Bidmatic is a header bidding wrapper and SSP that helps publishers monetise their inventory by connecting them to dozens of DSPs in real time. It places third-party cookies on bidmatic.io and synchronises cookies with multiple ad partners, enabling cross-site auctions and audience targeting. Because it relies on third-party advertising cookies and cookie syncing, prior consent is mandatory under GDPR and the ePrivacy Directive in Europe.
Bidmatic is a header bidding wrapper, supply-side platform (SSP) and ad ops partner for publishers worldwide. It exposes publisher inventory simultaneously to dozens of DSPs and SSPs (Google AdX, Index Exchange, OpenX, Pubmatic, Magnite, Criteo) through Prebid or Bidmatic's proprietary client-side and server-side bidding. Publishers use Bidmatic to maximise programmatic yield with minimal latency.
Bidmatic places third-party cookies (bm_uid, bm_session) on bidmatic.io and triggers cookie syncing with each connected DSP or SSP, propagating pseudonymous identifiers across dozens of advertising domains. The wrapper sends bid requests including IP address, user agent, geolocation, page URL, page categories, IAB TCF consent string and audience segments where consented.
Header bidding is one of the most regulated advertising mechanisms under GDPR. The Belgian DPA (APD) ruled in 2022 that the IAB TCF was not GDPR compliant in its previous form, prompting TCF v2.2. Bidmatic must propagate a valid TC string for every bid request and respect the consent signal in real time. Without consent, no bid request can be sent.
Use a TCF v2.2 certified CMP, gate the Bidmatic wrapper behind consent for purposes 1, 2, 3, 4, 7, 9 and 10 and the relevant vendors. Configure the wrapper to send TCF strings in the OpenRTB bid request and propagate gdpr=1, gdpr_consent=<TC string> on cookie sync calls. The CMP must offer reject as easily as accept.
Bidmatic operates from the US with EU edge nodes and routes bid requests to global DSPs. Transfers rely on the EU-US Data Privacy Framework where Bidmatic and partners are certified, and on SCCs as fallback. A Transfer Impact Assessment is recommended given exposure to US surveillance laws.
Sign the Bidmatic DPA, register Bidmatic and its connected vendors in your record of processing, configure the CMP for the vendor list, gate the wrapper behind consent, monitor for bid requests fired without a TC string and run a yearly DPIA review on cookie sync risks. Maintain a fallback path for users who refuse consent (contextual or no ad delivery).
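One way to run the monitoring step over a captured request log, as an added example (not Bidmatic's or FlowConsent's code): it flags any request to a bidmatic.io host fired before consent and any cookie sync call lacking gdpr=1 or a TCF v2 shaped gdpr_consent value. The entry format, the URL paths, the sample TC value and the treatment of sync.bidmatic.io as the cookie sync endpoint are assumptions.

```javascript
// Added example: audit captured requests for Bidmatic consent propagation.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const SYNC_HOST = "sync.bidmatic.io"; // assumed to serve the cookie sync calls

const isBidmaticHost = (h) => h === "bidmatic.io" || h.endsWith(".bidmatic.io");

// Shape check only: dot-separated base64url segments whose first 6 bits
// (the TCF version field) equal 2. It does not decode purposes or vendors.
function looksLikeTcfV2(tc) {
  return /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/.test(tc) && B64URL.indexOf(tc[0]) === 2;
}

// entry = { url, consented }: consented is the CMP state when the request fired.
function auditRequest(entry) {
  let url;
  try { url = new URL(entry.url); } catch { return "unparseable"; }
  if (!isBidmaticHost(url.hostname)) return "out-of-scope";
  if (!entry.consented) return "fired-without-consent";
  if (url.hostname !== SYNC_HOST) return "ok";
  if (url.searchParams.get("gdpr") !== "1") return "sync-missing-gdpr-flag";
  const tc = url.searchParams.get("gdpr_consent");
  if (!tc) return "sync-missing-tc-string";
  return looksLikeTcfV2(tc) ? "ok" : "sync-malformed-tc-string";
}

// Returns only the findings a reviewer needs to act on.
function auditCapture(entries) {
  return entries
    .map((e) => ({ url: e.url, verdict: auditRequest(e) }))
    .filter((r) => r.verdict !== "ok" && r.verdict !== "out-of-scope");
}

// Constructed sample capture; paths and the TC value are placeholders.
const SAMPLE_TC = "CQAAAAAAAAAAAAAAAAENAAAAAAAAAAAAAAAA";
const sampleCapture = [
  { url: "https://cdn.bidmatic.io/wrapper.js", consented: false },
  { url: `https://sync.bidmatic.io/sync?gdpr=1&gdpr_consent=${SAMPLE_TC}`, consented: true },
  { url: "https://sync.bidmatic.io/sync?partner=example", consented: true },
  { url: "https://sync.bidmatic.io/sync?gdpr=1&gdpr_consent=", consented: true },
  { url: "https://sync.bidmatic.io/sync?gdpr=1&gdpr_consent=BOexample", consented: true },
  { url: "https://notbidmatic.io/x", consented: false },
];

console.log(auditCapture(sampleCapture));
```

The TC check is a format sanity test; whether the string actually grants the purposes and vendors you gate on has to be verified with the CMP's own decoder.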
Websites using Bidmatic must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is mandatory. Header bidding cookie syncing distributes pseudonymous identifiers to dozens of DSPs and SSPs, generating systematic large scale monitoring of behaviour under Article 35 GDPR.
Sample consent text
We use Bidmatic and partner ad networks to monetise our content. With your consent, this places third party cookies and shares pseudonymous identifiers with our advertising partners for personalised ads and frequency capping. You can manage your preferences in the cookie settings.
Third-party domains contacted
- bidmatic.io
- cdn.bidmatic.io
- sync.bidmatic.io
- rtb.bidmatic.io

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| bm_uid | persistent | 12 months | Persistent third party identifier set by Bidmatic on bidmatic.io used for cross site auctions and cookie syncing with connected DSPs and SSPs. |
| bm_session | session | Session | Session level cookie tying ad auction context to the visitor browser while the Bidmatic wrapper is active on a page. |
| bm_cap | persistent | 6 months | Frequency capping cookie limiting how often a creative is delivered to the browser within a campaign window. |
Bidmatic places persistent third party cookies on bidmatic.io (bm_uid, bm_session) and triggers cookie syncing with each DSP and SSP it connects to, propagating pseudonymous identifiers across many ad domains.
Yes. Header bidding wrappers write non essential third party cookies and share identifiers with multiple advertising vendors. Article 5(3) ePrivacy and Article 6(1)(a) GDPR require prior, granular and informed consent.
Consent is the only valid basis for Bidmatic and the connected DSPs/SSPs. Legitimate interest is excluded for advertising cookies and cookie syncing per EDPB and CNIL guidance.
Yes. Bidmatic operates from the US with EU edge nodes. Bid requests are routed globally to DSPs. Transfers rely on the EU-US Data Privacy Framework when Bidmatic and partners are certified, and SCCs otherwise.
Yes. Header bidding distributes pseudonymous identifiers across dozens of vendors, qualifying as systematic large scale monitoring of behaviour under Article 35 GDPR.
Use a TCF v2.2 certified CMP, gate the wrapper on consent for relevant purposes and vendors, propagate the TC string in OpenRTB requests and cookie sync calls, sign the Bidmatic DPA, document vendors in your record of processing.
Alternatives include Prebid.js (open source, deployable on EU servers), Magnite, Pubmatic, OpenX, AdNuntius (NO), Smart AdServer (FR). EU based wrappers reduce US transfer exposure.
List Bidmatic as a header bidding processor, name cookies bm_uid and bm_session, retention up to 12 months, IAB TCF vendor reference, list of connected DSPs/SSPs, US data residency, EU US DPF and SCC reference, and link to the Bidmatic privacy policy.