Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Index Exchange is a Canadian supply side platform (SSP) headquartered in Toronto, founded in 2003 (originally as Casale Media). It runs an open ad exchange that connects publisher inventory with demand side platforms via OpenRTB. Index sets advertising cookies (CMID, CMPS, CMPRO) on casalemedia.com, participates in real time bid auctions, and is a registered vendor in the IAB Europe TCF v2.2 framework. Because it powers programmatic advertising, EU traffic deployments require explicit consent under the GDPR and the ePrivacy Directive.
Index Exchange is one of the largest independent supply side platforms (SSPs) in programmatic advertising. Headquartered in Toronto, Canada, it was founded in 2003 (originally as Casale Media), which is why its cookies still live on the casalemedia.com domain. It serves thousands of publishers worldwide and processes hundreds of billions of bid requests per day.
On publisher websites, Index Exchange is typically integrated via Prebid.js or via a direct tag. Once loaded, it sends bid requests through OpenRTB to demand side platforms and returns winning creative for ad rendering.
Each bid request includes the IP address, User Agent, page URL, page metadata, approximate geolocation, viewport size, ad slot information, the user advertising identifier (CMID), and the TCF v2.2 consent string. Audience segment IDs, content categories, and authenticated user identifiers (UID 2.0, ID5, RampID) may also be transmitted depending on the publisher configuration.
Cookies on casalemedia.com are: CMID (persistent advertising identifier, 1 year), CMPS (sync state, 30 days), CMPRO (preferences, 1 year), CMRUM (real user monitoring). All are third party cookies and are used across the network of Index Exchange partners.
Index Exchange is registered in the IAB Europe TCF v2.2 Global Vendor List. Publishers must transmit a valid TC string with consented purposes 1 to 4 and 7 to 10. Without these purposes consented, Index Exchange must not be loaded or sent bid requests.
The Belgian DPA decision against IAB Europe and the CJEU ruling C 252/21 against legitimate interest for behavioural advertising both apply. Consent is the only safe basis for the audience targeting purposes powered by Index Exchange.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Index Exchange Inc. is a Canadian controller. Canada has a partial EU adequacy decision (PIPEDA, 2001), so EU to Canada transfers do not require additional safeguards for commercial entities covered by PIPEDA. However, Index Exchange routinely sends bid stream data to US based DSPs and partners, which then triggers SCCs and a Transfer Impact Assessment.
List Index Exchange and its downstream DSP recipients in your privacy notice. The TCF v2.2 vendor list helps but is not a substitute for a publisher specific record.
A DPIA is generally required given the systematic monitoring and large scale profiling. It must address the audience categorisation (special category content under Art. 9 GDPR), the OpenRTB fan out, vendor list governance, retention, and any automated decisions triggered by bid outcomes (Art. 22 GDPR).
Recent enforcement and supervisory authority guidance (CNIL, ICO, AEPD) place clear responsibility on the publisher for the full chain, not only for the immediate processor.
Register Index Exchange in your TCF v2.2 CMP. Sign the Index Exchange DPA. Defer casalemedia.com requests until explicit consent. Audit your Prebid configuration to restrict bidders. Document Index Exchange in your privacy notice, including the Canada and US transfer chain.
Implement Global Privacy Control handling and ad slot level consent in Prebid. Exclude Index Exchange entirely on sensitive content pages. Review the configuration and the DPIA at least annually.
Websites using Index Exchange must obtain user consent under GDPR regulations.
DPIA considerations
Index Exchange is a high impact SSP in the programmatic advertising chain. Key DPIA considerations: (1) every bid request includes IP, User Agent, page URL, geolocation, audience segment IDs, and the advertising cookie value, all broadcast to DSPs in real time; (2) the casalemedia.com cookies enable cross site advertising profiling for the duration of the cookie (typically 30 days to 1 year); (3) Canada benefits from EU adequacy, but Index Exchange routinely transfers data to US partners under SCCs and the EU US DPF; (4) audience segments may reflect sensitive content categories (Art. 9 GDPR), requiring explicit consent or exclusion; (5) the Belgian DPA ruling on TCF and CNIL enforcement against ad bid stream practices both apply; (6) automated bid decisions can fall within Art. 22 GDPR scope.
Sample consent text
We use Index Exchange to monetise our advertising inventory through real time auctions. With your consent, Index Exchange sets cookies on casalemedia.com (CMID, CMPS, CMPRO) and shares bid request data with our demand partners. This data is processed on Index Exchange infrastructure in Canada and the United States. You can refuse advertising in our consent banner.
Third-party domains contacted
casalemedia.comas.casalemedia.comssum-sec.casalemedia.comindexexchange.comjs-sec.indexww.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CMID | Marketing | 1 year | Persistent advertising identifier set by Index Exchange on the casalemedia.com domain. Used to recognise visitors and participate in real time bidding. |
| CMPS | Marketing | 30 days | Tracks cookie sync state between Index Exchange and other adtech vendors. |
| CMPRO | Marketing | 1 year | Stores Index Exchange visitor preferences for advertising and frequency capping. |
| CMRUM3 | Analytics | 1 year | Real user monitoring identifier used by Index Exchange to measure technical performance of the ad serving stack. |
Index Exchange places tracking cookies for advertising — comply with GDPR using FlowConsent.
Index Exchange writes third party cookies on casalemedia.com: CMID (persistent advertising identifier, ~1 year), CMPS (cookie sync state, 30 days), CMPRO (preferences, ~1 year), and CMRUM (real user monitoring). All are advertising / marketing cookies and require consent.
Yes for any EU deployment. Index Exchange cookies and the OpenRTB bid request require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG. The CMP must transmit a TCF v2.2 TC string with the correct purposes consented before any casalemedia.com call.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is not available for behavioural advertising after CJEU C 252/21 and EDPB guidance. The TCF v2.2 vendor declaration must match the actual processing.
Yes. Index Exchange is Canadian, so EU Canada transfers are covered by the EU adequacy decision for Canada (PIPEDA). However, bid stream data is routinely forwarded to US based DSPs and partners, which requires SCCs and a Transfer Impact Assessment.
Yes, in most publisher deployments. The DPIA must address audience categorisation (avoiding Art. 9 content without consent), the OpenRTB fan out, vendor list governance, retention, and Art. 22 GDPR considerations for automated bidding.
Register Index Exchange as a vendor in your TCF v2.2 CMP. Sign the Index Exchange DPA. Defer casalemedia.com calls until consent. Restrict your Prebid bidder list. Document the full chain in your privacy notice. Implement Global Privacy Control handling.
Other SSPs: Magnite, PubMatic, OpenX, Sovrn, Google Ad Manager, Xandr (Microsoft). EU based SSPs: Adform (Denmark), Smartclip, Equativ (Smart AdServer, France). Index Exchange differentiator is the independence (not tied to a single tech giant) and the strong header bidding posture.
List the Index Exchange cookies (CMID, CMPS, CMPRO, CMRUM) with provider (Index Exchange Inc., Canada), purpose (programmatic advertising and audience matching), lifetime, and category (Marketing). Disclose the Canada and US transfer chain, the TCF v2.2 vendor registration, and the link to the Index Exchange privacy policy.