Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
DoubleVerify is a US-based digital advertising verification platform that measures ad viewability, brand safety, and fraud detection across programmatic campaigns. It sets third-party tracking cookies and collects ad impression data from individual browsers. As an ad tech tool that tracks users across websites for measurement purposes, its deployment requires prior consent under both GDPR and the ePrivacy Directive, and it is subject to the IAB TCF 2.0 framework.
DoubleVerify is a New York-based digital media verification company that provides ad viewability measurement, brand safety analysis, and invalid traffic (IVT) detection for digital advertising campaigns. Publishers embed the DoubleVerify tag on their pages, and advertisers use DoubleVerify to verify that their ads were seen by real humans in brand-safe environments. DoubleVerify is listed on the NYSE and processes billions of ad impressions daily, making it one of the most widely deployed ad tech tools in programmatic advertising.
DoubleVerify collects IP addresses, device identifiers, browser fingerprinting signals, ad impression data, page context, timestamp and geolocation data for each ad impression observed. It also sets third-party tracking cookies used to detect invalid traffic patterns across multiple sites. The data is used to generate viewability scores, brand safety ratings, and fraud detection signals that are shared with both publishers and advertisers.
DoubleVerify''s cross-site tracking for ad verification purposes requires prior consent under the ePrivacy Directive before any cookies or tracking scripts load. Under GDPR, the systematic collection of IP addresses, device identifiers, and browsing data across publisher sites constitutes large-scale profiling requiring a lawful basis. DoubleVerify participates in the IAB Transparency and Consent Framework (TCF 2.0), which provides a standardised consent signal mechanism for ad tech tools.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Consent must be obtained before the DoubleVerify tag loads. Using a TCF 2.0-compliant CMP that passes consent signals to DoubleVerify is the standard approach in programmatic advertising. DoubleVerify must only fire when a valid consent signal is present. Publishers must ensure their CMP configuration correctly maps DoubleVerify to the appropriate TCF purposes.
DoubleVerify is a US company and processes all verification data on US infrastructure. Standard Contractual Clauses apply. Sign DoubleVerify''s DPA and document the US transfer in your RoPA.
Use a TCF 2.0-compliant CMP. Configure DoubleVerify to only fire on valid consent. Sign DoubleVerify''s DPA. Conduct a DPIA for large-scale cross-site ad measurement. Update your privacy policy and cookie notice. Document the US transfer in your RoPA.
Websites using DoubleVerify must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for DoubleVerify deployments given the large-scale cross-site tracking of individual users for ad measurement purposes, combined with US data transfers. The systematic collection of browsing behaviour across publisher sites for ad verification meets multiple DPIA trigger criteria under GDPR Article 35.
Sample consent text
We use DoubleVerify to measure the viewability and effectiveness of advertising on this site. DoubleVerify sets cookies and collects browsing data for ad quality measurement. This data is transferred to the United States. Please accept to enable ad measurement.
Third-party domains contacted
doubleverify.comcdn.doubleverify.coms.doubleverify.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| dv_id | persistent | 1 year | DoubleVerify visitor identifier used for ad viewability measurement and invalid traffic detection |
| dv_sess | session | Session | Session identifier used for real-time invalid traffic detection and brand safety verification |
DoubleVerify places tracking cookies for advertising — comply with GDPR using FlowConsent.
DoubleVerify sets measurement cookies to track ad impression viewability and link ad exposure events. These third-party cookies require prior ePrivacy consent before the DV tag loads. DoubleVerify is registered in the IAB TCF and can receive consent signals from compatible CMPs.
Yes. DoubleVerify sets cookies requiring ePrivacy consent before the tag loads. In most deployments this is handled through the IAB Transparency and Consent Framework. Server-side integration without client-side cookies may allow legitimate interest for impression measurement.
Consent (Art. 6(1)(a)) via the IAB TCF for client-side cookie-based measurement. Legitimate interest (Art. 6(1)(f)) may apply to server-side impression verification that does not set cookies or build individual user profiles.
Yes. DoubleVerify is a US company processing all verification data on US infrastructure. Standard Contractual Clauses apply as the transfer mechanism. The transfer should be documented in your Records of Processing Activities.
Generally not for standard ad verification focused on aggregate quality metrics. A DPIA may become relevant if DoubleVerify data is combined with user identity data from other sources to create individual profiles.
Integrate DoubleVerify with your IAB TCF-compliant CMP so the tag only fires after consent. Sign a DPA with DoubleVerify. Document the US transfer in your RoPA. Include DoubleVerify in your privacy policy as an advertising verification processor.
Integral Ad Science (IAS) has EU data processing configurations. Google Ad Manager's built-in viewability measurement uses Google's EU infrastructure options. Server-side IVT filtering using IP reputation databases hosted on EU infrastructure can also reduce reliance on US-based verification vendors.
Add DoubleVerify to your advertising measurement processor list, describe it as an ad verification service measuring viewability and invalid traffic, state that consent via your cookie banner covers DoubleVerify cookies, reference the IAB TCF as the consent framework, and disclose the US data transfer with the applicable SCC safeguard.