Iubenda logo
Start generating

Documentation

Table of Contents

The complete guide to iubenda Consent Management Platform (CMP) and IAB TCF 2.0 & 2.1

Laws like the GDPR, Cookie Law and CCPA have made consent management platforms (CMPs) necessary for businesses operating in the EU and US, including publishers. This guide breaks down what a consent management platform is, why publishers need it, and how to enable the industry-standard Transparency and Consent Framework in our Cookie Solution.

In short

  • If you use cookies or other trackers for purposes like behavioral advertisinganalyticsremarketing and content personalization (and/or the CCPA applies to you), you likely need a Consent Management Platform like our Cookie Solution.
  • Major advertising networks require publishers to gain GDPR consent before showing personalized ads 
  • If you display third-party ads on your site/app, you can meet this requirement with the one-click activation of the IAB Transparency and Consent Framework (TCF) in our Cookie Solution.

What is a Consent Management Platform (CMP)

CMP is short for Consent Management Platform or, less commonly, Consent Management Provider. CMPs are also responsible for passing user consent along with the Transparency and Consent Framework (TCF) and must therefore be registered and meet TCF standards and policies.

Simply stated, a CMP helps you provide transparency to the users regarding the access and storage of their personal information (through cookies and other trackers) in compliance with major data privacy laws like the GDPR, the ePrivacy Directive, the CCPA and more.

More specifically, CMPs help you gather, store, and use users’ preferences to collect and process their personal information for specific purposes (e.g., analytics, advertising, and retargeting strategies).

As a certified CMP, iubenda allows you to manage consent preferences for the ePrivacy, GDPR, and CCPA.

Do I need a Consent Management Platform (CMP)?

Short answer: yes, you probably need one. 

A) The GDPR/ePrivacy Directive or UK GDPR/PECR applies to you (not sure? Take our 1-minute quiz), and your site/app (or any third-party service run by your site/app) uses cookies or other trackers to process personal information.

Why?

Because according to the ePrivacy Directive (as well as PECR, its UK transposition), you must clearly and visibly inform users of your site/app’s use of any cookies (or trackers) and collect active consent before running scripts related to non-exempt cookies/trackers

For example, let’s consider publishers operating in Europe. Cookies and trackers are their bread and butter since they help them monetize their site/app via third-party advertisers. The use of trackers for purposes like behavioral advertising, remarketing, and content personalization requires obtaining users’ informed consent before installing those trackers. 

What is a publisher?

Generally, a publisher is any site/app operator that monetizes its content via third-party advertisers. Blogs and online newspapers that display ads on their site/app are examples of publishers.

B) The California Consumer Privacy Act (CCPA) applies to you (not sure? Take our 1-minute quiz), and you share user data (e.g. IP address) with third parties, which legally obligates you to:

In general, given the rapid emergence of privacy laws worldwide, it’s hard to imagine a site or app that doesn’t need a Consent Management Platform

As a registered CMP, we’ve integrated IAB Europe’s industry-standard TCF and CCPA Compliance Framework with our Cookie Solution to help publishers comply with the law while meeting industry requirements and maximizing ad revenue.

What is the IAB GDPR Transparency and Consent Framework (TCF)

The IAB Transparency and Consent Framework (TCF) is a digital advertising initiative that helps publishers, technology vendors, agencies, and advertisers meet the transparency, consent, and choice requirements of the GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on users devices (such as cookies, advertising identifiers, device identifiers, and other tracking technologies).

The IAB TCF provides a standard process for getting GDPR user consent and signaling those consent preferences across the advertising supply chain (You can read the framework policies here)

The TCF and Brexit / UK Law

Currently, the requirements of the UK’s General Data Protection Regulation (UK GDPR) and the UK’s Privacy and Electronic Communications Regulations are identical to that of their EU counterparts (the GDPR and ePrivacy). Therefore, the TCF Framework also helps companies meet the current requirements of both UK Regulations. 

The TCF provides a system (a standard JavaScript API) that allows the different advertising ecosystem players to speak the same language and communicate the user’s preferences between them. The main actors of this system are publishers, vendors (third parties advertisers who collect end-users data from the publisher’s site/app through the use of cookies or other trackers, in connection with surfacing content to the publisher’s end users), and CMPs like iubenda.

Publishers, vendors and CMPs who decide to participate in the IAB TCF are all bound to adhere to the standard Framework protocol and policies. Vendors are also requested to register on the Global Vendor List (GVL), a centralized, dynamic list of vendors, their purposes, maximum storage and access duration, and privacy policy URLs. Within the TCF and related GVL the purposes for data processing are also standardized and each purpose and each vendor have a unique ID. This unique vendor ID allows vendors to retrieve and interpret user consent preferences regarding their and other vendors’ services. 

The user choices and vendor signals collected via the CMP UI are represented by binary values, compressed into as small a data structure possible (Base64), and transmitted throughout the online advertising ecosystem via a Daisy Chain.

The scripts of vendors that are part of the GVL are automatically blocked before receiving user choices. Each vendor can check its status by first pinging the CMP and then waiting for a call back for the ID they pass, which lets them know whether they can process personal data.

Why publishers should enable the Transparency and Consent Framework

Despite being a relatively new initiative, the IAB TCF 2.0 is rapidly becoming the industry standard, with vendors like Google, Adobe and AdRoll involved in its implementation.

While not strictly mandatory, enabling the TCF 2.0 offers many benefits for publishers and users, maximizing ad revenue and allowing publishers to smoothly collect and transmit user preferences to the third-party ad vendors they work with, while exercising stricter control over how they process users’ data.

TCF benefits for publishers

  • Secure your ad revenue: Some advertising networks may limit access to their network or serve only non-personalized ads where TCF 2.0 consent is not passed to vendors. This means that your ad revenue could potentially be decreased if you’re not using the framework.
  • Enhanced options and control
    • More granular purposes: an extended list of purposes that includes more granular options. There are now 10 purposes, 2 special purposes, 2 features and 2 special features, giving you more opportunities to collect consent. 
    • Purposes and legal basis restrictions: you have full control over which third-party ad vendors you want to work with and disclose to your users and for what purposes you allow these vendors to process personal information.
      Why is important to select a restricted number of vendors to work with.

      Choosing to provide transparency and help establish legal basis within the Framework for a large number of Vendors may reduce the ability for users to make informed choices and increase publisher and vendor legal risk. It may therefore result in vendors refusing to work with publishers disclosing too many vendors and negatively impacting publisher ad revenue.

      The Belgian DPA (APD) in a decision on IAB Europe and the TCF has explicitly stated that providing transparency for a large number of vendors would need a disproportionate amount of time for the user to read this information and would result to be incompatible with the condition of sufficiently informed consent as required by GDPR.

      To restrict the number of vendors, select “Only allow the vendors disclosed in your privacy and cookie policy” in the TCF settings of our Cookie Solution.

    • You can specify the legal basis upon which you require vendors to operate
    • You can determine at your discretion that, for specific purposes and vendors, only consent (or legitimate interest) is a viable legal basis.
      What’s a legal basis and why it is important to restrict it.

      A legal basis is a lawful ground under which personal data are processed. According to GPDR, there are six possible legal basis. In the advertising sector, two legal bases are commonly used:

      • consent of the data subject; and
      • legitimate interest of the data controller.

      The TCF supports both, but some national DPAs, like in Italy and Belgium, have excluded the use of legitimate interest as a valid legal basis, that’s why it’s important to restrict it to “Consent only” if you operate in those countries (you can read more about country-specific requirements in our Cookie Consent Cheatsheet). 

Google fully supports TCF 2.0 (and later versions). Google is now part of the TCF global vendor list: this means that, if you’re using Adsense, AdMob or Ad Manager, separate Google ad personalization settings are no longer needed (you can read Google’s release on publisher integration with the IAB TCF 2.0 here).

What about ad vendors that are not yet part of the TCF? 
While the framework comprises an ever-growing list of ad vendors, some advertisers are not yet part of the TCF. That’s the case with some of Google’s partners. To circumvent this problem, Google has defined a temporary technical specification called Additional Consent Mode, intended only for use alongside TCF 2.0 to serve as a bridge for Google’s Ad Tech Providers who are not yet registered on the TCF 2.0 Global Vendor List.

📌 iubenda CMP fully supports TCF integration requirements set by Google, including the Additional Consent Mode.

TCF benefits for end-users

  • Enhanced transparency
    • grater granularity at the purpose level that will enable users to make more informed choices regarding the processing of their personal data; 
    • detailed and easily understandable descriptions of the purposes of data processing; 
    • specific information about the duration of information stored on a user’s device. This is the most important news of TCF 2.1: IAB has amended the TCF policies in order to comply with the changes required by the Planet49 ruling. This update is turned out to be what we now call TCF 2.1
  • Enhanced control: not only users can easily provide, deny or withdraw consent for each vendor or purpose but you will also offer them a streamlined means of exercising their right to object to processing on the basis of a legitimate interest. 

iubenda and the IAB Transparency and Consent Framework (TCF 2.0 and 2.1) 

Our cookie consent manager for the ePrivacy, GDPR and CCPA allows you to display a fully customizable cookie banner, collect cookie consent and implement prior blocking. 

Also, as a registered Consent Management Platform (id number 123), the iubenda Cookie Solution lets users set advertising preferences and is compatible with the IAB GDPR Transparency and Consent Framework. This feature allows users to toggle advertising preferences for advertisers on the IAB’s extensive global vendor list.

1. Enable the IAB Transparency and Consent Framework

To enable the TCF 2.0+ on your Cookie Solution, head to your dashboard and click on the site/app that you’d like to update. Next, click the Edit button in the Cookie Solution area (if you haven’t already activated the Cookie Solution, here’s a tutorial on getting started).

edit cookie policy

Now enable the IAB TCF option. You’ll immediately notice that:

  • The banner text will be lengthened to meet IAB requirements. The additional text (only editable upon request) contains essential disclosures related to the enhanced options that we mention in the sections below.
  • “Accept” and “Learn more and customize” buttons will be force-enabled, as required by IAB.
What the banner notice for TCF v2.0 needs to contain
  • information about the fact that information is stored on and/or accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data);
  • information about the fact that personal data is processed, and the nature of the personal data processed (e.g. unique identifiers, browsing data);
  • a link to the list of vendors;
  • a list of purposes (using the GVL standardized names and/or stack names);
  • information about the special features used by the vendors (using the GVL standardized names and/or stack names);
  • information about the fact that the user can withdraw their consent at any time, and how to resurface the Framework UI in order to do so;
  • a call to action for the user to express their consent
  • a call to action for the user to customise their choices 

Furthermore, you’ll have the chance to enable Google’s Additional Consent Mode option, a feature that allows you to gather consent for Google ad partners that are not yet part of the Transparency and Consent Framework, but are on Google’s Ad Tech Providers (ATP) list.

Editing the cookie banner

Please note that any previous changes to the banner text will be nullified when the TCF is enabled. Therefore, if you’ve previously edited the HTML or banner text, re-test with the default text and the buttons enabled.

HTML

If you want to edit the HTML, you must necessarily include our default text by including the %{banner_content} shortcode in the input, an element with the class="iubenda-cs-accept-btn" attribute and an element with the class="iubenda-cs-customize-btn" attribute.

Text

By enabling the TCF, the banner text will only be editable upon request. If you wish to edit the text of the cookie banner, make sure you check the IAB requirements and reach out to us via chat or email to have the modifications approved.

Cookie Solution snippet

Once enabled, your Cookie Solution embed code will go from this:

<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "invalidateConsentWithoutLog": true,
        "floatingPreferencesButtonDisplay": "bottom-right",
        "banner": {
            "acceptButtonDisplay": true,
            "rejectButtonDisplay": true
            "closeButtonRejects": true,
            "customizeButtonDisplay": true,
            "explicitWithdrawal": true,
            "listPurposes": true,
            "position": "float-top-center"
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

To this (note the stub-v2.js script, "enableTcf": true and other TCF options):

<script type="text/javascript">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": XXXXXX, //use your siteId
        "cookiePolicyId": YYYYYY, //use your cookiePolicyId
        "consentOnContinuedBrowsing": false,
        "perPurposeConsent": true,
        "invalidateConsentWithoutLog": true,
        "floatingPreferencesButtonDisplay": "bottom-right",
        "enableTcf": true,
        "googleAdditionalConsentMode": true,
        "tcfPurposes": {
            "1": true,
            "2": "consent_only",
            "3": "consent_only",
            "4": "consent_only",
            "5": "consent_only",
            "6": "consent_only",
            "7": "consent_only",
            "8": "consent_only",
            "9": "consent_only",
            "10": "consent_only"
        },
        "banner": {
            "acceptButtonDisplay": true,
            "rejectButtonDisplay": true
            "closeButtonRejects": true,
            "customizeButtonDisplay": true,
            "explicitWithdrawal": true,
            "listPurposes": true,
            "position": "float-top-center"
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/tcf/stub-v2.js"></script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

Now that you’ve pasted the Cookie Solution code inside  body of your pages, let’s talk about prior blocking the vendor scripts.

The iubenda CMP provides the __tcfapi function in order for vendors to read the consent properly.
We use a script (safe-tcf-v2.js) that has the only job of reading the TCF cookie and releasing the __tcfapi function and not directly blocking the vendor scripts. It is a synchronous activator that runs at the very beginning of the page, guaranteeing that the consent is read within 500ms from the vendor scripts being executed.

This is the default behavior when enabling the Iab TCF options of our configurator.
It works from the second pageview (when consent is already present on the page) and it allows to achieve high-performing in terms of load speed.

However, it may result in some incompatibilities with Google Ad Manager, AdSense, and AdMob. If you want to directly block the vendor scripts you can see below.

Further implementations and optimization – Google Ads users

Vendors have a maximum time (generally 500ms, usually non-configurable) to wait for consent from the CMP. 
In cases where the CMP does not respond within a maximum of 500ms, vendors’ Sell-Side Platform uses the opt-out status of the user instead, which means that in such cases, your end-users will be served with non-personalized ads.

This might happen if you use Google’s advertising services such as Ad Manager, AdSense and AdMob.
To prevent these issues, you can directly block the vendors’ scripts using one of the prior blocking methods supported by our Cookie Solution, then execute them only after consent has been collected.

You can use this to have more direct control regarding ensuring compliance and serving personalized ads from the first pageview when consent hasn’t been collected yet. It also allows you to avoid error 2.1a (for Google Ad Manager, AdSense, and AdMob users).

Our Cookie Solution offers various tools for the prior blocking of scripts that may install cookies. More in our introduction to the prior blocking of scripts. To block Google’s scripts, you can directly reference the examples for Google AdSense and Google Publisher Tag.

Per-category consent

Please note that if you’ve enabled the Cookie Solution’s per-category consent feature, you’ll need to tag TCF scripts as “purpose 1” (strictly necessary).

The stub-v2.js and safe-tcf-v2.js can also be embedded inline or self-hosted, if necessary. Read this guide for more optimization tips.

To read the consent from the __tcfapi function, you can open the browser console and launch these commands:

window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) });
window.__tcfapi('getTCData', 2, function(result,success) { console.log(result) }, [1,2]);
window.__tcfapi('ping', 2, function(result) { console.log(result) });

Finally, as required by IAB, you have to provide a link or button (e.g. in the footer) that allows your visitors to update their advertising tracking preferences even after closing the cookie banner. 

Let’s see how.

To implement, just add the iubenda-advertising-preferences-link class to a custom link or button:

<a href="#" class="iubenda-advertising-preferences-link">
    Update your advertising tracking preferences
</a>

Place it anywhere on your site (typically added to the footer). Once clicked, the link above will trigger the opening of the advertising tracking settings modal:

open-preferences

To meet IAB’s requirements, please note that if you don’t implement the iubenda-advertising-preferences-link class, we’ll automatically display a small widget that hovers on your pages:

Additional features and settings

Under the IAB TCF tile you’ll find these enhanced publisher options:

Under the IAB TCF tile you’ll find these enhanced publisher options:

To do this, select “Only allow the vendors disclosed in your privacy and cookie policy” under the “Restrictions” section of your TCF settings.

Only allow the vendors disclosed in your privacy and cookie policy

Vendors will soon be required to provide additional information inside the Global Vendor List (GVL), making it easier for publishers to decide which vendors to work with.

To do this select the “Restrict Purposes” option, decide which purposes you want to enable, and finally select the legal basis under which personal data can be processed for active purposes. 

restrict purposes

Note: if you are not sure about this aspect, consider that “Consent only” is usually the safest option and definitely best practice for purposes related to profiling.

We’ve already mentioned the importance of restricting the number of vendors you want to work with. Another advantage of providing transparency for a limited number of vendors is the possibility to basically eliminate the problem of requesting new consent at the global vendor list update. In fact, the IAB vendor list is updated almost weekly. 

If, nevertheless, you decide not to limit the number of vendors to work with, you may want to choose how to handle new consent requests, avoiding showing the cookie banner to users who have already given consent a few days or weeks before.

Inside the tile IAB TCF, you’ll find a section called Request new consent at vendor list update, where you can choose between three different values:

  • Never (default value) – users who have already given consent will not be shown the cookie banner again. Consent for new vendors will be set to off.
  • Immediately – users will get prompted with a new consent request whenever the vendor list is updated.
  • With a delay – users will get prompted with a new consent request x days after the update of the vendor list (you’ll have to specify the number of days).
request new consent

Please note that this feature is not available when pointing directly to a specific version of the Cookie Solution (e.g. cdn.iubenda.com/cs/versions/iubenda_cs-1.7.0.js), but only through the official Current/Beta endpoints.

Some vendors may ask you to explicitly provide gdpr and gdpr_consent parameters into their request. Here’s a snippet to meet this requirement:

<script type="text/javascript">
    __tcfapi('addEventListener', 2, function(tcData) {
        if (tcData.eventStatus !== 'useractioncomplete' && tcData.eventStatus !== 'tcloaded') {
            return;
        }
        var gdpr = tcData.gdprApplies ? 1 : 0;
        var gdpr_consent = tcData.tcString;
        console.log({ gdpr: gdpr, gdpr_consent: gdpr_consent });
        // Remove event listener to avoid invoking the ads multiple times
        __tcfapi('removeEventListener', 2, function(success) {
            console.log('event listener removed', success);
        }, tcData.listenerId);
    });
</script>

Once replaced the console.log line with the request to the vendor by using the gdpr and gdpr_consent variables, add this snippet below the iubenda_cs.js script, and it will automatically invoke the vendor script with the correct consent data.

Now when your users click on the Learn more and customize button (or the advertising preferences panel link) in your cookie banner in order to manage their preferences, they’ll see the following options:

Note: when the user indicates that they would like to manage preferences by opening the preference window, all cookies are “turned off” by default as a positive affirmative/opt-in action is legally required for valid consent.

IAB - Interactive Advertising Bureau

See also