Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AppNexus is a programmatic advertising platform combining an ad exchange, an SSP for publishers, and a DSP for advertisers. After being acquired by AT&T in 2018 and merged into Xandr, it was sold to Microsoft in 2022 and now operates as part of Microsoft Advertising (Xandr). It participates in the OpenRTB bid stream, sets advertising identifier cookies (anj, uuid2), and matches user IDs with hundreds of partners. Because it powers real time advertising auctions with user data, deploying AppNexus tags on EU traffic requires explicit consent under the GDPR, the ePrivacy Directive and the IAB TCF v2.2 framework.
AppNexus is a programmatic advertising technology stack founded in 2007. It was acquired by AT&T in 2018, rebranded as Xandr in 2019, and sold to Microsoft in 2022. Today it operates as the technical core of Microsoft Advertising, providing an ad exchange (the Xandr Monetize SSP), a demand side platform (Xandr Invest DSP), and identity and audience services.
On publisher websites, AppNexus is loaded through the prebid wrapper or directly via a JavaScript pixel from secure.adnxs.com. Bid requests are then sent through OpenRTB to participating buyers in real time auctions.
Each bid request contains the user IP, User Agent, page URL, page metadata, ad slot information, approximate geolocation, the user advertising ID (anj cookie, uuid2 cookie or device ID on apps), and the TCF v2.2 consent string. Audience segment IDs, custom data points and authenticated user IDs (UID 2.0) may also be included depending on the publisher configuration.
Cookies are set on the third party domain adnxs.com: anj (advertising ID, ~3 months), uuid2 (cross site ID, ~3 months), uids (cookie sync state). These cookies are exposed across the network of partners using AppNexus, enabling cross site profiling.
AppNexus is registered in the IAB Europe TCF v2.2 Global Vendor List. Publishers must transmit a valid TC string covering the purposes 1 to 4 and 7 to 10, plus the special features the vendor declares. Without consent for these purposes, AppNexus must not be loaded or sent bid requests.
The Belgian Data Protection Authority ruled in 2022 that the TCF mechanism is itself a processing of personal data under GDPR, leading IAB Europe to update the framework to v2.2 in 2023. Compliance still requires careful vendor selection and clear, granular consent UX.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
AppNexus and Xandr are part of Microsoft, a US controller. Bid request data is sent to Microsoft servers in the United States under Standard Contractual Clauses and the EU US Data Privacy Framework. Microsoft is a certified DPF participant, which provides a partial safeguard, but a Transfer Impact Assessment under Schrems II remains required for the publisher.
Onward transfers to bidding partners in the OpenRTB chain often involve multiple US, UK and EU recipients. The publisher remains responsible for documenting this chain in the privacy notice and the records of processing.
A DPIA is required given the systematic monitoring, scale, and high risk profiling involved in programmatic advertising. The DPIA must address audience segment categorisation (avoid Art. 9 content unless explicit consent is collected), the OpenRTB fan out, the vendor list management, and the cross border transfer chain.
Recent enforcement (CNIL Criteo decision, ICO investigations into AdTech) shows that DPAs are actively scrutinising programmatic ad chains and expect publishers to take responsibility for downstream practices.
Register AppNexus (Xandr) in your TCF v2.2 CMP. Sign the Microsoft Online Services DPA. Defer adnxs.com requests until explicit consent. Audit your prebid configuration to limit the list of bidders to those strictly necessary. Disclose AppNexus in the privacy notice with purposes, lifetimes, and US transfer information.
Implement Global Privacy Control signal handling, configure ad slot level consent in prebid, and review the DPIA at least annually. For sensitive content categories, exclude AppNexus loading entirely on those pages.
Websites using AppNexus must obtain user consent under GDPR regulations.
DPIA considerations
AppNexus, operating as part of Microsoft Advertising, is a high impact processor in the programmatic advertising chain. Key DPIA considerations: (1) the OpenRTB bid request includes the visitor IP address, User Agent, page URL, viewport, geolocation, and any audience segments shared by the publisher; this data is broadcast to dozens or hundreds of bidders in real time, creating a fan out problem documented by the IAB Europe TCF complaints; (2) the anj cookie is a third party advertising cookie that enables cross site tracking across the AppNexus network; (3) audience activation may involve special category content (Art. 9 GDPR), which is prohibited under standard consent without an Art. 9(2) basis; (4) US storage triggers Schrems II requirements; (5) the recent Belgian DPA decision against IAB Europe and the CNIL enforcement against bid stream practices must be considered when defining the legal basis; (6) automated bid decisions may fall within Art. 22 GDPR for high value or repeated transactions.
Sample consent text
We use AppNexus (Xandr, part of Microsoft Advertising) to deliver and measure advertising on this site. With your consent, AppNexus sets advertising cookies on your device (anj, uuid2) and shares bid request data with our advertising partners through real time auctions. Some of this data is transferred to Microsoft servers in the United States under Standard Contractual Clauses. You can refuse advertising in our consent banner.
Third-party domains contacted
adnxs.comsecure.adnxs.comib.adnxs.comxandr.comappnexus.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| anj | Marketing | 3 months | Persistent advertising identifier set on the third party adnxs.com domain. Used to recognise visitors across the AppNexus network and to participate in real time advertising auctions. |
| uuid2 | Marketing | 3 months | Cross site visitor identifier used for audience matching, frequency capping, and bid stream participation. |
| uids | Marketing | 3 months | Stores the state of cookie sync operations performed with other adtech vendors as part of cookie matching tables. |
| icu | Marketing | 3 months | Used for impression and conversion tracking within the AppNexus / Xandr platform. |
| usersync | Marketing | 3 months | Helper cookie used during the cookie matching handshake with partner SSPs and DSPs. |
AppNexus places tracking cookies for advertising — comply with GDPR using FlowConsent.
AppNexus sets third party cookies on adnxs.com, the most common being anj (advertising identifier, ~3 months), uuid2 (cross site visitor identifier, ~3 months), and uids (cookie sync state with other adtech vendors). On mobile apps the equivalent is the device advertising ID. None of these are strictly necessary and all require consent.
Yes, in any EU deployment. AppNexus cookies and the OpenRTB bid request both qualify as advertising profiling under Art. 5(3) ePrivacy and §25 TTDSG. The TCF v2.2 framework requires explicit consent for purposes 1 to 4 and 7 to 10 before any data is shared. The CJEU ruling C 252/21 confirmed that legitimate interest is not available for behavioural advertising.
Consent (Art. 6(1)(a) GDPR) is the only safe basis. Contractual necessity does not apply because advertising is not necessary to perform the website service. Legitimate interest has been rejected by multiple DPAs for ad targeting. The CMP must transmit a TC string with purposes consented before any AppNexus call.
Yes. As part of Microsoft, AppNexus processes data in the United States under SCCs and the EU US Data Privacy Framework. Microsoft Corporation is a certified DPF participant. Onward transfers in the OpenRTB chain often include US, UK and EU recipients, all of which must be documented by the publisher.
Yes, in nearly all cases. Programmatic advertising involves large scale systematic monitoring and profiling, meeting EDPB criteria for high risk. The DPIA must cover audience segment categories, the OpenRTB fan out, vendor list management, US transfers, and Art. 22 GDPR considerations for automated bidding.
Register AppNexus (Xandr) as a vendor in your TCF v2.2 CMP. Sign the Microsoft Online Services DPA. Defer adnxs.com calls until consent. Limit your prebid bidder list to those strictly necessary. Configure ad slot level consent and honour Global Privacy Control. Document the full chain of recipients in your privacy notice.
Major SSPs and exchanges: Google Ad Manager, Magnite, PubMatic, Index Exchange, OpenX, Sovrn. DSPs: The Trade Desk, MediaMath, DV360, Adform. EU based: Adform (Denmark), Smartclip, AppNexus is closely tied to Microsoft Advertising, so consider Microsoft Advertising directly as the default replacement.
List the AppNexus cookies (anj, uuid2, uids) with provider (Xandr Inc., a Microsoft company, United States), purpose (programmatic advertising and audience matching), lifetime (~3 months), and category (Marketing). Disclose the US transfer, the TCF v2.2 consent mechanism, and the downstream OpenRTB partners. Link the Xandr privacy policy.