Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent
Free plan · 10-min setup
Taboola is an Israeli native content recommendation and advertising platform widely deployed on European news publishers, magazines and ecommerce content hubs. The Taboola pixel and widget set third party cookies for ad targeting, retargeting, audience extension and Sponsored Content placements across the Taboola Network.
Taboola is a native content recommendation and advertising platform operated by Taboola.com Ltd., headquartered in Tel Aviv. Publishers integrate Taboola widgets at the bottom of their articles to display Sponsored Content, additional editorial recommendations and native ads. The platform competes directly with Outbrain in the European news, magazine and ecommerce content publishing market.
The Taboola widget loader (cdn.taboola.com/libtrc/...) injects the trc_cookie_storage, taboola_pa (publisher anonymous identifier), t_gid (audience extension identifier) and abLite_* (A B testing) cookies on the publisher domain, plus third party cookies under trc.taboola.com. The Conversions API (tfa) can also fire server side.
Taboola is a cross site behavioural advertising platform that falls squarely outside the strictly necessary exemption of Article 5(3) ePrivacy. Taboola.com Ltd. acts as a joint controller with the publisher under Article 26 GDPR for the audience extension and personalisation activities. The publisher must conclude a joint controller arrangement and inform visitors transparently.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Prior, freely given, specific, informed and unambiguous consent is required before the Taboola loader runs. Taboola supports the IAB Transparency and Consent Framework version 2.2: the pixel reads the TCF string and downgrades to non personalised recommendations when consent is denied. A CMP registered with the TCF is the recommended integration path.
Taboola.com Ltd. is established in Israel, which benefits from a European Commission adequacy decision under Article 45 GDPR. Edge delivery and recommendation engines also run on AWS and Google Cloud US regions, covered by the EU US Data Privacy Framework adequacy for the cloud subprocessors. Standard Contractual Clauses are included in the Taboola DPA.
Sign the Taboola DPA and Article 26 joint controller arrangement, register a TCF certified consent management platform, gate the Taboola loader behind the consent string, document the EU Israel adequacy and the AWS Google Cloud subprocessors, and inform readers about Sponsored Content disclosure under the Digital Services Act.
Websites using Taboola must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required at publisher scale because Taboola constitutes large scale behavioural advertising and audience extension. The DPIA should document the Taboola Network supply path, the joint controllership with Taboola.com Ltd. under Article 26 GDPR, the third country transfers and the IAB TCF integration.
Sample consent text
This page contains Taboola native recommendations. Taboola.com Ltd. (Israel) and its US infrastructure providers drop cookies on your browser to recommend personalised content and Sponsored articles, build audience segments and measure performance. Taboola cookies are activated only with your consent.
Third-party domains contacted
taboola.comtrc.taboola.comcdn.taboola.comvidstat.taboola.comexchange.taboola.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| t_gid | Marketing | 13 months | Global Taboola user identifier set on taboola.com, used for content recommendation personalisation and audience targeting across the Taboola publisher network. |
| taboola_session_id | Marketing | Session | Stores the Taboola session identifier on taboola.com for session level recommendation logic. |
| t_pt_gid | Marketing | 13 months | Partner user identifier used when Taboola syncs audiences with DSPs and other partners. |
| tbla_id | Marketing | 1 year | Tracks a visitor across the Taboola network and stores anonymous click and impression history for attribution. |
| _tb_sess_r | Marketing | Session | Records the referring URL for the current Taboola session to attribute traffic sources. |
Taboola places tracking cookies for advertising — comply with GDPR using FlowConsent.
The Taboola widget loader sets trc_cookie_storage, taboola_pa (publisher anonymous identifier), t_gid (audience extension identifier) and abLite_* (A B testing) cookies on the publisher domain, plus third party cookies under trc.taboola.com.
Yes. The Taboola pixel is a cross site behavioural advertising technology that falls outside the strictly necessary exemption. Prior, freely given, specific, informed and unambiguous consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR is required.
Consent under Article 6(1)(a) GDPR is the lawful basis for the Taboola pixel cookies. Taboola.com Ltd. acts as a joint controller with the publisher under Article 26 GDPR for audience extension and personalisation activities, requiring an Article 26 arrangement.
Partially. Taboola.com Ltd. is established in Israel (covered by an EU Commission adequacy decision under Article 45 GDPR). Edge delivery and recommendation engines also run on AWS and Google Cloud US regions, covered by the EU US Data Privacy Framework adequacy for cloud subprocessors.
Yes at publisher scale. Taboola constitutes large scale behavioural advertising under Article 35(3)(a) GDPR. Document the supply path, the joint controllership, the third country transfers, the IAB TCF integration and the retention period in the DPIA.
Sign the Taboola DPA and Article 26 joint controller arrangement, register a TCF certified consent management platform, gate the Taboola loader behind the consent string, label Sponsored Content placements clearly under the Digital Services Act and document subprocessor transfers in your record of processing activities.
European native advertising alternatives include Outbrain (Israel, similar profile), Ligatus (Germany, part of Outbrain), Seedtag (Spain, contextual), Adnow, MGID and Yieldlove. Contextual alternatives that avoid cross site profiling include Seedtag, Captify and EU based publisher direct programmes.
Add a Taboola section in the advertising or marketing category listing trc_cookie_storage, taboola_pa, t_gid and abLite_* with name, domain, duration and purpose. Disclose joint controllership with Taboola.com Ltd., the Israel adequacy and the AWS Google Cloud US subprocessors, and link to the Taboola privacy notice.