Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
OpenX is one of the world's largest independent Supply Side Platforms (SSPs) for programmatic advertising, headquartered in Pasadena California. Publishers integrate OpenX through a header bidding tag (Prebid.js wrapper or direct OpenX tag) to expose their inventory to demand side platforms. OpenX sets cookies for cross site audience reach, frequency capping and reporting. It is registered as IAB Europe TCF v2.2 Vendor ID 69 and requires consent under GDPR and ePrivacy.
OpenX is a Supply Side Platform (SSP) and ad exchange, operated by OpenX Software Ltd. with headquarters in Pasadena California. Founded in 2008 and one of the largest independent SSPs in the world, OpenX runs server side real time auctions in which publishers expose their advertising inventory to demand side platforms (DSPs), agency trading desks and ad networks. Publishers integrate OpenX through Prebid.js header bidding wrappers, the OpenX RTB tag, or server side header bidding (Prebid Server). OpenX is registered as IAB Europe TCF v2.2 Vendor ID 69.
For each ad request, OpenX receives the visitor''s IP address, user agent, page URL, referrer, device type, viewport, time zone, language, the IAB TCF v2.2 consent string and any user IDs propagated by the publisher (Unified ID 2.0, ID5, LiveRamp ATS, etc.). OpenX writes cookies on the openx.net and op-mobile-ads.com domains including i (OpenX visitor ID, 1 year lifetime), mt_mop (multi touch frequency capping), OX_u (audience graph segments) and OX_sd (subdomain mapping). The full bid request payload is broadcast to dozens of demand side platforms simultaneously, expanding the personal data audience considerably.
Because OpenX writes persistent cookies and processes personal data for advertising, ePrivacy Art. 5(3) requires prior informed consent before the OpenX tag may run. Under the GDPR, consent under Art. 6(1)(a) is the appropriate basis. Publishers using OpenX must rely on a TCF v2.2 CMP that gates Vendor 69 behind the granted purposes, and they should configure the bidding workflow so that no bid requests are issued before consent. The Belgian APD ruling on IAB Europe TCF applies to OpenX by extension, and operators should follow the IAB Europe Action Plan compliance updates.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
OpenX maintains an audience graph that links the OpenX cookie ID with third party DSP and DMP identifiers, enabling cross site retargeting and audience extension. The graph is processed primarily on US infrastructure. EU publishers should treat this as a high risk processing activity, with the relevant transfer mechanism (DPF or SCCs) and a Schrems II Transfer Impact Assessment. Cookieless alternatives such as Google''s Topics API and pure contextual targeting are gaining adoption but are not a default in OpenX.
Client side header bidding via Prebid.js loads OpenX tags directly in the visitor''s browser. Server side header bidding via Prebid Server moves the bid logic to the operator''s backend, which reduces client side cookie reliance but does not eliminate the personal data sharing with OpenX (IP, page context, identifiers). Both modes require consent. Operators should pick the mode that best balances revenue, latency and privacy risk.
Configure the publisher CMP so OpenX (TCF Vendor 69) fires only with the granted purposes. Sign the OpenX DPA and SCCs. Run a Transfer Impact Assessment addressing US CLOUD Act and FISA 702 exposure. Document OpenX in the record of processing, including the cookies, the bid request data, the legal basis and the transfer mechanism. List OpenX cookies in the cookie policy under marketing/advertising. Use server side header bidding if it fits the architecture, and consider gradually reducing reliance on user level identifiers in favour of contextual signals.
Websites using OpenX must obtain user consent under GDPR regulations.
DPIA considerations
OpenX writes the i, mt_mop, OX_u, ox_dpid and OX_sd cookies on openx.net and op-mobile-ads.com domains for visitor identification, frequency capping and audience segments. DPIA considerations: (1) the cookies are persistent online identifiers and personal data under the GDPR; (2) OpenX runs server side ad auctions that broadcast the visitor's IP, page URL, referrer, user agent, device type and TCF consent string to demand side platforms, expanding the data exposure significantly beyond OpenX itself; (3) OpenX is a US company with US CLOUD Act exposure, even though EU edges handle the bidding latency; (4) audience graph reconciliation happens on US infrastructure; (5) the Belgian APD ruling on IAB Europe TCF and ongoing EDPB scrutiny apply to OpenX as a TCF vendor. A DPIA is strongly recommended for publishers integrating OpenX, particularly when combined with multiple SSPs and DMPs.
Sample consent text
We use OpenX (OpenX Software Ltd., Pasadena California) as a Supply Side Platform to sell our advertising inventory to demand side bidders. OpenX places cookies on your device for cross site advertising reach, frequency capping and reporting. Personal data is transferred to OpenX in the United States. We rely on your consent expressed through our IAB TCF v2.2 banner (OpenX vendor ID 69), which you can withdraw at any time via our cookie settings.
Third-party domains contacted
openx.netus-u.openx.neteu-u.openx.netop-mobile-ads.comrtb.openx.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| i | Marketing / Advertising | 1 year | Set by OpenX on the openx.net domain. The OpenX visitor identifier (UID) used to recognise the same browser across sites in the OpenX network for cross site audience reach and frequency capping. |
| mt_mop | Marketing / Advertising | 13 months | Set by OpenX. Multi touch frequency capping cookie that tracks how many times the same visitor has been exposed to a given campaign across publishers. |
| OX_u | Marketing / Advertising | 1 year | Set by OpenX. Stores compact audience graph segment memberships used by OpenX campaigns for targeting without sending the full segment list to the page. |
| OX_sd | Marketing / Advertising | 1 year | Set by OpenX. Subdomain mapping cookie used to synchronise the OpenX identifier with publisher subdomains and to manage cross publisher session state. |
| ox_dpid | Marketing / Advertising | 1 year | Set by OpenX during data partner ID syncing. Maps the OpenX cookie ID to third party data provider identifiers so that audience segments can be reused across platforms. |
OpenX places tracking cookies for advertising — comply with GDPR using FlowConsent.
OpenX writes the i cookie (OpenX visitor ID, 1 year), mt_mop (multi touch frequency capping), OX_u (audience graph segments), OX_sd (subdomain mapping) and ox_dpid on the openx.net and op-mobile-ads.com domains. The cookies are persistent online identifiers used for cross site audience reach and reporting.
Yes. OpenX is IAB Europe TCF v2.2 Vendor ID 69. The cookies it sets are not strictly necessary, so ePrivacy Art. 5(3) requires prior informed consent. The publisher CMP must gate OpenX behind the granted TCF purposes.
Consent (GDPR Art. 6(1)(a)). OpenX declares legitimate interest under TCF for some processing, but the safer interpretation under EDPB and CNIL guidance is to rely on consent for all advertising activities.
Yes. OpenX Software Ltd. is a US company, with US primary processing for identity graph and reporting. OpenX self certifies under the EU US Data Privacy Framework and offers SCCs. A Transfer Impact Assessment is required, particularly because of US CLOUD Act and FISA 702 exposure.
A DPIA is strongly recommended for publishers using OpenX. The processing combines persistent online identifiers, cross site audience graph reconciliation, broadcasting of personal data to many DSPs and US data transfer. All four factors are flagged by EDPB guidance as high risk.
Configure the publisher CMP so OpenX (TCF Vendor 69) fires only with granted purposes. Sign the OpenX DPA and SCCs. Run a Transfer Impact Assessment. Document OpenX in the record of processing. List OpenX cookies in the cookie policy. Consider server side header bidding via Prebid Server to reduce client side cookie reliance, and evaluate cookieless contextual strategies.
Other SSPs include Magnite/Rubicon (US), Xandr (Microsoft), PubMatic (US), Index Exchange (Canada/US), Equativ (formerly Smart AdServer, France), Criteo Direct Bidder, and the Google Ad Manager SSP. EU based alternatives like Equativ offer EU primary data processing and TCF support.
List the OpenX cookies (i, mt_mop, OX_u, ox_dpid, OX_sd) under marketing/advertising. Name OpenX Software Ltd. (Pasadena California) as a recipient and reference the IAB TCF v2.2 vendor ID 69. Disclose the US transfer with the appropriate mechanism (EU US Data Privacy Framework or SCCs). Provide a withdrawal link that reopens the consent banner.