources & References

The Fashion Law — Original reporting on the CIPA class-action lawsuit against Skims for Meta Pixel deployment without adequate consent.
thefashionlaw.com
RetailBoss — Reporting on the settlement and dismissal of the Skims Meta Pixel spyware lawsuit.
retailboss.co
Enzuzo Privacy Teardown — Independent analysis of Skims' data privacy practices, cookie consent implementation, and OneTrust usage.
enzuzo.com
BuiltWith Technology Profile — Technology detection and profiling of skims.com's third-party vendor stack, tracking pixels, and infrastructure.
builtwith.com
Skims Privacy Policy — Official privacy policy page detailing data collection practices, third-party sharing, and consumer rights.
skims.com
Skims California Privacy Notice — CCPA-specific privacy disclosure for California residents, including categories of personal information collected.
skims.com
Permissions-Policy Header Analysis — Skims' HTTP Permissions-Policy header delegates client hints to sdk-api-v1.singular.net, confirming Singular as a mobile attribution vendor. Scraped March 20, 2026.
Compiled by LeadMaxxing — we track how brands build, test, and optimize their marketing so you can learn from the best.