Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Mediavine is a full service advertising management company that helps content publishers monetise their websites through display, video and native ads. The platform deploys a JavaScript wrapper, runs header bidding auctions across many Supply Side Platforms and Demand Side Platforms, sets first and third party cookies and fires tracking pixels. Because Mediavine orchestrates a wide bid stream, it qualifies as a tracking technology under the ePrivacy Directive and as a personal data joint controller under the GDPR.
Mediavine is a managed advertising platform that helps content publishers, primarily food, lifestyle and travel bloggers, monetise their websites through display, video and native ads. The product injects a JavaScript wrapper that orchestrates header bidding across multiple Supply Side Platforms, integrates with Google Ad Manager and provides analytics dashboards for publishers.
When the Mediavine wrapper loads, it sets a Mediavine first party identifier cookie and triggers cookie syncs with dozens of partner SSPs and DSPs, each of which may set its own third party cookie. The platform collects the IP address, the user agent, the page URL, viewport metrics, ad placement performance and the bid responses. Through partners, the bid stream may also include precise geolocation if the publisher allows it.
Mediavine writes and reads identifiers on the user device, which falls within Article 5(3) of the ePrivacy Directive. Prior, free, specific, informed and unambiguous consent is required before the wrapper loads. Because the bid stream involves many vendors, the publisher must use a CMP certified for IAB TCF v2.2, allow the user to choose granular purposes and vendors and pass the resulting TC string to Mediavine. The publisher and Mediavine are likely joint controllers for the audience flows.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Mediavine is based in the United States and most of its bidding partners are also US based. Personal data is therefore transferred to the United States and to other third countries. The transfer relies on the EU US Data Privacy Framework when partners are certified, otherwise on Standard Contractual Clauses combined with a Transfer Impact Assessment. Publishers must inform users of these transfers in the privacy notice and document them in their record of processing activities.
Block the Mediavine wrapper until consent is granted, deploy a CMP certified for IAB TCF v2.2 with a granular vendor and purpose chooser, sign the joint controllership agreement and SCCs proposed by Mediavine, document the integration in your record of processing activities and your privacy notice, and configure the Mediavine dashboard to disable any non essential ad partner where consent is unlikely to be granted in your audience.
Contextual ad networks, EU based monetisation platforms that limit the bid stream to consented vendors, direct sponsorships and affiliate programmes are alternatives that reduce dependence on cross site cookies and on US transfers, lowering the GDPR risk profile.
Websites using Mediavine must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Mediavine orchestrates a wide bid stream involving dozens of SSP and DSP partners, performs cross site profiling, transfers personal data to the United States and to numerous third country recipients. The DPIA must address the legal basis, the data flows through OpenRTB, the role of Mediavine and each partner as joint controller or processor, the SCC framework and the safeguards against access by US authorities.
Sample consent text
We use Mediavine to monetise our content through advertising. Mediavine and its advertising partners store cookies on your device, share pseudonymous identifiers through real time bidding and transfer personal data to the United States. You can accept, refuse or withdraw your consent at any time in our privacy preferences.
Third-party domains contacted
mediavine.comscripts.mediavine.comstatic.mediavine.comanalytics.mediavine.comvideo.mediavine.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _mv_uid | first_party | 13 months | Pseudonymous Mediavine user identifier used to recognise the device and stitch sessions for advertising attribution. |
| mv_session | first_party | Session | Short lived session cookie used to scope the current advertising session on the publisher domain. |
| mv_consent | first_party | 12 months | Stores the user consent state and the IAB TCF v2.2 TC string forwarded to bidding partners. |
| _pubcid | first_party | 13 months | Shared publisher common ID used by the Prebid header bidding wrapper for cross site identification within the bid stream. |
Mediavine places tracking cookies for advertising — comply with GDPR using FlowConsent.
Mediavine sets a first party identifier cookie scoped to the publisher domain and triggers cookie syncs with dozens of partner SSPs and DSPs, each of which sets its own third party cookie holding a pseudonymous identifier. Typical lifetimes range from the browsing session up to 13 months. The exact list depends on the configured ad partners and should be audited via browser developer tools and the Mediavine vendor list.
Yes. The Mediavine wrapper writes and reads identifiers on the user device and triggers numerous third party cookie syncs, all of which require prior, free, specific, informed and unambiguous consent under Article 5(3) of the ePrivacy Directive. The signal must be passed to Mediavine through the IAB TCF v2.2 TC string.
The legal basis is consent under Article 6(1)(a) GDPR. Legitimate interest cannot be relied on for advertising and audience profiling in this context. Consent must be granular per purpose and per vendor and recorded in a TC string forwarded to Mediavine and its partners.
Yes. Mediavine is a US company and most of its bidding partners are also US based. Personal data is transferred to the United States and to other third countries. Transfers rely on the EU US Data Privacy Framework when partners are certified and on Standard Contractual Clauses with a Transfer Impact Assessment otherwise.
Yes. The processing scores high on multiple criteria from the European Data Protection Board guidelines: large scale processing, systematic monitoring, automated decisions in bid logic, profiling and international transfers. A DPIA is therefore mandatory under Article 35 GDPR.
Block the Mediavine wrapper by default, deploy a CMP certified for IAB TCF v2.2 with a granular vendor and purpose chooser, sign the joint controllership agreement and SCCs proposed by Mediavine, document the integration in the privacy notice and the record of processing activities, and disable non essential ad partners through the Mediavine dashboard.
Contextual ad networks, EU based monetisation platforms that limit the bid stream to consented vendors, direct sponsorships and affiliate programmes are alternatives that reduce the reliance on cross site cookies and on US transfers, lowering the GDPR risk profile.
List the Mediavine first party cookie and link to the dynamic vendor list maintained by Mediavine in the cookie policy, with provider, purpose and retention. Mention the role of the IAB TCF, the bid stream and the transfer to the United States. Increment the policy version and prompt for fresh consent so that prior consent is renewed against the new processing.