GDPR Overview & Resources

About TCF 2.0

The IAB Europe Transparency & Consent Framework (TCF) gives the publishing and advertising industries a common structure to communicate consumer consent for the delivery of online advertising and content in compliance with the EU’s GDPR and ePrivacy Directive.

To learn more:

If you have questions or need more assistance, contact your Customer Success representative.


On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (“GDPR”) took effect in the European Union (“EU”). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on companies that market to, track or handle EU personal data, no matter where a company is located.

GDPR builds upon foundational EU privacy compliance laws with which PubMatic has been involved for years. PubMatic is fully engaged with the GDPR roll-out and is dedicated to ensuring our customers are prepared for the May 25, 2018 start date.

The information and resources below are available to assist your GDPR onboarding efforts with PubMatic.

PubMatic's Role In Processing Data

PubMatic is typically a controller (not a processor) of the personal data it collects and processes in connection with its services. Therefore, PubMatic will be directly responsible for complying with the new obligations under the GDPR.

We believe that we are a controller of end-user personal data for a number of reasons, and below are some of the main use cases:

  • To determine the recipients of such data (and we may add new recipients at our discretion). We are also the party that has the responsibility to evaluate the organizational and technical security measures of such recipients.
  • To pre-filter impressions for RTB auctions with third-party buyers for better monetization and fraud prevention.
  • To deliver targeted ads via our Platform based on the user's behavior.
  • To set cookies (and other similar tracking technologies) directly on end-user devices when PubMatic receives a request from a publisher's browser or application.
  • To analyze and track data for ad delivery and reporting across websites, services, and apps over time, including optimization of location of ad placement, ad performance, reach and frequency metrics, logging the number and type of ads served per day on a device as well as to bill our customers.

The positioning of PubMatic as a controller is consistent with the view of the Article 29 Working Party in its 2010 Opinion on Behavioral Advertising.

PubMatic Compliance Efforts

With support from EU external advisors, PubMatic has embarked on a compliance project to become GDPR-ready by the May 25, 2018 deadline. Some of the measures PubMatic is taking include:

  • Coordination with Ad Tech Partners - Talking to publishers, advertisers and other ad tech companies to understand how they interpret the GDPR, the steps that they are taking in their compliance efforts and how we can coordinate our compliance efforts.
  • Involvement with Industry Organizations – Active involvement with the IAB Europe, IAB UK, IAB Tech Lab and Network Advertising Initiative (NAI) to help address GDPR and other EU privacy items and initiatives.
  • User Consent - PubMatic is part of the IAB Global Vendor List and supports the IAB consent framework to ingest consent from publishers, their CMPs, and related users into our ecosystem. We also support passing consent downstream to DSPs and third parties using the IAB OpenRTB GDPR-related extension attributes.
  • Data Mapping - Undertaking a data mapping exercise for the purpose of creating the necessary data processing records.
  • Masking of Geolocation Data - Removing the last octet from the IP address of all EEA end users to de-identify such information, and masking latitude/longitude data for EEA end users to the first two decimals to make it de facto imprecise. PubMatic utilizes Digital Envoy to obtain additional imprecise location information generated from complete IP address data, and that generated location information will continue to be passed in bid requests for EEA end users as it has in the past.
  • Data Minimization - Establishing mechanisms to collect only the data that is needed, and pseudonymizing such data wherever possible (including masking geolocation data as discussed above).
  • Data Retention - Implementing a data retention schedule across all our systems so that we routinely delete or anonymize data we do not need.
  • Individual Rights - Formalizing processes around data subject rights to ensure that PubMatic is able to respond comprehensively and within the timeframes required by the GDPR.
  • Transparency - Reviewing and updating its privacy notices and policies for GDPR compliance.
  • Publisher and Advertiser Agreements - Updating arrangements with publishers and advertisers to address GDPR compliance.
  • Vendor Agreements - Updating agreements with third party sub-processors to ensure that they comply with the GDPR and vetting new sub-processors.
  • Security - Ensuring the continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by PubMatic.
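
The masking described under "Masking of Geolocation Data" above can be sketched as follows. This is an added example, not PubMatic's code: the field names follow the OpenRTB 2.x device object, and the IPv6 handling (keeping only the /48 prefix), the truncation toward zero and the `is_eea` flag are assumptions, since the page specifies only the last IPv4 octet and two decimals.

```python
import copy
import ipaddress
from decimal import Decimal, ROUND_DOWN


def mask_ip(addr: str) -> str:
    """Drop the last octet of an IPv4 address (keep the /24).

    IPv6 is not covered by the page; keeping the /48 prefix is an assumption.
    """
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def truncate_coord(value) -> float:
    """Keep the first two decimals without rounding up (truncate toward zero)."""
    d = Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)
    return float(d)


def mask_device(device: dict, is_eea: bool) -> dict:
    """Return a masked copy of an OpenRTB-style device object for EEA users."""
    if not is_eea:
        return device
    out = copy.deepcopy(device)  # never mutate the caller's request
    for key in ("ip", "ipv6"):
        if out.get(key):
            out[key] = mask_ip(out[key])
    geo = out.get("geo", {})
    for key in ("lat", "lon"):
        if geo.get(key) is not None:
            geo[key] = truncate_coord(geo[key])
    return out


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_DEVICE = {
    "ip": "203.0.113.77",
    "ipv6": "2001:db8:abcd:12::1",
    "geo": {"lat": 48.858370, "lon": 2.294481},
}

if __name__ == "__main__":
    print(mask_device(SAMPLE_DEVICE, is_eea=True))
```

Two decimals of latitude still resolve to roughly one kilometre, so masked coordinates remain location data and should be logged and retained accordingly.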

PubMatic is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.

Consent Management Under GDPR

Under the GDPR, publishers need consent from their users to collect and target their personal data. This will directly impact any advertising on the page. 

How Consent Is Captured

Publishers need to partner with an IAB EU spec-compliant Consent Management Platform (CMP). This will allow them to receive and pass along user consent with each ad impression.

How Consent Sharing Works 

Step 1: User provides consent.

Step 2: PubMatic client reads user choice.

Step 3: PubMatic processes consent. 

Step 4: Partners process consent. 

The detailed ecosystem flow provides additional detail whether consent is or is not received:

GDPR Resources

FAQ Resources

External FAQs for Buyers and Publishers linked below are intended to help you address questions that you may have on GDPR compliance:

IAB Resources

  • IAB’s oRTB GDPR Extensions Document: Advisory document that focuses on how active versions of OpenRTB will signal GDPR applicability and relay the consent string.
  • CMP Framework Document: Technical specifications for the IAB Europe Transparency and Consent Framework, intended to help compliance with GDPR.

Product Updates

In preparation for GDPR, PubMatic is implementing certain required product updates to ensure compliance.


PubMatic supports the IAB Europe-designed OpenRTB framework that allows our exchange to pass user consent downstream to DSPs/buyers.

For oRTB v2.x versions and oRTB v3.0, more technical details can be found in the OpenRTB Advisory.

In addition, PubMatic is offering to:

  • Support contextual, non-targeted ads for DSPs
  • Pre-filter traffic based on consent signal at campaign level for DSPs


You can find comprehensive PubMatic product documentation for GDPR compliance here, with summaries provided below:

  • OpenWrap: Publishers who install Prebid 1.9 are prepared for GDPR, as Prebid 1.9 includes built-in Consent Management support.
  • RTB Platform: GDPR compliance is applied to all requests coming from EU-region publishers by default. Publishers must pass consent from the user to PubMatic.
  • Publisher Tags (Display, Video, etc.): All PubMatic client-side tags integrate with any IAB-compliant CMP and support the GDPR flag and Consent String parameters.

For additional information about GDPR compliance, please contact your account manager at any time.
