What is GDPR?

GDPR stands for General Data Protection Regulation. It is a privacy law in the European Union that controls how companies collect, store, and use personal data.

It applies when:

  • The user is in the EU
  • A website or app has EU users
  • An SSP or DSP processes EU user data

Simple AdTech summary:

GDPR means user-level tracking and targeting need the right consent conditions. Without consent, advertising usually moves from personalized targeting to contextual-only or limited ads.

What counts as personal data under GDPR?

In AdTech, GDPR affects many common identifiers and signals:

AdTech data | Considered personal data?
Cookies | Yes
Device ID (IFA, AAID, IDFA) | Yes
IP address | Yes
Location | Yes
User ID | Yes
Email (hashed) | Yes
Advertising ID | Yes
Audience segment | Yes

So GDPR mainly affects targeted advertising.

GDPR vs COPPA

COPPA | GDPR
For children | For everyone
USA law | EU law
Blocks tracking for kids | Needs consent for tracking
Contextual ads only | Consent-based ads
regs.coppa = 1 | regs.gdpr = 1

GDPR in OpenRTB

In an OpenRTB bid request, GDPR is usually represented like this:

{
  "regs": {
    "gdpr": 1
  },
  "user": {
    "ext": {
      "consent": "TCF_STRING"
    }
  }
}

Two important fields matter most:

Field | Meaning
regs.gdpr = 1 | User is in the EU or GDPR applies
user.ext.consent | Consent string sent with the request

This consent string is usually called a TCF string, based on the Transparency and Consent Framework.

When an EU user visits a website, they often see a consent popup asking whether they allow cookies, personalized ads, and measurement. This popup is managed by a CMP, or Consent Management Platform.

Common CMP examples include:

  • OneTrust
  • Quantcast CMP
  • Sourcepoint
  • TrustArc

User choices usually look like:

Option | Meaning
Accept All | Personalized ads allowed
Reject All | Only contextual ads
Partial | Only some vendors or purposes are allowed

That choice is converted into a consent string and sent with the bid request.

GDPR flow in AdTech

EU User visits website
        ↓
CMP popup appears
        ↓
User gives consent or rejects
        ↓
Consent string generated
        ↓
Ad request sent to SSP
        ↓
SSP sends to DSP with:
        regs.gdpr = 1
        user.ext.consent = string
        ↓
DSP reads consent
        ↓
DSP decides:
    If consent = yes -> personalized ads
    If consent = no -> contextual ads only

When the user has given consent, a bid request may look like:

{
  "regs": { "gdpr": 1 },
  "user": {
    "id": "abc123",
    "ext": {
      "consent": "BOEFEAyOEFEAyAHABDENAI4AAAB9vABAASA"
    }
  },
  "device": {
    "ifa": "AEBE52E7-03EE-455A-B3C4-E57283966239"
  }
}

The DSP sees:

  • GDPR applies
  • Consent = yes
  • Device ID present
  • User ID present

The DSP can usually do:

  • Retargeting
  • Audience targeting
  • Frequency capping
  • Lookalike targeting
  • Behavioral targeting

When the user has not consented to personalization, a request may look more like:

{
  "regs": { "gdpr": 1 },
  "user": {
    "ext": {
      "consent": "BOEFEAyOEFEAyAHABDENAI4AAAB9vABAASA"
    }
  },
  "device": {
    "ifa": null
  }
}

The DSP sees:

  • GDPR applies
  • No consent for personalization
  • No device ID

The DSP must:

  • Disable audience targeting
  • Disable retargeting
  • Use contextual targeting only

This is often called limited ads.

DSP behavior table

Situation | DSP action
GDPR = 0 | Normal targeting
GDPR = 1 + Consent = Yes | Personalized ads
GDPR = 1 + Consent = No | Contextual ads
GDPR = 1 + No consent string | Many DSPs do not bid

SSP responsibilities under GDPR

  • Show the consent popup through a CMP
  • Store user consent
  • Send the consent string in the bid request
  • Remove IDs if consent is not present
  • Send regs.gdpr = 1
  • Pass the consent string to DSPs

If the SSP fails to do this correctly, there can be legal and platform risk.

DSP responsibilities under GDPR

  • Read the consent string
  • Check whether the vendor is allowed
  • Check whether the purpose is allowed, such as personalization, measurement, and frequency capping
  • If not allowed, do not use personal data
  • Bid contextual ads only when consent is not sufficient

Real example

Scenario: a user in Germany opens a news website.

The CMP popup appears and the user clicks Reject.

Now the bid request effectively behaves like this:

regs.gdpr = 1
device.ifa = null
user.id = null
context.category = news

Example DSP decisions:

DSP | Decision
Retargeting DSP | No bid
Branding DSP | Bid
Contextual DSP | Bid
Performance DSP | No bid

So fill rate often drops, but it does not always fall to zero.

GDPR impact on revenue

Inventory type | Typical CPM
Personalized ads | $5
Contextual ads | $2
No consent traffic | Lower fill

So GDPR usually reduces revenue if the user rejects consent, because user-level targeting becomes unavailable.

COPPA vs GDPR vs CCPA

Feature | COPPA | GDPR | CCPA
Region | USA | EU | California
For | Children | Everyone | Adults
Needs consent | Yes | Yes | Opt-out
Personalization | No | Yes, if consent exists | Yes, unless user opts out
OpenRTB flag | regs.coppa | regs.gdpr | regs.us_privacy

OpenRTB privacy flags summary

Privacy law | OpenRTB field
COPPA | regs.coppa = 1
GDPR | regs.gdpr = 1
CCPA | regs.us_privacy = "1YYY"

Interviewers love this comparison.

One-line summary

Law | Meaning in AdTech
COPPA | No tracking for kids
GDPR | Tracking only with consent
CCPA | User can opt out of tracking

Final DSP decision logic

IF COPPA = 1
    -> Contextual ads only

ELSE IF GDPR = 1 AND Consent = Yes
    -> Personalized ads allowed

ELSE IF GDPR = 1 AND Consent = No
    -> Contextual ads only

ELSE
    -> Normal targeting
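
The decision logic above and the DSP responsibilities listed earlier (read the consent string, check the vendor, check the purpose) can be combined into one check. The sketch below is an added example, not code from the original page or from any DSP. It assumes the TCF v2 core-string bit layout, treats purposes 1, 3 and 4 as the ones required for personalization, handles an unreadable string like a missing one, and uses a constructed sample string with a hypothetical vendor id 7.

```python
import base64, binascii

PERSONALIZATION = {1, 3, 4}  # assumption: TCF v2 purposes that gate personalized ads

def tcf2_consent(tc_string, vendor_id):
    """Return (consented purpose ids, vendor consent flag) from a TCF v2 core segment."""
    core = tc_string.split(".")[0]                                # ignore optional segments
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < 230 or int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 core string")
    purposes = {p for p in range(1, 25) if bits[151 + p] == "1"}  # bits 152-175
    if vendor_id > int(bits[213:229], 2):                         # MaxVendorId
        return purposes, False
    if bits[229] == "0":                                          # bitfield encoding
        return purposes, bits[229 + vendor_id:230 + vendor_id] == "1"
    pos, found = 242, False                                       # range encoding
    for _ in range(int(bits[230:242], 2)):
        is_range = bits[pos] == "1"
        start = int(bits[pos + 1:pos + 17], 2)
        end = int(bits[pos + 17:pos + 33], 2) if is_range else start
        pos += 33 if is_range else 17
        found = found or start <= vendor_id <= end
    return purposes, found

def dsp_decision(req, vendor_id):
    """Apply the page's decision table to an OpenRTB request for one DSP vendor id."""
    regs = req.get("regs") or {}
    if regs.get("coppa") == 1:
        return "contextual"
    if regs.get("gdpr") != 1:
        return "normal"
    consent = ((req.get("user") or {}).get("ext") or {}).get("consent")
    if not consent:
        return "no_bid"
    try:
        purposes, vendor_ok = tcf2_consent(consent, vendor_id)
    except (ValueError, IndexError, binascii.Error):
        return "no_bid"  # unreadable string handled like a missing one (assumption)
    return "personalized" if vendor_ok and PERSONALIZATION <= purposes else "contextual"

def build_sample(purposes, vendors, max_vendor=32):
    """Constructed test data: a bitfield-encoded TC string with metadata fields zeroed."""
    bits = f"{2:06b}" + "0" * 146
    bits += "".join("01"[p in purposes] for p in range(1, 25)) + "0" * 37
    bits += f"{max_vendor:016b}0" + "".join("01"[v in vendors] for v in range(1, max_vendor + 1))
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).decode().rstrip("=")

SAMPLE = build_sample({1, 2, 3, 4}, {7})  # constructed: vendor 7, purposes 1-4 consented
```

The sample consent string shown in the bid requests earlier on this page has version field 1, so this v2-only parser rejects it and dsp_decision returns "no_bid" for it.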

Real problems you will see in AdOps, SSP, or DSP work

Problem | Reason
Low fill in EU | No consent
No retargeting in EU | GDPR restriction
DSP not bidding | Vendor not allowed in the consent string
Low CPM | Contextual ads only
No device ID | Consent rejected
GAM limited ads | GDPR no consent