Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Advally is a programmatic yield optimisation and header bidding platform for publishers that uses cookies to identify users, measure ad performance, and increase advertising revenue.
Advally is a programmatic advertising platform that helps publishers optimise their ad inventory through header bidding, dynamic floor pricing, and yield management. When integrated on a website, Advally injects JavaScript that participates in real time bidding auctions, collects performance signals, and exchanges identifiers with demand side platforms. The result is higher fill rates and improved CPMs, but the technology depends on persistent identifiers and shared user data, which places it firmly inside the scope of the GDPR and the ePrivacy Directive.
Advally relies on first party cookies that store a pseudonymous user identifier, session metadata, and bid history. It also reads and writes third party cookies belonging to its bidding partners, including Google Ad Manager, AppNexus (Xandr), and various supply side platforms. These identifiers are not strictly necessary for the website to function, so they require prior consent under Article 5(3) of the ePrivacy Directive and the case law of the European Court of Justice in Planet49.
Because Advally enables behavioural advertising, profiling, and onward sharing with bidders, the only realistic legal basis is the user''s explicit, granular, freely given consent under Article 6(1)(a) of the GDPR. Legitimate interest is not appropriate because the European Data Protection Board has repeatedly stated that behavioural advertising and tracking cookies cannot rely on Art. 6(1)(f). You must obtain consent before the Advally script is loaded, document that consent, and provide an equally easy way to withdraw it.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Bid requests and impression data may be transmitted to demand side platforms hosted in the United States or other third countries. Advally relies on Standard Contractual Clauses and, where applicable, the EU, US Data Privacy Framework to legitimise these transfers. As a controller, you remain responsible for documenting the chain of recipients and informing users that their personal data, including IP address and identifiers, may leave the European Economic Area.
Advally supports the IAB Europe Transparency and Consent Framework (TCF) v2.2. To stay compliant you must integrate a registered Consent Management Platform (CMP), pass the TC string to Advally before any auction starts, and respect global opt out signals such as the Global Privacy Control. Without a valid TC signal, Advally and its partners must default to a no consent state and refrain from setting non essential cookies.
Load the Advally tag only after a positive consent signal, declare every vendor activated through the platform in your cookie policy, keep an up to date record of consent for at least the duration of the cookies, and review the partner list every quarter. Pair Advally with a CMP that supports TCF v2.2, configure cookie expiration in line with the CNIL recommendation of thirteen months, and audit your site regularly with a tool such as Cookiebot scanner or the CNIL Cookieviz utility.
Websites using Advally must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Advally combines advertising identifiers, behavioural profiling, and data flows to numerous demand side platforms. The risks include large scale profiling under GDPR Art. 35(3)(b) and onward sharing with bidders located outside the EEA.
Sample consent text
We use Advally to optimise advertising on our website. With your consent, Advally and our advertising partners may set cookies, read identifiers, and share data with bidders in order to display relevant ads and measure their performance.
Third-party domains contacted
advally.iocdn.advally.iosync.advally.iolog.advally.iosecurepubads.g.doubleclick.netib.adnxs.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _av_uid | first_party | 12 months | Pseudonymous user identifier used for frequency capping and audience matching |
| _av_ssn | first_party | 30 minutes | Session identifier for the current auction window |
| _av_bidh | first_party | 30 days | Bid history and winning floor cache to optimise future auctions |
| _av_syncpid | third_party | 13 months | Cookie sync identifier shared with demand side platform partners |
| _av_tcf | first_party | 12 months | Stores the IAB TCF v2.2 consent string read by Advally before each auction |
| _av_optout | first_party | 5 years | Opt out flag used when the visitor refuses advertising cookies |
Advally places tracking cookies for advertising — comply with GDPR using FlowConsent.
Advally sets first party cookies such as _av_uid (pseudonymous user identifier, twelve months), _av_ssn (session identifier, thirty minutes), and _av_bidh (bid history, thirty days). It also reads third party cookies from header bidding partners including Google Ad Manager and AppNexus (Xandr) that may persist for up to two years.
Yes. Advally cookies and bid request data are not strictly necessary, so prior informed consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) of the GDPR. The Advally script must not load before the user accepts the advertising category in your consent banner.
The only valid legal basis is explicit consent under GDPR Art. 6(1)(a). Legitimate interest cannot be used for behavioural advertising and real time bidding, as confirmed by the European Data Protection Board and the Belgian DPA decision against IAB Europe in February 2022.
Yes. Bid requests and impression data are routinely shared with demand side platforms, many of which are hosted in the United States. Transfers rely on Standard Contractual Clauses and the EU, US Data Privacy Framework where the recipient is self certified. You must list these recipients in your privacy notice.
A Data Protection Impact Assessment is strongly recommended. Advally enables large scale profiling and shares personal data with numerous bidders, both criteria listed in the Article 29 Working Party guidelines on DPIAs and confirmed by national supervisory authorities such as the CNIL.
Pair Advally with a TCF v2.2 compatible Consent Management Platform, block the Advally script until a positive consent signal is received, pass the TC string to every auction, and document consent for the full duration of the cookies. Update the vendor list every quarter.
Contextual advertising tools such as Seedtag or Adnami, server side prebid solutions with minimal data sharing, and direct deals without persistent identifiers reduce the privacy footprint. None match the inventory monetisation of full programmatic, but they avoid the consent friction.
List Advally and every active TCF vendor in your cookie table, describe the purposes (ad delivery, frequency capping, measurement), give expected durations, and link to the Advally privacy policy. Refresh the table each time you change the vendor mix or onboard new SSPs.