Articles in this section

See more

Cookiebot and the IAB Consent Framework

Avatar
Jacob Buch
  • Updated
Follow

PLEASE NOTE: The IAB Transparency and Consent Framework (TCF) is in the final stages of phasing out v1.1 for the new v2.0 of the framework. As the two versions are incompatible, your users will automatically be asked for new consent when entering your site the first time after the transition. Cookiebot has supported IAB TCF v2.0 since our solution was approved and certified by the IAB in April 2020.

As a Cookiebot customer already using our IAB integration you do not need to do anything to complete the transition.

UPDATE May 14, 2020: The TCF Steering Group has decided to extend technical support for TCF v1.1 beyond the previously announced date of 30 June to a new date of 15th August 2020. According to the steering group, the extension of technical support for v1.1 does not impact companies’ ability to implement TCF v2.0 before the new and final cut-off date of 15th August 2020.
Publishers can roll back from TCF version 2 to version 1.1 in Cookiebot (e.g. if not all ad tech vendors are ready for v. 2) by using the value "IAB1" in the Cookiebot tag-attribute 'data-framework' as described below. On August 15, 2020, this implementation will automatically migrate from v.1.1. to v. 2.

UPDATE June 21, 2020: Google have introduced "Additional Consent Mode" (Google AC) as a bridge for vendors who are not yet registered on the IAB Europe Global Vendor List (GVL). Google AC is supported by Cookiebot as of June 21, 2020. Learn more about this integration below.

 

To support publishers, technology vendors and advertisers in meeting the transparency and user consent requirements of the GDPR and ePrivacy Directive, IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework.

As the framework is widely supported by the online advertising industry, Cookiebot is registered with IAB as a consent management provider (CMP) and has adopted the framework as an optional supplement to the core consent framework already included in the Cookiebot solution.

 

Concept

IAB’s consent model is fundamentally different from Cookiebot’s core consent model. In general, IAB’s model puts control in the hands of advertisers and vendors by signaling the user's consent to advertising vendors, whereas Cookiebot can block non-consented vendors and thereby gives control to the publisher, who is liable for all tracking performed by third parties on the publisher’s website. Nevertheless, the two consent models can co-exist on a single website.

When using the Cookiebot integration with IAB TCF, an extra panel with the title "Ad Settings" will be available to the end user on the cookie banner's details-layer:

mceclip0.png
 
From this panel, the user can choose between IAB purposes, features and vendors before submitting a consent. The resulting IAB Consent String is stored in the existing "CookieConsent" cookie on the user's device. The same consent string is included when you download the consent log from the Cookiebot manager.
 
The pre-ticked state of all purposes and vendors on the Ad Settings panel follows the pre-ticked state of the overall "Marketing"-category, as configured in Cookiebot. If the user clicks the overall "Marketing" checkbox in the banner, all purposes and vendors will change state to match the overall "Marketing"-choice. The user may change selection for any specific IAB purpose and vendor at any time.
 
Please note that the consent settings on the panel only applies to IAB-registered vendors. If you are using other vendors on your website, e.g. for ads, widgets, videos, analytics and the like, you need to implement prior consent on these tags as described in Cookiebot's implementation guide.

To ensure that vendors honor the user’s consent, Cookiebot’s scanner monitors all cookies and similar trackers used on the website. If an IAB-vendor does not honor the user’s consent, cookies set by the vendor will be marked up in the scan report with “Prior consent enabled: No”.

 

Implementation

Enabling the IAB framework with Cookiebot is straightforward: Just add the attribute “data-framework” to your existing Cookiebot tag with the value “IAB”, e.g.:

<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000" data-framework="IAB" type="text/javascript" async></script>

If you are using Cookiebot with a tag manager, e.g. Google Tag Manager (GTM), which automatically strips all attributes but "src" from the script tag, you can enable the IAB framework by including the URL query "framework=IAB" in the tag src-attribute, e.g. "https://consent.cookiebot.com/uc.js?cdid=00000000-0000-0000-0000-000000000000&framework=IAB"

From there, Cookiebot will automatically signal consent to any vendor using the IAB framework on your website.

IAB suggests that you replace the default cookie-banner introduction with the following (based on TCF2 stack 42):
 
"
We and our partners process your personal data, e.g. your IP-number, using technology such as cookies in order to serve personalised ads and content, ad and content measurement, audience insights and product development. You have choice in who uses your data and for what purposes.  
 
Some partners do not ask for your consent, instead, they rely on their legitimate business interest. View our list of partners to see the purposes they believe they have legitimate interest for and how you can object to it.
 
Find out more about how your personal data is processed and set your preferences in the details section. You can change or withdraw your consent any time from the Cookie Declaration at the bottom of this page.
"
We recommend that you create a link from "list of partners" to "javascript:CookieConsentDialog.ShowIABVendors()" to display the partner-list on click.
 
Also, you may create a link from "the details section" to "javascript:CookieConsentDialog.toggleDetails()" as a shortcut to open the details panel.
 
Make sure to adjust the wording to the actual use of cookies and personal data on your website, if not covered by the suggested introduction.
 
The IAB Framework currently supports 30 languages: BG, CA, CS, DA, DE, EL, EN, ES, ET, FI, FR, HR, HU, IT, JA, LT, LV, MT, NL, NO, PL, PT, RO, SR (latin), RU, SK, SL, SV, TR, ZH
 

Publisher restrictions

A new feature in TCF 2.0 is the ability for publishers to restrict Vendors and Purposes. By configuring and inserting the following snippet on your website, before the standard Cookiebot tag, you will be able to control which Vendors you allow access to your website users and for which Purposes, both in general and per specific Vendor. The Cookiebot consent banner UI will automatically adopt this configuration when displayed to the user: 
<script id="CookiebotConfiguration" type="application/json" data-cookieconsent="ignore">
    {
        "Frameworks": {
        "IABTCF2": {
            "AllowedVendors": [2, 6, 8],
            "AllowedGoogleACVendors": []
            "AllowedPurposes": [1,2],
            "AllowedSpecialPurposes": [],
            "AllowedFeatures": [1],
            "AllowedSpecialFeatures": [1],
            "VendorRestrictions": [
            {
                "VendorId":  2,
                "DisallowPurposes": [2,3,4]
            }
            ]
        }
        }
    }
</script>
The numeric id values to use for Vendors, Purposes and Features are available in IAB's Global Vendor List: https://vendorlist.consensu.org/v2/vendor-list.json
 
Special Purposes, and Features will always be disclosed if at least one of the Vendors disclosed has declared itself using them. Also, the concept of Stacks (pre-defined groups of purposes) is not required by IAB policies and not supported by Cookiebot.
 
The array " AllowedGoogleACVendors " contains a list of vendor Id's from Google's list of ad technology providers not registered with the IAB: https://storage.googleapis.com/tcfac/additional-consent-providers.csv. If omitted, a default selection of the vendors are included in the cookie banner's partner selection list for end users to choose from. The default selection is made on basis of vendors that "are part of a commonly used list", according to Google: https://support.google.com/admanager/answer/9012903. If you leave the array empty, no Google ad tech partners will be displayed in the cookie banner unless they support TCF2.
 
Please note that Cookiebot as an IAB registered CMP is under the obligation to work only with publishers that are in full compliance with the IAB Framework policies. By activating the IAB framework in Cookiebot as described above, you confirm to comply with these policies. Please also make an attestation of compliance in a prominent location on your website, such as in a privacy policy.
 

Google Additional Consent Mode

Cookiebot supports Google's Additional Consent Mode (Google AC) which enables publishers to get consent for ad tech vendors who are not part of IAB TCF 2 but are one of the Google Ad Tech Providers.

Google AC Vendors can be selected in the array "AllowedGoogleACVendors" as described above and will be added to the end of the existing IAB partner list in a separate section.

 

For IAB Vendors

This means that vendors can read out the user's consent state from the tcData object and string when Cookiebot is loaded and exposes the stub function "__tcfapi": 
__tcfapi('getTCData', 2, (tcData, success) => { if(success) { console.log(tcData) }});
 
To respond to changes in the user's consent state, vendors may subscribe a callback function to an event listener: 
__tcfapi('addEventListener', 2, (tcData, success) => { if(success) { console.log(tcData) }});


The Google AC string is included in the tcData object with the property name "addtlConsent" as suggested by Google on https://support.google.com/admanager/answer/9681920.

 

Other resources

Using IAB TCF in a Custom Banner

Your Cookiebot banner when using the IAB TCF v2.0 integration

Related articles

Comments

3 comments

Sort by Date Votes

Please sign in to leave a comment.