Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sovrn is a US based supply side platform and advertising network focused on independent publishers and long tail websites. Founded in 2014 in Boulder, Colorado (combining Lijit Networks, Federated Media, and ad.ly), it offers programmatic auctions, header bidding (Sovrn //Ad Management), commerce solutions (Sovrn //Commerce, formerly VigLink) and audience services. Sovrn sets advertising cookies on sovrn.com and lijit.com, is registered in the IAB Europe TCF v2.2 framework, and processes data in the United States. EU traffic deployments require explicit consent under the GDPR and the ePrivacy Directive.
Sovrn is an independent advertising and content technology platform headquartered in Boulder, Colorado. Founded in 2014 from the merger of Lijit Networks, Federated Media, and ad.ly, it now serves more than 60,000 publishers. Sovrn provides three core products: //Ad Management (header bidding and SSP), //Commerce (affiliate link rewriting, formerly VigLink) and //Data (audience and measurement).
On publisher websites, Sovrn is integrated through Prebid.js, the Sovrn Beacon (sovrn.js) or via the //Commerce script. Once loaded, it participates in OpenRTB auctions and may rewrite outbound product links to include commerce affiliate parameters.
On the SSP side, bid requests include IP, User Agent, page URL, ad slot data, viewport, approximate geolocation, advertising identifier (ljt_reader on lijit.com), and the TCF v2.2 consent string. On the //Commerce side, every outbound link click is logged for affiliate tracking with HTTP referrer and target URL.
Cookies on sovrn.com and lijit.com: ljt_reader (visitor ID, 1 year), uid (cookie sync, 1 year). The Sovrn //Commerce script also stores click data temporarily in localStorage.
Sovrn is registered in the IAB Europe TCF v2.2 Global Vendor List for the advertising component. The //Commerce component is not strictly an advertising vendor but it does rewrite links and capture clicks, which qualifies as Art. 5(3) ePrivacy processing in many EU jurisdictions and requires consent.
The Belgian DPA TCF decision and CJEU ruling C 252/21 apply. Consent is the only safe Art. 6 GDPR basis for the SSP and audience purposes.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Sovrn Inc. is a US controller, processing data primarily on US infrastructure under SCCs and the EU US Data Privacy Framework. A Transfer Impact Assessment is required, and the //Commerce affiliate link processing must be documented as a separate purpose with its own legal basis.
List Sovrn and its downstream DSP recipients in your privacy notice. //Commerce partner brands receiving click data should also be disclosed.
A DPIA is required for any non trivial Sovrn deployment, covering both advertising (SSP) and commerce (link rewriting) purposes. Document audience categorisation, retention, sub processors, US transfers, and the dual use of cookies across both products.
Recent DPA enforcement places clear responsibility on the publisher for the full chain, including affiliate networks like Sovrn //Commerce.
Register Sovrn in your TCF v2.2 CMP. Sign the Sovrn DPA covering both //Ad Management and //Commerce. Defer the sovrn.com and lijit.com calls until consent. If using //Commerce, present it as a separate consent purpose distinct from advertising.
Audit your Prebid bidder list. Document Sovrn in your privacy notice with both purposes and the US transfer chain. Implement Global Privacy Control. Review the DPIA at least annually.
Websites using Sovrn must obtain user consent under GDPR regulations.
DPIA considerations
Sovrn is a high impact SSP plus a commerce affiliate network. Key DPIA considerations: (1) the SSP component shares bid request data (IP, User Agent, URL, geolocation, audience IDs) with dozens of DSPs in real time; (2) the //Commerce (formerly VigLink) component rewrites outbound links to include affiliate tracking parameters, which can constitute new tracking even on non advertising pages; (3) cookies on sovrn.com and lijit.com enable cross site profiling; (4) US data storage triggers Schrems II requirements; (5) audience activation may involve special category content (Art. 9 GDPR); (6) the TCF v2.2 vendor declaration must match actual processing; (7) the Belgian DPA TCF decision and CNIL Criteo enforcement apply.
Sample consent text
We use Sovrn to monetise our advertising inventory and, where applicable, to rewrite outbound links into commerce affiliate links. With your consent, Sovrn sets cookies on sovrn.com and lijit.com and shares bid request data with our demand partners. This data is processed on Sovrn servers in the United States under Standard Contractual Clauses. You can refuse advertising and affiliate link rewriting in our consent banner.
Third-party domains contacted
sovrn.comap.lijit.combeacon.sovrn.comsovrn-ads.comviglink.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ljt_reader | Marketing | 1 year | Persistent visitor identifier set by Sovrn on the lijit.com domain. Used to recognise users across publisher sites and to participate in real time bidding. |
| uid | Marketing | 1 year | Cookie sync identifier shared between Sovrn and demand side platforms for cookie matching. |
| vglnk.Agent.p | Marketing | 1 year | Identifier used by the Sovrn //Commerce (formerly VigLink) script to attribute outbound product clicks to a visitor session. |
Sovrn places tracking cookies for advertising — comply with GDPR using FlowConsent.
Sovrn sets third party cookies on sovrn.com and lijit.com, mainly ljt_reader (visitor identifier, 1 year), uid (cookie sync, 1 year), and several auxiliary cookies for the //Ad Management and //Commerce products. All are advertising or commerce cookies and require consent.
Yes for any EU deployment. The Sovrn cookies and OpenRTB bid request require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG. The //Commerce link rewriting feature also requires consent in most EU jurisdictions because the visitor outbound clicks are tracked.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is not available for behavioural advertising (CJEU C 252/21). For //Commerce, consent or legitimate interest can both be considered, but consent is safer given the click level tracking.
Yes. Sovrn is US based and processes data primarily in the United States under SCCs and the EU US Data Privacy Framework. A Transfer Impact Assessment is required by the publisher.
Yes, in most cases. The DPIA must address audience categorisation (avoiding Art. 9 GDPR content), the OpenRTB fan out, vendor list governance, retention, the dual purpose nature of //Ad Management and //Commerce, and US transfers.
Register Sovrn in your TCF v2.2 CMP. Sign the DPA. Defer sovrn.com / lijit.com calls until consent. Treat //Commerce as a separate consent purpose if used. Restrict your Prebid bidder list. Document the full chain in your privacy notice.
For SSP: Magnite, Index Exchange, PubMatic, OpenX, Google Ad Manager, Xandr (Microsoft). For commerce affiliate: Skimlinks, Awin, Rakuten Advertising, Impact, ShareASale. Sovrn differentiator is the combination of SSP + commerce in a single platform for independent publishers.
List the Sovrn cookies (ljt_reader, uid) with provider (Sovrn Inc., United States), purpose (programmatic advertising and commerce affiliate tracking), lifetime, and category (Marketing). Disclose the US transfer, the TCF v2.2 registration, and the //Commerce link rewriting feature if used. Link the Sovrn privacy policy.