Overview
Following the definitions of the General Data Protection Regulation (GDPR), Commerce Grid is considered a separate and independent data controller for the personal data it receives and processes in connection with the Commerce Grid services.
Commerce Grid processes such personal data as required for:
The performance of its agreements to carry out its services; and
As further described in the Criteo Privacy Policy.
As Commerce Grid does not directly provide any services to end users/data subjects, Commerce Grid does not gather GDPR consent itself. Instead, it relies on publishers to:
Obtain and document user consent for its stated purposes; and
Include Criteo as a declared data controller where required.
How consent is transmitted to Commerce Grid
Publishers (or their Consent Management Platform, CMP), being the ones who gather user consent, should include the appropriate consent information in all bid requests sent to Commerce Grid.
In OpenRTB bid requests, Commerce Grid expects:
regs.gdpr– to indicate whether GDPR applies; anduser.ext.consent– to convey the TCF consent string when TCF is used.
Commerce Grid passes this information to buyers in its protocol using the same regs.gdpr and user.ext.consent fields in outbound bid requests.