Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sizmek is an ad serving and rich media platform now operating as Amazon Ad Server after Amazon acquired the assets in 2019. It serves and measures display, video, and rich media advertising campaigns, with creative management, dynamic creative optimisation, and verification capabilities. Sizmek tags set advertising cookies on serving.bm23.com and amazon-adsystem.com, and process data on Amazon infrastructure in the United States. EU deployments require explicit consent under the GDPR and the ePrivacy Directive.
Sizmek was an independent ad serving and rich media platform until 2019, when Amazon acquired the technology and rebranded the core product as Amazon Ad Server. Today it remains one of the largest third party ad servers used by agencies and advertisers to deliver display, video, rich media, and dynamic creative across the open web.
On publisher sites, Sizmek is loaded as a third party ad tag inside the ad slot. The tag serves the creative, tracks impressions, viewability and clicks, and may run dynamic creative optimisation based on visitor signals.
Each ad served collects the IP, User Agent, page URL, referrer, viewport size, viewability metrics, click and conversion events, and any audience identifiers passed by the advertiser or the DSP. Sizmek may also collect content categorisation for brand safety purposes.
Cookies are set on serving.bm23.com, amazon-adsystem.com, and other Amazon advertising domains: ad-id (advertising identifier), ad-privacy (consent state), session helpers, frequency capping cookies. All are third party and require consent.
Amazon Advertising is registered in the IAB Europe TCF v2.2 Global Vendor List for the relevant advertising purposes. The TC string must be transmitted in the bid request and the ad call. Without consent, Sizmek tags must not fire.
After CJEU C 252/21, legitimate interest is not available for behavioural advertising. Consent is the only safe Art. 6 GDPR basis. The Belgian DPA TCF decision and CNIL enforcement against opaque ad chains apply.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Once integrated under Amazon Advertising, Sizmek data can be combined with Amazon DSP audience profiles. This raises specific EDPB and DPA concerns about the combined power of a large retailer and an ad serving stack: granular shopping, content browsing, and ad exposure data are now under one controller.
Document this in your DPIA, especially the data combination and the cross border transfer chain.
Amazon Corporate LLC is a US controller, certified under the EU US Data Privacy Framework. SCCs apply where DPF is not sufficient. A Transfer Impact Assessment is required by the publisher / advertiser.
Document the chain from the publisher to Amazon Ad Server, and from Amazon Ad Server to any DSP or verification partner.
Sign the Amazon Advertising Services agreement and DPA. Register the Amazon Ad Server vendor in your TCF v2.2 CMP. Defer ad tags until consent. Restrict Sizmek to specific ad slots and content categories. Document the cross border transfer chain in your privacy notice.
Implement Global Privacy Control handling. Review the DPIA annually, especially around the Amazon DSP audience combinations and any new Amazon products integrated with Sizmek.
Websites using Sizmek must obtain user consent under GDPR regulations.
DPIA considerations
Sizmek (Amazon Ad Server) is a high impact ad serving and measurement platform. Key DPIA considerations: (1) ad tags collect the visitor IP, User Agent, page URL, referrer, click and impression events, and any audience identifiers passed by the publisher; (2) cookies set on the serving domain enable cross site frequency capping and re targeting; (3) data is processed on Amazon Web Services infrastructure, with US storage triggering Schrems II requirements; (4) Amazon Advertising integrations link Sizmek data with Amazon DSP and audience profiles, which raises additional concerns under EDPB guidance on retail giant profiling; (5) verification features (viewability, brand safety) may involve content scanning that could capture sensitive context.
Sample consent text
We use Sizmek (Amazon Ad Server) to serve and measure advertising on our website. With your consent, Sizmek sets advertising cookies on its serving domains and processes your interactions with ads. This data is transferred to Amazon servers in the United States under Standard Contractual Clauses. You can refuse advertising in our consent banner.
Third-party domains contacted
serving.bm23.comamazon-adsystem.comaax.amazon-adsystem.comaax-eu.amazon-adsystem.comsizmek.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ad-id | Marketing | 13 months | Persistent advertising identifier used by Amazon Ad Server (Sizmek) to recognise users for frequency capping and re targeting across publisher sites. |
| ad-privacy | Marketing | 13 months | Stores the current Amazon advertising consent state for the visitor, including TCF v2.2 signals. |
| eud | Marketing | 6 months | EU device identifier used to manage frequency capping and re targeting in the EU region. |
| aps_* | Marketing | 13 months | Family of Amazon Publisher Services cookies used for header bidding orchestration and conversion measurement. |
Sizmek places tracking cookies for advertising — comply with GDPR using FlowConsent.
Sizmek (Amazon Ad Server) writes third party cookies on serving.bm23.com, amazon-adsystem.com, and related Amazon advertising domains: ad-id (advertising identifier), ad-privacy (consent state), frequency capping helpers and conversion tracking cookies. All are advertising cookies and require consent.
Yes for any EU deployment. The Sizmek ad tag, cookies, and OpenRTB integration require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG, plus a valid TCF v2.2 TC string transmitted to Amazon Ad Server.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is not available for behavioural advertising after CJEU C 252/21. The Amazon Advertising vendor declaration in TCF v2.2 must match the actual processing.
Yes. After the Amazon acquisition, data is processed on AWS infrastructure in the United States under SCCs and the EU US Data Privacy Framework certification of Amazon. A Transfer Impact Assessment is required by the publisher and the advertiser.
Yes, in most cases. The DPIA must cover audience and content categorisation, the Amazon DSP combinations, US transfers, vendor list, retention, and Art. 22 GDPR considerations.
Sign the Amazon Advertising Services agreement and DPA. Register Amazon Ad Server in your TCF v2.2 CMP. Defer the Sizmek ad tag until consent. Restrict Sizmek to specific slots. Document the US transfer chain and the Amazon DSP combinations.
Independent ad servers: Google Campaign Manager 360 (DV360 ad serving), Adform Flow, Equativ (Smart AdServer), Flashtalking (a Mediaocean company). DSPs that include ad serving: The Trade Desk, MediaMath. After the Amazon acquisition, Sizmek and Amazon Ad Server are increasingly tied to the Amazon ecosystem.
List the Sizmek / Amazon Ad Server cookies (ad-id, ad-privacy) with provider (Amazon Corporate LLC, United States), purpose (third party ad serving and measurement), lifetime, and category (Marketing). Disclose the US transfer, the Amazon Advertising integration, and link the Amazon privacy notice.