Iubenda logo
Start generating

Documentation

Table of Contents

The complete guide to iubenda CMP and IAB TCF 2.2

With the introduction of IAB TCF 2.2, the landscape of consent management is experiencing noteworthy developments. Laws like the GDPR, Cookie Law, and US State Laws have made consent management platforms (CMPs) necessary for businesses operating in the EU and US, including publishers. This guide breaks down what a consent management platform is, why publishers need it, and how to enable the industry-standard Transparency and Consent Framework (TCF v. 2.2) in our Privacy Controls and Cookie Solution.

Understanding Google IAB TCF, TCF 2.0, and IAB Europe is crucial. This guide sheds light on these essential aspects, answering the question of “What is TCF?” and explaining its significance in the digital landscape 👇

In short

What is a Consent Management Platform (CMP)

CMP is short for Consent Management Platform or, less commonly, Consent Management Provider. CMPs are also responsible for passing user consent along with the Transparency and Consent Framework (TCF) and must therefore be registered and meet TCF standards and policies.

Simply stated, a CMP helps you provide transparency to the users regarding the access and storage of their personal information (through cookies and other trackers) in compliance with major data privacy laws like the GDPR, the ePrivacy Directive, the US State Privacy Laws and more.

More specifically, CMPs help you gather, store, and use users’ preferences to collect and process their personal information for specific purposes (e.g., analytics, advertising, and retargeting strategies).

Do I need a Consent Management Platform (CMP)?

Short answer: yes, you probably need one. 

A) The GDPR/ePrivacy Directive or UK GDPR/PECR applies to you (not sure? Take our 1-minute quiz), and your site/app (or any third-party service run by your site/app) uses cookies or other trackers to process personal information.

Why?

Because according to the ePrivacy Directive (as well as PECR, its UK transposition), you must clearly and visibly inform users of your site/app’s use of any cookies (or trackers) and collect active consent before running scripts related to non-exempt cookies/trackers

For example, let’s consider publishers operating in Europe. Cookies and trackers are their bread and butter since they help them monetize their site/app via third-party advertisers. The use of trackers for purposes like behavioral advertising, remarketing, and content personalization requires obtaining users’ informed consent before installing those trackers. 

What is a publisher?

Generally, a publisher is any site/app operator that monetizes its content via third-party advertisers. Blogs and online newspapers that display ads on their site/app are examples of publishers.

B) Beyond the EU regulations, there are other compelling reasons to consider implementing a Consent Management Platform (CMP), particularly when addressing specific requirements in US state laws.

In the United States, some US State Laws, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), introduce precise guidelines for the format and labeling of the link leading to Privacy Controls, now named “Your Privacy Choices“.

In the context of user consent, it’s important to note that while the United States doesn’t have the same high level of requirements as Europe, where opt-in consent is the norm, a number of U.S. states still operate under an opt-out system. Nevertheless, implementing a Consent Management Platform (CMP) remains a valuable step in providing users with the ability to opt out and, and facilitate businesses in reobtaining consent. This is particularly important when considering initiatives such as Global Privacy Controls (GPC), which allow users to opt out automatically through their browsers.

In general, given the rapid emergence of privacy laws worldwide, it’s hard to imagine a site or app that doesn’t need a Consent Management Platform. Such a platform streamlines the compliance process, making it more manageable and efficient, allowing businesses to stay ahead of the ever-changing privacy landscape.

💡 As a certified CMP, we’ve integrated IAB Europe’s industry-standard TCF and US State Laws Compliance Framework with our Privacy Controls and Cookie Solution to help publishers comply with the law while meeting industry requirements and maximizing ad revenue.

What is the IAB TCF? GDPR Transparency and Consent Framework

The IAB Transparency and Consent Framework (TCF) is a digital advertising initiative that helps publishers, technology vendors, agencies, and advertisers meet the transparency, consent, and choice requirements of the GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on users devices (such as cookies, advertising identifiers, device identifiers, and other tracking technologies).

The IAB TCF provides a standard process for getting GDPR user consent and signaling those consent preferences across the advertising supply chain (You can read the framework policies here)

The IAB TCF and Brexit / UK Law

Currently, the requirements of the UK’s General Data Protection Regulation (UK GDPR) and the UK’s Privacy and Electronic Communications Regulations are identical to that of their EU counterparts (the GDPR and ePrivacy). Therefore, the TCF Framework also helps companies meet the current requirements of both UK Regulations. 

The TCF provides a system (a standard JavaScript API) that allows the different advertising ecosystem players to speak the same language and communicate the user’s preferences between them. The main actors of this system are publishers, vendors (third parties advertisers who collect end-users data from the publisher’s site/app through the use of cookies or other trackers, in connection with surfacing content to the publisher’s end users), and CMPs like iubenda.

Publishers, vendors and CMPs who decide to participate in the IAB TCF are all bound to adhere to the standard Framework protocol and policies. Vendors are also requested to register on the Global Vendor List (GVL), a centralized, dynamic list of vendors, their purposes, maximum storage and access duration, and privacy policy URLs. Within the TCF and related GVL the purposes for data processing are also standardized and each purpose and each vendor have a unique ID. This unique vendor ID allows vendors to retrieve and interpret user consent preferences regarding their and other vendors’ services. 

The user choices and vendor signals collected via the CMP UI are represented by binary values, compressed into as small a data structure possible (Base64), and transmitted throughout the online advertising ecosystem via a Daisy Chain.

The scripts of vendors that are part of the GVL are automatically blocked before receiving user choices. Each vendor can check its status by first pinging the CMP and then waiting for a call back for the ID they pass, which lets them know whether they can process personal data.

Why publishers should enable the Transparency and Consent Framework

The IAB TCF, initially launched as 2.0, has rapidly evolved to establish itself as the unequivocal industry standard, with the collaboration of major vendors such as Google, Adobe, AdRoll, and a wide range more contributing to its implementation. The most recent iteration, IAB TCF 2.2, introduces substantial enhancements, meticulously designed to align more proficiently with regulatory mandates and to cater more effectively to user needs.

Enabling the TCF 2.2 offers many benefits for publishers and users, maximizing ad revenue and allowing publishers to smoothly collect and transmit user preferences to the third-party ad vendors they work with, while exercising stricter control over how they process users’ data.

IAB TCF 2.2 benefits for publishers

  • Secure your ad revenue
    • Advertising networks may limit access to their network or serve only non-personalized ads where TCF 2.2 consent is not passed to vendors. This means that your ad revenue could potentially decrease if you’re not using the framework. Publishers in Europe and the UK who use Google publisher products should especially consider IAB TCF, as non-compliance with TCF v2.2 could lead to a reduction in ad revenue.
    • Implementing TCF 2.2 can boost ad revenue as it grants publishers more control and flexibility in establishing the legal basis for collaborating with vendors. This approach allows them to maintain ad revenue generation while adhering to privacy-compliant data processing.
    • The Framework also empowers organizations to foster trust among users through transparency and choice, thus promoting increased engagement with ads as users feel assured of their privacy being respected.
  • Enhanced options and control
    • Purposes: you have full control over which third-party ad vendors you want to work with and disclose to your users and for what purposes you allow these vendors to process personal information.
    • A new Purpose 11 (Use limited data to select content) intended to cover processing activities such as the selection and delivery of non-advertising content based on real-time data (e.g. information about the page content or non-precise geolocation data), and controlling the frequency or order in which content is presented to a user.
    • Legal Basis: Vendors, previously able to declare reliance on both consent and legitimate interest for purposes 2 to 10 in TCF 2.0, can now, in TCF 2.2, only rely on consent for purposes 3, 4, 5, and 6. While stricter data usage and consent collection might impact ad targeting capabilities and revenue, the enhanced trust and user engagement potentially counterbalance the negative impacts, leading to increased user satisfaction.
    • Publishers must now select partners diligently and ensure that these partners comply with TCF standards, reinforcing their ethical standing and allowing the development of partnerships with entities sharing a commitment to user privacy.
    • TCF 2.2 establishes a standardized platform for publishers and third-party vendors, facilitating compliance and enabling adherence to data privacy regulations like the GDPR and the ePrivacy Directive.

Publishers are now required to disclose, prominently on the first level of their CMP user interface, the total number of third party vendors they work with. While the TCF Policy does not set a specific limit on the number of vendors, publishers are strongly encouraged to work only with those vendors that best meet their needs and objectives.

An inappropriately large number of vendors may affect the ability of users to make informed decisions and may increase legal risks for both publishers and vendors.

In order to facilitate publishers to determine which vendors they wish to establish transparency and consent for, a comprehensive Vendor Information List, known as the “B2B GVL“, is available. This resource provides valuable guidance to help publishers identify relevant vendors. Specifically, the B2B GVL provides information that helps publishers avoid seeking user consent from vendors operating in irrelevant technical environments and jurisdictions. It also helps to understand the scope of each TCF vendor’s operations and whether they are involved in data transfers outside the EEA.

👉 To further streamline this process, we strongly recommend using our Privacy and Cookie Policy Generator as the 🎖️ Preferred Method for selecting relevant vendors and in order for the Privacy Controls and Cookie Solution to automatically update accordingly. For those looking for more flexibility, you can also manually add vendors using the Privacy Controls and Cookie Solution Configurator.

A legal basis is a lawful ground under which personal data are processed. According to GPDR, there are six possible legal basis. In the advertising sector, two legal bases are commonly used:

  • consent of the data subject; and
  • legitimate interest of the data controller.

The TCF supports both, but in the latest version of TCF 2.2, legitimate interest is no longer an acceptable legal basis for purposes 3, 4, 5 and 6. Therefore, for these purposes, Vendors can now only rely on consent.

Furthermore, consider that some national DPAs, like in Italy and Belgium, have excluded the use of legitimate interest as a valid legal basis in general in the advertising context and that’s why it’s important to restrict it to “Consent only” if you operate in those countries (you can read more about country-specific requirements in our Cookie Consent Cheatsheet).

No, the new TCF Policies do not require re-establishing legal bases and therefore do not require CMPs to resurface the interface. TCF v2.2 brings further standardization of the minimum information and choices that should be provided to users over the processing of their personal data. Publishers should review the information they provide in their CMPs interfaces in addition to the minimum standard information required under TCF v2.1, and make a case-by-case determination whether re-establishing legal bases is necessary taking into account their specific needs, the context in which they operate and their local Data Protection Authority’s requirements.

Google and IAB TCF v2.2

Google fully supports IAB TCF v2.2 and is part of the TCF global vendor list. The latest Google requirements implies that now you need to use a Google-certified Consent Management Platform if you’re serving ads via Google’s publisher products — AdSense, Ad Manager, or AdMob — in the UK or European Economic Area. This platform ensures users in Europe and the UK give consent to see the ads.

💡 iubenda, as a certified IAB TCF Consent Management Platform (CMP) and a Google CMP Partner, aligns with TCF 2.2, offering all the assistance and support you require. Therefore, using iubenda’s tool allows you to comply with Google’s standards when displaying ads to audiences in Europe and the UK.

With these actions, Google aims to clarify and enhance the reliability of ad consent requests. They also aim to ensure ad displays uphold individuals’ privacy rights.

What about ad vendors that are not yet part of the TCF?

While the framework comprises an ever-growing list of ad vendors, some advertisers are not yet part of the TCF. That’s the case with some of Google’s partners. To circumvent this problem, Google has defined a technical specification called Additional Consent Mode, intended only for use alongside TCF 2.2 to serve as a bridge for Google’s Ad Tech Providers who are not yet registered on the TCF 2.2 Global Vendor List.

💡  iubenda CMP fully supports TCF integration requirements set by Google, including the Additional Consent Mode.

IAB TCF v2.2 Benefits for End-Users

The enhancements in TCF v2.2 focus on bringing a higher level of standardization to the information and choices available to users regarding the processing of their personal data, as well as clarifying how these choices should be recorded, conveyed, and honored. Here are the benefits for end-users:

  • Consent-Centric Processing: The TCF v2.2 eliminates the legitimate interest legal basis for advertising & content personalization for certain purposes, ensuring vendors rely solely on consent as the acceptable legal basis for processing user data for purposes 3, 4, 5, and 6.
  • Enhanced User Information: The framework provides more user-friendly descriptions and real-use case examples, replacing complex legal text. This change improves user understanding of the purposes and features of data processing, facilitating more informed choices.
  • Standardized Vendor Information: Vendors are mandated to disclose more comprehensive information about their data processing activities, which includes:
    • Types of data collected
    • Data retention periods for each purpose
    • Any legitimate interests involved
    • Multilingual support for URL declaration
    • This disclosure enables users to receive detailed insights into vendors’ data practices.
  • Transparent Vendor Count: Publishers must disclose the total number of vendors seeking to establish a legal basis on the primary layer of their user interfaces, promoting transparency and informed decision-making for users.
  • Facilitated Consent Withdrawal: Publishers and CMPs are required to provide easy options for users to revisit the consent interface and withdraw their consent effortlessly. It also mandates vendors to retrieve the Transparency & Consent String in real-time when necessary.

iubenda and the IAB Transparency and Consent Framework (TCF 2.2) 

Implementation Timeline

⚠️ Please take note of the following deadlines for implementation:

📌 6th November 2023:

  • The default value of tcfVersion in the Privacy Controls and Cookie Solution will change to 2.2. Users who prefere to use version 2.1 after this date will need to manually select it on the Privacy Controls and Cookie Solution Configurator or declare the value tcfVersion=“2” in their configuration.

📌 20th November 2023 (End of Implementation Period):

  • iubenda, as a certified CMP, has successfully implemented the new guidelines and specifications by the specified date.
  • Compliance with TCF 2.2 will be strictly verified by IAB Europe as part of their ongoing monitoring of live installations to ensure adherence to all the requisite norms and specifications of GDPR and ePrivacy regulations.
  • After this date, signals from TCF v. 2.1 won’t be valid anymore; users must switch to v. 2.2 to obtain valid consents.

💡 Our cookie consent manager for the ePrivacy, GDPR, and US State Privacy Laws allows you to display a fully customizable cookie banner, collect cookie consent and implement prior blocking. 

Also, as a registered Consent Management Platform (id number 123), the iubenda Privacy Controls and Cookie Solution lets users set advertising preferences and is compatible with the IAB GDPR Transparency and Consent Framework. This feature allows users to toggle advertising preferences for advertisers on the IAB’s extensive global vendor list.

1. Enable the IAB Transparency and Consent Framework

With the introduction of IAB TCF 2.2, a set of new features and settings have been added. iubenda has precisely integrated these upgrades to provide even more sophisticated consent management. For optimal convenience and usability, the use of our Privacy and Cookie Policy Generator (Preferred Method 🎖️) is recommended. For those who need more flexibility, Manual insertion of vendors is also available on the Privacy Controls and Cookie Solution Configurator, allowing users to adjust services according to their particular needs.

To enable the TCF v. 2.2, head to your dashboard and click on the site/app that you’d like to update.

⚠️ The very first action that we suggest is to select the vendors you’re using through our Privacy and Cookie Policy Generator.

Use our Privacy and Cookie Policy Generator (🎖️ Preferred Method)

  1. On the Privacy and Cookie Policy Generator
    • Select TCF-related vendors from the services modal.
  2. Then, on the Privacy Controls and Cookie Solution Configurator:
    • Activate the TCF tile (if it is not already enabled) → Once activated, open the TCF tile by clicking “EDIT” → Select the TCF v. 2.2 version from the available options.
    • The Privacy Controls and Cookie Solution updates automatically with any addition or removal of any TCF service on the Privacy and Cookie Policy. Subsequently, the Configurator will display the number of providers added, and the banner will adjust its display, affecting the TCF panel accordingly.

(If you haven’t already activated the Privacy Controls and Cookie Solution, here’s a tutorial on getting started.

💡 Are you looking to manage Consent Mode parameters?

Activate the “Manage Google Consent Mode consents status within the TCF string” option to instruct Google to infer Consent Mode consents for ad_storage, ad_user_data, and ad_personalization directly from the TCF string.

Manually Insert Vendors

  1. You can manually add vendors by selecting “Manually enter the list of TCF vendors you want to display” and then adding the vendor IDs, separated by commas. The list and additional vendor information can be obtained by consulting the Global Vendor List and the additional vendor information list.
  2. IAB TCF
  3. If the TCF v2.2 is enabled on the Privacy Controls and Cookie Solution Configurator, the system will promptly display an alert if it can’t find any TCF vendors.

⚠️ Note: Without a selection, the Privacy Controls and Cookie Solution will display all TCF vendors, potentially breaching TCF policies.

Managing Purpose Options:

Users have the capability to manage all the purpose options, which are kept updated with the latest policy version. This means updated definitions, the exclusion of legitimate interest for purposes from 3 to 6, and the inclusion of the new purpose 11.

Once enabled the IAB TCF option, you’ll immediately notice that:

  • The banner text will be lengthened to meet IAB requirements. The additional text (only editable upon request) contains essential disclosures related to the enhanced options that we mention in the sections below.
  • “Accept” and “Learn more and customize” buttons will be force-enabled, as required by IAB.
IAB TCF

What the banner notice for TCF v2.2 needs to contain

  • information about the fact that information is stored on and/or accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data);
  • information about the fact that personal data is processed, and the nature of the personal data processed (e.g. unique identifiers, browsing data);
  • a link to the list of vendors and the number of third party vendors;
  • a list of purposes (using the GVL version 3 standardized names and/or stack names);
  • information about the special features used by the vendors (using the GVL standardized names and/or stack names);
  • information about the fact that the user can withdraw their consent at any time, and how to resurface the Framework UI in order to do so;
  • a call to action for the user to express their consent
  • a call to action for the user to customise their choices 

Furthermore, you’ll have the chance to enable Google’s Additional Consent Mode option, a feature that allows you to gather consent for Google ad partners that are not yet part of the Transparency and Consent Framework, but are on Google’s Ad Tech Providers (ATP) list.

Editing the cookie banner

Please note that any previous changes to the banner text will be nullified when the TCF is enabled. Therefore, if you’ve previously edited the HTML or banner text, re-test with the default text and the buttons enabled.

HTML

If you want to edit the HTML, you must necessarily include our default text by including the %{banner_content} shortcode in the input, an element with the class="iubenda-cs-accept-btn" attribute and an element with the class="iubenda-cs-customize-btn" attribute.

Text

By enabling the TCF, the banner text will only be editable upon request. If you wish to edit the text of the cookie banner, make sure you check the IAB requirements and reach out to us via chat or email to have the modifications approved.

Privacy Controls and Cookie Solution snippet

Once enabled, your Privacy Controls and Cookie Solution embed code will go from this:

<script type="text/javascript">
  var _iub = _iub || [];
  _iub.csConfiguration = {
    "siteId": XXXXXX, // your siteId,
    "cookiePolicyId": YYYYYY, // your cookiePolicyId,
    "lang": "en"
  };
</script>
<script type="text/javascript" src="https://cs.iubenda.com/autoblocking/3095420.js"></script>
<script type="text/javascript" src="///cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

To this (note the stub-v2.js script, "enableTcf": true and other TCF options):

<script type="text/javascript">
var _iub = _iub || [];
_iub.csConfiguration = {
  "siteId":3156898, //use your siteId
"cookiePolicyId":36614288, //use your cookiePolicyId
 "lang":"en"
};
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/beta/iubenda_cs.js" charset="UTF-8" async></script>
<script type="text/javascript">
var _iub = _iub || [];
_iub.csConfiguration = {
 "askConsentAtCookiePolicyUpdate":true,
 "enableTcf":true, //enable IAB TCF 
 "tcfVendors":"628,1111,92", //(OPTIONAL) use this parameter to select manually the vendors you're using
 
 /*
 (OPTIONAL) Limit the legal basis and choose which TCF purposes to prompt 
 "tcfPurposes": {
 "1":"true",
 "2":"consent_only",
 "3":"consent_only",
 "4":"consent_only",
 "5":"consent_only",
 "6":"consent_only",
 "7":"consent_only",
 "8":"consent_only",
 "9":"consent_only",
 "10":"consent_only",
 "11":"consent_only"
 },
 */
 "floatingPreferencesButtonDisplay":"bottom-right",
 "googleAdditionalConsentMode":true,
 "lang":"en",
 "perPurposeConsent":true, //enable per-category consent
 "siteId":3156898, //use your siteId
 "cookiePolicyId":36614288, //use your cookiePolicyId
 
 "banner":{ 
 "acceptButtonDisplay":true,
 "closeButtonDisplay":false,
 "customizeButtonDisplay":true,
 "explicitWithdrawal":true,
 "listPurposes":true,
 "position":"float-top-center",
 "rejectButtonDisplay":true 
 }
};
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/beta/iubenda_cs.js" charset="UTF-8" async></script>

Now that you’ve pasted the Privacy Controls and Cookie Solution code inside the body of your pages, let’s talk about prior blocking the vendor scripts.

The iubenda CMP provides the __tcfapi function in order for vendors to read the consent properly.
We use a script (safe-tcf-v2.js) that has the only job of reading the TCF cookie and releasing the __tcfapi function and not directly blocking the vendor scripts. It is a synchronous activator that runs at the very beginning of the page, guaranteeing that the consent is read within 500ms from the vendor scripts being executed.

This is the default behavior when enabling the Iab TCF options of our configurator.
It works from the second pageview (when consent is already present on the page) and it allows to achieve high-performing in terms of load speed.

However, it may result in some incompatibilities with Google Ad Manager, AdSense, and AdMob. If you want to directly block the vendor scripts you can see below.

Further implementations and optimization – Google Ads users

Vendors have a maximum time (generally 500ms, usually non-configurable) to wait for consent from the CMP. 
In cases where the CMP does not respond within a maximum of 500ms, vendors’ Sell-Side Platform uses the opt-out status of the user instead, which means that in such cases, your end-users will be served with non-personalized ads.

This might happen if you use Google’s advertising services such as Ad Manager, AdSense and AdMob.
To prevent these issues, you can directly block the vendors’ scripts using one of the prior blocking methods supported by our Privacy Controls and Cookie Solution, then execute them only after consent has been collected.

You can use this to have more direct control regarding ensuring compliance and serving personalized ads from the first pageview when consent hasn’t been collected yet. It also allows you to avoid error 2.1a (for Google Ad Manager, AdSense, and AdMob users).

Our Privacy Controls and Cookie Solution offers various tools for the prior blocking of scripts that may install cookies. More in our introduction to the prior blocking of scripts. To block Google’s scripts, you can directly reference the examples for Google AdSense and Google Publisher Tag.

Per-category consent

Please note that if you’ve enabled the Privacy Controls and Cookie Solution’s per-category consent feature, you’ll need to tag TCF scripts as “purpose 1” (Necessary).

The stub-v2.js and safe-tcf-v2.js can also be embedded inline or self-hosted, if necessary. Read this guide for more optimization tips.

To read the consent from the __tcfapi function, you can open the browser console and launch these commands:

window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) });
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) }, [1,2]);
window.__tcfapi('ping', 2, function(result) { console.log(result) });

Finally, as required by IAB, you have to provide a link or button (e.g. in the footer) that allows your visitors to update their advertising tracking preferences even after closing the cookie banner. 

Let’s see how.

To implement, just add the iubenda-advertising-preferences-link class to a custom link or button:

<a href="#" class="iubenda-advertising-preferences-link">
    Update your advertising tracking preferences
</a>

Place it anywhere on your site (typically added to the footer). Once clicked, the link above will trigger the opening of the advertising tracking settings modal:

open-preferences

To meet IAB’s requirements, please note that if you don’t implement the iubenda-advertising-preferences-link class, we’ll automatically display a small widget that hovers on your pages:

IAB TCF

Additional features and settings

Under the IAB TCF tile you’ll find these enhanced publisher options:

To do this scroll to the “Restrictions of purposes and legal basis” option, decide which purposes you want to enable, and finally select the legal basis under which personal data can be processed for active purposes. 

restrict purposes

Note: if you are not sure about this aspect, consider that “Consent only” is usually the safest option and definitely best practice for purposes related to profiling.

We’ve already mentioned the importance of restricting the number of vendors you want to work with. Another advantage of providing transparency for a limited number of vendors is the possibility to basically eliminate the problem of requesting new consent at the global vendor list update. In fact, the IAB vendor list is updated almost weekly. 

If, nevertheless, you decide not to limit the number of vendors to work with, you may want to choose how to handle new consent requests, avoiding showing the cookie banner to users who have already given consent a few days or weeks before.

Inside the tile IAB TCF v. 2.2, you’ll find a section called Request new consent from users that had previously provided consent, if the IAB Framework preference is not found

request new consent

Some vendors may ask you to explicitly provide gdpr and gdpr_consent parameters into their request. Here’s a snippet to meet this requirement:

<script type="text/javascript">
    __tcfapi('addEventListener', 2, function(tcData) {
        if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') {
            return;
        }
        var gdpr = tcData.gdprApplies ? 1 : 0;
        var gdpr_consent = tcData.tcString;
        console.log({ gdpr: gdpr, gdpr_consent: gdpr_consent });
        // Remove event listener to avoid invoking the ads multiple times
        __tcfapi('removeEventListener', 2, function(success) {
            console.log('event listener removed', success);
        }, tcData.listenerId);
    });
</script>

Once replaced the console.log line with the request to the vendor by using the gdpr and gdpr_consent variables, add this snippet below the iubenda_cs.js script, and it will automatically invoke the vendor script with the correct consent data.

Now when your users click on the Learn more and customize button in your cookie banner in order to manage their preferences, they’ll see the following options:

Note: when the user indicates that they would like to manage preferences by opening the preference window, all cookies are “turned off” by default as a positive affirmative/opt-in action is legally required for valid consent.

Frequently Asked Questions

Do publishers need to resurface the banner to obtain new consent?

In alignment with IAB’s guidelines, we’ll not force any reconsent; however, publishers should evaluate this on a case-by-case basis. Publishers must limit the vendors to those they actively collaborate with and clearly state this in the privacy policy. By doing so and avoiding from adding new vendors, there should be no need to resurface the banner or re-establish consent, especially as they are already restricting Legitimate Interest. This means there should be no issues with changes in legal basis. However, publishers should evaluate their specific circumstances and make determinations accordingly.

If I have my own Privacy and Cookie Policy, can I use the iubenda generator for specifying only the TCF-related services/vendors and my own for the rest?

Yes, you can. However, we recommend an additional step: when an iubenda Privacy and Cookie Policy is detected, the purposes displayed in the second layer are derived from the added services. To ensure correct handling of all purposes, users should choose the custom option of granular control by category under GDPR.

IAB - Interactive Advertising Bureau

See also