Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Magnite is a major US-based Supply Side Platform (SSP) in programmatic advertising, formed by the merger of Rubicon Project and Telaria. It sells publisher ad inventory through real-time bidding (RTB), connected TV (CTV) and audio channels, sets identity cookies and participates in the IAB TCF 2.2 vendor list.
Magnite is a US-headquartered Supply Side Platform (SSP) created from the 2020 merger of Rubicon Project and Telaria. It connects publishers (websites, mobile apps, CTV channels, audio streams) with thousands of demand sources (DSPs, ad networks, agencies) through real-time bidding (RTB) auctions based on the OpenRTB protocol. When a user loads a page or starts a video, Magnite receives a bid request enriched with identifiers (cookies, device IDs, IP-derived signals), broadcasts it to bidders, and returns a winning creative within milliseconds.
Magnite processes a broad range of personal data: pseudonymous identifiers stored in cookies (uids, khaos, kuid), IP addresses, user agent strings, device fingerprints, geolocation derived from IP, page URL and referrer, ad interaction events, viewability metrics and signals from identity solutions such as Unified ID 2.0 or RampID. In CTV environments it also processes IFA (advertising IDs) and content metadata. This data is shared with downstream DSPs and partners participating in the auction.
Because Magnite relies on access to and storage of information on the user terminal (cookies, local storage), Article 5(3) of the ePrivacy Directive requires prior informed consent. The lawful basis under Article 6 GDPR for the subsequent processing is consent (Article 6(1)(a)), satisfying the conditions of Article 7 GDPR (freely given, specific, informed, unambiguous, demonstrable, easy to withdraw). Magnite is registered as a vendor in the IAB Transparency and Consent Framework (TCF) 2.2 and expects publishers to deliver a valid TC String alongside each bid request.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Magnite is headquartered in New York with infrastructure in the United States. Transfers from the EEA to the US rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Following the Schrems II ruling (CJEU C-311/18), controllers must conduct a Transfer Impact Assessment evaluating the risk of access by US public authorities under FISA 702 and Executive Order 12333, and implement supplementary measures where necessary. The downstream vendor chain in RTB further multiplies transfer risks.
The EDPB and national authorities (CNIL, Belgian APD, ICO) have repeatedly flagged systemic compliance issues with RTB: lack of granular control over the downstream chain, difficulty exercising data subject rights, and concerns about the validity of TCF-based consent (Belgian APD decision 21/2022 against IAB Europe). Recommended safeguards include strict consent gating before any call to Magnite, server-side bid filtering, contractual controls over downstream partners, short data retention, frequent vendor list reviews, accessible withdrawal of consent and clear user information about the chain of recipients.
Websites using Magnite must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is strongly recommended before deploying Magnite. Programmatic advertising involves large-scale processing of identifiers, real-time bidding broadcasts to many adtech vendors, cross-site tracking, identity resolution, profiling under Article 22 GDPR, and US transfers subject to Schrems II. The EDPB has repeatedly warned about the systemic risks of RTB. Controllers must document legal basis (consent under Article 7 GDPR), assess proportionality, implement Transfer Impact Assessments, and review the full downstream vendor chain.
Sample consent text
We use Magnite, a Supply Side Platform, to sell advertising space on this site through real-time bidding. Magnite and its downstream partners may set identifiers on your device, build advertising profiles and transfer data to the United States. With your consent, this includes sharing identifiers and browsing signals via the IAB TCF 2.2 framework. You can accept, refuse or customise your choices at any time.
Third-party domains contacted
magnite.comrubiconproject.comfastlane.rubiconproject.comeus.rubiconproject.compixel.rubiconproject.comoptimized-by.rubiconproject.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| khaos | third_party | 12 months | Primary Magnite identifier cookie set on rubiconproject.com to identify the browser across publishers participating in Magnite supply, used for ad selection, frequency capping and reporting in RTB. |
| uids | third_party | 12 months | Stores synced user IDs from partner DSPs and identity providers (Unified ID 2.0, RampID, etc.) to enable cookie syncing between Magnite and demand-side platforms during real-time bidding. |
| put_xxxx | third_party | 30 days | Partner-specific user-sync cookies (one per DSP) created during pixel-based cookie matching to map Magnite identifiers to DSP identifiers for cross-platform bidding. |
| rpb | third_party | 90 days | Behavioural and frequency-capping cookie used by Magnite to limit repeated exposure of the same creative and to support audience segmentation features. |
| rpx | third_party | 90 days | Auxiliary identifier and bid-routing cookie used by Magnite Exchange to optimise auction routing and improve match rates between supply and demand partners. |
| lang | third_party | 12 months | Stores language and locale preferences detected from the browser to localise creatives and adapt bid responses across Magnite-served regions. |
| csrf_token | third_party | Session | Security cookie issued by Magnite domains to prevent cross-site request forgery on its internal endpoints and partner-facing APIs. |
Magnite places tracking cookies for advertising — comply with GDPR using FlowConsent.
Magnite is a US-based Supply Side Platform (SSP) that lets publishers (websites, mobile apps, CTV channels, audio streams) sell their advertising inventory programmatically through real-time bidding. It was formed by the merger of Rubicon Project and Telaria and is one of the largest independent SSPs.
Yes. Because Magnite stores and reads identifiers on the user terminal and processes personal data for advertising profiling, Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR require prior, freely given, specific, informed and unambiguous consent, satisfying Article 7 GDPR. Consent must be collected via a TCF 2.2-compliant CMP before any Magnite call.
Magnite processes pseudonymous identifiers (cookies such as uids, khaos, kuid), IP address, user agent, device characteristics, IP-derived geolocation, page URL and referrer, ad interaction and viewability signals, and identifiers from solutions such as Unified ID 2.0 or RampID. In CTV environments it also processes advertising IDs (IFA).
Yes. Magnite is headquartered in the United States and transfers data to US infrastructure as well as to a global chain of adtech vendors. Transfers rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. A Transfer Impact Assessment is required after the Schrems II ruling (CJEU C-311/18).
Magnite identity cookies typically have lifetimes between several days and 12 months (for example uids and khaos around 12 months). Bid request data is retained for short periods for billing and fraud purposes. Controllers should configure retention according to documented purposes and the principle of storage limitation under Article 5(1)(e) GDPR.
Main risks include large-scale broadcasting of personal data through the RTB chain, loss of control over downstream recipients, US transfers under Schrems II, profiling under Article 22 GDPR, difficulty exercising data subject rights, and consent integrity issues highlighted by the Belgian APD decision 21/2022 against IAB Europe.
Users can withdraw consent at any time via the CMP, which signals Magnite and downstream vendors. They can also contact Magnite directly through its privacy portal to exercise access, rectification, erasure, restriction, portability and objection rights. The publisher remains responsible for facilitating these rights as joint or independent controller depending on the configuration.
Publishers should implement strict consent gating, a certified TCF 2.2 CMP, server-side bid filtering, contractual safeguards with Magnite and downstream partners, a documented Transfer Impact Assessment, a Data Protection Impact Assessment, regular vendor list reviews, minimal data sharing, and clear user-facing information on the recipient chain.