Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
DoubleClick Ad Exchange (AdX), now part of Google Ad Manager, is Google's premium real time bidding marketplace that connects publishers with thousands of advertisers and demand side platforms through programmatic auctions. AdX uses third party advertising cookies on doubleclick.net (IDE, id, test_cookie, 1P_JAR, DSID) to target ads, cap frequency, measure conversions and build remarketing audiences. Because it relies on profiling cookies, prior explicit consent through a TCF v2.2 compliant CMP and Google Consent Mode v2 is required.
DoubleClick Ad Exchange (AdX) is Google''s premium programmatic advertising marketplace, now operated as part of Google Ad Manager (GAM). It is the supply side ad exchange where publishers expose their inventory to thousands of advertisers, demand side platforms (DSPs) and agency trading desks through real time bidding auctions. Each ad impression is auctioned in milliseconds while the page loads, and the winning advertiser''s creative is served to the user. AdX is distinct from the legacy DoubleClick for Publishers (DFP) ad server and from the umbrella DoubleClick brand.
AdX relies on third party advertising cookies set on doubleclick.net. The IDE cookie (about 13 months) is the main advertising identifier used to measure ad performance, cap frequency and personalize creatives. The id cookie performs similar functions on doubleclick.net. test_cookie (15 minutes) checks whether the browser accepts cookies. 1P_JAR is a Google cross product cookie linking activity for ad measurement. DSID associates browsing activity with a signed in Google account on non Google sites. Bid requests also transmit IP address, approximate location, device, user agent and TCF consent strings to participating bidders.
Because AdX uses profiling cookies and builds cross site audience segments, the publisher must obtain prior, freely given, specific, informed and unambiguous consent under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR before any AdX tag fires. Legitimate interest is not a valid basis for advertising cookies or personalized advertising. The publisher and Google operate as joint controllers for certain processing under the Google Ad Manager terms, which requires a joint controller arrangement under Article 26 GDPR and transparent information to users.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Personal data is transferred to Google LLC in the United States. Google is certified under the EU US Data Privacy Framework (DPF), which constitutes a valid transfer mechanism for EU and UK personal data. For jurisdictions outside DPF coverage, Standard Contractual Clauses and a Transfer Impact Assessment apply. RTB bid requests can also reach bidders located in third countries, which requires additional contractual safeguards and disclosure in the privacy notice.
Google Ad Manager and AdX integrate with the IAB Transparency and Consent Framework v2.2 and require Google Consent Mode v2 signals (ad_storage, ad_user_data, ad_personalization, analytics_storage). Publishers must deploy a Google certified CMP, pass a valid TC string to ad calls, and forward consent state through gtag or GTM. Without explicit consent, AdX falls back to non personalized advertising (NPA) where available, but many advanced features such as remarketing and audience targeting are disabled.
Key risks include unlawful processing without valid consent (significant CNIL and EU regulator fines), bid stream data leakage to unvetted bidders, profiling of minors, and inadequate transparency. Mitigations include a robust CMP, strict tag gating until consent is captured, a documented DPIA, joint controller agreements with Google, transparent disclosure in the cookie policy, granular purpose level consent, regular vendor audits and consideration of contextual or server side alternatives for non consenting traffic.
Websites using DoubleClick Ad Exchange (AdX) must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is strongly recommended under Art 35 GDPR. AdX involves large scale systematic profiling of website visitors, real time auction broadcasting of bid request signals (URL, device, approximate location, IP) to thousands of bidders, cross site behavioral tracking and international transfers to the United States. The DPIA must cover RTB bid stream leakage, joint controllership with Google (Google Ad Manager terms), retention of advertising identifiers, lawful basis for non consenting users and safeguards for special category inferences.
Sample consent text
We use DoubleClick Ad Exchange (Google Ad Manager) to display personalized advertising and measure campaign performance. This sets third party advertising cookies (IDE, id, 1P_JAR, DSID) on doubleclick.net and transmits your IP address, browsing context and pseudonymous identifiers to Google LLC in the United States and to participating advertisers and demand side platforms. Data may be used to build cross site profiles and audience segments. Do you accept these advertising cookies?
Third-party domains contacted
securepubads.g.doubleclick.netdoubleclick.netgoogleads.g.doubleclick.netpagead2.googlesyndication.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDE | marketing | 1 year | Primary DoubleClick advertising identifier used to measure ad performance, personalize creatives, cap frequency and build remarketing audiences across the Google Ad Manager and AdX network |
| id | marketing | 1 year | Advertising cookie on doubleclick.net used for ad targeting, frequency capping and conversion measurement within the AdX programmatic marketplace |
| test_cookie | technical | 15 minutes | Short lived cookie that checks whether the user's browser supports cookies before AdX tags attempt to set persistent identifiers |
| 1P_JAR | marketing | 1 month | Google cross product cookie that collects website statistics and tracks conversion rates, used to personalize ads served through Google Ad Manager and AdX |
| DSID | marketing | 2 weeks | Associates the user's browsing activity on non Google sites with their signed in Google Account to deliver personalized ads consistent with their Google preferences |
DoubleClick Ad Exchange (AdX) places tracking cookies for advertising — comply with GDPR using FlowConsent.
AdX sets several advertising cookies on doubleclick.net: IDE (about 13 months, main ad identifier for measurement, personalization and frequency capping), id (about 13 months, similar advertising role), test_cookie (15 minutes, browser capability check), 1P_JAR (about 1 month, cross product ad measurement) and DSID (about 2 weeks, links activity to a signed in Google account on non Google sites). All are classified as marketing cookies and require prior consent.
Yes. AdX uses third party advertising cookies and conducts behavioral profiling, so prior explicit consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR. Tags must be blocked until the user makes an affirmative choice. Legitimate interest is not an acceptable basis for personalized advertising under EDPB guidance.
The legal basis is the data subject's consent under Article 6(1)(a) GDPR, combined with ePrivacy Article 5(3) consent for cookie storage. Google and the publisher act as joint controllers for certain processing under Google Ad Manager terms, which requires an Article 26 GDPR joint controller arrangement and clear allocation of duties in the privacy notice.
Personal data is transferred to Google LLC in the United States. Google is certified under the EU US Data Privacy Framework (DPF), which provides a valid transfer mechanism for EU and UK personal data. Standard Contractual Clauses apply for jurisdictions outside DPF coverage, supported by a Transfer Impact Assessment to evaluate US surveillance law risks.
Yes. AdX combines large scale profiling, systematic monitoring of public behavior, real time broadcasting of bid signals and international transfers, all of which trigger the Article 35 GDPR DPIA criteria. The risk level is high. The DPIA should document data flows, bid stream exposure, retention, joint controllership and mitigations such as consent gating and contextual fallbacks.
Deploy a Google certified CMP that implements IAB TCF v2.2 and Google Consent Mode v2. Block all GAM and AdX tags until the user provides consent. Pass valid TC strings and consent signals (ad_storage, ad_user_data, ad_personalization, analytics_storage) to every ad call. Document the joint controller arrangement, disclose AdX in the cookie policy and privacy notice and provide an easy withdrawal mechanism.
Alternatives include contextual advertising based on page content only, server side ad delivery, and emerging Privacy Sandbox APIs such as Topics and Protected Audience (formerly FLEDGE). Google's own non personalized ads (NPA) option can also serve non consenting users without behavioral targeting. Many publishers run a hybrid model: AdX with consent, contextual without.
The cookie policy must list each AdX cookie (IDE, id, test_cookie, 1P_JAR, DSID), its purpose, duration and the third party (Google LLC). It should disclose joint controllership, US transfers under the DPF, IAB TCF v2.2 vendor list participation, recipients (advertisers and DSPs), and provide links to Google's privacy policy and to the user's consent and withdrawal controls.