Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Beeswax is a programmatic Demand Side Platform owned by Comcast that enables advertisers and agencies to buy display, video, audio and connected TV inventory through real time bidding. The platform fires tracking pixels, syncs cookies with supply side platforms and reads device identifiers, which qualifies it as both a tracking technology under the ePrivacy Directive and a personal data processor under the GDPR.
Beeswax is a programmatic Demand Side Platform owned by Comcast that enables advertisers, agencies and trading desks to buy display, mobile, video, audio and connected TV inventory through real time bidding auctions. Customers configure campaigns, bid logic, targeting and creatives, then the platform connects to multiple Supply Side Platforms and ad exchanges to acquire impressions on behalf of the brand.
When a Beeswax pixel or creative loads on a publisher page, the platform reads or sets a third party cookie that holds a Beeswax user identifier, performs cookie syncing with partner SSPs, records the IP address, the user agent, the URL of the page, the timestamp and contextual signals about the impression. For mobile inventory it reads the IDFA or AAID device advertising identifier. These identifiers are then used to enrich bidder logic with audience segments, frequency caps and conversion attribution.
The Belgian Data Protection Authority decision against IAB Europe in 2022 confirmed that the TC String of the Transparency and Consent Framework is personal data and that real time bidding participants are joint controllers. Beeswax must therefore receive a valid IAB TCF v2.2 signal that reflects the user choice, and the publisher must obtain prior, specific and informed consent under Article 5(3) of the ePrivacy Directive before any pixel or cookie is set. Without consent, Beeswax must not be loaded.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Beeswax is a Comcast subsidiary headquartered in New York and processes bid stream data on infrastructure located in the United States. The transfer relies on the EU US Data Privacy Framework when the importer is certified, otherwise on the European Commission Standard Contractual Clauses combined with a Transfer Impact Assessment that documents the risk of access by US authorities under FISA 702. Operators must inform users in the privacy notice and document supplementary measures such as encryption in transit and contractual restrictions.
Block all Beeswax pixels and cookie sync calls until consent is granted, route the user signal through a CMP that is certified for IAB TCF v2.2, restrict the list of vendors and purposes to what is strictly necessary, register Beeswax in your record of processing activities and your privacy notice, and verify that downstream partners receive the correct TC string. Define a retention period for advertising cookies, typically no longer than 13 months, and set up a process to honour data subject requests forwarded by Beeswax.
For lower risk programmatic buying, consider contextual demand side platforms that target keywords or page categories rather than user identifiers, EU based DSPs that keep data within the European Economic Area, or direct deals with publishers using server side data clean rooms. These options reduce reliance on cross site cookies and on third country transfers.
Websites using Beeswax must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is required because Beeswax processes large volumes of pseudonymous identifiers, performs cross site profiling for retargeting, integrates with bid stream partners and transfers personal data to the United States. The DPIA must address the legal basis, the data flows through the open RTB ecosystem, the role of Beeswax as processor or joint controller, the SCC framework and the safeguards against US government access requests.
Sample consent text
We use Beeswax to deliver and measure programmatic advertising. Beeswax stores cookies on your device, shares pseudonymous identifiers with advertising partners through real time bidding and transfers personal data to the United States. You can accept, refuse or withdraw your consent at any time in our privacy preferences.
Third-party domains contacted
beeswax.combidr.iodata.bidr.iomatch.bidr.iocdn.bidr.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| bee | third_party | 13 months | Pseudonymous Beeswax user identifier used to recognise the device across publisher sites for retargeting and frequency capping. |
| bid | third_party | 13 months | Bid identifier used to associate impressions with auctions and reconcile attribution across the supply chain. |
| uuid2 | third_party | 90 days | Cookie used during cookie syncing handshakes between Beeswax and partner Supply Side Platforms. |
| _bx_session | third_party | 30 minutes | Short lived session cookie that scopes the current bidding session to a single browsing visit. |
Beeswax places tracking cookies for advertising — comply with GDPR using FlowConsent.
Beeswax sets a third party cookie named bee that holds a pseudonymous user identifier with a typical lifetime of 13 months. It also writes shorter lived cookies for cookie syncing with partner SSPs. On mobile in app inventory, Beeswax reads device advertising identifiers (IDFA, AAID) instead of cookies. The full list of identifiers and durations is available in the Beeswax documentation and can be audited with browser developer tools.
Yes. Beeswax pixels and cookie sync calls store and read identifiers on the user device, which falls within Article 5(3) of the ePrivacy Directive. The 2022 IAB Europe decision also makes the bid stream itself a personal data flow. Prior, free, specific, informed and unambiguous consent must be obtained, signalled to Beeswax through a valid IAB TCF v2.2 TC string, before any pixel fires.
The legal basis is consent under Article 6(1)(a) GDPR. Legitimate interest cannot be relied on for advertising and audience targeting in this context, as confirmed by multiple supervisory authorities and by the Belgian DPA decision against IAB Europe. The consent must be granular per purpose and per vendor, and recorded in a TC string passed to Beeswax through the OpenRTB protocol.
Yes. Beeswax is a Comcast company headquartered in New York and processes bid stream data on US infrastructure. Transfers rely on the EU US Data Privacy Framework when applicable, otherwise on Standard Contractual Clauses combined with a Transfer Impact Assessment that addresses the risk of US government access requests under FISA 702 and Executive Order 12333.
Yes. The processing scores high on multiple criteria from the European Data Protection Board guidelines on DPIA: large scale processing, systematic monitoring through cross site tracking, automated decision making in bid logic, profiling and international transfers. A DPIA is therefore required under Article 35 GDPR.
Block all Beeswax tags by default, integrate a CMP certified for IAB TCF v2.2, route the TC string in every OpenRTB request, sign a Data Processing Agreement and SCCs with Beeswax, restrict purposes and vendors in your CMP configuration, document everything in your record of processing activities and your privacy notice, and set up a process for handling data subject requests forwarded by Beeswax.
Contextual DSPs that target page content rather than user identifiers, EU based programmatic platforms that keep data within the EEA, or direct deals with publishers using server side data clean rooms. These options reduce the dependence on third party cookies, on cross site tracking and on US transfers, lowering the GDPR risk profile.
List the bee cookie and the cookie syncing identifiers in your cookie table with provider, purpose and retention. Mention the role of the IAB TCF and the bid stream, the transfer to the United States and the legal mechanism. Increment the version of the cookie policy and trigger a fresh consent prompt for existing visitors so that previously stored consent is renewed against the new processing.