Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Yandex.Direct is the contextual advertising platform of Yandex, the Russian counterpart of Google Ads. It powers search advertising on Yandex search results and display and video advertising across the Yandex Advertising Network. All data is processed on Yandex servers in Russia. Deploying Yandex.Direct conversion pixels and audience tags on EU traffic raises severe GDPR concerns: no EU adequacy for Russia, Schrems II transfer assessment that is extremely difficult to pass, and EU sanctions context since 2022.
Yandex.Direct is the advertising platform of Yandex LLC, the largest Russian search and technology company. It is the Russian counterpart of Google Ads: search advertising on Yandex search results, plus display, video, and Smart Banner advertising across the Yandex Advertising Network (YAN) covering thousands of Russian publisher sites and apps.
On advertiser websites, Yandex.Direct is integrated through conversion pixels and audience tags (often combined with Yandex.Metrica for analytics and audience building). On publisher sites within YAN, ads are served through Yandex tags from yandex.ru, an.yandex.ru and related domains.
Yandex.Direct processes the visitor IP, User Agent, page URL, referrer, click and conversion events, audience identifiers (often linked with Yandex.Metrica counters), and search queries when ads are shown on Yandex search. Custom event data and ecommerce parameters can also be transmitted by advertisers.
Main cookies on yandex.ru: yandexuid (persistent advertising identifier, 10 years), ys (Yandex search session), yandex_login (login state), yp (preferences). These cookies are used across all Yandex services, enabling deep cross product profiling.
Russia has no European Commission adequacy decision. EU to Russia transfers therefore require SCCs plus a Transfer Impact Assessment that explicitly addresses Russian Federal Law N 152 FZ data localisation, FSB and SORM access rights, and the lack of effective judicial remedy for EU data subjects. After Schrems II this assessment is hard to conclude favourably for an advertising use case.
Several EU DPAs have effectively warned against using Yandex services for EU advertising. The CJEU ruling C 252/21 also confirms that legitimate interest is not available for behavioural advertising, leaving consent as the only conceivable Art. 6 basis, although consent alone does not legitimise the transfer chapter.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Since 2022, EU sanctions (Council Regulation 833/2014 as amended) restrict various commercial dealings with Russian entities. While Yandex LLC itself is not directly sanctioned at the time of writing, EU advertisers running ad spend on Yandex.Direct must check whether their compliance and legal teams are comfortable with the geopolitical context. Many EU advertisers have voluntarily withdrawn ad spend on Russian platforms.
For EU users targeted by Yandex.Direct (in mirror, on Russian search), the privacy implications are no different from EU traffic to Yandex.Metrica.
Yandex.Direct remains the dominant search advertising platform inside Russia. Brands that legitimately need to reach Russian consumers (for example to communicate with diaspora, humanitarian organisations, journalism) may still need to use it. In that case, the campaigns should be tightly scoped to Russian IP ranges, EU traffic geofenced out, and the residual risk documented in detail.
For pure EU advertising, Google Ads, Microsoft Advertising, Criteo, Outbrain, and EU based DSPs are far safer choices.
Document why Yandex.Direct is necessary and why EU alternatives are not acceptable. Sign the most recent Yandex DPA and SCCs. Run a thorough TIA. Geofence Yandex.Direct tags out of EU traffic where possible. Capture explicit consent for any residual EU traffic. List Yandex LLC in your privacy notice with a prominent Russian transfer warning.
Monitor EU DPA guidance and sanctions updates. Prepare a migration plan to Google Ads, Microsoft Advertising or another EU friendly platform in case enforcement escalates.
Websites using Yandex.Direct must obtain user consent under GDPR regulations.
DPIA considerations
Yandex.Direct is a high risk advertising service for EU deployments. Key DPIA considerations: (1) all data is processed in the Russian Federation with no EU adequacy decision; (2) Russian Federal Law N 152 FZ data localisation and FSB / SORM access rights apply; (3) the EU sanctions framework since 2022 (Council Regulation 833/2014 as amended) creates commercial and reputational risk; (4) Yandex.Direct sets advertising cookies (yandexuid, ys, yandex_login, yp) on yandex.ru and partner domains, enabling cross site profiling; (5) the Yandex Advertising Network distributes data to publisher partners, further extending the chain; (6) audience targeting and the Yandex Smart Banner feature build behavioural profiles that may produce automated targeting decisions under Art. 22 GDPR; (7) for most EU controllers, a TIA cannot conclude that adequate protection is in place.
Sample consent text
We use Yandex.Direct (Yandex LLC, Russian Federation) to deliver advertising on this site and to track conversions. With your explicit consent, Yandex.Direct sets cookies (yandexuid, ys and others) and transfers data to Yandex servers in Russia under Standard Contractual Clauses. Russia has no EU adequacy and this transfer carries additional legal risk. You can refuse advertising in our consent banner.
Third-party domains contacted
yandex.ruan.yandex.ruawaps.yandex.rumc.yandex.comyandex.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| yandexuid | Marketing | 10 years | Persistent Yandex advertising identifier. Used across all Yandex services to recognise the user and to target ads on the Yandex Advertising Network. |
| ys | Marketing | Session | Yandex search session identifier. Used to associate ad impressions and clicks with a specific search session. |
| yandex_login | Functional | 10 years | Stores the login state of the visitor in the Yandex ecosystem, used to personalise advertising for authenticated Yandex users. |
| yp | Marketing | 10 years | Stores Yandex visitor preferences, including ad personalisation settings. |
| bh | Marketing | 1 year | Browser characteristics cookie used by Yandex for ad delivery and fraud detection. |
Yandex.Direct places tracking cookies for advertising — comply with GDPR using FlowConsent.
The main Yandex cookies used for advertising are yandexuid (persistent advertising identifier, up to 10 years), ys (Yandex search session), yandex_login (login state for Yandex users), yp (preferences), and bh (browser characteristics). All are non essential and require consent. They are shared across all Yandex products including Yandex.Metrica.
Yes, doubly. Art. 5(3) ePrivacy and §25 TTDSG require consent for the advertising cookies. The cross border transfer to Russia is itself a separate compliance issue under GDPR Chapter V: consent alone does not legitimise the transfer after Schrems II.
Only consent (Art. 6(1)(a) GDPR) is conceivable for advertising profiling. Legitimate interest is not available after CJEU C 252/21. Even with consent, the international transfer chapter must be satisfied separately, which is very difficult for Russia.
Yes, to the Russian Federation. Russia has no EU adequacy decision. Transfers rely on SCCs plus a TIA that explicitly addresses Russian Federal Law N 152 FZ, FSB and SORM access rights, and the absence of effective EU data subject remedies. This assessment will rarely conclude that adequate protection is in place.
Yes. Yandex.Direct meets multiple EDPB criteria for mandatory DPIA: systematic large scale advertising profiling, cross border transfer to a third country without adequacy, and (when combined with Yandex.Metrica) innovative behavioural tracking. The DPIA must also document the sanctions context.
In most EU cases, do not use Yandex.Direct on EU traffic. If you must reach Russian audiences, scope campaigns to Russian IP ranges, geofence EU traffic out of any tagging, sign the most recent Yandex DPA and SCCs, capture explicit consent for residual EU traffic, and document the residual risk in a full DPIA.
For EU search advertising: Google Ads and Microsoft Advertising (formerly Bing Ads). For EU display and video programmatic: The Trade Desk, DV360, Adform (Denmark), Equativ (Smart AdServer, France), Outbrain, Taboola. For Russian audiences specifically, Yandex.Direct remains dominant but should be scoped to Russian users only.
List the Yandex advertising cookies (yandexuid, ys, yandex_login, yp, bh) with provider (Yandex LLC, Russian Federation), purpose (search and display advertising on the Yandex Advertising Network), lifetime, and category (Marketing). Disclose prominently the transfer to the Russian Federation and the residual risk. Link the Yandex privacy policy. Strongly consider migrating to a GDPR friendly platform.