General Data Protection Regulation (GDPR)

Following General Data Protection Regulation (GDPR) definitions, the Commerce Grid is considered to be a separate and independent data controller for the personal data it receives and processes in connection with the Commerce Grid services. The Commerce Grid processes such personal data as required for the performance of its agreements to carry out its services and as described in the Privacy Policy.

As the Commerce Grid does not directly provide any services to end users/data subjects, the Commerce Grid does not gather GDPR consent and relies on publishers to obtain and document user consent for its stated purposes and to include the Commerce Grid as a declared data controller.

• Publishers (or their Consent Management Provider), being the ones who gather user consent, should include it in bid requests sent to the Commerce Grid using the user consent string.

• The Commerce Grid passes this information to buyers in its protocol using regs.gdpr and user.ext.consent fields. The Commerce Grid supports the TCF v2.0 consent string format for the processing of its own consented purposes. For more information, see the following links:

  • https://iabeurope.eu/transparency-consent-framework/

  • https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework

  • https://gdpr-info.eu/

  • https://iabtcf.com/#/encode

• For user syncing, the Commerce Grid supports the gdpr, gdpr_pd, and gdpr_consent macros in the sync URL.