Rubicon Project, now operating as the SSP business unit of Magnite Inc., is one of the world's largest independent Supply Side Platforms. After the 2020 merger with Telaria (CTV inventory) and the 2021 acquisition of SpotX, Magnite is the largest independent SSP for connected TV and a major player in display, video and audio programmatic advertising. The SSP sets persistent cookies and is registered as IAB Europe TCF v2.2 Vendor ID 52.
Rubicon Project was founded in 2007 and was one of the original independent Supply Side Platforms. In 2020 it merged with Telaria, a connected TV ad platform, to form Magnite Inc. (NASDAQ: MGNI). In 2021 Magnite acquired SpotX and CTV startup SpringServe, becoming the largest independent SSP for CTV and a major player across display, video and audio inventory. Publishers integrate Magnite through Prebid.js header bidding adapters, the Magnite/Rubicon RTB tag, or server-side header bidding. Magnite is registered as IAB Europe TCF v2.2 Vendor ID 52.
For each ad request, Magnite receives the visitor's IP address, user agent, page URL, referrer, device type, viewport, time zone, language, the IAB TCF v2.2 consent string and any user IDs propagated by the publisher. Magnite writes cookies including khaos, rpb (Rubicon Project broker), rpx (Rubicon Project exchange), ruids (Rubicon user ID) and put_ on the rubiconproject.com domain, with lifetimes typically of 1 year. For CTV inventory, Magnite also processes smart TV device IDs (Roku, Samsung, LG) and IP addresses associated with the household.
Because Rubicon/Magnite writes persistent cookies and processes personal data for advertising, ePrivacy Art. 5(3) requires prior informed consent before the Magnite tag may run. Under the GDPR, consent under Art. 6(1)(a) is the appropriate basis. Publishers using Magnite must rely on a TCF v2.2 CMP that gates Vendor 52 behind the granted purposes. The Belgian APD ruling on IAB Europe TCF applies to Magnite by extension.
With its CTV inventory, Magnite processes smart TV device IDs (TIFA on tvOS, Roku Advertising ID, Samsung TIFA), household IP addresses and viewing context. This is a sensitive data combination because it can be linked back to physical households and to family members rather than individual users. EU regulators (in particular Spain's AEPD and Germany's DSK) have flagged CTV tracking as a high-risk processing area. A DPIA is strongly recommended for any publisher monetising CTV inventory through Magnite.
Magnite supports the major post-cookie identity solutions: Unified ID 2.0 (The Trade Desk), ID5, LiveRamp ATS, Adform ID Fusion and Magnite's own Magnite Universal ID. These IDs are propagated alongside the bid request and joined on the Magnite servers, enabling cross-site reach as third-party cookies disappear. Each unified ID has its own consent and transfer profile, which the publisher must document.
Configure the publisher CMP so Magnite (TCF Vendor 52) fires only with granted purposes. Sign the Magnite DPA and SCCs. Run a Transfer Impact Assessment addressing US CLOUD Act and FISA 702 exposure. Document Magnite in the record of processing including the bid request data, the CTV identifiers if applicable, the legal basis and the transfer mechanism. List Magnite cookies in the cookie policy under marketing/advertising. For CTV inventory, run a DPIA covering household level processing.
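One way to implement the CMP gate described above, as an added example that is not code from Magnite or from this page. It reads the TCData object that a TCF v2.2 CMP delivers through `__tcfapi`; the required purpose list and the `loadTag` callback are assumptions the publisher must supply.

```javascript
const MAGNITE_VENDOR_ID = 52; // TCF vendor ID stated on this page

// ASSUMPTION: Purpose 1 (store and/or access information on a device) is the
// minimum for a cookie-setting tag. Extend this list with the purposes
// Magnite declares in its Global Vendor List entry.
const REQUIRED_PURPOSES = [1];

// Pure decision over a TCData object. Only consent flags are read, never
// legitimate-interest flags, matching the page's position that consent is
// the safer basis.
function mayLoadMagnite(tcData, requiredPurposes = REQUIRED_PURPOSES) {
  if (!tcData || typeof tcData !== 'object') return false; // fail closed
  // ASSUMPTION: when the CMP reports that GDPR does not apply, the TCF
  // gate is skipped. An undefined value is treated as "applies".
  if (tcData.gdprApplies === false) return true;
  // Act only once the user's choice is known, not while the banner shows.
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return false;
  const vendorOk = tcData.vendor?.consents?.[MAGNITE_VENDOR_ID] === true;
  const purposesOk = requiredPurposes.every(
    (p) => tcData.purpose?.consents?.[p] === true);
  return vendorOk && purposesOk;
}

// Wire the decision to the CMP. `tcfapi` is window.__tcfapi on a real page;
// `loadTag` is a hypothetical callback that injects the Magnite script.
function gateMagnite(tcfapi, loadTag) {
  let loaded = false;
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || loaded) return;
    if (mayLoadMagnite(tcData)) {
      loaded = true; // never inject the tag twice
      loadTag();
    }
  });
}
```

On a live page the call would be `gateMagnite(window.__tcfapi, injectMagniteTag)`, with the tag absent from the initial HTML so nothing reaches rubiconproject.com before the callback fires.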
Websites using Rubicon Project must obtain user consent under GDPR regulations.
DPIA considerations
Rubicon/Magnite writes the khaos, rpb, rpx, ruids and put_ cookies on rubiconproject.com plus IAB TCF v2.2 vendor data on tdid.net. DPIA considerations: (1) the cookies are persistent online identifiers and personal data under the GDPR; (2) the SSP broadcasts bid requests to dozens of DSPs with the visitor's IP, page context, user agent, device type and TCF consent string, considerably expanding the data exposure; (3) Magnite Inc. is a US company with US CLOUD Act exposure; (4) connected TV inventory adds an additional data category (smart TV device IDs, household identifiers) that has been flagged by EU regulators; (5) the Belgian APD ruling on IAB Europe TCF and ongoing EDPB scrutiny apply. A DPIA is strongly recommended for publishers integrating Rubicon/Magnite, particularly when CTV inventory is included.
Sample consent text
We use Rubicon Project / Magnite (Magnite Inc., New York) as a Supply Side Platform to sell our advertising inventory programmatically. Magnite places cookies on your device for cross site advertising reach, frequency capping and reporting. Personal data is transferred to Magnite in the United States. We rely on your consent expressed through our IAB TCF v2.2 banner (Magnite vendor ID 52).
Third-party domains contacted
rubiconproject.com
fastlane.rubiconproject.com
eus.rubiconproject.com
optimized-by.rubiconproject.com
magnite.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| khaos | Marketing / Advertising | 1 year | Set by Rubicon Project / Magnite on rubiconproject.com. Anonymous identifier used for cross site visitor recognition, frequency capping and audience targeting. |
| rpb | Marketing / Advertising | 1 year | Set by Rubicon Project / Magnite. Broker identifier used by the Magnite SSP to track which downstream DSP bids on the visitor's impression history. |
| rpx | Marketing / Advertising | 1 year | Set by Rubicon Project / Magnite. Exchange identifier used internally by the Magnite ad exchange for matching demand and supply side identities. |
| ruids | Marketing / Advertising | 1 year | Set by Rubicon Project / Magnite. Rubicon user identifier joined with third party DSP cookies for retargeting and audience extension across the Magnite network. |
| put_<ID> | Marketing / Advertising | 90 days | Set by Rubicon Project / Magnite during ID syncing pixels. Stores partner specific identifier mappings to allow audience segments to be reused across DSPs. |
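
A check a publisher can run over captured browser traffic to confirm the gate holds, as an added example that is not part of the original page. It flags any request to the domains listed above, and any cookie from the table, seen before the consent timestamp; the record format and the sample capture are constructed for illustration.

```javascript
// Registrable domains and cookie names taken from the lists on this page.
const MAGNITE_DOMAINS = ['rubiconproject.com', 'magnite.com'];
const MAGNITE_COOKIES = [/^khaos$/, /^rpb$/, /^rpx$/, /^ruids$/, /^put_/];

// Exact or subdomain match; a bare suffix test would also match
// unrelated hosts such as notrubiconproject.com.
function isMagniteHost(host) {
  const h = host.toLowerCase();
  return MAGNITE_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// records: [{ tsMs, url, setCookie: [raw Set-Cookie header values] }]
// (hypothetical capture format, e.g. flattened from a HAR export).
// consentTsMs: when the user granted consent, or null if never granted.
function findPreConsentViolations(records, consentTsMs) {
  const findings = [];
  for (const r of records) {
    const before = consentTsMs === null || r.tsMs < consentTsMs;
    if (!before) continue;
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; }
    if (!isMagniteHost(host)) continue;
    // The request alone already sends the IP and user agent to the SSP.
    findings.push({ tsMs: r.tsMs, host, kind: 'request' });
    for (const raw of r.setCookie || []) {
      const name = raw.split('=')[0].trim();
      if (MAGNITE_COOKIES.some((re) => re.test(name))) {
        findings.push({ tsMs: r.tsMs, host, kind: 'cookie', name });
      }
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic); paths and values are made up.
const SAMPLE = [
  { tsMs: 100, url: 'https://publisher.example/', setCookie: [] },
  { tsMs: 250, url: 'https://fastlane.rubiconproject.com/example',
    setCookie: ['khaos=CONSTRUCTED; Max-Age=31536000', 'sessionid=abc'] },
  { tsMs: 300, url: 'https://notrubiconproject.com/', setCookie: ['rpb=x'] },
  { tsMs: 900, url: 'https://eus.rubiconproject.com/example',
    setCookie: ['put_1234=CONSTRUCTED; Path=/'] },
];
```

With consent recorded at 500 ms, `findPreConsentViolations(SAMPLE, 500)` reports the 250 ms request and its khaos cookie; an empty result is the passing state.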
Magnite writes the khaos, rpb (broker), rpx (exchange), ruids (user ID) and put_ cookies on the rubiconproject.com domain, typically 1 year lifetime. The cookies are persistent online identifiers used for cross site audience reach and frequency capping.
Yes. Magnite is IAB Europe TCF v2.2 Vendor ID 52. The cookies it sets are not strictly necessary, so ePrivacy Art. 5(3) requires prior informed consent. The publisher CMP must gate Magnite behind the granted TCF purposes.
Consent (GDPR Art. 6(1)(a)). Magnite declares legitimate interest under TCF for some processing, but consent is the safer interpretation under EDPB and CNIL guidance.
Yes. Magnite Inc. is a US company. EU edges handle bidding latency, but identity graph processing happens on US infrastructure. Magnite self certifies under the EU US Data Privacy Framework and offers SCCs. A Transfer Impact Assessment is required.
A DPIA is strongly recommended for publishers using Magnite. The processing combines persistent online identifiers, broadcasting of personal data to many DSPs, US data transfer and, for CTV inventory, household level identifiers. All four factors are flagged by EDPB guidance as high risk.
Configure the publisher CMP so Magnite (TCF Vendor 52) fires only with granted purposes. Sign the Magnite DPA and SCCs. Run a Transfer Impact Assessment. Document Magnite in the record of processing. List Magnite cookies in the cookie policy. For CTV inventory, run a DPIA covering household level processing.
Other SSPs include OpenX, Xandr (Microsoft), PubMatic, Index Exchange, Equativ (France) and the Google Ad Manager SSP. For CTV specifically: FreeWheel (Comcast NBCUniversal), SpringServe (now part of Magnite), Premion, Beachfront, Equativ CTV. EU based alternatives like Equativ offer EU primary data processing.
List the Magnite cookies (khaos, rpb, rpx, ruids, put_) under marketing/advertising. Name Magnite Inc. (New York) as a recipient and reference IAB TCF v2.2 vendor ID 52. Disclose the US transfer with the appropriate mechanism (EU US Data Privacy Framework or SCCs). For CTV deployments, specifically mention smart TV device identifiers in the privacy notice.