The Trade Desk and Data Protection – What Website Operators Need to Know

If a website operator uses The Trade Desk, they process visitor and interaction data for the purpose of programmatic advertising and audience building on the basis of consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. This information is based on the provider's statements and publicly available sources.

A. Purpose and Function of The Trade Desk

The Trade Desk is a Demand-Side Platform (DSP) for programmatic advertising, i.e. a software platform that enables advertisers to book advertising space on the internet automatically, in a targeted manner and in real time. Website operators integrate a small code snippet – the so-called TTD pixel or TTD tag – into their website. This pixel is executed when a visitor loads the website.

The pixel collects data about the visitor and forwards it to The Trade Desk. The Trade Desk uses this data to segment the visitor into target groups (audiences) and later display targeted advertising to them on other websites – for example while visiting news portals or social media. This procedure is called retargeting or remarketing.

Technically, the integration works as follows: The TTD pixel is inserted as JavaScript code into the <head> or <body> area of the website. When the page loads, The Trade Desk sets a tracking cookie on the visitor's device via the pixel. In addition, cookie data from other partners (e.g. Google Analytics) can also be transmitted to The Trade Desk.

B. Mandatory Disclosures in the Privacy Policy regarding The Trade Desk

The GDPR requires website operators to transparently explain the following points in their privacy policy:

• Processing purposes (Art. 13(1)(c) GDPR): Why is data processed?
• Legal bases (Art. 13(1)(c) GDPR): On what legal basis does the processing take place?
• Legitimate interests (Art. 13(1)(d) GDPR, if relevant): If legitimation is based on legitimate interests, these must be disclosed.
• Recipients or categories of recipients (Art. 13(1)(e) GDPR): To whom is data shared?
• Third-country transfers (Art. 13(1)(f) GDPR): Is data transferred to countries outside the EU/EEA? What safeguards apply to the transfer?
• Storage duration (Art. 13(2)(a) GDPR): How long is data stored?

Common error: Many website operators use tool-specific text templates directly from the providers' privacy policies. This contradicts the transparency requirement of Art. 12(1) GDPR. Instead, it is recommended to choose a topic-oriented approach: The privacy policy should be structured by processing purposes (e.g. "web analytics", "advertising", "CRM"), not by individual tools. The tools used can then be listed in an appendix or recipient list.

C. Provider of The Trade Desk: The Trade Desk Inc. / The Trade Desk GmbH

D. Data Processing by The Trade Desk – Workflow

E. Data Collected when Using The Trade Desk

The Trade Desk collects a wide range of data about website visitors. This includes:

• The unique identifier of the visitor (cookie ID or TTD Unified ID)
• IP address (partly hashed)
• Time and duration of the website visit
• All pages visited on the website (URL and referrer)
• Clicked links and buttons
• Scroll movements and time spent on pages
• Device type, operating system, screen resolution
• Browser name and browser version
• Coarse location data based on the IP address
• External data that the website operator passes to The Trade Desk (e.g. from CRM systems)

This data can be classified into the following standardized data type classes:

• Web server log data: IP address, date/time/time zone, URL, referrer, browser/OS/device, technical metadata
• Click paths: Visited pages incl. referrer, clicked links/buttons with date/time
• Device data: Device type, operating system, screen resolution/size, orientation, touch support
• Browser information: Browser name, browser version, installed extensions
• Coarse location data: IP-based coarse location at city/municipality level
• Interaction data: Scroll movements, mouse movements, key presses, clicks
• Usage profiles: Interest categorizations, audience assignments, usage histories

F. Purposes of Use when Using The Trade Desk

The Trade Desk processes data for the following purposes:

• General marketing: Targeting of advertising campaigns overall, performance measurement and optimization of ad placements
• User profile creation: Automatic segmentation of visitors into target groups (audience building), categorization by interests and behavior
• User-individual marketing: Remarketing and retargeting for targeted personalized advertising campaigns that the visitor sees on other websites
• General product improvement: Optimization and development of platform functionality through evaluation of usage data

These purposes are necessary for the operation of the platform and are legitimized by the website operator via consent.

G. Legal Bases for The Trade Desk

Category: The Trade Desk is a tracking tool for programmatic advertising.

Legal basis: Consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (Telecommunications Telemedia Data Protection Act).

Under German law, a website operator may only set a tracking cookie or use a tracking technology with the visitor's prior consent. This consent must:

• Be specific, informed and unambiguous (Art. 4(11) GDPR)
• Be obtained before the data processing
• Be documented (duty of proof)
• Be granularly structured – i.e. different tracking purposes should be approved individually

Consent mechanism: The website operator should use a cookie banner or a consent management tool (CMP) that asks before The Trade Desk pixel loads: "May The Trade Desk track your behavior for the purpose of advertising?" A simple "Accept all cookies" is not sufficient – the consent must be specific to The Trade Desk (or at least to the category "marketing tracking").

Note: In each case, the legal basis should be reviewed with a lawyer. Special rules may apply to B2B websites.

H. Special Features and Notes regarding The Trade Desk

• Opt-out option: Visitors can opt out of The Trade Desk tracking at https://www.thetradedesk.com/us/privacy (opt-out link). This should be mentioned in the privacy policy.
• TTD Unified ID: The Trade Desk is working on a first-party alternative (TTD Unified ID) to ensure targeting functionality after the end of third-party cookies. This technology is not yet widely deployed.
• Role of the website operator: The website operator is the controller for collecting consent; The Trade Desk is the data recipient and acts under its direction.
• No independent processor relationship: The Trade Desk does not act as the website operator's processor, but as an independent controller. There is no classic processor relationship (DPA).
• DPF certification: The Trade Desk is certified under the Data Privacy Framework, which ensures the legal compliance of data transfers to the USA.

I. FAQ on The Trade Desk

J. Conclusion and Recommendation regarding The Trade Desk

Summary: The Trade Desk is an invasive tracking technology for programmatic advertising. It requires the visitor's explicit, specific and informed consent. Without consent, its use is unlawful.

Why text templates are problematic: Many website operators simply copy The Trade Desk's privacy policy into their own privacy policy. This is not compliant with Art. 12(1) GDPR, which requires clarity and readability. Visitors should understand which of their data is being processed and why – not be confused by the provider's legal documentation.

Recommended approach: A topic-oriented privacy policy with a recipient appendix is clearer and more legally compliant. The statement should, for example, explain under the heading "Programmatic advertising and remarketing" that visitor data is collected, stored and shared with advertising networks such as The Trade Desk – transparently, comprehensibly, without jargon.