Most GDPR compliance work happens at the surface: cookie banners, consent management platforms, privacy notices, the visible furniture of a website’s relationship with its users. A deadline arriving on June 30, 2026 moves the obligation somewhere most marketing and compliance teams rarely look — into the server-to-server API calls that carry personal data between advertisers and Amazon Ads.

On that date, Amazon’s second consent-signal enforcement deadline takes effect, extending mandatory consent requirements to the Amazon Ad Tag, the Conversions API (CAPI), and the Events API. For any organization advertising on Amazon and transmitting data from UK or EEA users, this is not an optional optimization. Data sent without a valid consent signal will be rejected or restricted — and the underlying transmission may constitute a GDPR violation regardless of what Amazon does with it.

Background: how we got here

Since February 7, 2025, Amazon has required all advertisers transmitting personal data from UK or EEA users to send a verified consent signal alongside that data. The first wave covered the most common integration paths. The June 30, 2026 deadline closes the remaining gaps, bringing the Ad Tag, Conversions API, and the newer Events API into the same enforced regime.

The driver is the GDPR’s core requirement that there be a valid lawful basis — in this context, consent — before personal data is processed for advertising and measurement. Amazon, as a recipient and processor of that data, has built consent verification into its ingestion layer so that it will not accept EU/UK personal data unless the advertiser can demonstrate the user agreed. In effect, Amazon is enforcing a slice of GDPR compliance contractually and technically, on top of whatever the regulators do.

Under the June 30 requirements, advertisers must pass a valid consent signal using one of three accepted frameworks, alongside a two-character ISO 3166 country code, whenever personal information is transmitted to Amazon Ads from UK or EEA markets. The accepted frameworks are:

  • IAB TCF (Transparency and Consent Framework)
  • GPP (Global Privacy Platform)
  • Amazon Consent Signal (ACS) — Amazon’s own proprietary signal

The country code is not incidental. It tells Amazon which jurisdiction’s rules apply to the record, making consent provenance jurisdiction-aware at the data level.

Why the API layer changes the compliance problem

The reason this deadline deserves dedicated attention — rather than being folded into routine cookie-consent maintenance — is that server-side data transmission breaks the assumptions most consent setups rely on.

A traditional cookie-consent implementation works because the browser is present: the consent management platform reads the user’s choice, stores it client-side, and the tag fires (or doesn’t) based on that stored state. Server-to-server APIs have no browser in the loop. That changes everything:

The Conversions API consent signal cannot be read from a cookie. It must be explicitly included in the API payload. Advertisers sending data through CAPI have to transmit the TCF, GPP, or ACS consent information alongside each event record. The payload must carry the framework type, the encoded consent string or ACS parameters, and the ISO 3166 country code. If your server-side integration was built to fire conversions without carrying consent state forward, it will fail after June 30.

The Events API demands record-level consent. The Events API — currently in open beta with the same June 30, 2026 enforcement deadline — requires a dedicated consent object within each individual event payload. Not at the session level. Not once per batch. At the record level. This is the most granular consent architecture Amazon has deployed, and it makes consent provenance traceable through the entire data pipeline. It also means your data infrastructure must preserve and attach consent metadata to every single event from the point of collection through to transmission.

This is the deeper compliance lesson: consent is no longer a gate at the front door; it is metadata that must travel with the data. Every system that touches a personal-data record between collection and transmission to Amazon has to carry the consent state forward intact. That is an architecture problem, not a banner-configuration problem.

The dual consequence of non-compliance

Failing to implement a valid consent signal creates two distinct categories of harm, and it is important to understand both.

Regulatory exposure. Transmitting EU/UK personal data for advertising purposes without a valid lawful basis is a GDPR compliance failure on its own terms. European data protection authorities assessed roughly €1.2 billion in GDPR fines in 2025 and have shown sustained appetite for enforcement around lawful basis, transparency, and cross-border data flows — themes we examined in our coverage of the TikTok GDPR fine and Irish DPC proceedings. Ad-tech data transmission sits at the intersection of all three.

Operational and commercial harm. Independent of any regulator, Amazon will reject or restrict the use of non-compliant data for targeting, retargeting, and conversion attribution. For performance-marketing teams, this is immediate and tangible: campaigns lose measurement signal, attribution models degrade, and audiences shrink. The compliance deadline and the marketing-performance deadline are the same date.

This dual structure is why the consent-signal requirement tends to get traction internally where pure compliance mandates sometimes stall — the marketing organization has its own reason to care.

What to do before June 30

The window is short, and the work spans compliance, marketing operations, and engineering. Concrete steps:

  1. Inventory every Amazon Ads data path. Identify where you use the Amazon Ad Tag, the Conversions API, and the Events API, and which of those paths carry EU or UK personal data.
  2. Choose and confirm your consent framework. Decide whether you are standardizing on IAB TCF, GPP, or Amazon’s ACS, and verify your consent management platform can produce a valid, encoded signal for each transmission path.
  3. Plumb consent into the payload. For CAPI and the Events API, ensure your server-side integration attaches the framework type, the consent string or ACS parameters, and the ISO 3166 country code to every record. Confirm the Events API integration carries a consent object at the individual-event level.
  4. Verify consent provenance end to end. Trace a single record from the moment of collection to the moment it reaches Amazon, and confirm the consent state survives every intermediate system, ETL job, and data store.
  5. Test before the deadline, not after. Validate that compliant payloads are accepted and that records without consent are correctly withheld — and confirm your measurement still functions for the consented population.
  6. Document the lawful basis and the architecture. Keep records demonstrating how consent is captured, encoded, and transmitted. In a GDPR inquiry, the ability to show consent provenance at the record level is exactly the evidence regulators expect.

The broader signal

The Amazon consent-signal deadline is a small, specific obligation with a large, general lesson: privacy compliance is migrating from the presentation layer into the data layer. As more processing moves server-side — driven by the deprecation of third-party cookies, the rise of conversion APIs, and the appetite for first-party data — the old model of “consent as a one-time browser interaction” no longer holds. Consent has to become a property of the data itself, carried through every pipeline that processes it.

Organizations that build that capability now — record-level consent metadata, jurisdiction-aware data flows, provenance you can prove — will be ready not just for June 30, but for the direction every major data recipient and regulator is heading. Those treating it as a one-off Amazon checkbox will be back in the same scramble at the next platform’s deadline.

This article is provided for informational purposes only and does not constitute legal advice.