Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
DoubleClick is Google's legacy advertising technology stack, now reorganised under the Google Marketing Platform umbrella which groups Display and Video 360, Campaign Manager 360, Search Ads 360, Google Ad Manager and Studio. The doubleclick.net and g.doubleclick.net domains still serve third party advertising cookies such as IDE, DSID and test_cookie used for ad serving, remarketing audiences, frequency capping, view through and click through conversion tracking, and cross site ad personalisation. Under GDPR, ePrivacy and CNIL guidelines this is a high risk advertising tracker that requires strict prior, free, specific, informed and unambiguous opt in consent before any tag fires.
DoubleClick was historically Google''s flagship advertising technology brand, acquired in 2008. Since 2018 Google retired the DoubleClick consumer brand and reorganised the products into two umbrellas. Google Marketing Platform groups advertiser side tools such as Display and Video 360 (programmatic buying), Campaign Manager 360 (ad serving and measurement), Search Ads 360 (multi engine search bidding) and Studio (rich media). Google Ad Manager groups publisher side ad serving and SSP capabilities. Despite the rebrand, the underlying ad delivery infrastructure still uses the historical doubleclick.net technical domain to serve creatives, fire conversion pixels, store advertising cookies and synchronise audiences with demand side platforms through real time bidding.
The platform sets and reads several third party cookies in the doubleclick.net and google.com domains. IDE is the main remarketing and conversion identifier with a lifetime of around 13 months in the EEA. DSID links a signed in Google account to ad activity across non Google sites for roughly two weeks. 1P_JAR is a rolling first party Google cookie refreshed every visit and used for ad measurement. test_cookie is a short lived (15 minutes) technical probe that checks whether the browser accepts third party cookies. RUL is set when an advertiser uses remarketing audiences. Many of these cookies are paired with invisible 1x1 tracking pixels and JavaScript ad tags that send hashed identifiers, IP address, user agent, referrer, viewport size and consent signals to Google servers.
DoubleClick / Google Marketing Platform processes personal data within the meaning of Article 4 GDPR, including online identifiers (cookie IDs, device IDs), IP addresses, browsing behaviour and inferred interests. Because the cookies are not strictly necessary to provide a service requested by the user, Article 5(3) of the ePrivacy Directive transposed in France through Article 82 of the Loi Informatique et Libertés, in Germany through TTDSG, and in Spain through the LSSI, requires prior consent before any read or write. Google operates as joint controller with the publisher or advertiser for some processing activities and as independent controller for its own ad system improvements, which must be reflected in the privacy notice. The CNIL fined Google 150 million euros in January 2022 for making refusal of advertising cookies harder than acceptance on its own properties, and similar enforcement reasoning applies to any site embedding DoubleClick tags.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Since March 2024 Google requires advertisers and publishers using its advertising products in the EEA, United Kingdom and Switzerland to deploy Consent Mode v2 and to transmit the ad_storage, ad_user_data and ad_personalization signals. The recommended implementation is to plug a Google certified IAB TCF v2.2 Consent Management Platform that surfaces the full vendor list (Google is vendor 755), maps purposes 1 to 11 and special features 1 and 2, and forwards both the TC string and the Google Consent Mode signals to the gtag or Tag Manager container. Tags must remain blocked or fall back to anonymous pings until the user has given an unambiguous opt in. Pre ticked boxes, scroll based consent, legitimate interest for advertising purposes and continued browsing patterns are all invalid.
DoubleClick infrastructure is operated by Google LLC in the United States with a global edge network. Personal data collected through doubleclick.net cookies is transferred to the US under the EU US Data Privacy Framework adequacy decision adopted in July 2023, complemented by Standard Contractual Clauses for jurisdictions not covered by the DPF. Controllers must perform a transfer impact assessment per the EDPB Schrems II recommendations, document Google''s certification on the DPF list, retain the Data Processing Terms and inform users about the third country recipient, the legal basis for transfer and their rights to lodge a complaint with a supervisory authority or the US Data Protection Review Court.
DoubleClick deployments meet at least three of the nine EDPB DPIA criteria: systematic monitoring, processing on a large scale, and matching or combining datasets, which makes a DPIA mandatory under Article 35 GDPR. Practical measures include enabling Restricted Data Processing on Google Ad Manager and Campaign Manager for EEA traffic, activating Consent Mode v2 with conversion modelling, truncating IP addresses where possible, hashing first party identifiers in SHA256 before sending them to Customer Match, configuring frequency caps to limit profile granularity, documenting retention through the Google data retention controls and reviewing the vendor list quarterly to remove auction partners that are not strictly necessary.
Websites using DoubleClick must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is required because DoubleClick and Google Marketing Platform involve large scale processing of behavioural and device data for advertising, systematic monitoring across websites through third party cookies, automated profiling of audiences for retargeting and lookalike modelling, cross border transfers to Google LLC in the United States, and combination of identifiers across many publishers and advertisers. The DPIA must document the legal basis (consent), the necessity and proportionality test, the categories of data shared with Google and onward partners through real time bidding, retention periods for each cookie, the EDPB Schrems II transfer impact assessment, the IAB TCF v2.2 signals propagated, and the technical and organisational measures including Consent Mode v2, restricted data processing, IP truncation and SHA256 hashing for Customer Match uploads.
Sample consent text
We use DoubleClick and Google Marketing Platform cookies (IDE, DSID, 1P_JAR, test_cookie) to deliver personalised advertising, measure campaign performance, retarget visitors and limit how often you see the same ad. These cookies share data with Google LLC in the United States under the EU US Data Privacy Framework. You can accept, refuse or configure these advertising cookies at any time from our preference centre. Refusing has no impact on access to the website.
Third-party domains contacted
doubleclick.netg.doubleclick.netstats.g.doubleclick.netgoogleads.g.doubleclick.netad.doubleclick.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDE | marketing | 1 year | Main DoubleClick remarketing and conversion identifier set on doubleclick.net. Used by Google Marketing Platform to measure ad performance, attribute conversions, build retargeting audiences and personalise ads across sites. |
| id | marketing | 1 year | Generic DoubleClick ad serving identifier used for ad selection, frequency capping and audience grouping across publisher and advertiser properties. |
| test_cookie | technical | 15 minutes | Short lived technical probe set by doubleclick.net to check whether the visitor's browser accepts third party cookies. No personalisation, but still triggered by DoubleClick tags. |
| 1P_JAR | marketing | 1 month | First party Google cookie refreshed on each visit and used to collect aggregated ad measurement information and link Google services to DoubleClick ad delivery. |
| DSID | marketing | 2 weeks | Links a signed in Google account to ad activity on non Google sites for cross device personalisation and conversion attribution under Consent Mode v2. |
| RUL | marketing | 1 year | Set on doubleclick.net when an advertiser activates remarketing audiences. Stores the audience membership identifier for retargeting campaigns. |
DoubleClick places tracking cookies for advertising — comply with GDPR using FlowConsent.
The main DoubleClick / Google Marketing Platform cookies are IDE (around 13 months in the EEA, remarketing and conversion identifier on doubleclick.net), DSID (about 2 weeks, links a signed in Google account to ad activity), 1P_JAR (around 1 month, ad measurement on google.com), test_cookie (15 minutes, technical probe to check third party cookie support), RUL (about 1 year, set when remarketing audiences are active) and id (around 1 year, generic ad serving). All of them, except test_cookie which is purely technical and very short lived, must be classified as marketing cookies subject to prior consent.
Yes, strict prior opt in consent is required. DoubleClick cookies are not strictly necessary to provide a service requested by the user, so Article 5(3) of the ePrivacy Directive (transposed in France via Article 82 LIL, in Germany via TTDSG, in Spain via Article 22.2 LSSI) prohibits reading or writing them without consent. Tags must remain blocked until the visitor performs a clear affirmative action through a CMP. Continued browsing, pre ticked boxes or scrolling cannot be relied upon, as confirmed by the CNIL guidelines and the EDPB Guidelines 05/2020.
The legal basis is consent under Article 6(1)(a) GDPR for the broader personal data processing, combined with Article 5(3) ePrivacy for the cookie storage and reading step. Legitimate interest under Article 6(1)(f) cannot be used for advertising tracking, retargeting or audience profiling, as repeatedly stated by the EDPB and the CNIL. The consent must be freely given, specific, informed, unambiguous and as easy to withdraw as to give. A separate switch for advertising purposes is required in the CMP.
Yes. DoubleClick is operated by Google LLC and data is processed on US infrastructure with global edge nodes. Transfers rely on the EU US Data Privacy Framework adequacy decision adopted on 10 July 2023, with Google certified on the official DPF list, complemented by Standard Contractual Clauses for non DPF jurisdictions. Controllers must perform a Schrems II style Transfer Impact Assessment, document the safeguards, inform users in their privacy notice and explain redress rights including complaint before a supervisory authority or the US Data Protection Review Court.
Yes. DoubleClick deployments meet at least three of the nine EDPB DPIA criteria (systematic monitoring, large scale processing, matching or combining datasets). Article 35 GDPR therefore requires a DPIA before activation. The DPIA must cover the categories of data shared with Google and real time bidding partners, retention by cookie, the Transfer Impact Assessment, the lawful basis review, the proportionality of audience modelling, the consent UX and the technical mitigations such as Consent Mode v2 and Restricted Data Processing.
Use a Google certified CMP that supports IAB TCF v2.2, expose Google in the vendor list (vendor 755), block tags by default and load them only after opt in. Activate Google Consent Mode v2 to forward ad_storage, ad_user_data and ad_personalization signals together with the TC string. Enable Restricted Data Processing on Google Ad Manager and Campaign Manager for EEA traffic, configure data retention controls, anonymise IPs where possible, hash first party data in SHA256 for Customer Match and run a quarterly vendor list review.
Alternatives include contextual advertising based on page content without cookies, first party retargeting through server side Conversions API style integrations with hashed identifiers, EU based DSPs and SSPs hosted in the EEA, privacy preserving APIs from the Privacy Sandbox (Topics, Protected Audience) and clean room measurement solutions. None of them removes the legal obligation to inform users, but they reduce the volume of personal data shared with US ad tech vendors and lower the GDPR risk profile.
List the full set of cookies (IDE, DSID, 1P_JAR, test_cookie, RUL, id) with name, domain (doubleclick.net or google.com), purpose, duration and category. Disclose Google LLC as recipient, mention the EU US Data Privacy Framework as transfer mechanism, link to Google's privacy policy and to the IAB TCF v2.2 vendor list, and indicate that consent can be modified or withdrawn at any time. Update this register at least quarterly and re publish whenever new Google sub processors or auction partners are added.