Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Ezoic is a US programmatic advertising and site optimisation platform operated by Ezoic Inc. (Carlsbad, California) that combines AI driven ad mediation, A/B layout testing and a CDN. When publishers integrate Ezoic, dozens of ad tech partners load on the website, setting and reading numerous identifiers used for behavioural advertising. Ezoic transfers personal data to the United States and to many sub processors, triggering full consent obligations under the GDPR and the ePrivacy Directive and material Schrems II risk.
Ezoic is a programmatic advertising and site optimisation platform operated by Ezoic Inc., headquartered in Carlsbad, California. The product bundles ad mediation across more than fifty supply side platforms, A/B layout testing, a content delivery network and an analytics suite called Big Data Analytics. Publishers integrate Ezoic by changing their nameservers or by adding a JavaScript tag, which routes traffic through Ezoic edge servers in the United States and in regional points of presence. Because Ezoic monetises through behavioural advertising, the platform connects each visitor to a wide ecosystem of ad tech sub processors.
Ezoic and its partners set a large number of cookies and identifiers. Typical first party cookies include ezosuibasgeneris (a pseudonymous user identifier), ezds, ezohw, ezoab and ezovuuid. Third party advertising cookies come from Google, OpenX, Magnite, PubMatic, Index Exchange, Criteo, AppNexus and many others. The platform processes IP addresses, user agent strings, screen resolution, device type, page URLs, scroll and click events, geographic region and pseudonymous IDs, plus the technical signals used to build advertising profiles under the IAB Europe Transparency and Consent Framework v2.2.
The publisher is the controller for the data processed through Ezoic, while Ezoic Inc. and each ad partner act as a controller or joint controller for their own advertising purposes. All non essential cookies must be blocked under Art. 5(3) ePrivacy until the visitor consents, and the consent must satisfy Art. 4(11) and Art. 7 GDPR: freely given, specific, informed, unambiguous and revocable. National regulators (CNIL in France, AEPD in Spain, Garante in Italy, DSK in Germany) have repeatedly sanctioned publishers that load ad tech tags before consent or use dark patterns in their cookie banners.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Use a Consent Management Platform that is registered with IAB Europe and that passes the TCF v2.2 consent string to Ezoic via __tcfapi. Ezoic must not load behavioural advertising tags before a positive opt in. Provide visitors with a reject all button as prominent as the accept button, a granular per purpose interface for the 11 IAB purposes and the special features, and an easy way to withdraw. Log proof of consent (timestamp, IP, banner version, TC string) and keep it for the limitation period of any related claim, typically at least one year.
Ezoic Inc. is based in the United States and self certifies under the EU US Data Privacy Framework, which currently provides an adequacy basis for transfers from the European Economic Area. EU Standard Contractual Clauses apply as a fallback and for non DPF sub processors. The CJEU Schrems II ruling still requires a Transfer Impact Assessment: assess US surveillance laws (FISA 702, EO 12333), document supplementary measures and verify that each ad tech sub processor offers an equivalent legal basis. Inform users in the privacy notice that data may be transferred to the United States and other third countries.
Sign the Ezoic Data Processing Addendum, list Ezoic and its sub processors in your Art. 30 record, conduct a documented DPIA and a Transfer Impact Assessment, and configure your CMP to block Ezoic scripts before consent. Publish a complete cookie table, a vendors page listing every partner with links to their privacy notices, and clear withdrawal instructions. Re audit the partner list at least every six months because Ezoic frequently adds and removes ad tech vendors. Consider a contextual or cookieless monetisation mode for users who refuse tracking.
Websites using Ezoic must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment under Art. 35 GDPR is strongly recommended for any deployment of Ezoic. The platform performs systematic large scale processing for behavioural advertising, combines numerous identifiers (cookies, fingerprinting signals, IDs from ad partners), transfers data to the United States and to many sub processors, and shares data through the IAB Europe TCF v2.2. The DPIA should assess necessity and proportionality, document Standard Contractual Clauses and the EU US Data Privacy Framework status of each partner, evaluate the risk of profiling for data subjects, and define safeguards such as IP truncation, restricted purposes and short retention.
Sample consent text
We work with Ezoic and its advertising partners to display ads, measure performance and test page layouts. With your consent, Ezoic and the listed partners can store and read cookies and identifiers on your device, build personalised advertising profiles and share data with third parties, including in the United States. You can accept all, reject all non essential, or set your preferences and withdraw consent at any time from our cookie settings link in the footer.
Third-party domains contacted
ezoic.comezoic.netezodn.comezojs.comezoiccdn.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ezosuibasgeneris | Persistent | 1 year | Pseudonymous user identifier used by Ezoic to recognise a visitor across pages and sessions for ad mediation, A/B testing and audience profiling. |
| ezds | Persistent | 1 year | Device session signal storing technical attributes about the visitor device that Ezoic uses to optimise ad delivery and layout tests. |
| ezohw | Persistent | 1 year | Hardware identification cookie storing device hardware characteristics used to classify the visitor for advertising decisions. |
| ezoab | Persistent | 1 year | A/B testing cookie that stores the layout or experience variant assigned to the visitor by Ezoic. |
| ezovuuid | Persistent | 1 year | Unique visitor UUID used for analytics, frequency capping and identity stitching across the Ezoic platform. |
| ezopvc | Persistent | 1 year | Page view counter cookie used by Ezoic Big Data Analytics to measure browsing depth and behavioural patterns. |
| IDE | Persistent | 13 months | Google DoubleClick advertising cookie loaded through Ezoic ad mediation to measure ad effectiveness and serve personalised ads. |
Ezoic places tracking cookies for advertising — comply with GDPR using FlowConsent.
Ezoic sets first party cookies such as ezosuibasgeneris (pseudonymous user ID), ezoab (A/B test variant), ezohw (hardware), ezds (device session), ezovuuid (visitor UUID) and ezopvc (page view counter). Through its ad mediation it also loads third party cookies from Google Ad Manager, OpenX, Magnite, PubMatic, Index Exchange, Criteo, AppNexus and similar partners. Ezoic processes IP addresses, user agent, device characteristics, page URLs, scroll and click events, region, and the IAB TCF v2.2 consent string used by the partners.
Yes. Almost everything Ezoic does (behavioural advertising, A/B testing tied to identifiers, audience profiling, sharing with ad tech partners) falls under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR. Ezoic and its partners must be blocked until the visitor opts in. The consent banner must offer a reject all button as prominent as the accept button, must be granular per purpose and partner, and must allow easy withdrawal. CNIL and AEPD have fined publishers heavily for loading ad tech tags before consent.
For the publisher, the legal basis is consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy for storage and access on the terminal. Ezoic and its ad tech partners typically claim consent and, for some signals, legitimate interest under Art. 6(1)(f) GDPR, but European authorities and the IAB Europe TCF v2.2 itself now require consent for purposes 1 to 4 (storage and access, personalised advertising, profile creation, ad selection). Document the basis in your record of processing and your cookie policy.
Yes. Ezoic Inc. is based in California and operates its core infrastructure in the United States. Personal data is therefore transferred under the EU US Data Privacy Framework where Ezoic is self certified, and otherwise under EU Standard Contractual Clauses. Schrems II requires a Transfer Impact Assessment covering FISA 702 and EO 12333 risks, plus supplementary measures. Many ad tech partners also process data in the United States, the United Kingdom, Singapore and other third countries, so each partner must be checked individually.
A DPIA is strongly recommended and, in most cases, mandatory under Art. 35 GDPR. Ezoic involves systematic and extensive evaluation of personal aspects (profiling), large scale processing for behavioural advertising, combination of multiple identifiers and transfers to third countries. Several supervisory authorities list these criteria as triggers for a DPIA. The DPIA should cover necessity, proportionality, risks for data subjects, supplementary measures for international transfers, and a clear retention policy for each category of data.
Sign the Ezoic Data Processing Addendum, connect a TCF v2.2 registered Consent Management Platform, conduct a DPIA and a Transfer Impact Assessment, and configure the CMP so Ezoic and its partner tags load only after a positive opt in. Publish a complete cookie table and a public vendors list with links to each partner privacy notice. Set short cookie lifetimes where possible, enable IP truncation where the partner allows it, and re audit the active partner list at least every six months.
Lower risk monetisation approaches include contextual advertising platforms such as Seedtag, Adagio, Weborama Contextual, Nexta, or direct deals with EU publishers. EU based ad tech like Smart AdServer (Equativ) and Adverity offer GDPR aligned options. For analytics and A/B testing without third party ad tech, consider Matomo on Premise, Plausible, Fathom or AB Tasty hosted in the EU. None remove the consent obligation, but they significantly reduce the Schrems II exposure and the size of your vendors list.
List every first party Ezoic cookie (ezosuibasgeneris, ezds, ezohw, ezoab, ezovuuid, ezopvc) with purpose and duration, and provide a complete table of third party advertising cookies set by Ezoic partners. Disclose that Ezoic Inc. is based in the United States, that data is transferred under the EU US Data Privacy Framework and Standard Contractual Clauses, and that the partner list can change. Link to Ezoic privacy policy and to your vendors page. Refresh the policy whenever the CMP detects new vendors, at least quarterly.