Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Dynamic Yield is a personalization, recommendations and A/B testing platform owned by Mastercard since 2022. The script stores a persistent visitor identifier (_dyid) and captures behavior across sessions to personalize the website experience. Prior opt in consent is required.
Dynamic Yield is a personalization, recommendations and A/B testing platform founded in Israel in 2011. After being acquired by McDonalds in 2019 and resold to Mastercard in 2022, the company now operates from Tel Aviv, New York and London. The product combines a JavaScript SDK that runs on the website, a personalization engine that evaluates campaigns server side and a recommendations engine that powers product suggestions. The Dynamic Yield script (dy.js) is loaded from cdn.dynamicyield.com on every page.
The Dynamic Yield script sets _dyid (persistent first party identifier, default 13 months), _dyid_server (a server side variant for backend recommendations), _dyjsession (session identifier), _dyfs and _dy_geo (page context and geolocation hints). These identifiers persist across sessions and link behavior into a personalization profile, so they qualify as tracking cookies under Article 5(3) ePrivacy. The script may also write _dycst with the consent state when integrated with a consent management platform.
Article 5(3) ePrivacy requires prior opt in consent because Dynamic Yield stores persistent identifiers and reads them for profiling. Article 6(1)(a) GDPR (consent) is the legal basis. The platform performs profiling under Article 22, so the customer must inform visitors and offer a way to object. The customer is the controller, Dynamic Yield Inc. is the processor under Article 28 GDPR with a DPA. Israel and the United Kingdom benefit from adequacy decisions, the United States is covered by SCCs and the EU US Data Privacy Framework when applicable.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Request the AWS EU West 1 (Ireland) region for the customer data plane. The Cloudflare CDN that serves dy.js is global, which is acceptable for content delivery. Some AI training and product analytics pipelines run from the US or Israel, both covered by adequacy or SCCs. Tel Aviv is the primary R&D site, London handles EU support and account management.
Gate the Dynamic Yield script behind a consent management platform with Google Consent Mode v2 or IAB TCF. Use the Dynamic Yield consent integration so the script defers identifier creation until consent. Request the EU region. Sign the Dynamic Yield DPA. Document the processor in your RoPA with retention, personalization rules and channels. Carry out a DPIA before launch. Provide a clear opt out path in your privacy notice.
Websites using Dynamic Yield must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for Dynamic Yield deployments because the platform performs systematic profiling, behavioral segmentation and personalization of identified or identifiable users. Document the legal basis, the EU region selection, the retention period (default 13 months), the personalization rules, the data minimization controls and the integration with a consent management platform.
Sample consent text
We use Dynamic Yield to personalize the content and recommendations you see on this site. Dynamic Yield stores a cookie (_dyid) that identifies your visit and tracks your interactions to suggest the most relevant content. These cookies are activated only after you accept them in the consent banner.
Third-party domains contacted
dynamicyield.comcdn.dynamicyield.comst.dynamicyield.comrcom.dynamicyield.comrms.dynamicyield.comasync-px.dynamicyield.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _dyid | first-party | 13 months (default, configurable) | Persistent visitor identifier created by Dynamic Yield to recognise a returning visitor and link behavior across sessions for personalization. Requires consent. |
| _dyid_server | first-party (server side variant) | 13 months | Server side variant of _dyid used by Dynamic Yield server side recommendations. Requires consent. |
| _dyjsession | first-party | Session | Session identifier used to group page views and events within a single visit. Requires consent. |
| _dyfs | first-party | Session | Stores feature flags and the page context detected by the Dynamic Yield script. Requires consent. |
| _dy_geo | first-party | Session | Stores the approximate geolocation derived by Dynamic Yield to feed location based personalization. Requires consent. |
| _dycst | first-party | Up to 1 year | Stores the consent state communicated by the consent management platform to Dynamic Yield. Strictly necessary when the consent integration is enabled. |
Dynamic Yield collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Yes. The Dynamic Yield script sets _dyid (persistent identifier, 13 months by default), _dyjsession (session), _dyfs and _dy_geo (page context) and may set _dyid_server and _dycst. These identifiers persist across sessions and require consent.
Yes. Prior opt in consent is required because Dynamic Yield stores persistent identifiers and performs profiling for personalization and recommendations.
Article 6(1)(a) GDPR (consent) for personalization and profiling. Article 22 GDPR applies because Dynamic Yield performs automated decisions to personalize content. The customer is the controller, Dynamic Yield Inc. (Mastercard) is the processor with a DPA.
European customers can request the AWS EU West 1 (Ireland) region. The Cloudflare CDN that serves dy.js is global, acceptable for content. Some AI training, support and product analytics pipelines run from the US or Israel, covered by SCCs or adequacy.
Yes. Article 35 GDPR makes a DPIA mandatory for systematic profiling of identified or identifiable users. Document the EU region, retention, personalization rules and consent mechanism.
Gate the script behind a consent management platform with Google Consent Mode v2 or IAB TCF, use the Dynamic Yield consent integration, request the EU region, sign the DPA, document the processor in your RoPA, run a DPIA before launch and provide a clear opt out.
Other personalization platforms include Adobe Target, Optimizely Web Experimentation, Monetate (Kibo), Insider (Turkey), Algonomy, AB Tasty (France), Kameleoon (France), Webtrekk (Mapp, Germany) and Salesforce Personalization.
List _dyid, _dyid_server, _dyjsession, _dyfs, _dy_geo and _dycst in your cookie disclosure with duration and purpose. Document the EU region, the profiling activity and the consent management integration. Update whenever new Dynamic Yield campaigns are activated.