Does your website use third-party services? Get GDPR compliant in minutes.

DoubleClick Floodlight

What does DoubleClick Floodlight do?

DoubleClick Floodlight is the activity tagging system used by Google Campaign Manager 360 and Display & Video 360 to measure conversions and build remarketing audiences. Each Floodlight tag fires on a defined event (purchase, sign up, page view), writes the IDE cookie on doubleclick.net and reports the event to fls.doubleclick.net, which makes it a third party advertising tracker requiring prior consent in the EU.

What is DoubleClick Floodlight?

DoubleClick Floodlight is the activity tagging framework used by Google Campaign Manager 360 (CM360) and Display & Video 360 (DV360) to measure user actions on advertiser websites. Floodlight tags are pixels, iframes or gtag.js calls that fire on events such as page views (counter tags) or transactions (sales tags). They are a foundational tool of the Google Marketing Platform stack and are usually deployed alongside Google Tag Manager.

Cookies and identifiers

Floodlight relies on the IDE cookie set on doubleclick.net for behavioural attribution and frequency capping. It also writes a test_cookie before each request to detect cookie support and may interact with NID on google.com. Custom u variables can transmit additional context (transaction value, product ID, user identifiers) that easily becomes personal data depending on configuration.

GDPR and ePrivacy implications

Floodlight is a third party advertising tracker. Article 5(3) of the ePrivacy Directive requires prior consent before any cookie is read or written, and Article 6(1)(a) GDPR requires consent for the underlying behavioural advertising processing. Several decisions from European DPAs (CNIL, AEPD, Garante) have applied directly to Floodlight or to its parent stack.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Consent and Consent Mode v2

Floodlight tags must remain blocked until the visitor accepts the marketing category. When using gtag.js, Consent Mode v2 lets Floodlight degrade to a cookieless ping when ad_storage and ad_user_data are denied. Modelled conversions can fill the gap, but no cookie or identifier may be set without consent.

Data transfers to the United States

Floodlight events, IP addresses, advertising identifiers and any custom variables are sent to Google LLC infrastructure in the United States. Google self certifies under the EU U.S. Data Privacy Framework, which provides a legal mechanism for the transfer that must be documented in your records of processing and disclosed in your privacy policy.

Implementing Floodlight compliantly

Block all Floodlight tags through your tag manager until consent is captured. Activate Consent Mode v2, route Floodlight via Google Tag Manager Server when possible to minimise client side data, and never put raw email addresses, phone numbers or user IDs in Floodlight u variables without explicit consent. Document Floodlight, CM360 and DV360 in your privacy policy and records of processing.

GDPR consent category

Marketing

Websites using DoubleClick Floodlight must obtain user consent under GDPR regulations.

Legal basisPrior consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive: Floodlight is an advertising attribution and remarketing tool that writes the IDE cookie on doubleclick.net and shares behavioural data with Google.

Risk levelhigh

Applicable regulationsGDPR, ePrivacy Directive, EU U.S. Data Privacy Framework, IAB TCF v2.2

DPIA considerations

A DPIA is recommended because Floodlight powers cross site behavioural advertising, audience lists, attribution and US transfers. Setups including custom variables (uXX values) carrying personal data need particular scrutiny.

Sample consent text

We use DoubleClick Floodlight to measure ad campaigns and build advertising audiences with Google Campaign Manager 360 and Display & Video 360. With your consent, Google may store advertising cookies on your device, link your activity to a previous ad exposure and transfer data to Google LLC in the United States. You can refuse or withdraw consent at any time from the cookie settings.

Technical details

Tracking methodFloodlight tags (image pixel or iframe) and Floodlight global site tag (gtag.js with config DC-XXXXXX) that send activity events (purchases, sign ups, page views) to fls.doubleclick.net for Campaign Manager 360 and Display & Video 360 attribution.

Server locationUnited States (Google global infrastructure)

Data transferred outside the EUFloodlight events, IP addresses and advertising identifiers are transferred to Google LLC servers in the United States under the EU U.S. Data Privacy Framework.

Third-party domains contacted

fls.doubleclick.netdoubleclick.netgoogleads.g.doubleclick.netwww.googletagmanager.comstats.g.doubleclick.net

Cookies placed

Name	Type	Duration	Purpose
IDE	third_party	13 months	Set on doubleclick.net by Floodlight for behavioural attribution, frequency capping and conversion measurement in Campaign Manager 360 and Display & Video 360.
test_cookie	third_party	15 minutes	Set on doubleclick.net to verify that the browser supports cookies before firing the Floodlight pixel.
NID	third_party	6 months	Set on google.com to store user preferences for Google ads and personalisation, used by Floodlight for cross device matching.

DoubleClick Floodlight places tracking cookies for advertising — comply with GDPR using FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does DoubleClick Floodlight set?

Floodlight relies primarily on the IDE cookie set on doubleclick.net for behavioural attribution and frequency capping, plus test_cookie before each request and may interact with the NID cookie on google.com used for personalisation.

Does Floodlight require consent?

Yes. Floodlight is a third party advertising tracker that writes non essential cookies, so prior, specific and informed consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR before any tag fires.

What is the legal basis for Floodlight?

Consent is the only suitable legal basis. Legitimate interests cannot be used because the processing is for cross site behavioural advertising and includes US transfers, both of which require an explicit opt in.

Are data transferred to the United States?

Yes. Floodlight events, IP addresses, advertising identifiers and any custom u variables are transferred to Google LLC in the United States. Google self certifies under the EU U.S. Data Privacy Framework, but the transfer must be disclosed in the privacy policy.

Do I need a DPIA for Floodlight?

A DPIA is recommended because Floodlight powers cross site behavioural advertising, audience lists, attribution and US transfers. Setups with custom variables containing personal data require particular scrutiny.

How do I deploy Floodlight compliantly?

Block all Floodlight tags through your CMP until consent, enable Consent Mode v2, prefer Google Tag Manager Server for server side delivery, and never put raw email, phone or user IDs in u variables without explicit consent.

Are there alternatives to Floodlight?

Privacy first alternatives include first party server side conversion measurement (CM360 server side via GTM Server, Adobe Analytics, Matomo Goals) which avoids client side cookies and reduces data shared with Google.

How do I update my cookie policy?

Add a section that names DoubleClick Floodlight, Campaign Manager 360 and Display & Video 360, lists the cookies (IDE, test_cookie, NID) with purpose and duration, mentions the transfer to Google LLC in the United States and links to Google's privacy policy.

Get compliant — Try FlowConsent free

Free plan · 10-min setup