Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
TripleLift is a US based advertising technology platform specialising in native, branded content, and CTV advertising. Founded in 2012 in New York and acquired by Vista Equity Partners in 2020, it operates an SSP that transforms publisher inventory into native creative units through computer vision and dynamic creative optimisation. TripleLift sets advertising cookies on triplelift.com, is registered in the IAB Europe TCF v2.2 framework, and processes data in the United States. EU traffic deployments require explicit consent under the GDPR and the ePrivacy Directive.
TripleLift is a US advertising technology company founded in 2012 in New York, specialising in native programmatic advertising. It uses computer vision and creative reshaping to transform standard ad creative into native, in feed, and out stream video formats that match the look and feel of publisher content. In 2020, Vista Equity Partners acquired a majority stake. The company also expanded into connected TV (CTV) advertising.
TripleLift integrates with publishers via Prebid.js, direct tags, or server side integrations. Bid requests are sent to demand side platforms in real time, and winning creatives are returned in the appropriate native, video, or display format.
Each bid request contains the visitor IP, User Agent, page URL, ad slot data, viewport, approximate geolocation, content categorisation, the user advertising identifier (tluid), and the TCF v2.2 consent string. Authenticated identifiers (UID 2.0, ID5, RampID) may be transmitted depending on the publisher configuration.
Cookies on triplelift.com: tluid (persistent advertising identifier, 1 year), tlsync (sync state), and several auxiliary cookies for partner mapping. All are third party cookies and require consent.
TripleLift is registered in the IAB Europe TCF v2.2 Global Vendor List. Publishers must transmit a valid TC string with the relevant purposes consented before loading TripleLift or sending bid requests.
The Belgian DPA decision on TCF and the CJEU ruling C 252/21 on legitimate interest both apply. Consent is the only safe Art. 6 GDPR basis for the advertising purposes powered by TripleLift, including in native and CTV contexts.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Native ads must be clearly labelled under the Digital Services Act (Art. 26 DSA) and consumer protection law. TripleLift native creatives should be tagged with a clear sponsored or advertising marker to avoid misleading the user.
CTV inventory introduces additional concerns: device level identifiers (IFA, Roku ID, etc.) can identify households rather than individuals, raising specific Art. 9 GDPR risks if the household is profiled around sensitive content (health, religion).
TripleLift LLC is a US controller. EU to US transfers rely on SCCs and the EU US Data Privacy Framework. A TIA is required, and supplementary measures (IP truncation, restricted property pushes) are recommended.
List TripleLift and its downstream DSP recipients in your privacy notice. The TCF v2.2 vendor list provides standard categories but does not absolve the publisher from its own disclosure obligation.
Register TripleLift in your TCF v2.2 CMP. Sign the TripleLift DPA. Defer triplelift.com calls until consent. Restrict your Prebid bidder list. Ensure clear native ad labelling under DSA. Document TripleLift in your privacy notice with US transfer details.
Implement Global Privacy Control handling. For sensitive content pages or vulnerable audience contexts, disable TripleLift loading entirely. Review the DPIA at least annually.
Websites using TripleLift must obtain user consent under GDPR regulations.
DPIA considerations
TripleLift is a high impact SSP specialised in native, branded content, and CTV. Key DPIA considerations: (1) bid requests include IP, User Agent, page URL, ad slot data, geolocation, content categorisation, and the user advertising identifier (tluid); (2) cookies on triplelift.com enable cross site profiling; (3) native ads blend with editorial content, triggering DSA labelling obligations; (4) US data storage requires SCCs and a TIA under Schrems II; (5) CTV inventory introduces device level identifiers that may persist across households; (6) the Belgian DPA TCF decision and CJEU C 252/21 apply.
Sample consent text
We use TripleLift to monetise our advertising inventory through native, display, and CTV programmatic auctions. With your consent, TripleLift sets cookies on triplelift.com (tluid and helpers) and shares bid request data with our demand partners. This data is processed on TripleLift servers in the United States under Standard Contractual Clauses. You can refuse advertising in our consent banner.
Third-party domains contacted
triplelift.com3lift.comeb2.3lift.comtlx.3lift.comib.3lift.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tluid | Marketing | 1 year | Persistent advertising identifier set by TripleLift. Used to recognise users across publisher sites and participate in native, display, and CTV real time bidding. |
| tlsync | Marketing | 30 days | Cookie sync state between TripleLift and demand side platforms for cookie matching. |
| tl_TCID | Marketing | 30 days | Auxiliary identifier used for partner cookie mapping in TripleLift exchange operations. |
TripleLift places tracking cookies for advertising — comply with GDPR using FlowConsent.
TripleLift sets third party cookies on triplelift.com: tluid (persistent advertising identifier, 1 year), tlsync (cookie sync state), and several auxiliary cookies for partner mapping. All are advertising cookies and require consent.
Yes for any EU deployment. The cookies and OpenRTB bid request require prior informed consent under Art. 5(3) ePrivacy and §25 TTDSG, plus a valid TCF v2.2 TC string.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is not available for behavioural advertising (CJEU C 252/21). The TCF v2.2 vendor declaration must match the actual processing.
Yes. TripleLift is US based and processes data primarily in the United States under SCCs and the EU US Data Privacy Framework. A Transfer Impact Assessment is required by the publisher.
Yes, in most cases. The DPIA must cover audience and content categorisation (avoid Art. 9 content), the OpenRTB fan out, vendor list, retention, CTV identifiers, and Art. 22 GDPR for automated bidding. DSA labelling for native ads should also be addressed.
Register TripleLift in your TCF v2.2 CMP. Sign the DPA. Defer triplelift.com calls until consent. Restrict Prebid bidders. Ensure clear native ad labelling per DSA. Document the full chain in your privacy notice.
Native SSPs: Sharethrough, Outbrain, Taboola, MGID, Nativo, RevContent. EU based: ADYOULIKE (France), Plista. TripleLift differentiator is the computer vision based creative transformation and the strength in CTV and branded content.
List the TripleLift cookies (tluid, tlsync) with provider (TripleLift LLC, United States), purpose (native and CTV advertising), lifetime, and category (Marketing). Disclose the US transfer, TCF v2.2, and link the TripleLift privacy policy.