Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Amazon Advertising is Amazon's suite of advertising products for brands and sellers. It covers Sponsored Ads on Amazon.com, the Amazon DSP for programmatic display and video advertising, and the Amazon Advertising Pixel deployed on advertisers' websites for conversion tracking and audience building. The pixel sets persistent cookies and transmits user behaviour to Amazon Advertising LLC in the United States. It requires consent under GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3).
Amazon Advertising is the umbrella name for Amazon''s family of advertising products, operated by Amazon Advertising LLC in the United States with EU operations through Amazon EU SARL in Luxembourg. The main components are: Sponsored Ads (search and product placements inside Amazon.com), Amazon DSP (programmatic demand side platform for buying display and video inventory across Amazon owned and partner sites), Amazon Attribution (cross channel measurement of ad performance, also used outside Amazon properties), and the Amazon Advertising Pixel (also called Amazon Tag or Amazon Conversions Pixel), a JavaScript tracker that advertisers place on their own website to measure conversions and build audiences.
The Amazon Advertising Pixel writes the ad-id cookie (Amazon Advertising Cookie ID, 13 month lifetime) on the visitor''s device, the ad-privacy cookie (consent and TCF signal mirror, 13 months), and reads the visitor''s Amazon account session cookie when available. On each page load it transmits the URL, referer, user agent, page type (product, cart, purchase), product identifiers, transaction value and any custom conversion parameters configured by the advertiser. The pixel uses a fetch() or img request to amazon-adsystem.com or s.amazon-adsystem.com. When the visitor is logged into Amazon, the events are joined to the Amazon account identity for cross device tracking.
Because the pixel writes cookies that are not strictly necessary, ePrivacy Directive Art. 5(3) requires prior informed consent before the script may run. Under the GDPR, the same processing requires a valid lawful basis, which in the consumer web context is consent under Art. 6(1)(a). The Amazon Advertising Cookie ID is a persistent online identifier and is personal data within the GDPR scope. The data transfer to Amazon Advertising LLC in the US must be supported by a transfer mechanism (EU US Data Privacy Framework or Standard Contractual Clauses) and a Transfer Impact Assessment under Schrems II. Operators should also be aware that Amazon is designated as a Very Large Online Platform (VLOP) under the EU Digital Services Act, which brings additional transparency obligations.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Amazon operates a global identity graph that links Amazon Advertising Cookie IDs to Amazon account holders and to inferred audience segments. For logged in Amazon shoppers, this means an event on an advertiser''s website can be deterministically attributed to the same person who is logged into Amazon.com or Prime Video. The European Data Protection Board has flagged similar cross device, cross site identity graphs as high risk processing. The EDPB and CNIL also recommend running a DPIA for any large scale online tracking, which clearly applies to Amazon Advertising deployments.
Amazon offers a server side equivalent of the pixel called the Amazon Conversions API. Server side delivery reduces reliance on client side cookies and bypasses some ad blockers, but the underlying personal data still flows to Amazon Advertising LLC, so the legal basis remains consent and the transfer assessment remains required. Server side delivery is a useful complement to the client side pixel, not a replacement for consent. Sites combining the pixel with the Conversions API should use the same consent signal to gate both paths.
Gate the Amazon Advertising Pixel behind a Consent Management Platform with granular advertising consent, no firing before consent. Sign Amazon''s Advertising Data Processing Addendum and Standard Contractual Clauses. Document the pixel in the record of processing, including the Amazon Advertising Cookie ID, the data transferred, the legal basis (consent), the retention period and the transfer mechanism. Run a Transfer Impact Assessment focused on US CLOUD Act and FISA 702 exposure. List ad-id and ad-privacy cookies in the cookie policy under marketing/advertising. Update the privacy notice to reflect Amazon as a recipient and the VLOP transparency obligation.
Websites using Amazon Advertising must obtain user consent under GDPR regulations.
DPIA considerations
The Amazon Advertising Pixel writes the ad-id cookie (Amazon Advertising Cookie ID) and ad-privacy cookie (TCF and consent state) on the operator's domain or directly on amazon-adsystem.com depending on configuration. DPIA considerations: (1) the Amazon Advertising Cookie ID is a persistent online identifier under the GDPR and is linked to the visitor's Amazon account when the visitor is logged in to Amazon, enabling cross device and cross site profiling; (2) data is transferred to Amazon Advertising LLC in the United States for audience syncing and identity resolution, requiring a Schrems II Transfer Impact Assessment; (3) Amazon operates a global identity graph that joins advertising signals with Amazon.com shopping behaviour, which is a sensitive data combination from a profiling perspective; (4) the pixel can be deployed in server side mode (Amazon Conversions API) which reduces client side cookie reliance but still transfers personal data to Amazon; (5) under the EU Digital Services Act, very large online platforms (Amazon is a designated VLOP) must provide additional transparency on advertising algorithms, which advertisers should reference in their own privacy notices. A DPIA is recommended for any non trivial deployment.
Sample consent text
We use the Amazon Advertising Pixel from Amazon Advertising LLC to measure the effectiveness of our advertising on Amazon and to build audiences for retargeting. The pixel places persistent cookies on your device (ad-id, ad-privacy) and shares your interaction with Amazon in the United States. If you are logged in to your Amazon account, the data may be associated with your account for personalisation. We rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via our cookie settings.
Third-party domains contacted
amazon-adsystem.coms.amazon-adsystem.comaax.amazon-adsystem.comadvertising.amazon.comfls-eu.amazon.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ad-id | Marketing / Advertising | 13 months | Set by the Amazon Advertising Pixel. The Amazon Advertising Cookie ID, a persistent online identifier used to recognise the visitor across sessions and across sites for conversion tracking, audience building and ad targeting. |
| ad-privacy | Marketing / Advertising | 13 months | Set by the Amazon Advertising Pixel. Mirrors the visitor's consent and TCF v2.2 signal so that the pixel can decide whether to fire and Amazon downstream services can read the consent state. |
| session-id | Marketing / Advertising | 1 day | Set by Amazon when the visitor is logged into an Amazon property. Links activity on the advertiser's site to the visitor's Amazon account identity for cross device measurement. |
| ubid-acbXX | Marketing / Advertising | 20 years | Set by Amazon. Persistent Amazon device identifier, used to recognise the same browser across very long periods. Often surfaces in cookie scans of pages that load Amazon scripts. |
| aws-target-data | Marketing / Advertising | 13 months | Set by the Amazon Advertising Pixel. Stores targeting parameters and audience segment associations used by Amazon DSP for retargeting campaigns. |
Amazon Advertising places tracking cookies for advertising — comply with GDPR using FlowConsent.
The Amazon Advertising Pixel sets the ad-id cookie (Amazon Advertising Cookie ID, 13 month lifetime), the ad-privacy cookie mirroring the consent and TCF state (13 months), and may set additional cookies for conversion deduplication. Cookies can be first party on the operator's domain (server side mode) or third party on amazon-adsystem.com (client side mode).
Yes. The pixel writes cookies that are not strictly necessary, so prior informed consent under ePrivacy Art. 5(3) is required. The Amazon Advertising Cookie ID is a persistent online identifier, so GDPR Art. 6(1)(a) consent applies. No firing of the pixel before consent.
Consent (GDPR Art. 6(1)(a)) for cookies used to track conversions, build audiences and target ads. Legitimate interest under Art. 6(1)(f) is not available for cross site behavioural tracking under EDPB and CNIL guidance.
Yes. Personal data is transferred to Amazon Advertising LLC in the United States. Amazon self certifies under the EU US Data Privacy Framework and offers SCCs for fallback. A Transfer Impact Assessment is required, particularly because Amazon is exposed to US CLOUD Act and FISA 702.
A DPIA is strongly recommended. The processing combines persistent online identifiers, behavioural profiling, cross device tracking through Amazon account binding, and US data transfer. All four factors are flagged as high risk by EDPB guidance, and the DPIA threshold under GDPR Art. 35 is typically met.
Gate the pixel behind a Consent Management Platform with granular advertising consent, no firing before consent. Use server side delivery (Amazon Conversions API) for improved measurement but apply the same consent gate. Sign Amazon's Advertising DPA and SCCs. Document the processing in the record of processing. Run a Transfer Impact Assessment. List ad-id and ad-privacy cookies under marketing/advertising in the cookie policy.
Other advertising and conversion tracking products include Google Ads (Google), Meta Ads (Meta Pixel), Microsoft Advertising, TikTok Ads, Pinterest Ads, Snapchat Ads, Criteo, Outbrain and Taboola. EU based alternatives include AdAlliance, Yieldlove, GroupM and various TCF compliant SSPs and DSPs. All have similar consent and transfer requirements; the choice is more about ad effectiveness than privacy posture.
List ad-id and ad-privacy cookies under marketing/advertising cookies, with their 13 month duration. Name Amazon Advertising LLC as the data recipient in the privacy notice, declare the US transfer under the EU US Data Privacy Framework or SCCs, and mention Amazon's VLOP transparency obligation under the Digital Services Act. Provide a working withdrawal link in the footer that reopens the consent banner.