AdRoll is a retargeting and prospecting advertising platform operated by NextRoll, designed to follow visitors across the web with display, video and social ads.
AdRoll is a marketing platform operated by NextRoll Inc., a San Francisco based company. It combines a retargeting demand side platform, an audience extension network and email orchestration into a single dashboard. European DTC ecommerce brands, B2B marketers and growth teams use AdRoll to run display, native, social retargeting and email follow up campaigns.
The AdRoll pixel drops the __adroll first party cookie under the advertiser domain, the __ar_v4 cross site identifier under d.adroll.com, the roundtrip cookie for advertising campaign measurement and various sync identifiers when AdRoll synchronises with third party DSPs. The pixel also reads the IAB Transparency and Consent Framework string when present.
The AdRoll pixel performs cross site behavioural profiling, which falls squarely outside the strictly necessary exemption of Article 5(3) ePrivacy. The CNIL, the Datenschutzkonferenz, the AEPD and the Garante require prior explicit consent. NextRoll Inc. acts as a joint controller with the advertiser for several processing activities, requiring a joint controller arrangement under Article 26 GDPR.
Advertisers must obtain prior, freely given, specific, informed and unambiguous consent before the AdRoll pixel fires. AdRoll supports the IAB Transparency and Consent Framework version 2.2: the pixel reads the TCF string and gates audience building accordingly. A consent management platform registered as a CMP under the TCF is therefore the most robust integration path.
NextRoll Inc. processes pixel events on US infrastructure (Amazon Web Services and Google Cloud Platform). NextRoll self certifies under the EU US Data Privacy Framework, providing an adequacy basis for transfers from the EEA. Standard Contractual Clauses are included in the NextRoll DPA as an additional safeguard. Advertisers must list this transfer in their record of processing activities.
Sign the NextRoll DPA, agree the Article 26 joint controller arrangement, register a TCF certified consent management platform, gate the AdRoll pixel behind the consent string, document the US transfer under the EU US Data Privacy Framework, and offer easy access to AdRoll opt out mechanisms via the NextRoll Privacy Notice. Run a quarterly cookie audit because audience extension partners can change without notice.
Websites using AdRoll must obtain user consent under GDPR regulations.
DPIA considerations
AdRoll is a high risk processor because it enables cross site behavioural retargeting and audience syncing with hundreds of DSPs and SSPs. A DPIA is required when AdRoll is combined with email matching, when retargeting lists are kept beyond 90 days, or when sensitive verticals are targeted.
Sample consent text
We use AdRoll to show you targeted ads on other websites after your visit. AdRoll drops cookies on your device and shares identifiers with advertising partners in the United States and elsewhere. Without your consent, no AdRoll cookie is set and you do not see our personalised ads.
Third-party domains contacted
d.adroll.com, s.adroll.com, adroll.com, a.adroll.com, nextroll.com, adrollmedia.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __adroll | first_party | 1 year | AdRoll first party identifier set under the advertiser domain by the AdRoll pixel. Identifies the visitor for retargeting and audience extension purposes. |
| __adroll | Marketing | 1 year | AdRoll persistent visitor identifier used for cross site retargeting and conversion attribution. |
| __ar_v4 | third_party | 1 year | AdRoll cross site identifier set under d.adroll.com. Used to recognise the visitor across publisher sites that load the AdRoll pixel for retargeting. |
| __adroll_fpc | Marketing | 1 year | First party fallback cookie set on the publisher domain when ITP or third party cookie blocking restricts adroll.com. |
| roundtrip | third_party | 1 year | AdRoll campaign measurement cookie used to attribute ad impressions and clicks to a single visitor session for reporting. |
| __ar_v4 | Marketing | 1 year | Stores audience segment memberships for the visitor, used to deliver retargeting and lookalike ads. |
| __asc | Marketing | Session | Session level cookie that tracks the current AdRoll browsing session. |
| __adroll_fpc | first_party | 1 year | AdRoll first party cookie used as a fallback identifier when third party cookies are blocked. Set via the AdRoll pixel through CNAME delegation. |
| nx_* | third_party | 30 days | AdRoll cookie sync identifiers exchanged with external DSPs through cookie syncing pixels. |
| __auc | Marketing | 1 year | Set when the AdRoll pixel first identifies a visitor, used to anchor the visitor profile. |
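One way to run the cookie audit against this inventory, as an added example that is not AdRoll's or FlowConsent's own code. The record format (`name`, `domain`, `consentGranted`) and the sample data are assumptions; the cookie names and domains are the ones listed on this page.

```javascript
// Added example: audit observed cookies against the AdRoll inventory above.
// Names and domains are from this page; the record shape is an assumption.
const KNOWN_COOKIES = ['__adroll', '__adroll_fpc', '__ar_v4', '__asc', '__auc',
  'roundtrip', 'nx_*'];
const ADROLL_DOMAINS = ['adroll.com', 'nextroll.com', 'adrollmedia.com'];

// True when host equals the domain or is a subdomain of it (leading dot tolerated).
function onDomain(host, domain) {
  const h = host.replace(/^\./, '').toLowerCase();
  return h === domain || h.endsWith('.' + domain);
}

// Match a cookie name against the inventory; a trailing * is a prefix wildcard.
function isKnownAdRollCookie(name) {
  return KNOWN_COOKIES.some(p =>
    p.endsWith('*') ? name.startsWith(p.slice(0, -1)) : name === p);
}

// records: [{ name, domain, consentGranted }], where consentGranted is the
// marketing-consent state at the moment the cookie was observed being set.
function auditCookies(records) {
  const findings = [];
  for (const r of records) {
    const known = isKnownAdRollCookie(r.name);
    const adrollHost = ADROLL_DOMAINS.some(d => onDomain(r.domain, d));
    if (!known && !adrollHost) continue; // unrelated cookie
    if (!r.consentGranted) {
      // The pixel fired, or a cookie sync ran, before opt-in.
      findings.push({ cookie: r.name, domain: r.domain, issue: 'set-before-consent' });
    }
    if (adrollHost && !known) {
      // A cookie on an AdRoll domain that the published table does not list.
      findings.push({ cookie: r.name, domain: r.domain, issue: 'not-in-inventory' });
    }
  }
  return findings;
}

// Constructed sample observations (not real capture data).
const SAMPLE = [
  { name: '__adroll', domain: 'shop.example', consentGranted: false },
  { name: '__ar_v4', domain: '.d.adroll.com', consentGranted: true },
  { name: 'nx_partner1', domain: 'd.adroll.com', consentGranted: true },
  { name: 'newsync', domain: 'a.adroll.com', consentGranted: true },
  { name: 'session_id', domain: 'shop.example', consentGranted: false },
];
```

A `not-in-inventory` finding means the cookie table and the privacy notice need updating; a `set-before-consent` finding means the consent gate is not holding.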
The AdRoll pixel sets __adroll (first party identifier under the advertiser domain, 1 year), __ar_v4 (cross site identifier under d.adroll.com, 1 year), roundtrip (campaign measurement cookie, 1 year) and various sync cookies (xuid, NID) when AdRoll synchronises with third party DSPs.
Yes. The AdRoll pixel performs cross site behavioural profiling and is explicitly out of scope of the strictly necessary exemption. The CNIL, DSK, AEPD and Garante all require prior, freely given, specific, informed and unambiguous consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR.
Consent under Article 6(1)(a) GDPR is the only lawful basis for AdRoll pixel processing. NextRoll Inc. is a joint controller with the advertiser for certain audience activities, requiring an Article 26 GDPR joint controller arrangement that allocates responsibilities and transparency duties.
Yes. NextRoll Inc. is based in the United States and processes pixel events on Amazon Web Services and Google Cloud Platform US regions. NextRoll self certifies under the EU US Data Privacy Framework. Standard Contractual Clauses are included in the NextRoll DPA as an additional safeguard.
A DPIA is recommended whenever AdRoll is used at scale for behavioural retargeting, audience extension, cross device tracking or campaigns targeting sensitive verticals. Document the profiling logic, the IAB TCF supply path, the US transfer and the consent collection mechanism.
Sign the NextRoll DPA, conclude the Article 26 joint controller arrangement, register a TCF certified consent management platform, gate the AdRoll pixel behind the consent string, anonymise IPs where possible, document the US transfer, and provide a public privacy notice that links to the NextRoll Privacy Notice and the AdRoll opt out page.
Alternatives include EU based DSPs (Adform, RTB House Europe, M6 Publicite for video), contextual networks (Seedtag, Outbrain Europe) that rely less on cookies, and first party retargeting via Meta and Google Ads connected through your own consent gated pixels. Server side conversions APIs can also reduce the cookie footprint.
Add a dedicated AdRoll section listing __adroll, __ar_v4, roundtrip and the sync cookies with name, domain, duration and purpose. Disclose the joint controllership with NextRoll Inc., the third country transfer to the United States and the EU US Data Privacy Framework certification, and link to the NextRoll Privacy Notice and the AdRoll opt out page.
AdRoll drops third party cookies on adroll.com: __adroll (visitor ID), __adroll_fpc (fallback first party), __ar_v4 (audience segments, 1 year), __asc (session) and __auc (initial user creation, 1 year). It can also drop helper cookies for ITP workarounds.
Yes. AdRoll is a third party advertising cookie that builds cross site behavioural profiles. Both article 5(3) ePrivacy and article 6 GDPR require prior, opt in consent before loading the AdRoll pixel.
Consent (article 6(1)(a) GDPR). Legitimate interest does not work for cross site behavioural advertising, as confirmed by the EDPB and the CNIL.
NextRoll Inc. is based in the US and runs AdRoll on US AWS infrastructure. Transfers rely on the NextRoll DPA, EU Standard Contractual Clauses and the EU US Data Privacy Framework when NextRoll is DPF certified.
A DPIA is recommended whenever AdRoll is the central retargeting tool, when audiences sync with multiple DSPs and SSPs, when custom audiences contain personal data uploaded from a CRM, or when targeting sensitive verticals.
Block the AdRoll pixel inside your CMP. Forward the IAB TCF v2.2 string. Limit retargeting list retention. Avoid uploading sensitive personal data into custom audiences. Honour opt out via the AdRoll opt out endpoint and via the IAB TCF user signal.
Criteo (Paris, EU based), RTB House (Warsaw), Smartclip, Outbrain Onyx, Taboola, StackAdapt (with EU data residency option), or pure first party retargeting via Meta Conversions API and Google Ads Customer Match limited to consenting users.
List the AdRoll cookies with their domains, durations and purposes. Identify NextRoll Inc. as joint controller in the privacy notice. Describe the US transfers and the safeguards (DPF, EU SCCs). Provide links to the NextRoll privacy notice and to the AdRoll opt out page.