What Happens During a Programmatic Ad Auction

Every time a page loads on an ad-funded website, a complex sequence of events unfolds in under 200 milliseconds. The visitor's browser sends a request to the publisher's ad server, which passes bid requests to multiple demand-side platforms (DSPs), supply-side platforms (SSPs), and ad exchanges. Each participant in the auction may attempt to read or set cookies on the visitor's device.

A single page view can trigger requests to 20 or more advertising technology vendors. Each vendor may drop its own tracking cookies to identify the visitor across sites, build audience profiles, and measure ad performance. The publisher's page is the entry point for all of this activity, which is why marketing cookies set through programmatic channels are the publisher's compliance problem.

Real-time bidding (RTB) is the mechanism behind most programmatic transactions. During the bid request, data about the visitor - including cookie-based identifiers, browsing context, and sometimes location - is broadcast to dozens of potential bidders simultaneously.

Common Cookies Set by Programmatic Advertising

The specific cookies vary by vendor, but certain patterns appear on nearly every publisher site running programmatic ads. Understanding what these cookies do helps you categorise them correctly in your consent management platform.

| Cookie | Set By | Purpose | Duration |
|---|---|---|---|
| uid | Criteo, Trade Desk | Cross-site user identification for ad targeting | 13 months |
| CMID / CMPS | Casale Media (Index Exchange) | Header bidding participant ID and session tracking | 1 year |
| __gads | Google Ad Manager | Ad serving and frequency capping | 13 months |
| tuuid | Bidswitch / IPONWEB | Visitor identification for bid matching | 2 years |
| _fbp | Meta Audience Network | User identification for ad targeting | 90 days |
| pxrc | LiveRamp | Identity resolution and audience matching | 60 days |
| KRTBCOOKIE_* | PubMatic | Cookie syncing with demand partners | 30 days |

These are all third-party cookies. None of them qualify as strictly necessary for delivering the page. Every single one requires consent before it is set on a visitor's device in jurisdictions governed by the GDPR and ePrivacy Directive.

Cookie Syncing: The Hidden Data Exchange

Cookie syncing is the mechanism that makes cross-vendor tracking possible. When vendor A wants to match its user ID with vendor B's records, a pixel request bounces through both domains, allowing each party to map their respective cookie IDs to the same visitor. This process happens silently during page load.

A single header bidding setup using Prebid.js can trigger cookie sync requests to every configured bidder adapter. The Prebid documentation lists specific cookies set during this process, including sync pixels fired to SSPs and DSPs. Each sync request creates another third-party cookie on the visitor's device.

From a compliance standpoint, cookie syncing is particularly problematic. The visitor has no visibility into which companies are exchanging data about them. Article 5(3) of the ePrivacy Directive requires consent for storing or accessing information on a user's device, and each cookie sync counts as a separate access.

Publisher Responsibilities Under GDPR and ePrivacy

The publisher is the first party in the relationship with the visitor. Regulators consistently hold publishers accountable for cookies set through their pages, even when those cookies originate from third-party ad tech vendors.

Under GDPR Article 7, consent must be freely given, specific, informed, and unambiguous. For programmatic advertising, this means your cookie banner must disclose the categories of cookies being set and, ideally, the specific vendors involved. Burying this information behind multiple clicks or using pre-ticked boxes does not meet the standard.

CNIL's enforcement record underlines the financial risk. In 2025, CNIL imposed fines totalling over 486 million euros across 83 sanctions, with cookie violations forming a significant portion. SHEIN received a 150 million euro fine specifically for placing advertising cookies before visitors could consent. These figures represent a near tenfold increase from 2024 enforcement levels.

Joint Controller Considerations

When a publisher and an ad tech vendor both determine the purposes and means of processing visitor data, they may be considered joint controllers under GDPR Article 26. This has practical implications: both parties need a written arrangement defining their respective responsibilities for consent collection, data subject rights, and breach notification.

The IAB Transparency and Consent Framework

The IAB Transparency and Consent Framework (TCF) is the advertising industry's attempt to standardise consent collection for programmatic advertising. The framework creates a consent string - a machine-readable signal that encodes the visitor's choices about data processing purposes and specific vendors.

TCF v2.2 made significant changes that affect publishers directly. Legitimate interest can no longer be used as a legal basis for targeted advertising or content personalisation. This means every vendor participating in programmatic auctions on your site needs explicit opt-in consent from the visitor.

Google requires publishers serving ads to EEA or UK users through its ad products to use a Google-certified CMP that supports TCF. Without a valid consent string, Google's demand sources will not bid on your inventory, directly impacting revenue.

How TCF Strings Flow Through the Bid Stream

When a visitor grants consent through your CMP, the consent string is attached to every bid request. Each DSP receiving the request reads the string to determine whether it has permission to bid. If a vendor's ID is not included in the consent, that vendor should refrain from processing the visitor's data.

The word "should" matters. The TCF relies on each vendor correctly interpreting and respecting the consent string. As a publisher, you have limited control over what happens after the bid request leaves your page. This is why vendor risk assessment and careful selection of demand partners matter.
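
The check a bidder is expected to make on the consent string, as an added example (not code from this page or from the IAB): it reads the vendor and purpose consent bits from the core segment of a TCF v2 string under Node.js. The sample string is constructed by the helper `buildSample`, and the vendor IDs in it are arbitrary.

```javascript
// Added example. Bit offsets follow the TCF v2 core segment; IDs are constructed.
const PURPOSES_AT = 152; // PurposesConsent, 24 bits
const VENDORS_AT = 213;  // MaxVendorId (16 bits), then IsRangeEncoding (1 bit)
// Read `len` bits from `pos`, MSB first. Bits past the end read as 0 (no consent).
function readBits(buf, pos, len) {
  let v = 0;
  for (let i = pos; i < pos + len; i++) v = v * 2 + ((buf[i >> 3] >> (7 - (i & 7))) & 1);
  return v;
}

function parseConsent(tcString) {
  const buf = Buffer.from(tcString.split('.')[0], 'base64url'); // core segment only
  if (readBits(buf, 0, 6) !== 2) throw new Error('not a TCF v2 string');
  const maxId = readBits(buf, VENDORS_AT, 16);
  const isRange = readBits(buf, VENDORS_AT + 16, 1) === 1;
  let pos = VENDORS_AT + 17;
  const ranges = [];
  if (isRange) {
    const entries = readBits(buf, pos, 12);
    pos += 12;
    for (let i = 0; i < entries; i++) {
      const isSpan = readBits(buf, pos, 1) === 1;
      const start = readBits(buf, pos + 1, 16);
      ranges.push([start, isSpan ? readBits(buf, pos + 17, 16) : start]);
      pos += isSpan ? 33 : 17;
    }
  }
  const purpose = p => p >= 1 && p <= 24 && readBits(buf, PURPOSES_AT + p - 1, 1) === 1;
  const vendor = id => id >= 1 && id <= maxId && (isRange
    ? ranges.some(([s, e]) => id >= s && id <= e)
    : readBits(buf, pos + id - 1, 1) === 1);
  // A bidder may process only with consent for itself AND every purpose it needs.
  return { purpose, vendor, mayProcess: (id, needs) => vendor(id) && needs.every(purpose) };
}

// Builds a constructed sample string so the example runs offline.
const bin = (val, len) => val.toString(2).padStart(len, '0');
function buildSample(purposes, vendors, maxId, asRange) {
  let s = bin(2, 6).padEnd(PURPOSES_AT, '0');
  for (let p = 1; p <= 24; p++) s += purposes.includes(p) ? '1' : '0';
  s = s.padEnd(VENDORS_AT, '0') + bin(maxId, 16) + (asRange ? '1' : '0');
  if (asRange) s += bin(vendors.length, 12) + vendors.map(v => '0' + bin(v, 16)).join('');
  else for (let v = 1; v <= maxId; v++) s += vendors.includes(v) ? '1' : '0';
  s = s.padEnd(Math.ceil(s.length / 8) * 8, '0');
  return Buffer.from(s.match(/.{8}/g).map(b => parseInt(b, 2))).toString('base64url');
}

console.log(parseConsent(buildSample([1, 2, 7], [3, 12], 16, false)).mayProcess(12, [1, 2]));
```

A truncated string reads as "no consent" rather than throwing past the version check, so the parser fails closed.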

Header Bidding and Consent: Practical Challenges

Header bidding wrappers like Prebid.js execute in the visitor's browser before the ad server is called. This client-side execution means bid requests - and the cookie syncs that accompany them - fire as soon as the wrapper loads.

If the wrapper loads before the visitor interacts with your cookie banner, you have a compliance problem. Cookies will be set and data will be shared with bidders before consent is obtained. The solution is to defer the Prebid.js initialisation until after the visitor makes a consent choice through your CMP. Prebid's own documentation supports this approach through its GDPR and US Privacy modules.
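
One way to defer the wrapper, as an added example rather than Prebid's or any CMP's own code: wait for the CMP's `__tcfapi` event listener to report a completed choice, and only then load Prebid.js with its consent settings applied. `gateOnConsent`, `loadWrapper`, `startAuction` and `fakeCmp` are hypothetical names; `fakeCmp` is a constructed stand-in so the block runs under Node.js.

```javascript
// Added example: hold back header bidding until the CMP reports a choice.
// loadWrapper is a hypothetical callback that injects the Prebid.js script.
function gateOnConsent(tcfapi, loadWrapper) {
  let started = false;
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || started) return;
    // 'cmpuishown' means the banner is open and nothing has been chosen yet.
    const decided = ['useractioncomplete', 'tcloaded'].includes(tcData.eventStatus);
    if (!decided) return;
    started = true;
    tcfapi('removeEventListener', 2, () => {}, tcData.listenerId);
    const consents = (tcData.purpose && tcData.purpose.consents) || {};
    loadWrapper({ tcString: tcData.tcString, storageAllowed: consents[1] === true });
  });
}

// Runs once Prebid.js is on the page: consent settings go in before any auction.
function startAuction(pbjs) {
  pbjs.que.push(() => pbjs.setConfig({
    consentManagement: {
      gdpr: {
        cmpApi: 'iab',
        timeout: 8000,          // ms to wait for the CMP (constructed value)
        defaultGdprScope: true, // treat GDPR as applying when the CMP does not say
        rules: [{ purpose: 'storage', enforcePurpose: true, enforceVendor: true }],
      },
    },
  }));
}

// Constructed stand-in for window.__tcfapi so the block runs under Node.js.
function fakeCmp() {
  const listeners = new Map();
  const api = (cmd, version, cb, arg) => {
    if (cmd === 'addEventListener') {
      const listenerId = listeners.size + 1;
      listeners.set(listenerId, cb);
      cb({ listenerId, eventStatus: 'cmpuishown' }, true);
    } else if (cmd === 'removeEventListener') {
      cb(listeners.delete(arg));
    }
  };
  api.emit = tcData => listeners.forEach((cb, id) => cb({ ...tcData, listenerId: id }, true));
  return api;
}
```

In a browser the first argument is `window.__tcfapi`, and the callback passed as `loadWrapper` is where the Prebid.js script tag gets injected.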

Server-side header bidding (using Prebid Server) shifts the auction from the browser to a server. This reduces the number of third-party cookies set on the visitor's device but does not eliminate the consent requirement. Visitor data is still shared with bidders - it simply happens server-to-server rather than client-to-client. Server-side approaches reduce cookie exposure but do not remove the need for a lawful basis.

Steps to Achieve Programmatic Compliance

Getting programmatic advertising right from a privacy standpoint requires coordination between editorial, ad operations, and development teams. The following steps address the most common gaps.

1. Audit Every Demand Partner

Run a full cookie audit of your site with all ad units active. Record every cookie set during a page load, identify which vendor sets it, and classify it by purpose. Automated scanning tools help, but manual verification in browser DevTools catches cookies that scanners miss.

2. Implement Consent-First Loading

Configure your ad stack so that no bid requests fire until the visitor has made a consent choice. For Prebid.js, enable the GDPR Enforcement Module and set gdpr.defaultGdprScope to true. For Google Ad Manager, integrate Consent Mode v2 so that ad personalisation signals are withheld until consent is granted.

3. Limit Your Vendor List

Every additional demand partner adds cookies, increases data exposure, and lengthens your consent interface. Review your TCF vendor list and remove any partner that contributes minimal revenue. A shorter vendor list means a cleaner consent experience and fewer compliance risks.

4. Display Transparent Consent Notices

Your cookie banner must give visitors a genuine choice. Equal prominence for accept and reject options is now a regulatory expectation. Dark patterns - such as hiding the reject option behind a settings menu - have triggered substantial fines across multiple jurisdictions.

5. Maintain Consent Records

Keep logs of every consent decision, including the timestamp, the version of your consent notice, and the specific purposes and vendors the visitor approved. This evidence is what you present during a DPA investigation.
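
The audit from step 1 and the consent record from step 5 can be checked against each other. The following is an added example (not from this page or from any scanning tool): it classifies cookies observed during a page load using the name patterns from the table earlier on this page and compares them with a stored consent record. The observed cookies, timestamps and record are constructed sample data, and field names such as `setAt` and `decidedAt` are assumptions.

```javascript
// Added example. Name patterns come from the cookie table on this page.
// A name match alone cannot tell Criteo from Trade Desk for `uid`, so both are listed.
const KNOWN = [
  [/^uid$/, ['Criteo', 'Trade Desk']],
  [/^CM(ID|PS)$/, ['Casale Media (Index Exchange)']],
  [/^__gads$/, ['Google Ad Manager']],
  [/^tuuid$/, ['Bidswitch / IPONWEB']],
  [/^_fbp$/, ['Meta Audience Network']],
  [/^pxrc$/, ['LiveRamp']],
  [/^KRTBCOOKIE_/, ['PubMatic']],
];

// observed: [{ name, setAt }]; consent: the stored record, or null if none exists.
function auditCookies(observed, consent) {
  return observed.map(c => {
    const hit = KNOWN.find(([re]) => re.test(c.name));
    const vendors = hit ? hit[1] : [];
    let finding = 'ok';
    if (!hit) {
      finding = 'unclassified'; // needs manual review in DevTools
    } else if (!consent || c.setAt < consent.decidedAt) {
      finding = 'set-before-consent';
    } else if (!vendors.some(v => consent.vendors.includes(v))) {
      finding = 'vendor-not-approved';
    }
    return { name: c.name, vendors, finding };
  });
}

// Constructed consent record with the fields step 5 asks for (times in ms).
const consentRecord = {
  decidedAt: 5000,
  noticeVersion: 'v3',
  purposes: [1, 2],
  vendors: ['Google Ad Manager', 'PubMatic'],
};
// Constructed observations from one page load.
const observedCookies = [
  { name: '__gads', setAt: 6200 },
  { name: 'KRTBCOOKIE_22', setAt: 1200 },
  { name: 'pxrc', setAt: 7000 },
  { name: 'sessionid', setAt: 100 },
];

console.log(auditCookies(observedCookies, consentRecord).map(r => `${r.name}: ${r.finding}`));
```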

Revenue Impact and Practical Trade-Offs

Compliant consent collection reduces the share of visitors with full ad personalisation. Consent rates for advertising cookies typically range between 40% and 70% depending on banner design, placement, and the visitor's jurisdiction.

For visitors who decline consent, contextual advertising - targeting based on page content rather than user data - fills the gap. Contextual CPMs are generally lower than personalised CPMs, but the gap has narrowed as contextual targeting technology has improved.

The alternative to compliance is not more revenue - it is regulatory risk. With CNIL's 2025 enforcement total reaching nearly half a billion euros and the ICO signalling that cookie fines can now reach 4% of global turnover, the financial argument for cutting corners has disappeared.

Frequently Asked Questions

Do publishers need consent for every ad tech vendor's cookies?

Yes. Under the ePrivacy Directive and GDPR, consent is required before any non-essential cookie is placed on a visitor's device. Each ad tech vendor's tracking cookie is classified as non-essential, so your CMP must collect consent for each one.

Can I use legitimate interest instead of consent for programmatic advertising cookies?

No. IAB TCF v2.2 removed legitimate interest as a legal basis for targeted advertising and content personalisation. Explicit opt-in consent is required for these processing purposes across the EEA and UK.

What happens to ad revenue if visitors reject cookies?

Visitors who reject cookies can still be shown contextual ads based on page content. Contextual CPMs tend to be lower than personalised CPMs, but the revenue difference has shrunk as contextual targeting has become more sophisticated.

Does server-side header bidding eliminate the need for cookie consent?

No. Server-side bidding reduces the number of cookies set in the browser, but visitor data is still shared with demand partners server-to-server. A lawful basis for processing that data is still required.

How do I stop Prebid.js from firing before consent is given?

Enable Prebid's GDPR Enforcement Module and configure it to delay auction activity until a valid TCF consent string is available. Set gdpr.defaultGdprScope to true so that GDPR rules apply by default.

Is a TCF-certified CMP required for Google Ad Manager?

Yes. Google's EU User Consent Policy requires publishers serving ads to EEA or UK visitors to use a Google-certified CMP that integrates with IAB TCF. Without it, Google demand sources will not participate in auctions.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
