GDPR compliance FAQ for DSPs/Buyers


The General Data Protection Regulation (GDPR) is the European Union (EU) data protection law that began on May 25, 2018, replacing the previous Data Protection Directive. The GDPR is a comprehensive overhaul of the previous law.

This FAQ below is intended to help you address buy-side questions that you may have on this topic.

How does the GDPR change EU privacy law?

GDPR aims to streamline and modernize existing EU privacy law to reflect technology advances while giving individuals more control over their personal data. One significant update (particularly for the ad-tech industry), is a heightened standard for consent, which places more responsibility on organizations to demonstrate compliance, such as by maintaining auditable data processing records. Any organizations engaging third-party service providers (such as PubMatic) to collect and process data on their behalf also need appropriate contracts in place to comply with the stricter contracting requirements introduced by the GDPR.

Are non-EU companies subject to the GDPR?

Yes. Any company that processes personal data of individuals located in the European Economic Area (which includes the EU countries and Iceland, Liechtenstein and Norway) ("EEA"), including delivering them online ads or tracking their online activities, is within the scope of the GDPR, regardless of whether the company has a physical presence in the EEA or engages in direct business with any EEA companies.

Who is PubMatic?

PubMatic provides a publisher-focused sell-side digital advertising management platform ("Platform") that connects media sellers (publishers) with media buyers (advertisers) looking to buy publisher inventory. Publishers use the Platform to automate the buying and selling of advertising inventory across different sales channels. PubMatic also provides various programmatic tools for media buyers.

Does GDPR affect PubMatic even though our platform doesn’t process data points like names, phone numbers, and email addresses?

The GDPR applies to the collection, use, and disclosure of “personal data” from the EEA. Personal data, as defined in the GDPR, includes all data relating to an identified or identifiable individual, which includes personally identifiable information like names, phone numbers, etc. (which PubMatic does not currently process through the Platform), in addition to device-related identifiers like unique device IDs and IP addresses (which the GDPR describes as “pseudonymous” forms of personal data, and which PubMatic does collect from end-users who interact with publisher websites and other digital media properties that use PubMatic's technology).

What is PubMatic's role when it processes personal data?

PubMatic is typically a controller (not processor) of the personal data it collects and processes in connection with its services. Therefore, PubMatic will be directly responsible for complying with the new obligations under the GDPR.

  • We believe that we are a controller of end-user personal data for a number of reasons, and below are some of the main use cases:
  • To determine the recipients of such data (and we may add new recipients at our discretion). We are also the party that has the responsibility to evaluate the organizational and technical security measures of such recipients.
  • To pre-filter impressions for RTB auctions with third-party buyers for better monetization and fraud prevention.
  • To deliver targeted ads via our Platform based on the user's behavior.
  • To set cookies (and other similar tracking technologies) directly on end-user devices when PubMatic receives a request from a publisher's browser or application.
  • To analyze and track data for ad delivery and reporting across websites, online services, and apps over time, including optimization of the location of ad placement, ad performance, reach and frequency metrics, logging the number and type of ads served per day on a device as well as to bill our customers.

The positioning of PubMatic as a controller is consistent with the view of the Article 29 Working Party in its 2010 Opinion on Behavioral Advertising, which can be found at:

Do we need consent to collect data needed to personalize ads?

No. GDPR itself does not require consent for the collection of data for online advertising (see our comments below for more). However, another EU law – the e-Privacy Directive – requires user consent to access any information stored on an end user's device using tracking technologies (such as cookies, pixels, web beacons and browser caches).

This impacts PubMatic because, as a digital advertising platform, PubMatic needs to set cookies and similar tracking technologies on end-users’ devices to gather information in order to deliver such end users more relevant ads from PubMatic’s network of advertisers. However, because advertising platforms (like PubMatic) have no direct relationship with the end-users of the digital properties displaying such ads, PubMatic is actively working with its network of publishers to ensure that PubMatic can collect and use data via its Platform.

Publishers should likewise revisit their cookie consent mechanisms to ensure they will meet the GDPR standard of consent. Note that although the e-Privacy Directive is currently under revision, the requirement for consent to use tracking technologies is likely to remain.

What does GDPR say about profiling?

The GDPR definition of “profiling” includes the collection of data over time to deliver targeted ads to end-users located in the EEA based on their history and behavior. GDPR requires opt-in consent only for profiling that produces a “legal effect” (or similarly, "significantly affects" an individual), such as, for example, an automated credit reference denying an individual a loan. Whether or not someone is served a more relevant ad should not trigger this obligation. As recent regulatory guidance suggests, the available lawful grounds that apply to such profiling can extend to legitimate interests – an alternative to consent.

PubMatic is also keeping abreast on the regulatory and industry developments in this area, including the progress of the new (but still draft) e-Privacy Regulation (which once finalized, will replace the existing e-Privacy Directive).

Does PubMatic transfer data internationally?

Yes. PubMatic is a global company headquartered in the United States and may gather information about end users in the EEA when they interact with publishers’ websites and digital media properties that use PubMatic technology. Therefore, PubMatic will process personal data that originates from the EEA in its datacenters in the EEA (Netherlands) and the United States.

The GDPR replicates the existing Data Protection Directive restrictions on transferring data outside the EEA. Transfers are permitted only if certain safeguards are in place, such as by self-certifying to the EU-US Privacy Shield. PubMatic has therefore self-certified to the Swiss-US and EU-US Privacy Shield to protect all EEA end user data when it transfers such data to PubMatic in the U.S.

What is PubMatic doing to comply with the GDPR?

With support from EU external advisors, PubMatic has embarked on a compliance project to become GDPR-ready by the May 25, 2018 deadline. Some of the measures PubMatic is taking include:

  • Coordination with Ad Tech Partners - Talking to publishers, advertisers and other ad tech companies to understand how they interpret the GDPR, the steps that they are taking in their compliance efforts and how we can coordinate our compliance efforts.
  • Involvement with Industry Organizations – Active involvement with the IAB Europe, IAB UK, IAB Tech Lab and Network Advertising Initiative (NAI) to help address GDPR and other EU privacy items and initiatives.
  • User Consent - PubMatic is part of the IAB Global Vendor List and supports the IAB consent framework to ingest consent from publisher, their CMP and related users into our ecosystem. We also support passing consent downstream to DSPs and 3rd parties using the IAB OpenRTB GDPR related extension attributes.
  • Data Mapping - Undertaking a data mapping exercise for the purpose of creating the necessary data processing records.
  • Masking of Geolocation Data - Removing the last octet from the IP address of all EEA end users to de-identify such information and mask latitude/longitude data for EEA end users to the first two decimals to make it de facto imprecise. PubMatic utilizes Digital Envoy to obtain additional imprecise location information generated from complete IP address data and that generated location information will continue to be passed in bid requests for EEA end users as it has in the past.
  • Data Minimization - Establishing mechanisms to collect only the data that is needed, and pseudonymizing such data wherever possible (including masking geolocation data as discussed above).
  • Data Retention - Implementing a data retention schedule across all our systems so that we routinely delete or anonymize data we do not need.
    Individual Rights - Formalizing processes around data subject rights to ensure that PubMatic is able to respond comprehensively and within the timeframes required by the GDPR.
  • Transparency - Reviewing and updating its privacy notices and policies for GDPR compliance.
  • Publisher and Advertiser Agreements - Updating arrangements with publishers and advertisers to address GDPR compliance.
  • Vendor Agreements - Updating agreements with third party sub-processors to ensure that they comply with the GDPR and vetting new sub-processors.
  • Security - Ensuring the continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by PubMatic.
    PubMatic is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.

How does IAB approach consent?

The OpenRTB GDPR Advisory details how to pass user consent via the OpenRTB protocol. This enables digital advertising companies to share user consent information among publishers, buyers, and data companies in a real-time bidding transaction. The OpenRTB GDPR Advisory is compatible with OpenRTB version 2.1 to 2.5 and also details how to pass user consent in the upcoming release of the OpenRTB 3.0 specification.

Does GDPR impact bid requests?

Yes. PubMatic is adopting the IAB Europe designed OpenRTB framework that allows our exchange to pass user consent downstream to DSPs and buyers. There are two new GDPR related extension attributes being added to objects “User” and “Regs” which PubMatic is using to signal consent in bid requests:



Data type

Possible values




0 or 1

This says if request is GDPR regulated
 e.g gdpr=1



Base64 encoded consent string

This is consent string which has information about All vendor consent (including PubMatic)


The objects signal if consent has been given to the exchange by the user and publisher of opt-in. Additionally, Documentation with tech instructions for oRTB spec is available for V2.x oRTB and V3.0 oRTB.

Where can I get more information?

If you have any questions, need GDPR consent object information or otherwise require assistance, please contact by email at

⇧ Top

⇧ Top

Do you have feedback on this document? Let us know: email us.

Table of Contents