Iubenda logo
Start generating


Table of Contents

The complete guide to IAB GDPR Framework and iubenda’s Consent Management Platform

Major advertising networks now require publishers to gain GDPR consent before showing personalized ads. In this guide you’ll find out how you can meet this requirement with the IAB Transparency and Consent Framework and our Cookie Solution.

Transparency & Consent Framework v2.0

Our support of IAB’s TCF v2.0 is now live! Read our transition guide to understand all the features and benefits that come with the new version, and what action you need to take in order to make the switch.


What’s the IAB Transparency and Consent Framework (TCF)?

The IAB Europe Transparency and Consent Framework is an initiative of IAB Tech Lab — a non-profit organization made up of digital publishers, ad-tech companies, marketers, and other companies involved in interactive marketing. The board is made up of some pretty well-known brands such as Google, AppNexus, LinkedIn, Microsoft and others.

The association behind the Tech Lab – IAB Europe – is the leading industry association for the online advertising ecosystem. This association represents over 5,500 organizations at the EU-level and its mission it is to shape the regulatory environment by developing harmonized business practices in order to promote the development and ensure the sustainability of the digital advertising sector while demonstrating the value that such innovative sector brings to the EU economy. Starting May 25, 2018, the General Data Protection Regulation (GDPR) went into effect and became fully enforceable, meaning that those that fall within its scope are expected to comply and, if found to be non-compliant, would risk heavy fines and sanctions.

As essentially all parties within the digital advertising ecosystem process personal data in some way (e.g collecting user data or accessing user devices), they are required to comply with the GDPR.

Under GDPR there are six possible legal bases for the processing of personal data. Of these six, three are particularly relevant to digital advertising:

  • Consent of the data subject
  • Performance of a contract
  • Legitimate interests of the data controller

Under the Regulation, the particulars of which legal basis can apply may differ based on the processing activities of the individual company, however, one inescapable determining factor is the applicability of other relevant laws — in this case, the ePrivacy Directive. The ePrivacy Directive or ‘Cookie Law’ requires that users be conspicuously informed of a site’s use of any cookies and that active consent be collected before running scripts related to non-exempt cookies.

IAB Europe founded the GDPR Implementation Working Group (GIG), a group consisting of parties from both the supply and demand sides of the digital advertising ecosystem, in 2017. The GIG is aimed at helping member companies, and the digital advertising industry at large, to understand EU rules on data protection and privacy in a practical way and collaborates on guidance and solutions to the GDPR.

Though GDPR is primarily a legal challenge, a technological response was also necessary to meet the transparency and control requirements that arise as a result of GDPR implementation. It was out of this necessity that the IAB Tech Lab GDPR Technical Working Group was formed within the IAB Tech Lab.

The Technical group’s efforts resulted in the development of the IAB Europe Transparency & Consent Framework (TCF). The Framework and the associated Consent Management Provider API was developed as a way to “give the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content”.

In practice, the TCF provides a standardized process for getting users’ informed consent and allows the seamless signaling of users’ s consent preferences across the advertising supply chain.

It’s made up of an ever-growing list of publishers and advertisers that have agreed to be bound by its standards and use the framework to facilitate user choice via a convenient, easy to use interface.

Who should enable the TCF / Who does it best apply to

The IAB Transparency and Consent Framework is, ideally, meant for first-party publishers who work with third-party advertisers (i.e publishers who run ads on their website). It’s highly recommended that you enable this feature if you fall within this category as some advertising networks may limit access to their network if not implemented, which could, in turn, potentially decrease your ad revenue.

Publishers further stand to benefit from this initiative in that it makes it easier to be more transparent with users and allows you as the data controller, to have more control over how your users’ data are processed and for which purposes.

If you run ads on your website it’s highly recommended that you enable this feature: some advertising networks may limit access to their network if not implemented, which could, in turn, potentially decrease your ad revenue.

Ask our experts live

View a live demo and have your questions answered in real time by attending our free english “Consent management for publishers” webinar. Discover in practice how you can meet both compliance and advertising industry requirements while ensuring that your ad-reach is maximized.

Attend our free webinar

Online advertising is a complex ecosystem with many different players, the main actors paying within the Transparency and Consent Framework are:

  • Vendors: “a third party (SSPs, DSPs, ad servers, etc.) that a website operator is using in connection with surfacing content to its end users that either (1) accesses an end user’s device or browser (for setting cookies), or (2) collects personal data from the actions of the website operator’s end users”.
  • Publisher: website operators — in this case, operators who monetize their content via third-party advertisers.
  • CMPs: “a company operating as a consent management platform, that can read and/or set the user’s consent status for the vendors chosen by a website operator”.

Vendors who decide to participate to the IAB TCF are bound to adhere to the standard Framework protocol and policies and are also requested to register on the Global Vendor List (GVL), a centralized, dynamic list of vendors, their purposes and their privacy policy URLs. Within the TCF and related GVL the purposes for data processing are also standardized and each purpose, as well as each vendor, has a unique ID. This unique vendor ID allows vendors to retrieve and interpret user consent preferences in regards to their and other vendors’ services.

In the middle, helping to facilitate this process are the companies operating as Consent Management Providers (CMPs). CMPs can read and/or set a user’s consent status for the vendors, and make this information available to vendors that publishers choose to work with. CMPs must adhere to the standard TCF protocol and policies in order to register in a centralized CMPs list, where they are also assigned a unique ID.

The TCF provides a standard JavaScript API that allows everyone in the ecosystem to speak the same language. The JavaScript API enables the retrieval of the GVL, keeps it updated to the latest versions and facilitates the requesting of consent.

The IAB Transparency and Consent Framework supports both Server-specific consent and Global consent. The former is given by the consumer to a Publisher or Vendor to access their browser and/or perform the requested processing purposes where a Publisher or vendor requires consent for their site, while the latter is given by the consumer to access their browser and/or perform the requested processing purposes across the internet. It is up to the publisher to decide what type of consent should be obtained.

The collected consent and vendors signals are represented by binary values and compressed into as small a data structure possible (Base64) and are then stored in browser cookies. Global consents are stored in a global third-party cookie. Publisher’s approved vendors, purposes and consents (and per-site vendor consents) are stored in first-party cookies, under the domain of that Publisher.

The TCF’s support of global consent is intended to minimize repeated solicitations for the same parties which may be present on multiple sites.

How it behaves

Regarding the collection of consent, the IAB Transparency and Consent Framework behaves differently according to the following variables:

  • GlobalScope is set to true: if GlobalScope is true, a remote consent was found. The consent is stored both in first-party cookies under the domain of that Publisher and in a third party cookie under consensu.org domain. The third-party cookie facilitates the ability to read and share consent and vendors signals from one website to another, providing a smoother user experience (consent will not need to be requested redundantly as it makes it possible to reuse it from one website to another). The consent and vendor information are transmitted throughout the online advertising ecosystem via a Daisy Chain.
  • GlobalScope is set to false: if GlobalScope is false, a remote consent was not found. The consent is saved on the local Publisher domain only instead of both on consensu.org and local domains. The consent and vendors information are transmitted throughout the online advertising ecosystem via a Daisy Chain.

CMPs have to resolve the conflict between Server specific consent and Global specific consent before transmitting any consent signal in the DaisyBit mechanism. The standard logic to reconcile conflicting signals is that Server-specific consent status overrules a Global consent status for that vendor.

For Example:
A user gives global consent for data processing by a particular vendor on Site A. The user later visits Site B and is prompted for publisher-specific consent but refuses to grant consent on this site. As a result, the vendor has global consent except on Site B.

When comparing two like signals, for example, both conveying publisher-specific consent, then the signal with the most recent timestamp prevails.

The scripts of Vendors that are part of the GVL are automatically blocked prior to receiving user consent. Each vendor can check its consent status by first pinging the CMP and then waiting for a call back for the ID that they pass, that lets them know whether or not they have consent.

Vendors get a single consent value with possible values of:

  • Consent not found (0) which could include new users, users who have said no, or users who have revoked consent;
  • Consent found (1)
  • The cookie banner will be displayed any time a user visits your site for the first time or when you have decided to add a new vendor to your list of vendors (since it’s a new disclosure and potentially a consent request for that vendor may be required).
  • The maximum lifespan of consent is of 13 months. Consequently, a refresh or reminder will be provided to the user before that timeframe elapses. Users can at any time change their mind and resurface the User Interface on your website in order to withdraw their consent or exercise their right to object.

Despite being a relatively new initiative, the IAB Transparency and Consent Framework is rapidly becoming the industry standard with many huge vendors such as Google, Adobe and AdRoll involved in its implementation.

As a registered Consent Management Platform, we’ve worked hard to ensure that our Cookie Solution integrates seamlessly with and complies with the policies and specifications of this Framework, hereby giving you, our users, the additional option to easily enable and use it for your website and apps.

How to enable the IAB TCF in the Cookie Solution

The Cookie Solution gives you the option to allow your users to customize their advertising tracking preferences directly from your website. While this feature is optional, it is heavily recommended that publishers, in particular, enable this feature as failure to do so can potentially result in reduced reach and ad revenue.

As mentioned in the section above, once enabled, the TCF feature gives your users additional options for granting consent. In cases where users consent to the use of cookies by your site at the banner level (without opening the advertising preferences dialog), consent is registered for all purposes and selected vendors as per usual. When the advertising preferences dialogue is opened, users can adjust their preferences by opting into all or individual purposes and vendors.

Additionally, once enabled in the Cookie Solution, this feature automatically blocks the scripts of advertisers that are a part of the IAB Vendor Network (provided that the individual advertisers adhere to the standards of the network) prior to receiving user consent.


When enabling the IAB Transparency and Consent Framework (TCF) you agree to implement the transparency and consent settings compatible with TCF policies. If you customize the content or look of the banner or the TCF-related elements, please ensure that you meet IAB’s minimum configuration requirements.

Breach of these policies may get your account suspended or removed in accordance with our terms of service.

This tutorial assumes that you’ve already activated the Cookie Solution and generated your cookie policy. If you haven’t already done this, you can read that tutorial here.

To enable this feature, head to your dashboard and click on the website that you’d like to update. Next, click the <>EMBED button in the Cookie Solution area:

Consent Solution Embed button

This will take you to the embed section for the Cookie Solution.
This feature is available on all channels.


In older versions of the Cookie Solution, this feature was available only on the beta channel. If you’re using a previous installation of the Cookie Solution, we strongly recommend that you upgrade by simply copying the new code here (Dashboard > [Your website/app] > Cookie Solution > Embed) to avoid any CSS related conflicts and to access all the new features of the latest version.

To enable, scroll to the bottom of this section and click the checkbox on the bottom left (as pictured below):

How to enable IAB Transparency and Consent Framework for the Cookie Solution

Note: you can enable this option also on the Cookie Solution customization panel (Cookie Solution > Edit).


IAB’s minimum configuration requirements

The minimal configuration requirements you’ll need for adherence to the TCF are to:

  • provide explicit accept and customize buttons for your site users (i.e. banner: { acceptButtonDisplay: true, customizeButtonDisplay: true }, see snippet below); and
  • provide a link or button (e.g. in the footer) that allows your users to reopen the consent modal and edit their preferences.

In terms of content, the banner notice for TCF v2.0 should provide:

  • information about the fact that information is stored on and/or accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data); 
  • information about the fact that personal data is processed, and the nature of the personal data processed (e.g. unique identifiers, browsing data);
  • a link to the list of vendors;
  • a list of purposes (using at least the standardized names and/or stack names);
  • information about the special features used by the vendors;
  • information about the scope of the consent choice;
  • information about the fact that the user can withdraw their consent at any time, and how to resurface the Framework UI in order to do so;
  • a link to a relevant layer of the Framework UI dealing with processing on the basis of legitimate interests where more information can be found.
Editing your banner text and other changes (September 2020)

To make sure that your cookie banner meets IAB’s minimum configuration requirements, we’ve recently introduced these changes:

  • Accept and Learn More buttons are now force-enabled.
  • The option to edit consent preferences is now force-enabled. Unless you explicitly add the option to edit preferences as a link in the footer, it’s automatically displayed as a small widget that hovers on the page. This feature allows the user to access and edit tracking preferences at any time after setting their initial preferences.
  • The banner text is now only editable upon request.

Please remember that with these updates, any previous changes to the banner text will be nullified when the TCF is enabled. Therefore, if you’ve previously edited the HTML or banner text, re-test with the default text and the buttons enabled.

If you want to edit the HTML, you must necessarily include our default text by including the %{banner_content} shortcode in the input, an element with the class="iubenda-cs-accept-btn" attribute and an element with the class="iubenda-cs-customize-btn" attribute.

If you’ve edited (or wish to edit) the text of the notice, make sure you check the requirements and reach out to us via chat or email to have the modifications approved.

Cookie Solution snippet

Once enabled, your Cookie Solution embed code will go from this:

<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

To this (note the stub-v2.js script, "enableTcf": true and other TCF options):

<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "enableTcf": true,
        "googleAdditionalConsentMode": true,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

Consent to ad personalisation


If you’re a publisher serving ads via Google and use the TCF, please note that you must use the first blocking method detailed below (under “Directly blocking the vendor scripts”) in order to avoid error 2.1a (explained in detail here).

Now, if you intend to serve personalized ads to users, you’ll need to ensure that explicit consent to ad personalization is collected before you can display personalized ads for end-users (Google will not serve ads, not even non-personalized ads, if the user has not expressed a preference in regards to cookies).

In order for vendors to read the consent collected, __tcfapi function that the CMP (iubenda) makes available must be present. This function is only available after consent has been collected. In order for vendors to read the consent properly, two methods are available:

  • Directly blocking the vendor scripts (using another prior blocking method), then executing them only after consent has been collected. This method requires more implementation work and it’s a bit slower in terms of execution time, but it allows personalized ads to be served from the first page view (where consent hasn’t been collected yet) and gives you more direct and solid control in regards to ensuring compliance.
  • Not directly blocking the vendor scripts, but rather, ensuring that the __tcfapi function is loaded before the vendor scripts are loaded, through some specific configuration, but this will only work from the second page view, when consent is already present on the page. This method is easier to implement and it’s very high-performing in terms of load speed, however, in this situation, you have less direct control as you must rely on the vendor’s adherence to IAB’s guidelines for compliance.

Here are the implementation instructions:

If you’d like to manually block Google’s scripts, you can also directly reference the examples here for Google AdSense and Google Publisher Tag.

You can read Google’s release on publisher integration with the IAB TCF v2.0 here.

Our Cookie Solution offers various tools for the prior blocking of scripts that may install cookies. More in our introduction to the prior blocking of scripts.

Please note that if you’ve enabled the Cookie Solution’s per-category consent feature, you’ll need to tag TCF scripts as “purpose 1” (strictly necessary).

Vendors have a maximum time (generally 300ms, usually non-configurable) to wait for consent from the CMP. In cases where the CMP does not respond within a maximum of 300ms, vendors’ Sell-Side Platform uses the opt-out status of the user instead. Meaning that in such cases, your end-users will be served with non-personalized ads.

In order to make sure that the consent is read within 300ms from the vendor scripts being executed, we created an extra script (safe-tcf-v2.js) that has the only job of reading the TCF cookie and releasing the __tcfapi function.

To add the safe-tcf-v2.js script to your Cookie Solution snippet, tick the Synchronous activator checkbox you’ll find within the configurator under Advanced view > IAB Transparency and Consent Framework.

Cookie Solution - IAB TCF synchronous activator

Once enabled, your Cookie Solution embed code will become:

<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "enableTcf": true,
        "googleAdditionalConsentMode": true,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

The safe-tcf-v2.js script is executed synchronously at the very beginning of the page, guaranteeing for the 300ms threshold to be respected. The stub-v2.js and safe-tcf-v2.js can also be embedded inline or self-hosted, if necessary. Read this guide for more optimization tips.

To read the consent from the __tcfapi function, you can open the browser console and launch these commands:

  • window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) });
  • window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) }, [1,2]);
  • window.__tcfapi('ping', 2, function(result) { console.log(result) });

Allow users to update their TCF preferences even after closing the cookie banner

This TCF feature gives you the option to let your visitors update their advertising tracking preferences even after closing the cookie banner.

To implement, just add the iubenda-advertising-preferences-link class to a custom link or button, for example:

<a href="#" class="iubenda-advertising-preferences-link">Update your advertising tracking preferences</a>

And place anywhere on your site (typically added to the site footer). Once clicked, the link/button will trigger the opening of the advertising tracking settings modal:

IAB TCF - Allow users to update their advertising preferences even after closing the cookie banner

To meet IAB’s requirements, please note that if you don’t implement the iubenda-advertising-preferences-link class, we’ll automatically display a small widget that hovers on your pages:

Additional Features & Settings

Multiple options for accepting/rejecting cookies

The IAB feature allows users to consent/reject cookies both on an individual basis or as a bulk action, for the convenience of your website users.

IAB TCF - Consent/reject cookies both on an individual basis or as a bulk action

Request new consent

When enabled, return users who have accepted cookies on your site prior to the activation of the IAB feature will see the cookie banner and be asked for fresh consent, hereby allowing these users the equal opportunity to individually modify their preferences as the other users of your site.

You can find this setting under Advanced view > IAB Transparency and Consent Framework.

IAB Transparency and Consent Framework - Request new consent

Since the IAB vendor list is updated almost weekly, you may want to choose how to handle new consent requests, avoiding showing the cookie banner to users who have already given consent a few days or weeks before.

IAB Transparency and Consent Framework - Request new consent at vendor list update

On Advanced view > IAB Transparency and Consent Framework, you’ll find a section called Request new consent at vendor list update, where you can choose between three different values:

  • Never (default value) – users who have already given consent will not be shown the cookie banner again. Consent for new vendors will be set to off.
  • Immediately – users will get prompted with a new consent request whenever the vendor list is updated.
  • With a delay – users will get prompted with a new consent request x days after the update of the vendor list (you’ll have to specify the number of days).

Please note that this feature is not available when pointing directly to a specific version of the Cookie Solution (e.g. cdn.iubenda.com/cs/versions/iubenda_cs-1.7.0.js), but only through the official Current/Beta endpoints.

Provide gdpr and gdpr_consent parameters into the request to the vendor

Some vendors may ask you to explicitly provide gdpr and gdpr_consent parameters into their request. Here’s a snippet to meet this requirement:

<script type="text/javascript">
    __tcfapi('addEventListener', 2, function(tcData) {
        if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') {
        var gdpr = tcData.gdprApplies ? 1 : 0;
        var gdpr_consent = tcData.tcString;
        console.log({ gdpr: gdpr, gdpr_consent: gdpr_consent });

        // Remove event listener to avoid invoking the ads multiple times
        __tcfapi('removeEventListener', 2, function(success) {
            console.log('event listener removed', success);
        }, tcData.listenerId);

Once replaced the console.log line with the request to the vendor by using the gdpr and gdpr_consent variables, add this snippet below the iubenda_cs.js script, and it will automatically invoke the vendor script with the correct consent data.

Visual result

Now when your users click on the “Learn more and customize” button (or the “advertising preferences panel” link) in your cookie banner in order to manage their preferences, they will see the following options:

Cookie Solution with IAB Transparency and Consent Framework enabled

Note: when the user indicates that they would like to manage preferences by opening the preference window, all cookies are “turned off” by default as a positive affirmative/ “Opt-in” action is legally required for valid consent.

IAB - Interactive Advertising Bureau

See also