Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
PubMatic is a US based independent supply side platform that helps publishers monetise inventory through programmatic auctions across display, video, mobile, and connected TV. Founded in 2006 and headquartered in Redwood City, California, with major engineering centres in India, it runs the OpenWrap header bidding solution and powers real time bidding for thousands of publishers. PubMatic sets advertising cookies on pubmatic.com, is registered in the IAB Europe TCF v2.2 framework, and processes data in the United States. EU traffic deployments require explicit consent under the GDPR and the ePrivacy Directive.
PubMatic is a publicly traded independent SSP founded in 2006 and headquartered in Redwood City, California, with major engineering and operations teams in Pune, India. It powers programmatic auctions for thousands of publishers across display, video, mobile, and CTV, and offers the OpenWrap open source header bidding wrapper.
On publisher websites, PubMatic is typically integrated via Prebid.js, OpenWrap, or direct integration. Once loaded, it sends OpenRTB bid requests to demand side platforms and returns winning creative for ad rendering.
Each bid request includes the IP, User Agent, page URL, ad slot data, viewport, approximate geolocation, the user advertising identifier (KADUSERCOOKIE), and the TCF v2.2 consent string. Audience segments, content categories, and authenticated user IDs (UID 2.0, LiveRamp ID, ID5) may also be transmitted.
Cookies set by PubMatic on pubmatic.com: KADUSERCOOKIE (persistent advertising identifier, 30 days), PugT (sync state, 30 days), KRTBCOOKIE_* (per buyer mapping cookies), KTPCACOOKIE (preferences). All are third party cookies and shared across the PubMatic partner network.
PubMatic is registered in the IAB Europe TCF v2.2 Global Vendor List. Publishers must transmit a valid TC string with the required purposes consented. Without consent for the relevant purposes, PubMatic must not be loaded or sent bid requests.
The Belgian DPA decision on TCF and the CJEU ruling C 252/21 on legitimate interest both apply. Consent is the only defensible Art. 6 GDPR basis for the advertising activation purposes powered by PubMatic.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
PubMatic Inc. is a US controller, certified under the EU US Data Privacy Framework. SCCs apply where DPF is not sufficient. India based engineering teams may access data under additional intra group agreements. A Transfer Impact Assessment by the publisher is required and should document the chain from PubMatic to downstream DSPs.
List PubMatic and its downstream DSP recipients in your privacy notice. The TCF v2.2 framework provides standard categories but the publisher remains responsible for the disclosure.
A DPIA is generally required given the systematic large scale monitoring. It must address audience categorisation (Art. 9 GDPR content exclusions), the OpenRTB fan out, vendor list management, retention, and Art. 22 GDPR implications for automated bidding decisions.
Recent DPA enforcement places clear responsibility on the publisher for the full programmatic chain, not just for the immediate processor.
Register PubMatic in your TCF v2.2 CMP. Sign the PubMatic DPA. Defer pubmatic.com requests until explicit consent. Audit your Prebid / OpenWrap configuration to restrict bidders. Document PubMatic in your privacy notice with purposes, lifetimes, and US transfer information.
Implement Global Privacy Control handling, configure ad slot level consent, and review the DPIA annually. For sensitive content categories, exclude PubMatic loading entirely on those pages.
Websites using PubMatic must obtain user consent under GDPR regulations.
DPIA considerations
PubMatic is a high impact SSP in the programmatic chain. Key DPIA considerations: (1) every bid request includes IP, User Agent, page URL, geolocation, audience segment IDs, and the advertising cookie value, broadcast to dozens of DSPs in real time; (2) pubmatic.com cookies enable cross site advertising profiling for up to 30 days; (3) US data storage triggers Schrems II requirements; (4) PubMatic engineering staff in India may access data for support; (5) audience activation may involve special category content (Art. 9 GDPR); (6) IAB Europe TCF v2.2 vendor declaration must match actual processing; (7) the CNIL Criteo decision and Belgian DPA TCF decision both apply.
Sample consent text
We use PubMatic to monetise our advertising inventory through real time auctions. With your consent, PubMatic sets cookies on pubmatic.com (KADUSERCOOKIE, PugT) and shares bid request data with our demand partners. This data is processed on PubMatic servers in the United States under Standard Contractual Clauses. You can refuse advertising in our consent banner.
Third-party domains contacted
pubmatic.comads.pubmatic.comimage2.pubmatic.comsimage2.pubmatic.comshowads.pubmatic.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| KADUSERCOOKIE | Marketing | 30 days | Persistent advertising identifier set by PubMatic. Used to recognise users across publisher sites and participate in real time bidding. |
| PugT | Marketing | 30 days | Tracks cookie sync state between PubMatic and demand side platforms. |
| KRTBCOOKIE_* | Marketing | 30 days | Per buyer mapping cookies used to align PubMatic identifiers with DSP partner identifiers in cookie matching tables. |
| KTPCACOOKIE | Marketing | 30 days | Stores PubMatic visitor preferences and consent state for advertising activation. |
PubMatic places tracking cookies for advertising — comply with GDPR using FlowConsent.
PubMatic sets third party cookies on pubmatic.com: KADUSERCOOKIE (persistent advertising identifier, 30 days), PugT (cookie sync state, 30 days), KRTBCOOKIE_* (per buyer mapping cookies, 30 days), KTPCACOOKIE (preferences, 30 days). All are advertising cookies and require consent.
Yes for any EU deployment. The PubMatic cookies and OpenRTB bid request require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG. The TCF v2.2 TC string must be transmitted with the correct purposes consented before any pubmatic.com call.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is not available for behavioural advertising after CJEU C 252/21 and EDPB guidance. The TCF v2.2 vendor declaration must match the actual processing.
Yes. PubMatic is US based and processes data primarily in the United States under SCCs and the EU US Data Privacy Framework. India based engineering teams may also access data under additional safeguards. A Transfer Impact Assessment is required.
Yes, in most cases. The DPIA must address audience categorisation (avoiding Art. 9 GDPR content), the OpenRTB fan out, vendor list governance, retention, and Art. 22 GDPR considerations for automated bidding.
Register PubMatic in your TCF v2.2 CMP. Sign the PubMatic DPA. Defer pubmatic.com calls until consent. Restrict your Prebid / OpenWrap bidder list. Document the full chain in your privacy notice. Implement Global Privacy Control handling.
Other SSPs: Magnite, Index Exchange, OpenX, Sovrn, Google Ad Manager, Xandr (Microsoft). EU based SSPs: Adform (Denmark), Smartclip, Equativ (Smart AdServer, France). PubMatic differentiator is the open source OpenWrap solution and a focus on omnichannel (CTV) inventory.
List the PubMatic cookies (KADUSERCOOKIE, PugT, KRTBCOOKIE_*) with provider (PubMatic Inc., United States), purpose (programmatic advertising and audience matching), lifetime (30 days), and category (Marketing). Disclose the US transfer, TCF v2.2, and link the PubMatic privacy policy.