ExoClick is a Spanish-headquartered programmatic ad network specialising in entertainment, dating, gaming and adult verticals. It serves billions of monthly ad impressions to European publishers, using JavaScript ad tags and real-time bidding integrations. From a GDPR perspective, ExoClick raises the typical ad tech issues: cookies for ad personalisation, IAB TCF signals, bid-stream propagation of personal data to many independent advertisers, and the additional sensitivity that comes with adult content audiences.
ExoClick is a programmatic ad network based in Barcelona, Spain that serves billions of monthly ad impressions across entertainment, dating, gaming and adult verticals. Publishers integrate its JavaScript ad tags on their pages; advertisers bid on impressions in real time through ExoClick's exchange and partner DSPs.
ExoClick sets cookies such as eot (frequency capping), exads_session (session), ec_visitor (visitor ID), and pulls advertising identifiers from partner cookies. Each ad call sends an OpenRTB bid request containing IP, User-Agent, screen size, geolocation (city level), page URL, content keywords and (with consent) advertising identifiers to ExoClick and its bid-stream partners.
Advertising cookies require prior consent under Art. 5(3) ePrivacy. ExoClick supports IAB TCF v2.2 so publishers can collect consent through a registered CMP and propagate the signal downstream. The Belgian APD's February 2022 ruling and the subsequent EDPB position have raised concerns about whether IAB TCF as deployed is sufficient to establish a valid legal basis for the entire bid stream. Publishers should not over-rely on TCF alone and should implement complementary controls: block ads on no-consent, limit the partner list, and document the legal basis carefully.
While ExoClick processes data in Spain, the RTB bid stream sends data to many DSPs and advertisers worldwide, including in the US. Each downstream partner is an independent controller; the publisher and ExoClick are typically joint controllers for the initial bid-stream emission, following the CJEU Fashion ID logic. SCCs and DPF certification apply for US partners individually.
When ExoClick is deployed on adult or dating sites, the page context itself may reveal information about the visitor's sexual orientation or preferences, which is a special category under Art. 9 GDPR. Even if ExoClick excludes context keywords from the bid request, the combination of geolocation, page URL and the bid stream remains a high risk. Explicit consent under Art. 9(2)(a) is the only safe basis; publishers should consider a strict consent or paid no-ads model.
1. Use a TCF v2.2 certified CMP.
2. Block ExoClick tags before consent.
3. Run a DPIA covering RTB and content sensitivity.
4. Document joint controllership and downstream partners.
5. For adult content, obtain explicit Art. 9 consent.
6. Set up a consent or pay alternative for non-consenting visitors.
7. Document all sub-processors and transfers in the Record of Processing Activities.
8. Keep TCF strings auditable for 6 months minimum.
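One way to implement "block ExoClick tags before consent" against the standard IAB `__tcfapi` interface a TCF v2.2 CMP exposes. This is an added example, not ExoClick's or any CMP vendor's code; the vendor ID, the required purpose set and the tag URL are placeholders or assumptions to replace with your own values.

```javascript
// Added example; not ExoClick's or any CMP vendor's code.
// ASSUMPTIONS: the vendor ID is a placeholder (take the real one from the IAB
// Global Vendor List); the purpose set is this publisher's own choice.
const EXOCLICK_VENDOR_ID = 0;            // PLACEHOLDER, not a real GVL ID
const REQUIRED_PURPOSES = [1, 2, 3, 4];  // assumed: storage + ad selection/profiling

// Pure decision: true only when the user has made a choice AND consented to
// every required purpose AND to the vendor. Anything else fails closed.
function exoClickAllowed(tcData, vendorId = EXOCLICK_VENDOR_ID,
                         purposes = REQUIRED_PURPOSES) {
  if (!tcData) return false;
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return false;            // e.g. 'cmpuishown': banner still open
  const p = (tcData.purpose && tcData.purpose.consents) || {};
  const v = (tcData.vendor && tcData.vendor.consents) || {};
  return purposes.every((id) => p[id] === true) && v[vendorId] === true;
}

// Subscribes to the CMP and calls loadTag() at most once, on first valid consent.
// `win` is the browser window; passing it in keeps the gate testable.
function gateExoClick(win, loadTag, vendorId = EXOCLICK_VENDOR_ID) {
  if (typeof win.__tcfapi !== 'function') return false;  // no CMP: never load
  let loaded = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (loaded || !success || !exoClickAllowed(tcData, vendorId)) return;
    loaded = true;
    loadTag(tcData.tcString);  // the TC string can be archived for the audit trail
  });
  return true;
}

// Browser usage (the tag URL is a placeholder; use the one from your ExoClick zone):
// gateExoClick(window, () => {
//   const s = document.createElement('script');
//   s.src = 'https://EXAMPLE-TAG-HOST/PLACEHOLDER.js';
//   s.async = true;
//   document.head.appendChild(s);
// });
```

The gate only helps if no ExoClick `<script>` tag is present in the served HTML; the tag must be injected exclusively through the `loadTag` callback.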
Websites using ExoClick must obtain user consent under GDPR regulations.
DPIA considerations
ExoClick processes ad delivery cookies (eot, exads_session, ec_visitor), IP addresses, User-Agent, page context, device identifiers, and (when consent allows) advertising IDs. The RTB bid stream propagates these signals to hundreds of partner DSPs and advertisers, often via the IAB Transparency and Consent Framework. Key DPIA considerations: (1) sensitive verticals (adult, gambling) where browsing may reveal special category data; (2) the Belgian APD ruling of February 2022 found that IAB TCF as deployed lacked a valid legal basis for many uses, prompting a rewrite of TCF v2.2; (3) joint controllership with downstream DSPs without an effective Art. 26 agreement; (4) publishers may inherit non-compliance risk; (5) data minimisation through the bid stream is difficult to achieve. A comprehensive DPIA and an alternative consent-or-pay strategy are recommended.
Sample consent text
This site displays advertising delivered by ExoClick. With your consent, ExoClick and its advertising partners (including bid-stream partners listed in our cookie policy) place cookies and process your data (IP, browsing context, device information) to deliver, measure and personalise ads. Your consent is recorded via the IAB Transparency and Consent Framework. You can refuse all advertising cookies and still browse the site.
Third-party domains contacted
exoclick.com
syndication.exosrv.com
main.exoclick.com
static.exosrv.com
a.exdynsrv.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| eot | Marketing / Advertising | 1 year | Frequency capping cookie used to limit how often the same advertisement is shown to a visitor. |
| exads_session | Functional | Session | Session identifier used by ExoClick to attribute ad impressions and clicks within a single browsing session. |
| ec_visitor | Marketing / Advertising | 1 year | Persistent visitor identifier used by ExoClick for behavioural targeting and conversion attribution. |
| exoclick_consent | Strictly necessary | 1 year | Stores the visitor's TCF v2.2 consent string for ExoClick and its partners. |
Typical cookies are eot (frequency capping, 1 year), exads_session (session), ec_visitor (visitor ID, 1 year), and various partner cookies set via the bid stream (DoubleClick, TradeDesk, AppNexus). All require prior consent.
Yes. Advertising cookies and the entire RTB bid stream are non-essential. They require freely given, specific, informed and explicit consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR. Implement a TCF v2.2 certified CMP and block ExoClick tags until consent.
Consent is the only practical legal basis. The Belgian APD ruling (February 2022) confirmed that IAB TCF as historically deployed could not establish a valid legal basis for many RTB uses. TCF v2.2 addresses several gaps but ultimate responsibility lies with the publisher and ExoClick as joint controllers.
ExoClick processes data in Spain. However, the RTB bid stream sends signals to many DSPs and advertisers worldwide. Some partners are US-based; the transfer relies on SCCs and EU-US DPF certifications of each partner. Maintain an up-to-date vendor list in your privacy notice.
Yes, for any production deployment. The combination of RTB scale, behavioural profiling, and (often) sensitive verticals satisfies multiple Art. 35(3) GDPR criteria. The DPIA must analyse joint controllership with downstream partners and the IAB TCF reliance.
Use a TCF v2.2 certified CMP; block ExoClick before consent; restrict the partner list to those you can document; run a DPIA; if you operate adult content, obtain explicit Art. 9 consent; implement a consent or pay alternative; document downstream partners; ensure SCCs/DPF coverage for all US partners; archive TCF strings for at least 6 months.
For non-adult inventory, alternatives include Google Ad Manager, Criteo (France-headquartered), Magnite, OpenX, Smart AdServer (France) and Adform (Denmark). For adult verticals, TrafficStars and JuicyAds are common alternatives, with similar GDPR complexity. Direct-deal advertising minimises RTB exposure and simplifies compliance.
List eot, exads_session, ec_visitor and the partner cookies you observe in production. In the privacy notice, identify ExoClick S.L. (Spain) as a joint controller, disclose the IAB TCF v2.2 use, link to the vendor list, mention possible US transfers via partners, and provide a working CMP link to withdraw consent.