Xandr and Data Protection – What Website Operators Need to Know

If a website operator uses Xandr (Microsoft Advertising), they process visitor and interaction data for the purpose of programmatic advertising and audience building on the basis of consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. This information is based on the provider's statements and publicly available sources.

A. Purpose and Function of Xandr

Xandr (originally AppNexus, since 2023 known as Microsoft Advertising) is a Supply-Side Platform (SSP) and ad exchange platform that enables website operators, app publishers and advertising networks to manage and monetize digital advertising space and audience data. In contrast to The Trade Desk (DSP, buyer side), Xandr focuses on the supplier side – publishers are thereby offered a marketplace where advertisers can book spaces.

Website operators (publishers) integrate a Xandr tag or code snippet into their website. When a visitor loads the website, Xandr captures data about that visitor, stores it and makes it available to advertisers in the auction of advertising spaces. The publisher thereby earns better revenue from their ad placements, since advertisers can book in a more targeted and efficient manner.

Technically: The Xandr tag is an asynchronous JavaScript code snippet that is executed when the page loads. It sets a cookie on the visitor's device (mostly under the domain "adnxs.com" or similar) and sends a request to Xandr's servers. In this request, context data (e.g. from other cookies, geo-IP) is transmitted. Xandr uses this data to prepare bidding.

B. Mandatory Disclosures in the Privacy Policy regarding Xandr

The GDPR requires website operators to transparently explain the following points:

• Processing purposes (Art. 13(1)(c)): Why is data processed?
• Legal bases (Art. 13(1)(c)): On what legal basis does the processing take place?
• Legitimate interests (Art. 13(1)(d), if relevant): If legitimized via legitimate interests, present these
• Recipients or categories of recipients (Art. 13(1)(e)): To whom is data shared?
• Third-country transfers (Art. 13(1)(f)): Is data transferred to countries outside the EU/EEA? Via which mechanisms?
• Storage duration (Art. 13(2)(a)): How long is data stored?

Common error: Tool-specific text templates from providers' privacy policies contradict the transparency requirement of Art. 12(1) GDPR. A topic-oriented approach is better: The privacy policy should be structured by processing purposes, not by individual tools. The tools used can be listed in a recipient list.

C. Provider of Xandr: Microsoft (Xandr Inc.)

Note: Xandr was consolidated by Microsoft in 2023 under the brand Microsoft Advertising. For data protection issues, the current legal entity should be verified.

D. Data Processing by Xandr – Workflow

E. Data Collected when Using Xandr

Xandr collects a wide range of visitor data:

• Unique cookie ID or Xandr identifier
• IP address
• Timestamp and duration of the page visit
• URL of the visited page and referrer
• Device type and operating system
• Browser name, version and language setting
• Screen resolution and viewport size
• Coarse location data (based on IP)
• User agent and other technical identifiers
• External data (e.g. from Google Analytics, if forwarded)

This data can be classified into the following standardized data type classes:

• Web server log data: IP address, date/time/time zone, URL, referrer, browser/OS/device, technical metadata
• Click paths: Visited pages incl. referrer, clicked links/buttons with date/time
• Device data: Device type, operating system, screen resolution/size, orientation, touch support
• Browser information: Browser name, browser version, installed extensions
• Coarse location data: IP-based coarse location at city/municipality level
• Technical telemetry data: Error rates, loading times, data availability
• User profiles: Interest categorizations, segment assignments, usage histories

F. Purposes of Use when Using Xandr

Xandr processes data for the following purposes:

• Provision of functionality: Enabling the ad space auction mechanism
• General marketing: Targeting of advertising campaigns, performance measurement and optimization
• User profile creation: Segmentation and categorization of website visitors
• Security and abuse protection: Fraud detection, validation of impressions
• General product improvement: Optimization of the platform based on anonymized analyses
• User-individual marketing: Audience-targeted advertising via the platform

G. Legal Bases for Xandr

Category: Xandr is a tracking tool for programmatic advertising and ad space management (SSP/Ad Exchange).

Legal basis: Consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.

The website operator (publisher) must obtain the visitor's consent before loading the Xandr tag. This consent must:

• Be specific and informed: The visitor should understand that Xandr captures their data and uses it for advertising purposes
• Be obtained before the processing
• Be documented (duty of proof on the operator)
• Be granularly structured – ideally Xandr or at least the category "advertising / ad tech" should be approvable individually

Consent mechanism: A cookie banner or consent management system (CMP) must ask before loading Xandr whether the visitor consents to this data processing.

Note: In each case, the legal basis should be reviewed with a lawyer. Special rules may apply to B2B websites.

H. Special Features and Notes regarding Xandr

• Opt-out option: Visitors can opt out of Xandr tracking at https://www.xandr.com/privacy/ (opt-out link). This should be mentioned in the privacy policy.
• Microsoft ownership: Xandr was sold by AT&T to Microsoft in 2021 and consolidated under the brand Microsoft Advertising in 2023. This may affect the processing and sharing of data.
• Role of the website operator: The website operator is the controller for collecting consent. Xandr acts as an independent controller, not as a processor.
• No processor activity: A classic DPA relationship does not exist. Xandr is a data recipient within the meaning of Art. 13(1)(e) GDPR.
• European locations: Xandr has local offices in Hamburg, Berlin, Amsterdam and Paris. The operator should verify whether data is also processed in the EU.
• Data protection concerns: Xandr has been the subject of data protection investigations by European authorities. The current status should be reviewed.

I. FAQ on Xandr

J. Conclusion and Recommendation regarding Xandr

Summary: Xandr is a tracking tool for programmatic advertising on the supplier side. It requires the visitor's explicit, specific consent.

Why text templates are problematic: The privacy policy should not simply copy Xandr's privacy policy. This contradicts Art. 12(1) GDPR. Visitors should understand that their behavior is being tracked – not be confused by technical jargon.

Recommended approach: A topic-oriented privacy policy with transparent explanation of advertising monetization is clearer and more legally compliant. The statement should, for example, explain under "Ad space management" that visitor data is collected and shared with advertisers.