Major advertising networks now require publishers to gain GDPR consent before showing personalized ads. In this guide you’ll find out how you can meet this requirement with the IAB Transparency and Consent Framework and our Cookie Solution.
Our support of IAB’s TCF v2.0 is now live! Read our transition guide to understand all the features and benefits that come with the new version, and what action you need to take in order to make the switch.
The IAB Europe Transparency and Consent Framework is an initiative of IAB Tech Lab — a non-profit organization made up of digital publishers, ad-tech companies, marketers, and other companies involved in interactive marketing. The board is made up of some pretty well-known brands such as Google, AppNexus, LinkedIn, Microsoft and others.
The association behind the Tech Lab – IAB Europe – is the leading industry association for the online advertising ecosystem. This association represents over 5,500 organizations at the EU level, and its mission is to shape the regulatory environment by developing harmonized business practices in order to promote the development and ensure the sustainability of the digital advertising sector while demonstrating the value that this innovative sector brings to the EU economy. Starting May 25, 2018, the General Data Protection Regulation (GDPR) went into effect and became fully enforceable, meaning that those that fall within its scope are expected to comply and, if found to be non-compliant, would risk heavy fines and sanctions.
As essentially all parties within the digital advertising ecosystem process personal data in some way (e.g. collecting user data or accessing user devices), they are required to comply with the GDPR.
Under GDPR there are six possible legal bases for the processing of personal data. Of these six, three are particularly relevant to digital advertising:
Under the Regulation, the particulars of which legal basis can apply may differ based on the processing activities of the individual company, however, one inescapable determining factor is the applicability of other relevant laws — in this case, the ePrivacy Directive. The ePrivacy Directive or ‘Cookie Law’ requires that users be conspicuously informed of a site’s use of any cookies and that active consent be collected before running scripts related to non-exempt cookies.
IAB Europe founded the GDPR Implementation Working Group (GIG), a group consisting of parties from both the supply and demand sides of the digital advertising ecosystem, in 2017. The GIG is aimed at helping member companies, and the digital advertising industry at large, to understand EU rules on data protection and privacy in a practical way and collaborates on guidance and solutions to the GDPR.
Though GDPR is primarily a legal challenge, a technological response was also necessary to meet the transparency and control requirements that arise as a result of GDPR implementation. It was out of this necessity that the IAB Tech Lab GDPR Technical Working Group was formed within the IAB Tech Lab.
The Technical group’s efforts resulted in the development of the IAB Europe Transparency & Consent Framework (TCF). The Framework and the associated Consent Management Provider API were developed as a way to “give the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content”.
In practice, the TCF provides a standardized process for getting users’ informed consent and allows the seamless signaling of users’ consent preferences across the advertising supply chain.
It’s made up of an ever-growing list of publishers and advertisers that have agreed to be bound by its standards and use the framework to facilitate user choice via a convenient, easy to use interface.
The IAB Transparency and Consent Framework is, ideally, meant for first-party publishers who work with third-party advertisers (i.e. publishers who run ads on their website). It’s highly recommended that you enable this feature if you fall within this category as some advertising networks may limit access to their network if not implemented, which could, in turn, potentially decrease your ad revenue.
Publishers further stand to benefit from this initiative in that it makes it easier to be more transparent with users and allows you as the data controller, to have more control over how your users’ data are processed and for which purposes.
If you run ads on your website it’s highly recommended that you enable this feature: some advertising networks may limit access to their network if not implemented, which could, in turn, potentially decrease your ad revenue.
Online advertising is a complex ecosystem with many different players. The main actors playing within the Transparency and Consent Framework are:
Vendors who decide to participate in the IAB TCF are bound to adhere to the standard Framework protocol and policies and are also requested to register on the Global Vendor List (GVL), a centralized, dynamic list of vendors, their purposes and their privacy policy URLs. Within the TCF and related GVL the purposes for data processing are also standardized and each purpose, as well as each vendor, has a unique ID. This unique vendor ID allows vendors to retrieve and interpret user consent preferences in regards to their and other vendors’ services.
In the middle, helping to facilitate this process are the companies operating as Consent Management Providers (CMPs). CMPs can read and/or set a user’s consent status for the vendors, and make this information available to vendors that publishers choose to work with. CMPs must adhere to the standard TCF protocol and policies in order to register in a centralized CMPs list, where they are also assigned a unique ID.
The TCF provides a standard JavaScript API that allows everyone in the ecosystem to speak the same language. The JavaScript API enables the retrieval of the GVL, keeps it updated to the latest versions and facilitates the requesting of consent.
The IAB Transparency and Consent Framework supports both Server-specific consent and Global consent. The former is given by the consumer to a Publisher or Vendor to access their browser and/or perform the requested processing purposes where a Publisher or vendor requires consent for their site, while the latter is given by the consumer to access their browser and/or perform the requested processing purposes across the internet. It is up to the publisher to decide what type of consent should be obtained.
The collected consent and vendor signals are represented by binary values, compressed into as small a data structure as possible (Base64), and then stored in browser cookies. Global consents are stored in a global third-party cookie. Publisher’s approved vendors, purposes and consents (and per-site vendor consents) are stored in first-party cookies, under the domain of that Publisher.
The TCF’s support of global consent is intended to minimize repeated solicitations for the same parties which may be present on multiple sites.
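To see what such a stored value contains, the sketch below unpacks the leading fields of a TCF v2 consent string. It is an added example, not iubenda's or IAB's code; it assumes the field order and bit widths of the IAB TCF v2 core-string layout, and the sample string is built inside the block from made-up values.

```javascript
// Added example (not iubenda or IAB code): decode the leading fields of a
// TCF v2 consent string. Widths follow the IAB TCF v2 core-string layout.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// [field name, width in bits], in wire order (start of the core segment only).
const FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6], ['isServiceSpecific', 1],
  ['useNonStandardStacks', 1], ['specialFeatureOptIns', 12], ['purposesConsent', 24],
];

function toBits(tcString) {
  const core = String(tcString).split('.')[0]; // segments after the first are optional
  let bits = '';
  for (const ch of core) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character: ' + ch);
    bits += v.toString(2).padStart(6, '0'); // each character carries 6 bits
  }
  return bits;
}

function decodeHeader(tcString) {
  const bits = toBits(tcString);
  const raw = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    if (pos + width > bits.length) throw new Error('truncated before ' + name);
    raw[name] = parseInt(bits.slice(pos, pos + width), 2); // widths <= 36 bits, exact in a Number
    pos += width;
  }
  const purposes = [];
  for (let p = 1; p <= 24; p++) {
    if ((raw.purposesConsent >> (24 - p)) & 1) purposes.push(p); // purpose 1 is the top bit
  }
  return {
    ...raw,
    created: new Date(raw.created * 100), // stored as deciseconds since the epoch
    lastUpdated: new Date(raw.lastUpdated * 100),
    consentLanguage: String.fromCharCode(65 + (raw.consentLanguage >> 6), 65 + (raw.consentLanguage & 63)),
    isServiceSpecific: raw.isServiceSpecific === 1, // true: site-level, false: global scope
    purposesConsent: purposes,
  };
}

// Encoder used only to build the constructed sample below.
function encodeHeader(values) {
  let bits = '';
  for (const [name, width] of FIELDS) bits += values[name].toString(2).padStart(width, '0');
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, '0');
  return bits.match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join('');
}

// Constructed sample: every value here is made up for the example.
const SAMPLE_TC_STRING = encodeHeader({
  version: 2, created: Date.UTC(2021, 0, 1) / 100, lastUpdated: Date.UTC(2021, 0, 2) / 100,
  cmpId: 999, cmpVersion: 1, consentScreen: 1, consentLanguage: (4 << 6) | 13, // "EN"
  vendorListVersion: 50, tcfPolicyVersion: 2, isServiceSpecific: 1,
  useNonStandardStacks: 0, specialFeatureOptIns: 0,
  purposesConsent: (1 << 23) | (1 << 21) | (1 << 20), // purposes 1, 3 and 4
});

console.log(SAMPLE_TC_STRING, decodeHeader(SAMPLE_TC_STRING));
```

Only the start of the core segment is decoded; vendor consent bits and the optional segments that follow are not parsed here.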
Regarding the collection of consent, the IAB Transparency and Consent Framework behaves differently according to the following variables:
CMPs have to resolve the conflict between Server specific consent and Global specific consent before transmitting any consent signal in the DaisyBit mechanism. The standard logic to reconcile conflicting signals is that Server-specific consent status overrules a Global consent status for that vendor.
For example:
A user gives global consent for data processing by a particular vendor on Site A. The user later visits Site B and is prompted for publisher-specific consent but refuses to grant consent on this site. As a result, the vendor has global consent except on Site B.
When comparing two like signals, for example, both conveying publisher-specific consent, then the signal with the most recent timestamp prevails.
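The two reconciliation rules above, written out as an added example (not CMP code). The record shape (vendorId, scope, site, consent, timestamp) and the site names are assumptions made for this sketch.

```javascript
// Added example, not CMP code. The record shape (vendorId, scope, site,
// consent, timestamp) is an assumption made for this sketch.
const SCOPE_RANK = new Map([['global', 1], ['service-specific', 2]]);

// Pick the winning signal among those that apply to one vendor on one site.
function reconcile(signals) {
  let winner = null;
  for (const s of signals) {
    if (!SCOPE_RANK.has(s.scope)) throw new Error('unknown scope: ' + s.scope);
    if (winner === null) { winner = s; continue; }
    const rank = SCOPE_RANK.get(s.scope) - SCOPE_RANK.get(winner.scope);
    // Different scopes: service-specific wins regardless of age.
    // Same scope: the most recent timestamp wins.
    if (rank > 0 || (rank === 0 && s.timestamp > winner.timestamp)) winner = s;
  }
  return winner;
}

// True when the vendor has consent on the given site, false otherwise
// (including when no signal exists at all).
function consentFor(vendorId, site, store) {
  const applicable = store.filter((s) => s.vendorId === vendorId &&
    (s.scope === 'global' || s.site === site));
  const winner = reconcile(applicable);
  return winner !== null && winner.consent === true;
}

// Constructed signals for vendor 42 (timestamps are arbitrary increasing numbers).
const STORE = [
  { vendorId: 42, scope: 'global', consent: true, timestamp: 100 }, // granted on Site A
  { vendorId: 42, scope: 'service-specific', site: 'site-b.example', consent: false, timestamp: 200 },
  { vendorId: 42, scope: 'global', consent: true, timestamp: 300 }, // global consent renewed later
  { vendorId: 42, scope: 'service-specific', site: 'site-c.example', consent: false, timestamp: 400 },
  { vendorId: 42, scope: 'service-specific', site: 'site-c.example', consent: true, timestamp: 500 },
];

console.log({
  siteA: consentFor(42, 'site-a.example', STORE), // only the global signal applies
  siteB: consentFor(42, 'site-b.example', STORE), // refusal on Site B overrules global
  siteC: consentFor(42, 'site-c.example', STORE), // newest of two like signals
});
```

The refusal on Site B still wins after the global consent is renewed at a later timestamp, because the timestamp comparison only applies between signals of the same scope.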
The scripts of Vendors that are part of the GVL are automatically blocked prior to receiving user consent. Each vendor can check its consent status by first pinging the CMP and then waiting for a call back for the ID that they pass, that lets them know whether or not they have consent.
Vendors get a single consent value with possible values of:
Consent not found (0)
which could include new users, users who have said no, or users who have revoked consent;Consent found (1)
Despite being a relatively new initiative, the IAB Transparency and Consent Framework is rapidly becoming the industry standard with many huge vendors such as Google, Adobe and AdRoll involved in its implementation.
As a registered Consent Management Platform, we’ve worked hard to ensure that our Cookie Solution integrates seamlessly with and complies with the policies and specifications of this Framework, hereby giving you, our users, the additional option to easily enable and use it for your website and apps.
Now the end-user, at the banner level, has various options:
*There might be cases where the users will see all or single purposes or vendors already switched on. This is possible when Users have already expressed their consent and vendors preferences on another website that is part of the TCF and has opted for Global consent. In such cases, the consent and vendors information collected on the first website are transmitted to the second one, and as such, these preferences are displayed in their current state to the user in the user interface.
Some vendors may rely on legitimate interest instead of consent for the processing of personal data. The User Interface specifies if a specific vendor is relying on legitimate interest as legal basis, meaning that that vendor will process user’s data for the declared purposes without asking for their consent.
The presence of vendors relying on legitimate interest is the reason why within the user interface, even if a user has switched on one specific purpose, not all vendors processing data for that purpose will be displayed as switched on. In fact, those vendors processing data for that specific purpose, relying only on legitimate interest will be displayed as switched off.
Only by globally accepting all purposes and vendors (by accepting use of cookies at the banner level or by clicking the “Accept all” button at the top of the TCF settings screen) will all vendors, including those relying on legitimate interest, be displayed as switched on.
The User has the right to object to such processing and may exercise that right by visiting the privacy policies of the respective vendors.
The Cookie Solution gives you the option to allow your users to customize their advertising tracking preferences directly from your website. While this feature is optional, it is heavily recommended that publishers, in particular, enable this feature as failure to do so can potentially result in reduced reach and ad revenue.
As mentioned in the section above, once enabled, the TCF feature gives your users additional options for granting consent. In cases where users consent to the use of cookies by your site at the banner level (without opening the advertising preferences dialog), consent is registered for all purposes and selected vendors as per usual. When the advertising preferences dialogue is opened, users can adjust their preferences by opting into all or individual purposes and vendors.
Additionally, once enabled in the Cookie Solution, this feature automatically blocks the scripts of advertisers that are a part of the IAB Vendor Network (provided that the individual advertisers adhere to the standards of the network) prior to receiving user consent.
When enabling the IAB Transparency and Consent Framework (TCF) you agree to implement the transparency and consent settings compatible with TCF policies. If you customize the content or look of the banner or the TCF-related elements, please ensure that you meet IAB’s minimum configuration requirements.
Breach of these policies may get your account suspended or removed in accordance with our terms of service.
This tutorial assumes that you’ve already activated the Cookie Solution and generated your cookie policy. If you haven’t already done this, you can read that tutorial here.
To enable this feature, head to your dashboard and click on the website that you’d like to update. Next, click the <>EMBED button in the Cookie Solution area:
This will take you to the embed section for the Cookie Solution.
This feature is available on all channels.
In older versions of the Cookie Solution, this feature was available only on the beta channel. If you’re using a previous installation of the Cookie Solution, we strongly recommend that you upgrade by simply copying the new code here (Dashboard > [Your website/app] > Cookie Solution > Embed) to avoid any CSS related conflicts and to access all the new features of the latest version.
To enable, scroll to the bottom of this section and click the checkbox on the bottom left (as pictured below):
Note: you can enable this option also on the Cookie Solution customization panel (Cookie Solution > Edit).
The minimal configuration requirements you’ll need for adherence to the TCF are to:
banner: { acceptButtonDisplay: true, customizeButtonDisplay: true }, see snippet below); and
In terms of content, the banner notice for TCF v2.0 should provide:
To make sure that your cookie banner meets IAB’s minimum configuration requirements, we’ve recently introduced these changes:
Please remember that with these updates, any previous changes to the banner text will be nullified when the TCF is enabled. Therefore, if you’ve previously edited the HTML or banner text, re-test with the default text and the buttons enabled.
If you want to edit the HTML, you must include our default text by including the %{banner_content} shortcode in the input, an element with the class="iubenda-cs-accept-btn" attribute and an element with the class="iubenda-cs-customize-btn" attribute.
If you’ve edited (or wish to edit) the text of the notice, make sure you check the requirements and reach out to us via chat or email to have the modifications approved.
Once enabled, your Cookie Solution embed code will go from this:
<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>
To this (note the stub-v2.js script, "enableCMP": true and other TCF options):
<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "enableCMP": true,
        "googleAdditionalConsentMode": true,
        "isTCFConsentGlobal": false,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>
To function properly, the embed code must be added at the very beginning of the head, right after the <head> tag opening.
If you’re a publisher serving ads via Google and use the TCF, please note that you must use the first blocking method detailed below (under “Directly blocking the vendor scripts”) in order to avoid error 2.1a (explained in detail here).
Now, if you intend to serve personalized ads to users, you’ll need to ensure that explicit consent to ad personalization is collected before you can display personalized ads for end-users (Google will not serve ads, not even non-personalized ads, if the user has not expressed a preference in regards to cookies).
In order for vendors to read the consent collected, the __tcfapi function that the CMP (iubenda) makes available must be present. This function is only available after consent has been collected. In order for vendors to read the consent properly, two methods are available:
__tcfapi function is loaded before the vendor scripts are loaded, through some specific configuration, but this will only work from the second page view, when consent is already present on the page. This method is easier to implement and it’s very high-performing in terms of load speed, however, in this situation, you have less direct control as you must rely on the vendor’s adherence to IAB’s guidelines for compliance.
Here are the implementation instructions:
If you’d like to manually block Google’s scripts, you can also directly reference the examples here for Google AdSense and Google Publisher Tag.
You can read Google’s release on publisher integration with the IAB TCF v2.0 here.
Our Cookie Solution offers various tools for the prior blocking of scripts that may install cookies. More in our introduction to the prior blocking of scripts.
Please note that if you’ve enabled the Cookie Solution’s per-category consent feature, you’ll need to tag TCF scripts as “purpose 1” (strictly necessary).
Vendors have a maximum time (generally 300ms, usually non-configurable) to wait for consent from the CMP. In cases where the CMP does not respond within a maximum of 300ms, vendors’ Sell-Side Platform uses the opt-out status of the user instead, meaning that in such cases your end-users will be served with non-personalized ads.
In order to make sure that the consent is read within 300ms from the vendor scripts being executed, we created an extra script (safe-tcf-v2.js) whose only job is to read the TCF cookie and release the __tcfapi function.
To add the safe-tcf-v2.js script to your Cookie Solution snippet, tick the Synchronous activator checkbox you’ll find within the configurator under Advanced view > IAB Transparency and Consent Framework.
Once enabled, your Cookie Solution embed code will become:
<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "countryDetection": true,
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "enableCMP": true,
        "googleAdditionalConsentMode": true,
        "isTCFConsentGlobal": false,
        "banner": {
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true,
            "rejectButtonDisplay": true,
            "position": "float-top-center"
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/safe-tcf-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>
The safe-tcf-v2.js script is executed synchronously at the very beginning of the page, guaranteeing that the 300ms threshold is respected. The stub-v2.js and safe-tcf-v2.js scripts can also be embedded inline or self-hosted, if necessary. Read this guide for more optimization tips.
To read the consent from the __tcfapi function, you can open the browser console and launch these commands:
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) });
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) }, [1,2]);
window.__tcfapi('ping', 2, function(result) { console.log(result) });
This TCF feature gives you the option to let your visitors update their advertising tracking preferences even after closing the cookie banner.
To implement, just add the iubenda-advertising-preferences-link class to a custom link or button, for example:
<a href="#" class="iubenda-advertising-preferences-link">Update your advertising tracking preferences</a>
Place it anywhere on your site (it is typically added to the site footer). Once clicked, the link/button will trigger the opening of the advertising tracking settings modal:
To meet IAB’s requirements, please note that if you don’t implement the iubenda-advertising-preferences-link class, we’ll automatically display a small widget that hovers on your pages:
The IAB feature allows users to consent to or reject cookies either on an individual basis or as a bulk action, for the convenience of your website users.
When enabled, return users who have accepted cookies on your site prior to the activation of the IAB feature will see the cookie banner and be asked for fresh consent, thereby giving these users the same opportunity to individually modify their preferences as the other users of your site.
You can find this setting under Advanced view > IAB Transparency and Consent Framework.
If the parameter isTCFConsentGlobal is set to true (default setting), the TCF consent is saved on both consensu.org and the local domain. If set to false, the TCF consent is saved only on the local domain, meaning the TCF cookie won’t be shared with other publishers. This value proxies the IAB CMP JS API hasGlobalScope value.
You can activate/deactivate this setting via the “Share consent with other sites” checkbox within the configurator under Advanced view > IAB Transparency and Consent Framework.
Since the IAB vendor list is updated almost weekly, you may want to choose how to handle new consent requests, avoiding showing the cookie banner to users who have already given consent a few days or weeks before.
On Advanced view > IAB Transparency and Consent Framework, you’ll find a section called Request new consent at vendor list update, where you can choose between three different values:
Please note that this feature is not available when pointing directly to a specific version of the Cookie Solution (e.g. cdn.iubenda.com/cs/versions/iubenda_cs-1.7.0.js), but only through the official Current/Beta endpoints.
Some vendors may ask you to explicitly provide gdpr and gdpr_consent parameters in their request. Here’s a snippet to meet this requirement:
<script type="text/javascript">
    __tcfapi('addEventListener', 2, function(tcData) {
        if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') {
            return;
        }
        var gdpr = tcData.gdprApplies ? 1 : 0;
        var gdpr_consent = tcData.tcString;
        console.log({ gdpr: gdpr, gdpr_consent: gdpr_consent });
        // Remove event listener to avoid invoking the ads multiple times
        __tcfapi('removeEventListener', 2, function(success) {
            console.log('event listener removed', success);
        }, tcData.listenerId);
    });
</script>
Once you have replaced the console.log line with the request to the vendor, using the gdpr and gdpr_consent variables, add this snippet below the iubenda_cs.js script, and it will automatically invoke the vendor script with the correct consent data.
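The following added example (not iubenda's or any vendor's code) combines the snippet above with the 300ms limit described earlier: it waits for the CMP up to a deadline, then builds the vendor request with gdpr and gdpr_consent. The endpoint URL, the stub CMP and the fallback of gdpr=1 with an empty consent string are assumptions made for the example.

```javascript
// Added example, not iubenda or vendor code. `tcfapi` is passed in so the logic
// can run against a stub; on a real page you would pass window.__tcfapi.
function consentParams(tcfapi, deadlineMs = 300) {
  return new Promise((resolve) => {
    let settled = false;
    const finish = (value) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(value);
    };
    // Assumed fallback: GDPR applies and no consent string is available (opt-out).
    const timer = setTimeout(
      () => finish({ gdpr: 1, gdpr_consent: '', timedOut: true }), deadlineMs);
    if (typeof tcfapi !== 'function') return; // no CMP present: the deadline decides
    tcfapi('addEventListener', 2, (tcData, success) => {
      if (!success || !tcData) return;
      if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') return;
      // Remove the listener even if the deadline already fired, so it cannot fire twice.
      tcfapi('removeEventListener', 2, () => {}, tcData.listenerId);
      finish({ gdpr: tcData.gdprApplies ? 1 : 0, gdpr_consent: tcData.tcString, timedOut: false });
    });
  });
}

// Append the two parameters to a vendor endpoint (hypothetical URL in the demo).
function vendorRequestUrl(endpoint, params) {
  const url = new URL(endpoint);
  url.searchParams.set('gdpr', String(params.gdpr));
  url.searchParams.set('gdpr_consent', params.gdpr_consent);
  return url.toString();
}

// Constructed stand-in for a CMP that answers after delayMs milliseconds.
function makeStubCmp(delayMs, tcString) {
  const api = (command, version, callback) => {
    api.calls.push(command);
    if (command === 'addEventListener') {
      setTimeout(() => callback(
        { eventStatus: 'tcloaded', gdprApplies: true, tcString, listenerId: 7 }, true), delayMs);
    } else if (command === 'removeEventListener') {
      callback(true);
    }
  };
  api.calls = [];
  return api;
}

// Demo: a CMP that answers in 5ms, well inside the 300ms deadline.
consentParams(makeStubCmp(5, 'CONSTRUCTED-TC-STRING'))
  .then((p) => console.log(vendorRequestUrl('https://ads.example/req', p)));
```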
Now when your users click on the “Learn more and customize” button (or the “advertising preferences panel” link) in your cookie banner in order to manage their preferences, they will see the following options:
Note: when the user indicates that they would like to manage preferences by opening the preference window, all cookies are “turned off” by default as a positive affirmative/ “Opt-in” action is legally required for valid consent.