Connexity is a US-based shopping and performance marketing platform owned by Taboola. It drives product traffic to retailers via comparison shopping search and places tracking pixels and third-party cookies on merchant sites to attribute clicks and conversions.
Connexity is a US-based shopping and performance marketing network that connects retailers with shoppers through comparison shopping engines, product listings and affiliate-style placements. Originally Shopzilla and later rebranded as Connexity, the company was acquired by Taboola in 2020 and now operates as part of the Taboola group. Connexity is the data controller or processor depending on the deployment, and infrastructure is hosted primarily in the United States on AWS.
When a shopper clicks a Connexity placement, the click is tagged with an identifier and forwarded to the retailer. A JavaScript pixel or tag deployed on the merchant site fires on order confirmation pages and reports the conversion back. Third-party cookies set on the connexity.net domain (and related subdomains) tie the click to the order. A server-side postback API is also available so merchants can confirm conversions without relying on cookies in the browser.
Connexity processes IP address, user agent, click identifier, referring URL, landing page, order value, order identifier, product identifier and a cookie identifier persisted in the browser. Combined across many retailer properties, this can amount to a behavioural profile of shopping intent and purchases, which is why the activity is treated as non-essential marketing under GDPR and ePrivacy.
The storage of and access to information on the user device requires prior consent under Art 5(3) of the ePrivacy Directive, transposed by TTDSG in Germany, the LCEN/CNIL guidelines in France and the LSSI in Spain. The underlying processing of the resulting personal data relies on Art 6(1)(a) GDPR consent. Legitimate interest under Art 6(1)(f) is not a safe basis for setting marketing cookies, although it can support narrow downstream attribution analytics performed on data already lawfully collected.
Connexity transfers personal data to the United States. Where Taboola/Connexity is certified under the EU US Data Privacy Framework, transfers may rely on the adequacy decision of July 2023. Otherwise Standard Contractual Clauses with a transfer impact assessment apply. Document the transfer tool in your records of processing and inform users in the privacy notice.
Gate the Connexity pixel and conversion tag behind a certified consent management platform. Default to no tracking until the user opts in. Use Google Consent Mode v2 or an equivalent signal so that pageviews fire only when ad_storage and ad_user_data are granted. Provide a granular reject all option, log proof of consent, refresh consent at least every twelve months and document the choice of legal basis, retention and transfer mechanism in your privacy notice and DPIA.
Websites using Connexity must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended where Connexity is deployed at scale across multiple retailer properties. Key risks include third country transfers to the United States, cross site attribution that may amount to large scale profiling under Art 35(3)(b) GDPR, and reliance on third party cookies that face increasing browser restrictions. Document the lawful basis, retention periods, and CMP configuration.
Sample consent text
We use Connexity (Taboola) marketing cookies to measure clicks and purchases that result from shopping comparison ads. These cookies share data with Connexity in the United States. You can accept, refuse or change your choice at any time in cookie settings.
Third-party domains contacted
connexity.net
tracking.connexity.com
pixel.connexity.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cnx_uid | marketing | 1 year | Persistent user identifier set on the connexity.net domain to recognise the visitor across retailer sites for attribution and frequency capping. |
| cnx_click | marketing | 30 days | Stores the most recent click identifier used to attribute a subsequent conversion to the originating Connexity placement. |
| _cnx_session | technical | session | Short lived session cookie used by the Connexity tracking script to maintain state during a single browsing session. |
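
A way to verify the gating, as an added example that is not Connexity or CMP vendor code: record the requests and cookies a fresh browser profile produces before any consent choice, then check them against the domains and cookie names listed above. The capture format, the function names and the sample capture are assumptions made for this example.

```javascript
// Added example. Domains and cookie names are the ones listed on this page;
// the capture at the bottom is constructed sample data.
const CONNEXITY_DOMAINS = ["connexity.net", "tracking.connexity.com", "pixel.connexity.com"];
const CONNEXITY_COOKIES = new Map([
  ["cnx_uid", "marketing"],
  ["cnx_click", "marketing"],
  ["_cnx_session", "technical"],
]);

// Match the domain itself or a subdomain, on a dot boundary only,
// so "notconnexity.net" is not treated as connexity.net.
function isConnexityHost(host) {
  const h = host.toLowerCase().replace(/^\./, "").replace(/\.$/, "");
  return CONNEXITY_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// capture: { requests: [url, ...], cookies: [{ name, domain }, ...] } recorded
// in a fresh browser profile before any consent choice was made.
function auditPreConsent(capture) {
  const findings = [];
  for (const url of capture.requests) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      findings.push({ kind: "unparsable-url", detail: url });
      continue;
    }
    if (isConnexityHost(host)) findings.push({ kind: "request", detail: host });
  }
  for (const { name, domain } of capture.cookies) {
    if (CONNEXITY_COOKIES.has(name) || isConnexityHost(domain)) {
      const type = CONNEXITY_COOKIES.get(name) || "unlisted";
      findings.push({ kind: "cookie", detail: `${name} (${type}) on ${domain}` });
    }
  }
  return findings;
}

// Constructed capture: one pixel request and one identifier cookie leak through.
const SAMPLE_CAPTURE = {
  requests: [
    "https://shop.example/checkout/confirmation",
    "https://pixel.connexity.com/constructed-path?order=123",
    "https://notconnexity.net/lookalike.js",
  ],
  cookies: [{ name: "cnx_uid", domain: ".connexity.net" }, { name: "cart", domain: "shop.example" }],
};
console.log(auditPreConsent(SAMPLE_CAPTURE));
```

An empty result for a pre-consent capture is the expected state; any finding means a tag or cookie escaped the consent gate.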
Connexity sets third party cookies on the connexity.net domain to store a user identifier and a click identifier used for attribution. Typical cookies include cnx_uid for user identification (up to one year), cnx_click for the most recent click (around thirty days), and a session cookie used by the tracking script. Additional cookies may be set by Taboola owned domains when those services are bundled.
Yes. Connexity tracking is non essential marketing activity. Article 5(3) of the ePrivacy Directive and national transpositions (TTDSG in Germany, CNIL guidelines in France, LSSI in Spain) require prior, informed and freely given consent before any Connexity tag fires or any cookie is read or written. Default to no tracking until the user opts in through your CMP.
For setting and reading cookies the only safe basis is Art 6(1)(a) GDPR consent, mirroring the ePrivacy requirement. Legitimate interest under Art 6(1)(f) is not appropriate for marketing cookies. It may support narrow downstream attribution analytics on data already lawfully collected, but it cannot replace consent for the cookie storage step.
Yes. Connexity is a US company and now part of Taboola, with primary hosting in the United States. Transfers rely on the EU US Data Privacy Framework when Taboola/Connexity is certified, otherwise on Standard Contractual Clauses with a transfer impact assessment. The transfer must be disclosed in the privacy notice and documented in the records of processing.
A DPIA is recommended and often required where Connexity is deployed at scale across multiple retailer properties, because the activity involves systematic monitoring and large scale processing for behavioural attribution within the meaning of Article 35(3)(b) GDPR. Document the purposes, data flows, lawful basis, retention periods, third country transfers and mitigations including CMP gating.
Load the Connexity pixel through your tag manager and gate it behind a certified CMP. Use Google Consent Mode v2 or equivalent so the tag only fires when ad_storage and ad_user_data are granted. Provide a reject all option that is as prominent as accept all. Log proof of consent, refresh it at least every twelve months, and document the choice of legal basis, retention and transfer mechanism.
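
The gating logic described here and in the consent guidance earlier on the page, as an added example that is not FlowConsent, Google or Connexity code: a default-denied gate that lets the conversion tag fire only while both ad_storage and ad_user_data are granted and the recorded choice is under twelve months old. `createConsentGate`, `fireTag`, `injectScript` and the pixel URL are hypothetical names and placeholders.

```javascript
// Added example. Only the signal names ad_storage / ad_user_data and the
// twelve-month refresh come from this page; every other name is hypothetical.
const REQUIRED_SIGNALS = ["ad_storage", "ad_user_data"];
const MAX_CONSENT_AGE_MS = 365 * 24 * 60 * 60 * 1000;
const PIXEL_SRC = "https://pixel.example.invalid/placeholder.js"; // placeholder, not a real tag URL

function createConsentGate({ fireTag, now = () => Date.now() }) {
  // Default to no tracking until the user opts in.
  const state = { ad_storage: "denied", ad_user_data: "denied" };
  const log = []; // proof-of-consent records, one per choice
  let decidedAt = null;

  function allowed() {
    const fresh = decidedAt !== null && now() - decidedAt < MAX_CONSENT_AGE_MS;
    return fresh && REQUIRED_SIGNALS.every((s) => state[s] === "granted");
  }

  // Record a CMP choice. Anything other than the literal "granted" is denied,
  // so a missing or malformed signal can never enable tracking.
  function update(choice) {
    for (const s of REQUIRED_SIGNALS) {
      state[s] = choice && choice[s] === "granted" ? "granted" : "denied";
    }
    decidedAt = now();
    log.push({ at: new Date(decidedAt).toISOString(), choice: { ...state } });
    return allowed();
  }

  // Called where the conversion tag would run (e.g. order confirmation).
  function fire(event) {
    if (!allowed()) return false;
    fireTag(event);
    return true;
  }

  return { update, fire, allowed, log };
}

// Browser wiring (hypothetical): the tag is injected only through the gate.
function injectScript(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
// const gate = createConsentGate({ fireTag: () => injectScript(PIXEL_SRC) });
```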
Alternatives include Skimlinks and Sovrn Commerce for content monetisation, Awin for traditional affiliate marketing, and first party affiliate tracking using UTM parameters with a server side measurement endpoint you control. None of these remove the need for consent when third party cookies are involved, but first party UTM based tracking can reduce the reliance on cross domain identifiers.
Update the cookie policy whenever you add or remove Connexity, when cookie names, durations or purposes change, when Connexity updates its sub processors or transfer mechanism, and at least annually as part of a documented review. Notify users of material changes and refresh consent in your CMP so previously collected choices are revalidated.