Dynamic Yield

Overview

Dynamic Yield is an AI-powered experience optimization platform owned by Mastercard (acquired in 2023, having previously been owned by McDonald's). It enables e-commerce and digital businesses to personalize website content, product recommendations, and page layouts in real time based on visitor behavioral profiles, segment membership, and machine learning predictions. The platform is used by major retailers, travel brands, and financial services companies to run A/B tests, multivariate experiments, and algorithmic personalization at scale — modifying what each visitor sees on the page based on who they are and what they have done previously.

What This Script Does

Initialization and configuration fetch: Dynamic Yield's script loads from cdn.dynamicyield.com (primary) or a site-configured first-party proxy domain. On page load, the script makes a synchronous or asynchronous request to Dynamic Yield's API (rcom.dynamicyield.com or st.dynamicyield.com) to fetch the current visitor's personalization configuration — which campaigns are active, which experience variants apply to this visitor, and which recommendation algorithms to invoke.

Visitor identity and cookies:

• _dyid (2-year expiry, first-party) — the primary visitor identifier, a UUID assigned on first visit that persists across sessions and is the foundation for all behavioral profiling
• _dyid_server (2-year expiry, first-party) — server-side counterpart to _dyid for cross-channel attribution
• _dyjsession (session-scoped) — current session identifier for grouping events within a visit
• _dy_geo (session-scoped) — stores IP-derived geolocation for experience targeting by location
• _dy_csc (session-scoped) — experiment and campaign assignment cache for the current session

Behavioral event collection: The SDK tracks page views (URL, category, page type), product views (product ID, SKU, price, category, brand, availability), cart interactions (add, remove, update with product details), checkout steps, and completed purchases (order ID, revenue, items). These events are transmitted to Dynamic Yield's servers and update the visitor's behavioral profile in near real time.

Content personalization: Based on the visitor's profile and active campaigns, Dynamic Yield injects modified DOM content: alternative hero banners, personalized product carousels (algorithmically ranked based on affinity scores), A/B test variants (different button text, layouts, pricing display), and targeted promotional messages. Content modifications happen client-side after the base page loads.

Machine learning models: Product recommendation algorithms (collaborative filtering, content-based filtering, trending items) use the visitor's event history to rank and select which products appear in recommendation widgets. Model inference happens server-side; results are delivered in the configuration fetch response.

Cross-device and cross-channel: Dynamic Yield supports cross-device identity resolution through hashed email matching when users are identified, extending behavioral profiles across web and app sessions.

Consent & Compliance

Dynamic Yield spans functional, analytics, and marketing consent categories. The consent analysis is complex because the platform performs three distinct functions with different legal bases:

A/B testing without behavioral profiling: Simple layout experiments with random bucket assignment (no cookie-based persistence across sessions) could potentially run on legitimate interest. However, Dynamic Yield's default configuration uses the persistent _dyid cookie for experiment continuity, which requires consent.

Analytics: Behavioral event collection (page views, product interactions, purchase events) is analytics processing requiring consent under ePrivacy for the cookie storage and under GDPR for the profile enrichment.

Personalization and recommendation targeting: This is the most privacy-intensive component. Building behavioral profiles across sessions using _dyid (2-year persistent identifier) and using ML models trained on that behavioral history to modify content constitutes profiling under GDPR Article 4(4). This requires explicit consent.

Under the ePrivacy Directive, all five named cookies (_dyid, _dyid_server, _dyjsession, _dy_geo, _dy_csc) require consent before being set, as none qualify for the strictly necessary exemption. Under CCPA/CPRA, behavioral profiling for personalization constitutes personal information processing that must be disclosed, and sharing with Dynamic Yield (a Mastercard entity) must be addressed in privacy policies.

Dynamic Yield is headquartered in New York. EU/EEA data transfers rely on Standard Contractual Clauses. As part of Mastercard, Dynamic Yield is subject to Mastercard's global privacy program and DPA framework.

Should You Block This Without Consent?

Conditional. Dynamic Yield's default configuration immediately sets 2-year persistent tracking cookies and begins building behavioral profiles on page load. In this configuration it must be blocked until consent is obtained. If the platform can be configured to run only non-persistent A/B tests without behavioral profiling for anonymous visitors, a legitimate interest basis may apply for that narrow use — but this requires careful platform configuration and legal review. In standard deployment, require analytics and marketing consent before loading.