Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Google Publisher Tag (GPT) is the JavaScript ad serving library that publishers use to request and display ads from Google Ad Manager. It sets third party advertising cookies on doubleclick.net and exchanges identifiers with Google for behavioural targeting, frequency capping and reporting, which makes it a clear cookie consent target under the GDPR and the ePrivacy Directive.
Google Publisher Tag (GPT) is the JavaScript library that publishers add to their pages to request and render ads served by Google Ad Manager. The script is loaded from googletagservices.com, defines ad slots on the page and asks the Google ad server which creative to display. GPT is the technical foundation of programmatic monetisation for thousands of European publishers and is therefore one of the most common third party tags subject to cookie law.
When ads are requested through GPT, Google sets several advertising cookies, including IDE on doubleclick.net, test_cookie for browser support detection, NID on google.com and the publisher side identifiers _gads and _gpi. These cookies are used for behavioural targeting, frequency capping, conversion measurement and fraud prevention. They are not strictly necessary to deliver the page and they fall squarely within the scope of Article 5(3) of the ePrivacy Directive.
GPT processes IP addresses, device identifiers and browsing behaviour, all of which qualify as personal data under the GDPR. Several European supervisory authorities (CNIL, Garante, AEPD, BfDI) have repeatedly ruled that ad tech setups based on Google Ad Manager require prior, specific and informed consent. Personalised advertising, audience segments and remarketing add a further layer of profiling that needs an explicit legal basis.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
GPT must be blocked until the user has expressed a positive consent signal. Practically, the script tag should not be loaded before the consent management platform has fired its consent event. Publishers monetising with Google Ad Manager are also required to use a Google certified CMP and to forward the IAB TCF v2.2 consent string. If consent is refused, GPT can still serve non personalised ads via the npa=1 parameter, provided no advertising cookies are written without consent.
GPT ad requests are routed to Google LLC infrastructure in the United States. Google self certifies under the EU U.S. Data Privacy Framework, which provides a legal mechanism for the transfer, but the website remains responsible for documenting the transfer in its records of processing and informing visitors in the privacy policy.
Block the GPT script in your tag manager until the visitor accepts the advertising category. List Google Ad Manager and its sub processors in your privacy notice, classify the cookies in the consent banner with their real lifetime, and refresh the consent string when preferences change. Document the legal basis, the retention periods and the data transfers in your records of processing under Article 30 GDPR.
Websites using Google Publisher Tag must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when GPT is used together with personalised advertising, audience segments or remarketing, because of large scale behavioural profiling, transfers to the United States and the use of unique advertising identifiers.
Sample consent text
We use Google Publisher Tag and Google Ad Manager to display ads. With your consent, Google may store and read advertising cookies on your device, build profiles of your interests across websites and transfer data to Google LLC in the United States. You can refuse or withdraw consent at any time from the cookie settings.
Third-party domains contacted
securepubads.g.doubleclick.netgoogletagservices.comdoubleclick.netgoogleads.g.doubleclick.netpagead2.googlesyndication.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDE | third_party | 13 months | Set on doubleclick.net for behavioural targeting, ad performance measurement and frequency capping in Google Ad Manager. |
| test_cookie | third_party | 15 minutes | Set on doubleclick.net to verify that the browser supports cookies before serving an ad. |
| NID | third_party | 6 months | Set on google.com to store user preferences for Google ads and personalisation. |
| gads | first_party | 13 months | Set on the publisher domain to deliver and measure ads served through Google Ad Manager. |
| gpi | first_party | 13 months | Set on the publisher domain to support ad personalisation and identify the user across pages. |
Google Publisher Tag places tracking cookies for advertising — comply with GDPR using FlowConsent.
GPT itself does not directly set cookies, but the ad requests it triggers cause Google Ad Manager to set IDE on doubleclick.net, test_cookie for browser detection, NID on google.com and the publisher side _gads and _gpi cookies used for ad delivery, frequency capping and personalisation.
Yes. GPT loads advertising cookies that are not strictly necessary, so prior, specific and informed consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR before any ad request is fired.
The only suitable legal basis is consent. Legitimate interests cannot be used because the processing involves cross site tracking, behavioural profiling and transfers to the United States, which require an opt in under EU data protection law.
Yes. Ad requests, IP addresses and device identifiers are transferred to Google LLC in the United States. Google self certifies under the EU U.S. Data Privacy Framework, which is the current legal mechanism, but the transfer must still be disclosed in your privacy policy.
A DPIA is recommended whenever GPT is combined with personalised advertising, audience segments or remarketing, because of the large scale behavioural profiling, the use of unique advertising identifiers and the systematic monitoring of visitors.
Block the GPT script through your tag manager until consent is captured, use a Google certified CMP, forward the IAB TCF v2.2 string, classify the cookies in your banner with their real lifetime and document the processing in your records of processing.
Privacy friendlier options include contextual ad servers (Kevel, Ad Plugg), open source ad servers like Revive, or first party direct campaigns served from your own backend, although none provides the same auction depth as Google Ad Manager.
Add a section to the policy that names Google Publisher Tag and Google Ad Manager, lists the cookies (IDE, test_cookie, NID, _gads, _gpi) with purpose and duration, mentions the transfer to Google LLC in the United States and links to Google's privacy policy.