Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
DoubleClick Campaign Manager (now Google Campaign Manager 360) is Googles enterprise ad serving, tracking and reporting platform. It places third party DoubleClick cookies (IDE on doubleclick.net) and Floodlight tags on advertiser sites to measure impressions, clicks, view through conversions and frequency capping. Because it relies on cross site advertising cookies and processes personal data in the US, it is one of the most strictly regulated tools under GDPR and ePrivacy in Europe.
DoubleClick Campaign Manager (DCM), now branded Google Campaign Manager 360 inside the Google Marketing Platform, is the enterprise grade ad serving and measurement platform used by large advertisers and agencies. It centralises ad creative trafficking, third party verification, view through tracking, conversion attribution and Floodlight tag based site analytics across display, video and rich media inventories.
CM360 sets the third party cookie IDE on doubleclick.net (13 month lifespan) and reads Google Ad cookies. Floodlight tags placed on advertiser sites collect IP, user agent, referrer URL, time on page, conversion value and any custom variables sent to the tag. Audience lists are stored against pseudonymous identifiers tied to the IDE cookie, the Google Advertising Identifier and Google account if logged in.
Floodlight tags and DoubleClick cookies are non essential third party advertising cookies. Article 5(3) ePrivacy and GDPR Article 6(1)(a) require prior consent. EDPB guidance on connected vehicles and CNIL Lake of cookie sanctions targeting Google in 2021 (150 million EUR) confirm the strict interpretation. Cross site profiling for personalised advertising additionally requires CM360 to be loaded only when the IAB TCF v2.2 consent string includes Google as a vendor with purposes 1, 3, 4 and 7.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Use Google Consent Mode v2 to gate the loading of CM360 tags. Configure ad_storage and ad_user_data so that no DoubleClick cookies are dropped before consent. The CMP must offer reject as easily as accept and provide vendor level toggles. Maintain consent receipts for at least the retention period of the audience lists.
Google LLC processes CM360 data in the US and other Google data centres globally. Google is certified under the EU US Data Privacy Framework, which provides the primary transfer mechanism. SCCs apply where DPF does not (UK, Switzerland). A transfer impact assessment remains advisable given exposure to FISA 702 and the Cloud Act.
Implement Google Consent Mode v2 in advanced mode, gate Floodlight tags via your CMP, sign the Google Ads Data Processing Terms, list CM360 in your record of processing, document Floodlight variables and avoid sending personally identifying parameters. Restrict CM360 access via IAM, configure audience list expirations and run an annual DPIA review.
Websites using DoubleClick Campaign Manager (DCM) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is mandatory. Floodlight conversion tracking, audience lists and cross site advertising cookies create extensive profiling that qualifies as systematic large scale monitoring of behaviour under GDPR Article 35.
Sample consent text
We use Google Campaign Manager 360 (formerly DoubleClick) with our advertising partners to measure ad effectiveness and personalise the ads you see across the web. This places third party cookies. You can manage your advertising preferences in the cookie settings.
Third-party domains contacted
doubleclick.netfls.doubleclick.netad.doubleclick.netstats.g.doubleclick.netgoogleads.g.doubleclick.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDE | persistent | 13 months | Used by Google DoubleClick to register and report user actions after viewing or clicking ads on advertiser websites. Forms the basis for cross site advertising and conversion measurement. |
| test_cookie | session | 15 minutes | Set on doubleclick.net to verify that the user browser supports cookies before serving DoubleClick advertising tags. |
| FLC | persistent | 12 months | Floodlight session identifier set by Google Campaign Manager 360 to attribute conversions across an advertiser site visit. |
DoubleClick Campaign Manager (DCM) places tracking cookies for advertising — comply with GDPR using FlowConsent.
CM360 sets the IDE cookie on doubleclick.net (13 month lifespan) for cross site advertising and conversion measurement. It also reads Google Ads cookies (NID, ANID, IDE) and any Floodlight session identifiers.
Yes. Floodlight tags and DoubleClick cookies are non essential third party advertising cookies. Article 5(3) ePrivacy and Article 6(1)(a) GDPR require prior, granular and informed consent before any tag fires.
Consent is the only valid basis. Legitimate interest does not justify cross site advertising profiling. The CNIL 150 million EUR sanction against Google clarified this position for the French market.
Yes. Google LLC processes CM360 data in the US. Transfers rely on the EU US Data Privacy Framework (Google is certified) and SCCs as fallback. A Transfer Impact Assessment is recommended.
Yes. Cross site profiling, audience lists and Floodlight conversion tracking constitute systematic large scale monitoring of behaviour, triggering Article 35 GDPR.
Implement Google Consent Mode v2 in advanced mode, gate tags through your CMP, sign the Google Ads Data Processing Terms, document Floodlight variables, restrict identifying parameters and review your DPIA annually.
Alternatives include Adform (DK, EU based), Flashtalking (US), Equativ (FR), Sizmek (now Amazon Ads). Adform is the closest EU sovereign alternative for advertisers wanting reduced US transfer exposure.
List Google Campaign Manager 360 (DoubleClick) as an advertising processor with cookie IDE, retention 13 months, purposes (advertising, measurement, audience), Google as data processor, link to Google Ads Privacy and Data Privacy Framework certification.