Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Ketch is a privacy operations platform from Ketch.com Inc. (San Francisco). It bundles a Consent Management Platform with data mapping, data subject rights workflow automation, and Global Privacy Control signal handling. The CMP supports IAB TCF v2.2 for European programmatic, and the wider platform addresses CCPA, CPRA and other US state laws. European operators use Ketch to coordinate consent and rights handling across jurisdictions, but must configure data residency carefully because default infrastructure is US based.
Ketch is a privacy operations platform from Ketch.com Inc., a San Francisco software company founded in 2018. The platform combines four major components: a Consent Management Platform with banner, preference centre and TCF v2.2 support; a data mapping and inventory tool that tracks where personal data flows across the organisation; a Data Subject Rights (DSR) automation layer that captures, routes and fulfils access, deletion, portability and opt out requests; and a Global Privacy Control (GPC) and Universal Opt Out Mechanism support layer that interprets browser level privacy signals across US state laws. European operators typically engage Ketch for the CMP and DSR features, often in environments that also need to comply with US state laws like California''s CCPA and CPRA.
The CMP writes ketch_consent (12 month default), a JSON encoded record of the per purpose decision and timestamp, plus _swb (also 12 months), a backend identifier used to look up the consent record in Ketch databases. When TCF v2.2 is enabled for European programmatic advertising, the same SDK writes the standard euconsent-v2 cookie. The backend stores the consent log against an IP address and user agent for proof purposes. For data subject rights workflows, Ketch processes the requester''s name, email address, phone, free text request description and any verification documents the operator chooses to collect. GPC signals are read from the navigator.globalPrivacyControl property and converted into an automatic opt out decision under the configured policies.
Recital 30 of the ePrivacy Directive accepts that storing the user''s consent record is necessary processing, so the Ketch banner can load before consent. GDPR Art. 7(1) places the burden of proof on the controller to demonstrate consent, which justifies storing the consent log under legitimate interest or legal obligation. For DSR workflows, the legal basis is generally legal obligation (Art. 6(1)(c)) because the GDPR itself mandates handling Art. 15 to 22 requests, with retention limited to what is needed to demonstrate compliance to supervisory authorities. The TCF integration carries the same considerations as for any TCF based CMP, including the Belgian APD ruling on IAB Europe and ongoing EDPB scrutiny.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Ketch exposes the standard __tcfapi() global when TCF is enabled, plus its own ketch() command queue for non TCF vendors. Operators wire each downstream tag (Google Analytics, Meta Pixel, custom pixels) to the corresponding Ketch purpose by either using server side gating, GTM consent triggers, or the Ketch tag inventory and policy engine. The platform supports Google Consent Mode v2 mapping, so granting analytics purpose triggers analytics_storage and granting advertising purpose triggers ad_storage, ad_user_data and ad_personalization. For mobile apps, the Ketch SDKs cover Android and iOS with App Tracking Transparency integration.
Default Ketch infrastructure runs on AWS us-west-2 and us-east-1. The CMP banner can be served from CloudFront edges close to European visitors, but the consent log and DSR data land on US infrastructure unless the operator negotiates EU residency on eu-west-1 (Ireland) or eu-central-1 (Frankfurt) under separate contract terms. Ketch is self certified under the EU US Data Privacy Framework and uses Standard Contractual Clauses for transfers outside the DPF. Operators handling sensitive DSR data, or those with strict EU only commitments to their users, should request the EU residency contract option before deployment.
Configure equal prominence between accept and reject in the banner, with no pre ticked boxes, granular per purpose controls accessible in one click, and a clear withdrawal link in the footer. Map all tags to Ketch purposes through the policy engine, and run regular cookie scans to confirm tags honour the consent. Enable Global Privacy Control honouring for EU visitors (some authorities now recognise GPC as a valid opt out signal), and align GPC handling with US state laws when applicable. Document the data residency option chosen, the transfer mechanism, and any DSR retention period in the record of processing activities. Test the DSR flow end to end before launch, including the verification step.
Websites using Ketch must obtain user consent under GDPR regulations.
DPIA considerations
Ketch writes the ketch_consent cookie (12 month default lifetime) holding the per purpose consent decision, plus the _swb cookie used to identify the consent record on the backend, and stores a TCF v2.2 euconsent-v2 cookie when the IAB framework is enabled. DPIA considerations: (1) consent records are personal data because they are tied to IP, timestamp and a persistent identifier, so processing falls within the GDPR; (2) Ketch is US headquartered with US default infrastructure, so transfers to the US must be assessed under Schrems II even where the EU US Data Privacy Framework applies; (3) the platform also processes data subject request submissions (names, email addresses, free text descriptions of requests), which is more sensitive than consent data and benefits from EU residency; (4) when the SDK includes experience analytics, that processing requires a separate basis (consent for non strictly necessary tracking); (5) for IAB TCF v2.2 deployment, the same considerations apply as for any TCF CMP, including the Belgian APD ruling against IAB Europe and the EDPB scrutiny of the framework. A DPIA is recommended whenever Ketch is used for data subject rights handling beyond simple consent capture.
Sample consent text
We use Ketch as our privacy operations platform, including the consent banner you see now. Ketch stores your preferences in a first party cookie (ketch_consent, 12 month duration) and synchronises the choice with Ketch.com Inc. servers in the United States so that we can prove your consent and respect your rights across our services. You can change or withdraw your consent at any time via the privacy preferences link in the footer, and you can also submit a rights request (access, deletion, opt out) through the same interface.
Third-party domains contacted
global.ketchcdn.comconfig.ketchcdn.comcd.ketchcdn.complugins.ketchcdn.comketch.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ketch_consent | Strictly Necessary / Consent | 12 months | Set by Ketch. Stores the JSON encoded per purpose consent decision (analytics, advertising, functional, etc.) plus the timestamp and version of the policy displayed when the user made their choice. |
| _swb | Strictly Necessary / Consent | 12 months | Set by Ketch. Backend identifier used to look up the persistent consent record on the Ketch servers, so that the same decision can be applied across subdomains and synchronised to mobile apps. |
| _swb_consent_ | Strictly Necessary / Consent | 12 months | Set by Ketch. Mirrors the high level consent state per jurisdiction (EU, California, etc.), allowing the SDK to apply different rules to visitors from different regions without re reading the full ketch_consent payload. |
| euconsent-v2 | Strictly Necessary / Consent | 12 months | Set by Ketch when IAB Europe TCF v2.2 is enabled. Stores the standard TCF consent string used by downstream programmatic advertising vendors. |
| usprivacy | Strictly Necessary / Consent | 12 months | Set by Ketch under the IAB CCPA Compliance Framework. Stores the US Privacy String reflecting opt out status for California and other US state law sales/sharing flows. |
Ketch is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Ketch writes ketch_consent (12 month default lifetime) containing the JSON encoded per purpose consent decision, _swb (12 months) as a backend identifier used to look up the consent record in Ketch databases, and euconsent-v2 (12 months) when the IAB TCF v2.2 framework is enabled. A mirror copy of the consent state is also written to local storage. All cookies are first party on the operator's domain.
Recital 30 of the ePrivacy Directive accepts that storing the user's consent record is necessary processing, so the Ketch banner can fire before consent. Any other Ketch SDK feature (analytics, experimentation, data subject rights tracking pixels) requires its own basis, and that processing must be gated until the user has granted the relevant purpose.
The consent record itself rests on legitimate interest under GDPR Art. 6(1)(f), or alternatively on legal obligation under Art. 6(1)(c) since GDPR Art. 7(1) requires the controller to demonstrate consent. Data subject rights workflows rest on legal obligation under Art. 6(1)(c) since Articles 15 to 22 of the GDPR impose the rights handling duty. Marketing or analytics features that ride on Ketch (such as Ketch Tags or downstream pixels) require consent under Art. 6(1)(a).
Yes by default. Ketch.com Inc. is headquartered in San Francisco and the default Ketch tenant runs on AWS us-west-2 and us-east-1. Enterprise customers can negotiate EU only residency on eu-west-1 (Ireland) or eu-central-1 (Frankfurt). Ketch self certifies under the EU US Data Privacy Framework and offers Standard Contractual Clauses as the fallback transfer mechanism.
A DPIA is recommended whenever Ketch is used for data subject rights workflows, because the data involved (names, emails, free text descriptions, verification documents) is more sensitive than a consent record. The DPIA should cover the legal basis for each Ketch feature, the data residency option, the transfer mechanism for US processed data, the retention period for consent and DSR records, and the security controls applied to verification documents.
Configure the banner with equal prominence between accept and reject, no pre ticked boxes, granular per purpose controls, and a clear privacy preferences link in the footer that reopens the banner. Map every downstream tag to a Ketch purpose through the policy engine, and rely on server side gating for high risk vendors. Enable Global Privacy Control honouring across all jurisdictions where it provides legal value. Document the data residency option, transfer mechanism and retention period in the record of processing.
Privacy operations platforms that combine CMP with DSR automation include OneTrust, Securiti, Transcend, DataGrail and Osano. CMP only alternatives include Didomi (France), Sourcepoint, Cookiebot, Usercentrics (Germany) and Axeptio (France). For sites that prioritise EU only data residency, Didomi and Usercentrics are EU based, while Ketch, OneTrust and Securiti default to US infrastructure with EU residency as a paid option.
List ketch_consent, _swb and euconsent-v2 under strictly necessary cookies, with their purposes and durations. Name Ketch.com Inc. as the CMP processor in the privacy notice, declare the data residency option chosen, and cite the transfer mechanism (EU US Data Privacy Framework or SCCs). Maintain a real time vendor table reflecting downstream tags configured behind the Ketch policy engine. Provide a working preferences link in the footer that reopens the Ketch banner.