What Amazon Publisher Services Does on Your Website
Amazon Publisher Services (APS) is Amazon's programmatic advertising platform for publishers. It connects your ad inventory to Amazon's demand through two server-side header bidding solutions: Unified Ad Marketplace (UAM) and Transparent Ad Marketplace (TAM).
When a visitor loads a page on your site, APS participates in the auction for ad space. During this process, Amazon may place or facilitate the placement of cookies and pixels on the visitor's browser, including cookies associated with your domain. These cookies support ad targeting, frequency capping, measurement, and fraud prevention.
The critical point for publishers: you bear responsibility for obtaining valid consent before these cookies are set.
Which Cookies Does APS Set?
APS and Amazon Advertising use several cookies and identifiers when operating on publisher sites. The exact cookies depend on your integration method and the Amazon services active on your pages.
| Cookie / Identifier | Purpose | Category | Duration |
|---|---|---|---|
ad-id | Serves and measures advertising across Amazon properties and partner sites | Marketing / Advertising | Varies |
ad-privacy | Stores user ad privacy preferences for Amazon advertising | Marketing / Advertising | Varies |
amzn-token | Identifies bid requests and auction participation | Marketing / Advertising | Session |
aps-bid | Caches header bidding responses for ad rendering | Marketing / Advertising | Short-lived |
_fbp (via Amazon DSP) | Cross-platform attribution when Amazon DSP and Meta campaigns overlap | Marketing / Advertising | 90 days |
All of these fall squarely into the marketing and advertising cookie category. None qualifies as strictly necessary under Article 5(3) of the ePrivacy Directive, which means consent is required before they are set.
Publisher Responsibilities Under GDPR and ePrivacy
Amazon's own terms make the position clear. As a publisher using APS, you determine your processing basis for EU and UK personal data. If you rely on consent, you must use a legally compliant consent management platform.
Your obligations include publishing a transparent privacy policy that explains how Amazon advertising cookies work on your site. Visitors must be able to grant, deny, or withdraw consent at any time. You also need to maintain records of consent choices and provide Amazon access to those records upon request.
GDPR Recital 32 specifically rejects silence, pre-ticked boxes, and inactivity as valid consent mechanisms. A cookie banner that loads APS scripts by default and only stops them if the visitor actively opts out does not meet the standard.
This applies to publishers across the EEA, UK, and any jurisdiction where GDPR-style opt-in consent is the legal baseline.
Amazon Consent Signal vs IAB TCF
Amazon supports two mechanisms for receiving consent signals from publishers: the Amazon Consent Signal (ACS) and the IAB Transparency and Consent Framework (TCF).
Amazon Consent Signal (ACS)
ACS is Amazon's proprietary consent framework. It uses two parameters to communicate user choices:
amzn_user_data- indicates whether the user has consented to Amazon processing personal data for advertising. Acceptable values:GRANTEDorDENIED.amzn_ad_storage- indicates whether the user has given Amazon consent to read or write advertising cookies. Acceptable values:GRANTEDorDENIED.
ACS integrates across Amazon's advertising services, including Sponsored Products, Display Ads, Amazon DSP, and Amazon Marketing Cloud. Your CMP must pass these parameters correctly so that Amazon receives the visitor's actual choice.
IAB TCF Integration
Publishers who use a TCF-certified CMP can rely on the TCF consent string instead of ACS. When a valid TCF string is present, it overrides any ACS parameters. Amazon is registered as a vendor in the TCF framework, so the consent string communicates whether the visitor has granted Amazon the necessary purposes and legitimate interests.
TCF v2.3 became mandatory on 28 February 2026, with the requirement for CMPs to implement the Disclosed Vendors segment. If your CMP has not been updated, your TCF strings may be rejected by Amazon and other demand partners.
How to Configure Your CMP for APS Compliance
Getting the technical setup right prevents both compliance gaps and revenue loss. A misconfigured consent flow can either fire APS scripts without consent (a legal risk) or block them entirely even when consent exists (lost revenue).
Step 1: Categorise APS Cookies Correctly
In your CMP configuration, assign all Amazon advertising cookies to the marketing or advertising category. Do not classify them as functional or analytics. Run a cookie audit after integration to confirm APS cookies appear in the correct category.
Step 2: Block APS Scripts Until Consent
Your APS integration scripts must not execute until the visitor grants consent for marketing cookies. If you use Google Tag Manager, set up a consent initialisation trigger that only fires APS tags when the advertising consent category is active. For direct integrations, wrap the APS library call inside your CMP's consent callback.
Step 3: Pass Consent Signals to Amazon
Choose either ACS or TCF as your signal mechanism. If you use TCF, ensure Amazon is included as a vendor in your CMP's vendor list. If you use ACS, implement the amzn_user_data and amzn_ad_storage parameters in your tag or script configuration.
Step 4: Test the Integration
Use browser developer tools to verify that no APS cookies are set before consent is granted. Load your page, reject all cookies, and check the Application panel in Chrome DevTools. The testing and verification process should confirm zero Amazon cookies appear when consent is denied.
APS, Google Consent Mode, and Multi-Vendor Setups
Many publishers run APS alongside Google Ad Manager, AdSense, or other demand sources. Each vendor needs its own consent signal. Google Consent Mode v2 handles Google's requirements, while ACS or TCF handles Amazon's.
Your CMP must send the right signal to the right vendor. A common mistake is assuming that a single consent toggle covers all advertising partners. In practice, TCF simplifies this because a single consent string communicates choices to every registered vendor. Without TCF, you need to map each vendor's consent API individually.
Publishers operating in multiple jurisdictions face a further layer of complexity. APS consent requirements apply in the EEA and UK where opt-in consent is mandatory. In the US, the rules differ by state. California's CCPA requires an opt-out mechanism for the sale or sharing of personal information, which may apply when APS cookies enable cross-context behavioural advertising.
What Happens When Consent Is Denied
When a visitor denies consent for advertising cookies, APS should not set any cookies or process personal data for ad targeting on that visit. Amazon can still serve contextual ads that do not rely on personal data or cookies, though revenue per impression typically drops.
The impact on publisher revenue depends on your audience's consent rate. Sites with high consent acceptance rates see minimal disruption. Sites where most visitors reject marketing cookies may experience a significant drop in programmatic advertising revenue from Amazon demand.
Attempting to circumvent this by loading APS before consent, using cookie walls, or deploying dark patterns to inflate consent rates creates serious legal exposure. The CNIL fined Amazon EUR 35 million in 2020 for placing advertising cookies on amazon.fr without prior consent - a reminder that Amazon itself has been on the receiving end of cookie enforcement.
Data Amazon Prohibits in APS Integrations
Beyond cookie consent, Amazon restricts the types of data publishers may transmit through APS. You must not send personally identifiable information such as names, email addresses, or phone numbers. Personal information from children under 13 is prohibited entirely, as is sensitive data including financial status and health or medical information.
These restrictions align with COPPA requirements in the US and GDPR provisions around special category data. Violating them can result in suspension from the APS programme and separate regulatory consequences.
Frequently Asked Questions
Do I need consent to use Amazon Publisher Services on my website?
Yes. APS sets advertising cookies that require opt-in consent under the ePrivacy Directive and GDPR. You must obtain affirmative consent before APS scripts execute and cookies are placed on visitors' browsers.
What is the difference between Amazon Consent Signal and IAB TCF?
Amazon Consent Signal (ACS) is Amazon's proprietary framework using two parameters (amzn_user_data and amzn_ad_storage). IAB TCF is an industry-wide standard. When a TCF string is present, it overrides ACS. Publishers can use either mechanism, but not both simultaneously.
Can Amazon serve ads without cookies if consent is denied?
Amazon can serve contextual ads that do not rely on personal data or tracking cookies. However, these typically generate lower revenue per impression compared to targeted programmatic ads.
How do I block APS cookies until consent is given?
Configure your CMP to categorise APS as a marketing or advertising vendor. Use script blocking via Google Tag Manager consent triggers or your CMP's callback API to prevent APS scripts from loading until the visitor grants consent for advertising cookies.
Does APS work with Google Consent Mode v2?
APS uses its own consent mechanism (ACS or TCF), separate from Google Consent Mode. Your CMP must send consent signals to both Amazon and Google independently. TCF simplifies this by using a single consent string for all registered vendors.
Was Amazon itself ever fined for cookie violations?
Yes. The CNIL fined Amazon EUR 35 million in December 2020 for placing advertising cookies on amazon.fr without obtaining prior user consent, in breach of Article 82 of France's Data Protection Act.
Take Control of Your Cookie Compliance
If you are not sure which cookies APS or other ad partners set on your site, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
