Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Amazon Ads is the advertising suite of Amazon (Sponsored Products, Sponsored Display, Amazon DSP, Amazon Marketing Cloud). Uses cross site cookies and hashed identifiers to match website visitors with Amazon shoppers for retargeting and measurement. Requires consent under GDPR.
Amazon Ads is the advertising suite of Amazon: Sponsored Products and Sponsored Brands inside the Amazon marketplace, Sponsored Display across Amazon properties and third party sites, Amazon DSP for programmatic media buying, Amazon Marketing Cloud for clean room analytics, and the Amazon Advertising Pixel and Conversion API to import off Amazon events. Together they let advertisers reach and measure Amazon shoppers and lookalike audiences with deep behavioural data.
The Amazon Advertising Pixel writes the ad-id cookie (13 months, advertising identifier) and ad-privacy (consent state), plus session cookies during the matching flow on amazon-adsystem.com. The Conversion API sends server side events containing hashed email, phone, IP and user agent to Amazon. The data feeds the Amazon shopper identity graph, retargeting audiences and Amazon Marketing Cloud clean room. Audience matching exposes the publisher to joint controllership under GDPR art. 26.
Consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is mandatory for the Pixel cookies and for the Conversion API events containing hashed PII. The CJEU Fashion ID line of cases imposes joint controllership between the publisher and Amazon EU SARL for the audience match step. The joint controllership agreement under GDPR art. 26 must be signed and the essence published in the privacy notice. Amazon supports the IAB TCF v2.2 signal and Google Consent Mode.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Although the storefront and pixel endpoints have European fallbacks (eu-west-1 Ireland, eu-central-1 Frankfurt), the Amazon advertising identity graph and the bid signals are processed centrally in the United States. Amazon is certified under the EU US Data Privacy Framework and uses the 2021 Standard Contractual Clauses as fallback. A Transfer Impact Assessment is required, especially because amazon-adsystem.com traffic flows freely to the US.
Load the Amazon Advertising Pixel only after marketing consent, hash all PII before sending to the Conversion API, sign the Amazon Ads joint controllership agreement, document the cooperation in the privacy notice, integrate with your CMP via TCF and Consent Mode, set up the Amazon Privacy Portal flow for data subject requests, document the legal basis for each audience activated, and reduce retention to the minimum needed for attribution.
Websites using Amazon Ads must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Amazon Ads creates behavioural advertising profiles, performs identity matching with the Amazon shopper graph, transfers data to the United States and may trigger automated decisions about ad serving. The DPIA should cover the joint controllership boundary, the hashed PII flowing into the Conversion API, the retention of the audience match, the rights to access and erasure on the Amazon Privacy Portal and the integration with the IAB TCF and Amazon TCF signal.
Sample consent text
We use Amazon Ads to measure the impact of our advertising on Amazon and to show personalised ads. The Amazon Ads Pixel writes cookies on your device (ad-id, ad-privacy) and our server sends Amazon hashed information about purchases or page views via the Conversion API. Amazon may match this data with its own data on Amazon.com to build advertising audiences. Data may be processed in the United States under the EU US Data Privacy Framework. You can accept, refuse or withdraw at any time.
Third-party domains contacted
amazon-adsystem.coms.amazon-adsystem.comaax.amazon-adsystem.comaax-eu.amazon-adsystem.comfls-eu.amazon.comassoc-amazon.comadvertising.amazon.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ad-id | Third party (amazon-adsystem.com) | 13 months | Amazon advertising identifier used to track the visitor across the open web for retargeting, audience matching and conversion attribution |
| ad-privacy | Third party (amazon-adsystem.com) | 5 years | Stores the visitor advertising consent state communicated to Amazon Ads |
| _aaxsc | Third party (amazon-adsystem.com) | 90 days | Session continuity identifier used by Sponsored Display retargeting |
| _abv | Third party (amazon-adsystem.com) | 90 days | Behavioural identifier used by Sponsored Display to build retargeting and lookalike audiences |
| session-id | Third party (amazon.com) | Up to 14 years | Amazon shopper session identifier used in the audience match step on amazon.com |
Amazon Ads places tracking cookies for advertising — comply with GDPR using FlowConsent.
The Amazon Advertising Pixel sets ad-id (13 months, advertising identifier), ad-privacy (consent state), various session cookies on amazon-adsystem.com during matching, plus the Amazon Marketing Cloud identifier when AMC is active. The Sponsored Display retargeting tag sets _aaxsc and _abv (90 days, behavioural identifier).
Yes, mandatory. The pixel cookies and the Conversion API events that send hashed PII are subject to ePrivacy art. 5(3) and GDPR art. 6(1)(a). Legitimate interest cannot be used because Amazon Ads performs behavioural advertising and identity matching.
Consent (GDPR art. 6(1)(a)) for the cookies and matching events. Joint controllership (art. 26) between the publisher and Amazon EU SARL for the audience match per the CJEU Fashion ID case law. Both must be signed and the joint controllership essence published.
Yes. The Amazon advertising identity graph and the bid signals run on AWS US East. Amazon is certified under the EU US Data Privacy Framework. The 2021 SCCs are used as a fallback. A Transfer Impact Assessment must accompany the deployment.
Yes. Profiling for advertising, identity matching with the Amazon shopper graph, transfers to the US and potential automated decisions on ad delivery meet several DPIA criteria in the EDPB list. Document scope, hashing, retention and the rights to access and erasure.
Load the Pixel after marketing consent, hash all PII before Conversion API calls, integrate with your CMP via IAB TCF v2.2 and Google Consent Mode v2, sign the joint controllership agreement, surface it in the privacy notice, route data subject requests via the Amazon Privacy Portal, and configure the strictest data minimisation in Amazon Marketing Cloud.
Other retail media networks: Criteo Retail Media (EU based), Walmart Connect, Carrefour Links (France), Tesco Media (UK), Ahold Delhaize Media. For general programmatic without Amazon dependency: The Trade Desk, Xandr (Microsoft), Google DV360, Adform (Denmark), StackAdapt. None remove the consent obligation under EU law.
List Amazon Ads as a joint controller, declare the ad-id and ad-privacy cookies with retention, mention the Conversion API server side flow and the hashing, disclose the US transfers under the Data Privacy Framework, link to the Amazon Privacy Portal and provide an easy way to withdraw consent.