What Is Amazon Consent Signal?
Amazon Consent Signal (ACS) is a consent-sharing framework developed by Amazon that allows advertisers and third parties to transmit user privacy choices to Amazon Ads. It works in a similar way to Google Consent Mode, but it is built specifically for the Amazon advertising ecosystem - covering Amazon DSP, Sponsored Products, Display Ads, and Amazon Marketing Cloud (AMC).
ACS was introduced in 2025 and is now mandatory for any advertiser that processes personal data from UK or EEA users through Amazon advertising services. The requirement applies whether you collect data via tags, pixels, or data uploads. If you do not pass a valid consent signal, Amazon may restrict or block campaign delivery, measurement, and attribution for those users.
The alternative to ACS is the IAB Transparency and Consent Framework (TCF). Amazon accepts either signal, but ACS offers more granular control because it maps directly to Amazon's own data-processing categories rather than relying on TCF's broader vendor-purpose model.
How ACS Communicates Consent
ACS uses two parameters to signal a user's consent status to Amazon. Both accept a value of GRANTED or DENIED.
| Parameter | What it controls | Accepted values |
|---|---|---|
amzn_user_data | Whether Amazon may process the user's personal data (e.g. advertising identifiers) for advertising purposes | GRANTED / DENIED |
amzn_ad_storage | Whether Amazon may read or write advertising cookies or similar technologies on the user's device | GRANTED / DENIED / NULL |
Both parameters are typically mapped to the Marketing consent category in a consent management platform. When a visitor accepts marketing cookies, both values are set to GRANTED. When they decline, both are set to DENIED. The amzn_ad_storage parameter also accepts NULL if cookie storage is not relevant to the data flow (for example, in server-side data uploads).
If consent is granted, Amazon processes data normally for ad personalisation and measurement. If denied, Amazon either uses only anonymised data or stops processing altogether, depending on the specific service.
The amzn_consent Cookie
When ACS is active on a website, it stores the consent state as a first-party cookie called amzn_consent. The cookie contains a JSON payload with the geographic location, the consent values, a timestamp, and a version number. A typical value looks like this:
amzn_consent={"geo":{"countryCode":"DE"},"amazonConsentFormat":{"amznAdStorage":"GRANTED","amznUserData":"GRANTED"},"timestamp":"2025-12-09T12:31:09.666Z","version":"1"}
The country code follows the ISO 3166-1 alpha-2 standard and tells Amazon which jurisdiction's rules apply. This is relevant because GDPR requirements in Germany differ in enforcement from those in, say, France or Ireland.
One technical detail worth noting: the JSON structure of this cookie can trigger Web Application Firewalls (WAFs) on some server configurations. If you notice the amzn_consent cookie being stripped or blocked, check your WAF rules and add an exception for this cookie format.
Who Needs to Implement ACS?
Amazon requires a valid consent signal from any advertiser that transmits personal information to Amazon Ads for users located in the UK or EEA. This applies across several scenarios:
- Running Amazon DSP campaigns that target UK/EEA audiences
- Using Amazon's conversion tracking pixel or tag on your website
- Uploading customer data to Amazon Marketing Cloud for measurement or audience building
- Passing data to Amazon through third-party data providers
Amazon began rolling out these requirements in late 2024, with a mandatory compliance deadline of February 2025 for third-party data providers. Since then, the requirement has been enforced across all advertiser types. Non-compliance can result in campaigns being paused or restricted in the EEA and UK, and attribution data being lost.
If you only run Amazon Sponsored Products ads within the Amazon marketplace itself (not on external websites), you do not need ACS on your own site. ACS applies when your website sends data to Amazon Ads.
ACS vs Google Consent Mode vs IAB TCF
Three consent signal frameworks now compete for attention on any website running multi-platform advertising. Each serves a different ecosystem, and many sites need all three.
| Feature | Amazon Consent Signal | Google Consent Mode v2 | IAB TCF v2.3 |
|---|---|---|---|
| Scope | Amazon Ads ecosystem only | Google Ads, GA4, Floodlight | Multi-vendor (500+ vendors) |
| Parameters | amzn_user_data, amzn_ad_storage | ad_storage, ad_user_data, ad_personalization, analytics_storage | Purposes 1-10 + special features |
| Mandatory for | Amazon Ads in UK/EEA | Google Ads in EEA (since March 2024) | Optional but widely adopted |
| Fallback when denied | Anonymised data or no processing | Cookieless pings + conversion modelling | Depends on vendor implementation |
| Cookie stored | amzn_consent (first-party) | No dedicated cookie (uses data layer) | eupubconsent-v2 (first-party) |
| Can replace TCF? | Yes, for Amazon specifically | No - different scope | N/A |
The key difference between ACS and the TCF is scope. If you use IAB TCF and Amazon is included as a registered vendor in your consent string, you do not also need ACS - the TCF signal overrides it. But if you use a non-TCF cookie consent setup or a CMP that does not generate a TCF string, ACS is your only path to compliance with Amazon's requirements.
For websites running both Google and Amazon advertising, you likely need Google Consent Mode v2 and either ACS or TCF running side by side. A CMP that supports all three frameworks simplifies this considerably.
How to Set Up Amazon Consent Signal
The implementation path depends on your consent management platform. Most major CMPs now offer built-in ACS support, including Cookiebot, Usercentrics, Didomi, OneTrust, Consentmo (for Shopify), and Pandectes.
General Setup Steps
The typical workflow involves three actions. First, add Amazon Advertising as a data processing service in your CMP, mapped to the Marketing consent category. Second, enable the ACS feature in your CMP's settings or integrations panel. Third, verify that the amzn_consent cookie is being set correctly after a visitor interacts with your cookie banner.
To verify, open your site in an incognito browser window. Accept marketing cookies via the banner, then check your browser's cookie storage for the amzn_consent cookie. The JSON payload should show amznAdStorage and amznUserData set to GRANTED, along with a valid country code and timestamp.
Without a CMP
Technically, you can implement ACS without a CMP by manually setting the amzn_consent cookie and managing the consent logic yourself. This is not recommended. Maintaining accurate records, handling withdrawals, respecting geo-specific rules, and keeping the signal synchronised with your actual banner state is error-prone without tooling. Amazon's own policy requires you to keep auditable records of consent and provide them on request.
Amazon's Requirements Beyond the Signal
Passing the consent signal correctly is only part of the picture. Amazon's GDPR-related advertising policy sets out additional obligations for any advertiser processing personal data through Amazon Ads:
- Publish a clear privacy policy that mentions Amazon's role in data processing
- Collect affirmative opt-in consent that meets GDPR Article 7 standards
- Allow users to withdraw consent at any time
- Keep records of consent and opt-out choices, and provide them to Amazon on request
- Never pass personally identifiable information (names, emails, phone numbers) directly to Amazon
- Never pass data from sites directed at children under 13
- Never pass sensitive personal data (health, financial status) to Amazon
If you discover that data was collected in violation of these rules, Amazon requires you to stop sharing it immediately and notify them in writing. These obligations sit alongside - not instead of - the ePrivacy Directive and GDPR requirements that already apply to your website.
What Happens If You Do Not Comply
Missing or invalid consent signals can block campaign impressions, restrict conversion tracking, and break attribution in Amazon Marketing Cloud. In practical terms, your Amazon ads will still run in non-EEA regions, but you will lose visibility and performance data for UK and EEA audiences.
From a regulatory perspective, the risk sits with you as the advertiser, not with Amazon. If a data protection authority - such as the CNIL or the ICO - investigates your cookie practices and finds that Amazon advertising cookies were set without valid consent, the fine falls on your organisation. GDPR Article 83 penalties can reach 4% of annual global turnover or 20 million euros, whichever is higher.
Amazon can also terminate or suspend your advertising account if it determines you have violated its consent policies.
Frequently Asked Questions
Is Amazon Consent Signal mandatory for all advertisers?
ACS (or a valid IAB TCF signal) is mandatory only if you process personal data from UK or EEA users through Amazon Ads. Advertisers targeting only non-EEA markets are not currently required to implement it, though Amazon may extend requirements to other regions as global privacy laws evolve.
Can I use IAB TCF instead of Amazon Consent Signal?
Yes. Amazon accepts either the IAB TCF consent string or ACS. If your CMP already generates a TCF string and Amazon is included as a vendor, the TCF signal overrides ACS and you do not need to enable it separately.
What is the amzn_consent cookie and how long does it last?
The amzn_consent cookie is a first-party cookie set by the ACS integration. It stores a JSON payload containing the user's consent status, country code, and a timestamp. Its duration depends on your CMP configuration, but GDPR guidance generally recommends refreshing consent at least every 12 months.
Does ACS work with server-side data uploads to Amazon?
Yes. When uploading data to Amazon Marketing Cloud or via the Ads Data Manager, you can include ACS consent fields. For server-side flows where cookies are not relevant, the amzn_ad_storage parameter can be set to NULL.
Will enabling ACS affect my website performance?
The performance impact is minimal. ACS adds a small first-party cookie and communicates consent via the data layer or directly through your CMP. It does not load additional scripts or make external network requests beyond what Amazon's existing tags already perform.
What happens to my Amazon ad campaigns if a user denies consent?
Amazon will not process that user's personal data for advertising. Depending on the service, Amazon may use anonymised or aggregated data, or it may exclude the user from targeting and measurement entirely. Your campaigns continue to run for users who have granted consent and for audiences outside the UK/EEA.
How does Amazon Consent Signal differ from Google Consent Mode?
Both frameworks serve the same purpose - communicating user consent to an ad platform - but they are designed for different ecosystems. Google Consent Mode controls Google Ads, Analytics, and Floodlight tags. ACS controls Amazon's advertising services. Google Consent Mode also supports cookieless pings for conversion modelling when consent is denied, a feature ACS does not currently offer.
Get Your Cookie Consent Right for Amazon Ads
If your website runs Amazon advertising and targets UK or EEA audiences, implementing Amazon Consent Signal (or IAB TCF) is not optional. Kukie.io scans your site for all cookies - including Amazon's amzn_consent cookie - and lets you categorise them correctly so your consent banner covers every signal your ad platforms need.
