Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Permutive is a UK based audience and data platform that lets publishers and advertisers build first party data segments, target advertising, and activate audiences across the open web without relying on third party cookies. Its core differentiator is edge computing: audience computation happens in the browser, reducing the amount of personal data sent to the cloud. Because Permutive supports advertising and audience profiling, deploying it on EU traffic requires explicit consent under the GDPR, the ePrivacy Directive, and the IAB TCF v2.2 framework.
Permutive is an audience and data platform founded in 2014 and headquartered in London. It is used primarily by digital publishers (BBC, Penske Media, News Corp, BuzzFeed) and brand advertisers to build first party data segments, activate audiences on the open web, and monetise inventory in a privacy first way after the deprecation of third party cookies.
The core architectural choice is edge computing: a JavaScript SDK runs in the browser and computes audience segments locally, sending only aggregated or pseudonymised signals to Permutive cloud. This reduces both bandwidth and the volume of raw personal data leaving the device.
Permutive processes the visitor IP (for geolocation and abuse prevention), browser User Agent, page URL, content metadata, search keywords, dwell time, scroll depth, click events, and any custom events sent by the publisher. Optionally, identifiers from authenticated logins (hashed emails, customer IDs) can be passed to enrich segments.
Cookies and localStorage are used to persist the visitor identifier and segment memberships across sessions, typically for 1 year. The Permutive ID is shared with downstream adtech partners through standard identifier graphs.
Permutive is registered as a vendor in the IAB Europe Transparency and Consent Framework (TCF) v2.2. Publishers must transmit a valid TC string with the appropriate purposes consented (typically purposes 1 to 4, 7 to 10, plus the legitimate interest purposes the vendor declares). The vendor configuration in your CMP must include Permutive explicitly.
Per the CJEU ruling in C 252/21 (Meta v. Bundeskartellamt) and recent EDPB guidance, legitimate interest is not a defensible basis for advertising profiling. Consent is the only safe Art. 6 GDPR basis for the advertising and audience activation purposes powered by Permutive.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Permutive Ltd is a UK controller. The UK benefits from the EU adequacy decision (2021), so EU UK transfers do not require additional safeguards. However, Permutive uses AWS infrastructure with regional clusters in the UK, EU (Ireland), and US. Onward flows to adtech partners (SSPs, DSPs, identity graphs) often cross into the US under SCCs and the EU US DPF.
List Permutive and all its downstream adtech recipients in your privacy notice and your vendor list. The TCF v2.2 framework provides standard vendor categories and a global vendor list maintained by IAB Europe.
A DPIA is generally required for any publisher or advertiser using Permutive at scale. The DPIA must address the segment categorisation logic, especially the use of sensitive content categories (Art. 9 GDPR), the cross border transfer chain, the TCF v2.2 vendor configuration, the retention period for segment memberships, and the appropriate Art. 22 GDPR review when segments feed automated bid decisions.
Recent DPA enforcement (CNIL, ICO, AEPD) has focused on consent quality, vendor disclosure, and special category content. Document the controls you have in place to avoid profiling users on the basis of health, religious, or political content.
Sign the Permutive DPA. Register Permutive as a vendor in your TCF v2.2 CMP and pass the correct TC string. Defer the SDK until consent is granted. Configure segment categorisation to exclude special category content unless explicit consent is captured. Document the chain of sub processors and onward recipients.
Run a DPIA and review it annually. Provide a clear opt out at the CMP level that propagates to Permutive (no further events, no segment activation, deletion of stored segment memberships).
Websites using Permutive must obtain user consent under GDPR regulations.
DPIA considerations
Permutive is a data and audience platform used for advertising activation and analytics. Key DPIA considerations: (1) the SDK computes audience segments on the device, which reduces but does not eliminate personal data processing; some events (segment memberships, identifiers) are still transferred to Permutive servers; (2) the platform builds behavioural profiles that may produce automated targeting decisions, triggering Art. 22 GDPR considerations; (3) audience activation typically involves onward transfers to SSPs and DSPs (Google Ad Manager, Magnite, Xandr) that have their own transfer chains, frequently to the US; (4) Permutive integrates with the IAB TCF v2.2 framework as a vendor, the consent signal must be passed correctly and the purposes registered match the actual processing; (5) UK adequacy reduces, but does not eliminate, transfer risks; (6) profiling for advertising on sensitive content (health, finance, political) raises Art. 9 GDPR concerns and may attract DPA enforcement (cf. CNIL and ICO recent cases).
Sample consent text
We use Permutive to build first party audience segments and to deliver more relevant advertising on our site. With your consent, Permutive processes some of your interaction data (page views, content categories, search keywords) directly in your browser and may share aggregated segment information with our advertising partners. You can refuse this audience processing in our consent banner.
Third-party domains contacted
permutive.comedge.permutive.comapi.permutive.comcdn.permutive.compermutive.appCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| permutive-id | Marketing | 1 year | Persistent visitor identifier used by Permutive to build first party audience segments and to share segment memberships with advertising partners. |
| permutive-session | Marketing | Session | Tracks the current Permutive session for event grouping and segment computation in the browser. |
| permutive-consent-state | Functional | 1 year | Stores the current Permutive consent state derived from the TCF v2.2 string, used to gate audience computation and activation. |
| permutive-login | Marketing | 1 year | Stores hashed authenticated user identifiers (when provided by the publisher) to enrich audience segments for logged in visitors. |
Permutive places tracking cookies for advertising — comply with GDPR using FlowConsent.
Permutive writes first party cookies on your domain, mainly permutive id (persistent visitor ID, 1 year), permutive session, and permutive consent state. The bulk of the data, however, is stored in localStorage and IndexedDB on the device, because audience computation runs locally. The cookies themselves are not strictly necessary for the website and require consent.
Yes, in any EU deployment. The Permutive SDK and cookies enable advertising and audience profiling, which require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG. The CJEU ruling in C 252/21 confirmed that legitimate interest is not a defensible basis for behavioural advertising, so consent is the only safe Art. 6 GDPR basis.
Consent (Art. 6(1)(a) GDPR) for the advertising and audience profiling purposes. For purely first party analytics with no onward activation, legitimate interest may apply with a documented balancing test, but the Permutive deployment is generally tied to advertising activation, so consent should be the default.
Permutive Ltd is UK based, the UK has EU adequacy. Permutive uses AWS clusters in UK, EU and US. Audience segments and identifiers are typically shared with downstream adtech partners (SSPs, DSPs, identity graphs) that may transfer data to the US under SCCs and EU US DPF. Map the full chain in your DPIA.
Yes, in most cases. Audience profiling at publisher scale meets the EDPB criteria for high risk processing. The DPIA must address segment categorisation, special category content exclusion, the TCF v2.2 vendor configuration, retention, and Art. 22 GDPR implications when segments feed automated bid decisions.
Sign the DPA. Register Permutive in your TCF v2.2 CMP. Defer the SDK until consent. Configure the segment categorisation to exclude special category content (health, religion, politics) unless explicit consent is captured. Provide a granular opt out that propagates to Permutive and downstream partners. Document the full vendor chain.
Audience platforms and DMPs: Lotame, Permutive direct competitors, ID5 for identity, LiveRamp for activation. CDPs: Tealium AudienceStream, mParticle, Segment with EU residency. Open source: RudderStack. Permutive differentiator is the edge computing architecture and the privacy first positioning for publishers.
List the Permutive cookies (permutive id, permutive session) with provider (Permutive Ltd, United Kingdom), purpose (audience segmentation and advertising activation), lifetime, and category (Marketing). Disclose the audience activation logic and the downstream recipients. Provide a TCF compatible opt out and a link to the Permutive privacy policy.