GDPR Implementation in the RTB Platform


This document explains how the RTB platform implements the General Data Protection Regulation (GDPR) and how to enable the GDPR compliance for different partners.

So far, few Personal Identifiable Information (PII) fields such as user location, IP, age, etc. are being used to deliver targeted ads to users. GDPR regulates the use of such PII fields when the user does not give consent to Ad vendors.

GDPR Impact in the RTB Platform

When the request from a page is a GDPR-regulated impression and the user does not give consent to PubMatic, then all such PII fields are cleared before performing deals and RTB requests. The GDPR-regulated impressions without user consent to PubMatic impact the following areas:

  • Real Time Bidding
    PubMatic does not send any PII fields through bid requests to a demand partner.
  • PMP Deals
    PubMatic does not evaluate any deals that are targeted on such PII fields.
  • User matching
    Cookies will not be shared with demand partners for matching with the user id.
  • Audience Matching
    Audience data will not be collected from data providers for any users that do not give consent to PubMatic. PubMatic does not use any PII fields that are already collected if the user does not give consent to PubMatic. Additionally, those fields will be deleted after 30 days automatically if the user continues to opt out of PubMatic.

GDPR Compliance for Publishers

By default, the GDPR compliance is applied to all requests coming from EU-region publishers. Publishers should get the consent from the user to PubMatic along with other vendors.

In all requests from a Publisher where there is no consent, PubMatic performs the ad serving as if the user has opted out of PubMatic; Publisher can also opt to get pass-back/blank ad in such case.

A Publisher level control is provided to specify the Publisher’s choice.

GDPR Compliance for DSPs

By default, the GDPR compliance is applied to all requests coming from the EU region. A DSP can opt for checking their consent and send the RTB requests only when they have the consent. They can also opt to receive all GDPR-regulated impressions if they are already compliant and can handle such requests on their side.

A campaign level control is provided to specify the DSP choice.

PubMatic sends the following GDPR consent information through RTB request to DSP:

gdpr=1 denoting that the impression is a GDPR regulated information

consent="consent data" - the consent information as received from the publisher page

How to Get Support

For any support related to GDPR implementation in the RTB platform please contact the technical support team at PubMatic.

⇧ Top

⇧ Top

Do you have feedback on this document? Let us know: email us.

Table of Contents