NextRoll’s Approach to GDPR and ePrivacy

Learn how NextRoll helps customers run targeted ads under the new General Data Protection Regulation (GDPR) and the existing ePrivacy Directive in the EU.

What is GDPR?

The General Data Protection Regulation (also known as “GDPR”) is a regulation that establishes new requirements on companies to give European Union (EU) citizens more control over their personal data. Aiming to increase trust and accountability, GDPR increases the obligations on companies that collect, use, and share personal data from EU citizens to do so in more transparent and secure ways.

There are also serious penalties for companies that don’t comply. Companies that don’t comply include fines of up to €20 million or 4% of a company’s global revenue, whichever is larger.

When does GDPR apply?

GDPR came into effect on May 25, 2018, so it applies now. And it doesn’t just apply to EU-based businesses. GDPR applies to any business that controls or processes personal data of EU citizens. And the definition of “personal data” under the GDPR is very broad.

As a practical matter, most of the common data used by digital advertisers, including cookies, mobile IDs, and location data, will be considered personal data under GDPR.

How can my business prepare?

GDPR requires every company collecting personal data from EU citizens to take measures to comply with the regulation including, but not limited to, carefully determining a legal basis for processing data, respecting user data rights, and providing strong information security practices. You can learn more about the six legal bases for processing data in the resources listed below.

While we at NextRoll have been hard at work preparing for GDPR, we are also committed to empowering our customers to do the same with respect to their AdRoll and RollWorks marketing and advertising activities.

In addition to the general guidance in our Trust Center and Help Center, we have built a cookie consent tool for our customers, and have joined industry leaders partnering with the IAB EU to create an industry-wide solution to provide transparency, and where appropriate, to verify consent for advertising and other technologies that support digital media.

You can learn more about GDPR generally and the existing Cookie Consent laws below:

IMPORTANT: We can’t tell you exactly how GDPR applies to your company or even how to apply it to your marketing and advertising activities. The same holds true for the consent tool you choose and what you include in your Privacy Notice and Terms of Service (or their equivalents). As there aren’t clear regulations around consent tools in particular, these guidelines may change over time to reflect updated best practices. This is not legal advice and you should check with your own internal teams and your lawyers to on your overall GDPR compliance and cookie consent solution. The products, services, and other capabilities described on our sites and in our materials are not suitable for all situations and may have restricted availability.

Frequently Asked Questions

We’re committed to empowering our customers to come into compliance with the GDPR and ePrivacy Directive with respect to their AdRoll and RollWorks marketing and advertising activities, helping customers run ads that comply with GDPR. Not only have we joined the advertising industry’s transparency and consent framework, but we also support customers with:

Our easy-to-use cookie consent tool.

A custom-built option to gather consent from consumers for your AdRoll or RollWorks activities which you can quickly launch in a few clicks.

Learn More

Best practices for using other tools.

Simple recommendations for tools to work best with our platforms.

Learn more

Please see our Privacy Notice.

Yes. NextRoll, and many other marketing vendors, are still able to offer cookie-based ad targeting to businesses under GDPR. The GDPR requires more robust consent obligations and these obligations apply to the existing ePrivacy Directive, which governs advertising cookie placement.

Three important changes are:

  • The consent language needs to tell end users more than the cookie consent banners you have seen in the past (for example, specifically name the companies that want to drop cookies and why they are collecting data).
  • Consent must be unambiguous and affirmative.
  • You need consent before you start tracking with cookies.

You will need to manage consent for cookies for many of your marketing activities and there are some tools on the market to help you do this, including our own tool.

Every business is unique and we highly recommend speaking with your lawyer to determine the right cookie consent strategy for your advertising.

In general, if your company is based in the European Union, all of your traffic (EU and non-EU) is covered by GDPR. If your company is based outside of EU, only your EU traffic is covered by GDPR and would require cookie consent.

For more information, please see our additional guidance on Cookie Consent Tools (also known as consent management platforms, or CMPs).

If you are based in a country outside the EU, or have already accepted a consent banner, you may not be able to see your consent banner when you go to your site. Here are some steps you can take to check your banner!

  • Make sure you have a EU IP (if not, follow the steps below to use a VPN)
  • Close all your private/incognito windows and open a new one to clear any remaining cookies
  • Visit your site’s URL
  • You should see the banner pop up on the site

Still not seeing it?

For NextRoll’s banner:

  • NextRoll’ Groups banner will pop up on the right side corner
  • Verify that you have selected NextRoll’s banner selected in GDPR Settings.
  • Please allow up to 10-20 minutes for the banner to show for applicable audiences.

How can I VPN to see what EU individuals would see online?

A virtual private network (VPN) creates a virtual encrypted connection between you and a remote server operated by a VPN service. All external internet traffic is routed through this tunnel, so your computer appears to have the IP address of the VPN server. This allows you to test the web experience of the EU individuals who experience your banner.

There are many companies that provide VPN services at little to no cost. We recommend you research the right VPN solution for your business needs and check with your IT department to see if you currently have a tool in place to use for checking the browser.

The IAB Europe Transparency & Consent Framework (Framework) is a cross-industry, open-source effort to collect and communicate consent status across the many parties that provide supporting technology and advertising services for digital media.

The Framework operates behind the scenes, ensuring that various consent interfaces (for example, consent banners seen on websites) operated by individual companies, including AdRoll and others, feed into a shared infrastructure behind the scenes for the industry. AdRoll is a supporter of the Framework and is working towards adoption across our marketing touch points in the EU.

As an advertiser, making sure your consent management platform (or “CMP”) is registered and integrated with the Framework is imperative to make sure the ecosystem is able to effectively honor end user’s consent choices and to minimize unnecessary repeated consent requests. Many companies are planning to rely on Framework communicated consent signals, and over time you may find that certain critical website functions or advertising services cease to operate without these signals, resulting in poor user experience and reduced advertising revenue.

In addition, your retargeting campaigns may be reduced in reach, as some exchanges will only send bids and serve ads where there is a positive Framework consent signal.

NextRoll collects various forms of user data in order to make advertising more relevant. Please refer to section 2 in our Privacy Notice for more information.

When collecting data through the AdRoll pixel and cookie, NextRoll is considered a ‘controller’ of data under the GDPR definition. A Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data.

If agreed to by the Advertiser, and on a contractual basis, we may process clear emails on behalf of that Advertiser only to increase reach for display ads, or to send relevant email directly to their clients. In this case, NextRoll is a ‘processor’ under GDPR.

We may disclose information about you with third parties to provide our services. Please refer to section 5 in our Privacy Notice for more information. We do not sell customer data to third parties.

Our data retention practices are aligned with GDPR. Please refer to section 8 in our Privacy Notice for more information.

If you are located in the European Territories you may have the right to access, correct, update, or delete some of the information we hold about you. Please note that in some cases, we process identifiable information only on behalf of our Advertiser clients as a processor. In those cases we will direct you to contact the Advertiser directly as they are the Controller of the data.

If eligible, please contact us at at any time to exercise any of the following rights:

  • If you wish to access, correct, update or request deletion of your personal information.
  • If you’re a resident of the European Territories and object to processing of your personal information or want to restrict processing of your personal information.
  • Other than for opting out of receiving ads through our services (which is explained above), if we have collected and process your personal information with your consent, but you’ve chosen to withdraw your consent. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Please see Section 11 of our Privacy Notice. If you are unsatisfied with how we have responded to your requests, you can contact our Data Protection Officer at

"European Territories" mean the European Economic Area and Switzerland. For the purpose of this Privacy Notice, the term "European Territories" shall continue to include the United Kingdom, even after the United Kingdom leaves the European Economic Area following Brexit.