Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Tapad is a cross-device identity resolution platform acquired by Experian in 2020. It builds device graphs that link a single user across phones, tablets, laptops and connected TVs using probabilistic and deterministic signals, then sells access to that graph to advertisers and publishers. For European deployments, Tapad involves extensive third-party tracking, US transfers and the strict requirements of the IAB TCF v2.2.
Tapad was founded in 2010 in New York with operations in Norway, and was acquired by Experian in 2020. Its product is a cross-device identity graph, the Tapad Graph, that links devices belonging to the same user (phones, tablets, laptops, connected TVs). It combines deterministic signals (logged in identifiers, hashed emails) with probabilistic signals (IP, time of day, geo, behavioural patterns). The graph is used by DSPs, SSPs, publishers and advertisers for cross-device measurement, retargeting and frequency capping.
Tapad processes third party cookies on tapad.com, mobile advertising IDs (IDFA, AAID), IP addresses, user agent strings, screen resolution, language headers, time of day, geo and browsing patterns. Pixel calls from partner publishers feed the graph. Conversion and exposure events from advertisers close the measurement loop. Cookies set in browsers include TapAd_DID and TapAd_TS.
The Tapad Graph is a profile under GDPR Art. 4. Third party cookies and identifiers are non essential and require consent under Art. 5(3) ePrivacy. Cross-device matching that combines signals across publishers triggers Art. 6 GDPR with consent as the only safe basis, and the IAB TCF v2.2 should be used to capture and propagate it. Tapad and Experian acquired the obligation to update their TCF vendor entry to the latest version.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Explicit, granular consent is required for the cookies, the identifier processing and the cross-device matching. Use an IAB certified CMP with TCF v2.2 and list Tapad and Experian in the vendor list. Make sure the consent purposes match Tapad''s declared use cases (storage, personalisation, profiling, ad measurement). Provide a clear way to withdraw consent.
Tapad operates from the United States under Experian and transfers data accordingly. Standard Contractual Clauses and the EU US Data Privacy Framework cover the transfer where Experian is certified. The cross-device graph aggregates data from many publishers globally, raising onward transfer and purpose limitation questions.
Sign Tapad/Experian''s DPA with full SCCs, use a CMP with IAB TCF v2.2 listing Tapad in the vendor list, run a DPIA covering cross-device identity, complete a TIA referencing the EU US Data Privacy Framework, disclose Tapad and Experian in your privacy notice, restrict the categories of data shared and prepare contingency plans for third party cookie deprecation in browsers.
Websites using Tapad must obtain user consent under GDPR regulations.
DPIA considerations
Tapad's cross-device graph processes browser cookies, mobile advertising IDs, IP addresses, user agent fingerprints and probabilistic signals to link devices to a single user. Key DPIA considerations: (1) third party cookies and identifiers require consent under Art. 5(3) ePrivacy; (2) probabilistic matching builds a profile and falls under Art. 6 GDPR with consent as the only safe basis; (3) data is transferred to the US and shared across the Experian group; (4) the graph aggregates signals from many publishers, raising joint controllership and purpose limitation questions; (5) the IAB TCF v2.2 should be used to capture and signal consent in the bid stream; (6) Apple ATT, Android Privacy Sandbox and browser cookie deprecation are progressively reducing the reliability and acceptability of the underlying signals.
Sample consent text
With your consent, we work with Tapad (an Experian company) to link your devices for advertising measurement and personalisation. Tapad processes your browser cookies, mobile advertising ID, IP and device fingerprint in the United States, transferred under Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
tapad.comrtb.tapad.compixel.tapad.comexperian.comexperianmarketingservices.digitalCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| TapAd_DID | Marketing | 1 year | Tapad device graph identifier set as a third party cookie on tapad.com. Used to link the browser to a user across devices. |
| TapAd_TS | Marketing | 1 year | Timestamp cookie used by Tapad to track the last time the device was seen, supporting probabilistic matching. |
| TapAd_3WAY_SYNCS | Marketing | 60 days | Records cookie syncs between Tapad and partner DSPs/SSPs to keep the cross device graph in sync with the wider ad ecosystem. |
| TData | Marketing | 1 year | Stores additional Tapad targeting attributes used for cross device measurement and audience matching. |
Tapad places tracking cookies for advertising — comply with GDPR using FlowConsent.
Tapad sets third party cookies on tapad.com including TapAd_DID (device graph identifier, 1 year) and TapAd_TS (timestamp). It also reads mobile advertising IDs (IDFA on iOS, AAID on Android) through partner integrations and adds probabilistic signals (IP, user agent, screen, time of day).
Yes, explicit and granular consent is required because Tapad combines third party cookies, mobile identifiers and probabilistic matching across publishers. Use a CMP with IAB TCF v2.2 and ensure Tapad and Experian are listed in the vendor list.
Consent (Art. 6(1)(a) GDPR) is the only safe basis. Legitimate interest does not work for cross device matching and ad measurement at this scale given the EDPB and CNIL guidance, and the surprise factor for visitors.
Tapad operates from the United States under Experian, with global data flows in the open ad ecosystem. EU transfers rely on Standard Contractual Clauses and the EU US Data Privacy Framework. Document Experian sub processors and the cross device graph in your records.
Yes. Cross device profiling at scale clearly meets Art. 35(3) GDPR criteria (systematic monitoring, large scale processing, third country transfers). The DPIA should cover deterministic and probabilistic signals, third party sharing, retention and risks to data subjects.
Sign the Tapad/Experian DPA with full SCCs, run an IAB certified CMP with TCF v2.2 listing Tapad, complete a DPIA and a TIA, restrict the categories of data shared (avoid sensitive interests), disclose Tapad as a separate controller for the graph and provide a clear, machine readable opt out.
EU based identity and measurement alternatives include ID5 (UK/France), The European netID Foundation (Germany), and contextual targeting providers such as Seedtag (Spain) and GumGum. For first party identity, server side approaches with hashed user IDs and aggregated measurement (Google Consent Mode v2, Meta Conversions API) reduce reliance on cross publisher graphs.
Disclose Tapad and Experian as separate controllers for the cross device identity graph, list the categories of data shared (cookies, mobile IDs, IP, fingerprint), mention US transfers under SCCs and the EU US Data Privacy Framework, document IAB TCF v2.2 use, and link Tapad's and Experian's privacy notices.