Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
OneTag is a UK based programmatic advertising platform offering header bidding, supply side and demand side capabilities. It is a registered IAB TCF v2.2 vendor that runs in browser auctions, syncs cookies with DSP partners and shares bid stream data with the broader programmatic ecosystem. As a behavioural advertising vendor, it requires prior consent under the GDPR and the ePrivacy Directive and a properly forwarded TCF consent string.
OneTag is a London based programmatic advertising platform founded in 2017 by ex Yahoo and AppNexus engineers. It offers a header bidding wrapper, an in browser SSP and demand side capabilities, and is registered as IAB TCF v2.2 vendor. Many European publishers rely on OneTag to monetise display, video and native inventory, sometimes inside Prebid configurations alongside other adtech partners.
OneTag sets the onetag_uid cookie on onetag-sys.com (and matching pixels on onetagads.com) for cross site recognition and bid optimisation. During cookie sync calls, partner DSP cookies (Trade Desk, Xandr, OpenX) are also dropped, and the IAB TCF and Additional Consent strings are read from the publisher CMP.
OneTag and its DSP partners process IP addresses, device identifiers, advertising IDs and inferred interests, all of which are personal data. Article 5(3) ePrivacy requires prior consent before any cookie is read or written, and the Belgian APD ruling on the IAB TCF (2022) confirmed that publishers participating in TCF auctions are joint controllers with their adtech partners.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the OneTag wrapper through your CMP until the visitor accepts the marketing category. Use a TCF v2.2 certified CMP, ensure OneTag is listed as a vendor and that the consent string is forwarded with every auction call. If consent is refused, the wrapper must not run or must run in a strictly cookieless mode without bid stream data sharing.
Bid stream data is shared with DSPs, many of them established in the United States. OneTag itself is established in the UK (covered by the EU UK adequacy decision) and runs production in EU and US regions. US transfers to DSPs rely on the EU U.S. Data Privacy Framework or Standard Contractual Clauses, listed in the OneTag vendor sheet.
Sign the OneTag DPA, gate the wrapper on the TCF consent signal, document OneTag and its DSP partners in your records of processing, formalise the joint controllership under Article 26 GDPR, set retention on bid logs and update the privacy policy with the list of programmatic vendors.
Websites using OneTag must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because OneTag enables real time auctions involving large numbers of DSPs, transfers bid stream data to third countries and uses unique identifiers across publishers. The Belgian APD ruling on the IAB TCF directly affects this kind of vendor.
Sample consent text
We use OneTag for programmatic advertising. With your consent, OneTag and its DSP partners may store advertising cookies on your device, build profiles of your interests and transfer bid stream data to partners established in the United States and other countries. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
onetag-sys.comonetagads.comcdn.onetag-sys.comsync.onetag-sys.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| onetag_uid | third_party | 13 months | Persistent identifier set on onetag-sys.com to recognise the visitor across publishers and optimise programmatic bids. |
| onetag_sid | third_party | session | Session identifier used by OneTag to correlate page views and auctions during the same browsing session. |
| onetag_sync | third_party | 90 days | Records the cookie sync state with partner DSPs to avoid repeating the synchronisation calls on every page view. |
OneTag places tracking cookies for advertising — comply with GDPR using FlowConsent.
OneTag sets the onetag_uid third party cookie on onetag-sys.com for cross site recognition, plus partner DSP cookies (Trade Desk, Xandr, OpenX) during cookie sync calls.
Yes. OneTag is a registered IAB TCF v2.2 vendor performing behavioural advertising; prior, specific and informed consent is required under Article 5(3) ePrivacy and Article 6(1)(a) GDPR before any auction is fired.
Consent is the only suitable legal basis. The Belgian APD ruling on the IAB TCF expressly rejected legitimate interests for cross site programmatic advertising.
Yes. Bid stream data is shared with DSPs based in the United States and other countries. Transfers rely on the EU U.S. Data Privacy Framework or Standard Contractual Clauses listed in the OneTag vendor sheet.
A DPIA is recommended due to the scale of programmatic auctions, the data sharing with multiple DSPs and the use of unique identifiers. The joint controllership with OneTag and its partners must also be assessed.
Sign the OneTag DPA, gate the wrapper on the TCF signal, document the joint controllership under Article 26 GDPR, set retention on bid logs and update the privacy policy with the vendor list.
Other header bidding wrappers include Prebid.js native, OpenWrap (PubMatic), Sovrn or simply direct Google Ad Manager auctions. Privacy first alternatives include contextual ad servers like Kevel.
Add a section that names OneTag, lists the cookie onetag_uid with purpose and duration, mentions the cookie sync with DSP partners and discloses the transfers to United States based partners.