With the introduction of IAB TCF 2.2, the landscape of consent management is experiencing noteworthy developments. Laws like the GDPR, Cookie Law, and US State Laws have made consent management platforms (CMPs) necessary for businesses operating in the EU and US, including publishers. This guide breaks down what a consent management platform is, why publishers need it, and how to enable the industry-standard Transparency and Consent Framework (TCF v. 2.2) in our Privacy Controls and Cookie Solution.
Understanding Google IAB TCF, TCF 2.0, and IAB Europe is crucial. This guide sheds light on these essential aspects, answering the question of “What is TCF?” and explaining its significance in the digital landscape 👇
CMP is short for Consent Management Platform or, less commonly, Consent Management Provider. CMPs are also responsible for passing user consent along with the Transparency and Consent Framework (TCF) and must therefore be registered and meet TCF standards and policies.
Simply stated, a CMP helps you provide transparency to the users regarding the access and storage of their personal information (through cookies and other trackers) in compliance with major data privacy laws like the GDPR, the ePrivacy Directive, the US State Privacy Laws and more.
More specifically, CMPs help you gather, store, and use users’ preferences to collect and process their personal information for specific purposes (e.g., analytics, advertising, and retargeting strategies).
💡 As a certified CMP, iubenda allows you to manage consent preferences for the ePrivacy, GDPR, and US State Laws like the CPRA, VCDPA and more.
Short answer: yes, you probably need one.
A) The GDPR/ePrivacy Directive or UK GDPR/PECR applies to you (not sure? Take our 1-minute quiz), and your site/app (or any third-party service run by your site/app) uses cookies or other trackers to process personal information.
Because according to the ePrivacy Directive (as well as PECR, its UK transposition), you must clearly and visibly inform users of your site/app’s use of any cookies (or trackers) and collect active consent before running scripts related to non-exempt cookies/trackers.
For example, let’s consider publishers operating in Europe. Cookies and trackers are their bread and butter since they help them monetize their site/app via third-party advertisers. The use of trackers for purposes like behavioral advertising, remarketing, and content personalization requires obtaining users’ informed consent before installing those trackers.
Generally, a publisher is any site/app operator that monetizes its content via third-party advertisers. Blogs and online newspapers that display ads on their site/app are examples of publishers.
B) Beyond the EU regulations, there are other compelling reasons to consider implementing a Consent Management Platform (CMP), particularly when addressing specific requirements in US state laws.
In the United States, some US State Laws, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), introduce precise guidelines for the format and labeling of the link leading to Privacy Controls, now named “Your Privacy Choices”.
In the context of user consent, it’s important to note that while the United States doesn’t have the same high level of requirements as Europe, where opt-in consent is the norm, a number of U.S. states still operate under an opt-out system. Nevertheless, implementing a Consent Management Platform (CMP) remains a valuable step in providing users with the ability to opt out, and in helping businesses re-obtain consent. This is particularly important when considering initiatives such as Global Privacy Controls (GPC), which allow users to opt out automatically through their browsers.
In general, given the rapid emergence of privacy laws worldwide, it’s hard to imagine a site or app that doesn’t need a Consent Management Platform. Such a platform streamlines the compliance process, making it more manageable and efficient, allowing businesses to stay ahead of the ever-changing privacy landscape.
💡 As a certified CMP, we’ve integrated IAB Europe’s industry-standard TCF and US State Laws Compliance Framework with our Privacy Controls and Cookie Solution to help publishers comply with the law while meeting industry requirements and maximizing ad revenue.
The IAB Transparency and Consent Framework (TCF) is a digital advertising initiative that helps publishers, technology vendors, agencies, and advertisers meet the transparency, consent, and choice requirements of the GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on users’ devices (such as cookies, advertising identifiers, device identifiers, and other tracking technologies).
The IAB TCF provides a standard process for getting GDPR user consent and signaling those consent preferences across the advertising supply chain (You can read the framework policies here).
Currently, the requirements of the UK’s General Data Protection Regulation (UK GDPR) and the UK’s Privacy and Electronic Communications Regulations are identical to those of their EU counterparts (the GDPR and ePrivacy). Therefore, the TCF Framework also helps companies meet the current requirements of both UK Regulations.
The TCF provides a system (a standard JavaScript API) that allows the different advertising ecosystem players to speak the same language and communicate the user’s preferences between them. The main actors of this system are publishers, vendors (third-party advertisers who collect end users’ data from the publisher’s site/app through the use of cookies or other trackers, in connection with surfacing content to the publisher’s end users), and CMPs like iubenda.
Publishers, vendors and CMPs who decide to participate in the IAB TCF are all bound to adhere to the standard Framework protocol and policies. Vendors are also requested to register on the Global Vendor List (GVL), a centralized, dynamic list of vendors, their purposes, maximum storage and access duration, and privacy policy URLs. Within the TCF and related GVL the purposes for data processing are also standardized and each purpose and each vendor have a unique ID. This unique vendor ID allows vendors to retrieve and interpret user consent preferences regarding their and other vendors’ services.
The user choices and vendor signals collected via the CMP UI are represented by binary values, compressed into as small a data structure as possible (Base64), and transmitted throughout the online advertising ecosystem via a Daisy Chain.
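To make the encoding above concrete, here is an added example (not iubenda or IAB code) that decodes the leading fields of a TC string's core segment and flags legitimate-interest signals on purposes 3 to 6. The field names, the helper functions and the sample string are assumptions made for illustration; the sample is constructed and contains only the leading fields.

```javascript
// Added example, not iubenda or IAB code. Field widths follow the TCF v2 core segment.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const FIELDS = [ // [name, width in bits], in wire order
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6], ['isServiceSpecific', 1],
  ['useNonStandardTexts', 1], ['specialFeatureOptIns', 12],
  ['purposeConsents', 24], ['purposeLegitimateInterests', 24],
];
const BITFIELDS = new Set(['specialFeatureOptIns', 'purposeConsents', 'purposeLegitimateInterests']);
const CONSENT_ONLY_PURPOSES = [3, 4, 5, 6]; // TCF 2.2: legitimate interest not accepted

// Decode the leading fields of the core segment (the part before the first dot).
function decodeCore(tcString) {
  const bits = [...tcString.split('.')[0]].map((ch) => {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('not base64url: ' + JSON.stringify(ch));
    return v.toString(2).padStart(6, '0'); // each character carries 6 bits
  }).join('');
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    const chunk = bits.slice(pos, pos + width);
    if (chunk.length < width) throw new Error('TC string truncated at ' + name);
    pos += width;
    out[name] = BITFIELDS.has(name)
      ? [...chunk].flatMap((b, i) => (b === '1' ? [i + 1] : [])) // bit i => ID i + 1
      : parseInt(chunk, 2);
  }
  out.created = new Date(out.created * 100); // stored in deciseconds
  out.lastUpdated = new Date(out.lastUpdated * 100);
  return out;
}

// Purposes signalled under legitimate interest that TCF 2.2 makes consent-only.
function liViolations(decoded) {
  return decoded.purposeLegitimateInterests.filter((id) => CONSENT_ONLY_PURPOSES.includes(id));
}

// Encoder used only to build the constructed sample below.
function encodeCore(values) {
  let bits = '';
  for (const [name, width] of FIELDS) {
    const v = values[name] || 0;
    bits += BITFIELDS.has(name)
      ? Array.from({ length: width }, (_, i) => ((v || []).includes(i + 1) ? '1' : '0')).join('')
      : Number(v).toString(2).padStart(width, '0');
  }
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, '0'); // pad to whole characters
  return bits.match(/.{6}/g).map((g) => B64URL[parseInt(g, 2)]).join('');
}

// Constructed sample: leading fields only; a real TC string continues with vendor data.
const SAMPLE = encodeCore({
  version: 2, created: 16990000000, lastUpdated: 16990000000, cmpId: 123,
  vendorListVersion: 20, tcfPolicyVersion: 4, isServiceSpecific: 1,
  purposeConsents: [1, 2, 7], purposeLegitimateInterests: [2, 4],
});
const decoded = decodeCore(SAMPLE);
console.log(SAMPLE, decoded.cmpId, decoded.purposeConsents, liViolations(decoded));
```

Run against a string captured from `getTCData`, the same decoder shows which CMP wrote it and whether any consent-only purpose is still being signalled under legitimate interest.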
The scripts of vendors that are part of the GVL are automatically blocked before receiving user choices. Each vendor can check its status by first pinging the CMP and then waiting for a call back for the ID they pass, which lets them know whether they can process personal data.
The IAB TCF, initially launched as 2.0, has rapidly evolved to establish itself as the unequivocal industry standard, with the collaboration of major vendors such as Google, Adobe, AdRoll, and a wide range more contributing to its implementation. The most recent iteration, IAB TCF 2.2, introduces substantial enhancements, meticulously designed to align more proficiently with regulatory mandates and to cater more effectively to user needs.
Enabling the TCF 2.2 offers many benefits for publishers and users, maximizing ad revenue and allowing publishers to smoothly collect and transmit user preferences to the third-party ad vendors they work with, while exercising stricter control over how they process users’ data.
Publishers are now required to disclose, prominently on the first level of their CMP user interface, the total number of third party vendors they work with. While the TCF Policy does not set a specific limit on the number of vendors, publishers are strongly encouraged to work only with those vendors that best meet their needs and objectives.
An inappropriately large number of vendors may affect the ability of users to make informed decisions and may increase legal risks for both publishers and vendors.
To help publishers determine which vendors they wish to establish transparency and consent for, a comprehensive Vendor Information List, known as the “B2B GVL”, is available. This resource provides valuable guidance to help publishers identify relevant vendors. Specifically, the B2B GVL provides information that helps publishers avoid seeking user consent from vendors operating in irrelevant technical environments and jurisdictions. It also helps to understand the scope of each TCF vendor’s operations and whether they are involved in data transfers outside the EEA.
👉 To further streamline this process, we strongly recommend using our Privacy and Cookie Policy Generator as the 🎖️ Preferred Method for selecting relevant vendors and in order for the Privacy Controls and Cookie Solution to automatically update accordingly. For those looking for more flexibility, you can also manually add vendors using the Privacy Controls and Cookie Solution Configurator.
A legal basis is a lawful ground under which personal data are processed. According to the GDPR, there are six possible legal bases. In the advertising sector, two legal bases are commonly used:
The TCF supports both, but in the latest version of TCF 2.2, legitimate interest is no longer an acceptable legal basis for purposes 3, 4, 5 and 6. Therefore, for these purposes, Vendors can now only rely on consent.
Furthermore, consider that some national DPAs, like in Italy and Belgium, have excluded the use of legitimate interest as a valid legal basis in general in the advertising context and that’s why it’s important to restrict it to “Consent only” if you operate in those countries (you can read more about country-specific requirements in our Cookie Consent Cheatsheet).
No, the new TCF Policies do not require re-establishing legal bases and therefore do not require CMPs to resurface the interface. TCF v2.2 brings further standardization of the minimum information and choices that should be provided to users over the processing of their personal data. Publishers should review the information they provide in their CMP interfaces in addition to the minimum standard information required under TCF v2.1, and make a case-by-case determination whether re-establishing legal bases is necessary, taking into account their specific needs, the context in which they operate and their local Data Protection Authority’s requirements.
Google fully supports IAB TCF v2.2 and is part of the TCF global vendor list. Google’s latest requirements mean that you now need to use a Google-certified Consent Management Platform if you’re serving ads via Google’s publisher products — AdSense, Ad Manager, or AdMob — in the UK or European Economic Area. This platform ensures users in Europe and the UK give consent to see the ads.
💡 iubenda, as a certified IAB TCF Consent Management Platform (CMP) and a Google CMP Partner, aligns with TCF 2.2, offering all the assistance and support you require. Therefore, using iubenda’s tool allows you to comply with Google’s standards when displaying ads to audiences in Europe and the UK.
With these actions, Google aims to clarify and enhance the reliability of ad consent requests. They also aim to ensure ad displays uphold individuals’ privacy rights.
While the framework comprises an ever-growing list of ad vendors, some advertisers are not yet part of the TCF. That’s the case with some of Google’s partners. To circumvent this problem, Google has defined a technical specification called Additional Consent Mode, intended only for use alongside TCF 2.2 to serve as a bridge for Google’s Ad Tech Providers who are not yet registered on the TCF 2.2 Global Vendor List.
💡 iubenda CMP fully supports TCF integration requirements set by Google, including the Additional Consent Mode.
The enhancements in TCF v2.2 focus on bringing a higher level of standardization to the information and choices available to users regarding the processing of their personal data, as well as clarifying how these choices should be recorded, conveyed, and honored. Here are the benefits for end-users:
⚠️ Please take note of the following deadlines for implementation:
📌 6th November 2023:
tcfVersion in the Privacy Controls and Cookie Solution will change to 2.2. Users who prefer to use version 2.1 after this date will need to manually select it in the Privacy Controls and Cookie Solution Configurator or declare the value tcfVersion="2" in their configuration.
📌 20th November 2023 (End of Implementation Period):
💡 Our cookie consent manager for the ePrivacy, GDPR, and US State Privacy Laws allows you to display a fully customizable cookie banner, collect cookie consent and implement prior blocking.
Also, as a registered Consent Management Platform (id number 123), the iubenda Privacy Controls and Cookie Solution lets users set advertising preferences and is compatible with the IAB GDPR Transparency and Consent Framework. This feature allows users to toggle advertising preferences for advertisers on the IAB’s extensive global vendor list.
With the introduction of IAB TCF 2.2, a set of new features and settings has been added. iubenda has integrated these upgrades to provide even more sophisticated consent management. For optimal convenience and usability, the use of our Privacy and Cookie Policy Generator (Preferred Method 🎖️) is recommended. For those who need more flexibility, manual insertion of vendors is also available in the Privacy Controls and Cookie Solution Configurator, allowing users to adjust services according to their particular needs.
⚠️ The very first action that we suggest is to select the vendors you’re using through our Privacy and Cookie Policy Generator.
(If you haven’t already activated the Privacy Controls and Cookie Solution, here’s a tutorial on getting started.)
Activate the “Manage Google Consent Mode consents status within the TCF string” option to instruct Google to infer Consent Mode consents for ad_storage, ad_user_data, and ad_personalization directly from the TCF string.
⚠️ Note: Without a selection, the Privacy Controls and Cookie Solution will display all TCF vendors, potentially breaching TCF policies.
Users have the capability to manage all the purpose options, which are kept updated with the latest policy version. This means updated definitions, the exclusion of legitimate interest for purposes from 3 to 6, and the inclusion of the new purpose 11.
Furthermore, you’ll have the chance to enable Google’s Additional Consent Mode option, a feature that allows you to gather consent for Google ad partners that are not yet part of the Transparency and Consent Framework, but are on Google’s Ad Tech Providers (ATP) list.
Please note that any previous changes to the banner text will be nullified when the TCF is enabled. Therefore, if you’ve previously edited the HTML or banner text, re-test with the default text and the buttons enabled.
HTML: If you want to edit the HTML, you must include our default text by adding the %{banner_content} shortcode to the input, along with an element with the class="iubenda-cs-accept-btn" attribute and an element with the class="iubenda-cs-customize-btn" attribute.
By enabling the TCF, the banner text will only be editable upon request. If you wish to edit the text of the cookie banner, make sure you check the IAB requirements and reach out to us via chat or email to have the modifications approved.
Once enabled, your Privacy Controls and Cookie Solution embed code will go from this:
<script type="text/javascript">
  var _iub = _iub || [];
  _iub.csConfiguration = {
    "siteId": XXXXXX, // your siteId
    "cookiePolicyId": YYYYYY, // your cookiePolicyId
    "lang": "en"
  };
</script>
<script type="text/javascript" src="https://cs.iubenda.com/autoblocking/3095420.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>
To this (note the stub-v2.js script, "enableTcf": true and other TCF options):
<script type="text/javascript">
  var _iub = _iub || [];
  _iub.csConfiguration = {
    "siteId":3156898, //use your siteId
    "cookiePolicyId":36614288, //use your cookiePolicyId
    "lang":"en"
  };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/beta/iubenda_cs.js" charset="UTF-8" async></script>
<script type="text/javascript">
  var _iub = _iub || [];
  _iub.csConfiguration = {
    "askConsentAtCookiePolicyUpdate":true,
    "enableTcf":true, //enable IAB TCF
    "tcfVendors":"628,1111,92", //(OPTIONAL) use this parameter to select manually the vendors you're using
    /*
    (OPTIONAL) Limit the legal basis and choose which TCF purposes to prompt
    "tcfPurposes": {
      "1":"true",
      "2":"consent_only",
      "3":"consent_only",
      "4":"consent_only",
      "5":"consent_only",
      "6":"consent_only",
      "7":"consent_only",
      "8":"consent_only",
      "9":"consent_only",
      "10":"consent_only",
      "11":"consent_only"
    },
    */
    "floatingPreferencesButtonDisplay":"bottom-right",
    "googleAdditionalConsentMode":true,
    "lang":"en",
    "perPurposeConsent":true, //enable per-category consent
    "siteId":3156898, //use your siteId
    "cookiePolicyId":36614288, //use your cookiePolicyId
    "banner":{
      "acceptButtonDisplay":true,
      "closeButtonDisplay":false,
      "customizeButtonDisplay":true,
      "explicitWithdrawal":true,
      "listPurposes":true,
      "position":"float-top-center",
      "rejectButtonDisplay":true
    }
  };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/beta/iubenda_cs.js" charset="UTF-8" async></script>
Now that you’ve pasted the Privacy Controls and Cookie Solution code inside the body of your pages, let’s talk about prior blocking of the vendor scripts.
The iubenda CMP provides the __tcfapi function so that vendors can read the consent properly.
We use a script (safe-tcf-v2.js) whose only job is to read the TCF cookie and release the __tcfapi function; it does not directly block the vendor scripts. It is a synchronous activator that runs at the very beginning of the page, guaranteeing that the consent is read within 500ms from the vendor scripts being executed.
This is the default behavior when enabling the IAB TCF options of our configurator.
It works from the second pageview (when consent is already present on the page) and delivers high performance in terms of load speed.
However, it may result in some incompatibilities with Google Ad Manager, AdSense, and AdMob. If you want to directly block the vendor scripts, see below.
Vendors have a maximum time (generally 500ms, usually non-configurable) to wait for consent from the CMP.
In cases where the CMP does not respond within a maximum of 500ms, vendors’ Sell-Side Platform uses the opt-out status of the user instead, which means that in such cases, your end-users will be served with non-personalized ads.
This might happen if you use Google’s advertising services such as Ad Manager, AdSense and AdMob.
To prevent these issues, you can directly block the vendors’ scripts using one of the prior blocking methods supported by our Privacy Controls and Cookie Solution, then execute them only after consent has been collected.
This gives you more direct control over compliance and over serving personalized ads from the first pageview, when consent hasn’t been collected yet. It also allows you to avoid error 2.1a (for Google Ad Manager, AdSense, and AdMob users).
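The vendor-side wait described above (listen for the CMP, fall back to the opt-out status after 500ms) can be sketched as follows. This is an added example, not iubenda or vendor code: the function names, the mock CMP and the sample tcData object are constructed for illustration, and vendor ID 92 is taken from the tcfVendors value shown earlier.

```javascript
// Added example (not iubenda or IAB code). The mock CMP and sample tcData are constructed.
const CONSENT_ONLY = new Set([3, 4, 5, 6]); // TCF 2.2: legitimate interest not accepted

// needs: { purposeId: 'consent' | 'legitimateInterest' } as declared by the vendor.
function vendorAllowed(tcData, vendorId, needs) {
  if (tcData.gdprApplies === false) return true; // TCF signals only govern GDPR traffic
  const p = tcData.purpose || {};
  const v = tcData.vendor || {};
  const on = (map, id) => Boolean(map && map[id]);
  return Object.entries(needs).every(([id, basis]) => {
    const viaLi = basis === 'legitimateInterest' && !CONSENT_ONLY.has(Number(id));
    return viaLi
      ? on(p.legitimateInterests, id) && on(v.legitimateInterests, vendorId)
      : on(p.consents, id) && on(v.consents, vendorId);
  });
}

// Calls onDecision exactly once with 'personalized' or 'non-personalized'.
function gateOnConsent(tcfapi, vendorId, needs, onDecision, opts = {}) {
  const { timeoutMs = 500, schedule = setTimeout, cancel = clearTimeout } = opts;
  let done = false;
  let timer;
  let listenerId;
  const finish = (mode) => {
    if (done) return;
    done = true;
    cancel(timer);
    if (listenerId !== undefined) tcfapi('removeEventListener', 2, () => {}, listenerId);
    onDecision(mode);
  };
  timer = schedule(() => finish('non-personalized'), timeoutMs); // CMP silent: opt-out
  if (typeof tcfapi !== 'function') return; // no CMP on the page, the timer decides
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return;
    listenerId = tcData.listenerId;
    const final = ['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus);
    if (final) finish(vendorAllowed(tcData, vendorId, needs) ? 'personalized' : 'non-personalized');
  });
}

// Constructed stand-in for window.__tcfapi so the example runs outside a browser.
function makeMockCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (cmd, version, cb, arg) => {
    if (cmd === 'addEventListener') listeners.set(nextId++, cb);
    else if (cmd === 'removeEventListener') cb(listeners.delete(arg));
  };
  api.emit = (tcData) => listeners.forEach((cb, id) => cb({ ...tcData, listenerId: id }, true));
  api.listenerCount = () => listeners.size;
  return api;
}

// Constructed tcData: vendor 92 has consent; purpose 3 carries only a legitimate-interest flag.
const SAMPLE_TCDATA = {
  eventStatus: 'tcloaded', gdprApplies: true,
  purpose: { consents: { 1: true, 3: false }, legitimateInterests: { 3: true, 7: true } },
  vendor: { consents: { 92: true }, legitimateInterests: { 92: true } },
};

const demoCmp = makeMockCmp();
gateOnConsent(demoCmp, 92, { 1: 'consent', 7: 'legitimateInterest' }, (m) => console.log('ads:', m));
demoCmp.emit(SAMPLE_TCDATA);
```

In a browser, `window.__tcfapi` takes the place of the mock; the `schedule` and `cancel` options exist so the timeout path can be driven by a fake timer in tests.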
Our Privacy Controls and Cookie Solution offers various tools for the prior blocking of scripts that may install cookies. More in our introduction to the prior blocking of scripts. To block Google’s scripts, you can directly reference the examples for Google AdSense and Google Publisher Tag.
Please note that if you’ve enabled the Privacy Controls and Cookie Solution’s per-category consent feature, you’ll need to tag TCF scripts as “purpose 1” (Necessary).
The stub-v2.js and safe-tcf-v2.js scripts can also be embedded inline or self-hosted, if necessary. Read this guide for more optimization tips.
To read the consent from the __tcfapi function, you can open the browser console and launch these commands:
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) });
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) }, [1,2]);
window.__tcfapi('ping', 2, function(result) { console.log(result) });
Finally, as required by IAB, you have to provide a link or button (e.g. in the footer) that allows your visitors to update their advertising tracking preferences even after closing the cookie banner.
Let’s see how.
To implement, just add the iubenda-advertising-preferences-link class to a custom link or button:
<a href="#" class="iubenda-advertising-preferences-link">
Update your advertising tracking preferences
</a>
Place it anywhere on your site (typically added to the footer). Once clicked, the link above will trigger the opening of the advertising tracking settings modal:
To meet IAB’s requirements, please note that if you don’t implement the iubenda-advertising-preferences-link class, we’ll automatically display a small widget that hovers on your pages:
Under the IAB TCF tile you’ll find these enhanced publisher options:
To do this, scroll to the “Restrictions of purposes and legal basis” option, decide which purposes you want to enable, and finally select the legal basis under which personal data can be processed for active purposes.
Note: if you are not sure about this aspect, consider that “Consent only” is usually the safest option and definitely best practice for purposes related to profiling.
We’ve already mentioned the importance of restricting the number of vendors you want to work with. Another advantage of providing transparency for a limited number of vendors is the possibility to basically eliminate the problem of requesting new consent at the global vendor list update. In fact, the IAB vendor list is updated almost weekly.
If, nevertheless, you decide not to limit the number of vendors to work with, you may want to choose how to handle new consent requests, avoiding showing the cookie banner to users who have already given consent a few days or weeks before.
Inside the tile IAB TCF v. 2.2, you’ll find a section called “Request new consent from users that had previously provided consent, if the IAB Framework preference is not found”.
Some vendors may ask you to explicitly provide gdpr and gdpr_consent parameters in their request. Here’s a snippet to meet this requirement:
<script type="text/javascript">
  __tcfapi('addEventListener', 2, function(tcData) {
    if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') {
      return;
    }
    var gdpr = tcData.gdprApplies ? 1 : 0;
    var gdpr_consent = tcData.tcString;
    console.log({ gdpr: gdpr, gdpr_consent: gdpr_consent });
    // Remove event listener to avoid invoking the ads multiple times
    __tcfapi('removeEventListener', 2, function(success) {
      console.log('event listener removed', success);
    }, tcData.listenerId);
  });
</script>
Once you have replaced the console.log line with the request to the vendor, using the gdpr and gdpr_consent variables, add this snippet below the iubenda_cs.js script; it will then automatically invoke the vendor script with the correct consent data.
Now when your users click on the Learn more and customize button in your cookie banner in order to manage their preferences, they’ll see the following options:
Note: when the user indicates that they would like to manage preferences by opening the preference window, all cookies are “turned off” by default as a positive affirmative/opt-in action is legally required for valid consent.
In alignment with IAB’s guidelines, we’ll not force any reconsent; however, publishers should evaluate this on a case-by-case basis. Publishers must limit the vendors to those they actively collaborate with and clearly state this in the privacy policy. By doing so and refraining from adding new vendors, there should be no need to resurface the banner or re-establish consent, especially as they are already restricting Legitimate Interest. This means there should be no issues with changes in legal basis. However, publishers should evaluate their specific circumstances and make determinations accordingly.
Yes, you can. However, we recommend an additional step: when an iubenda Privacy and Cookie Policy is detected, the purposes displayed in the second layer are derived from the added services. To ensure correct handling of all purposes, users should choose the custom option of granular control by category under GDPR.