Cookiebot and the IAB Consent Framework – Cookiebot Support

IAB TCF v2 Certified CMP To support publishers, technology vendors and advertisers in meeting the transparency and user consent requirements of the GDPR and ePrivacy Directive, IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework (TCF v2.0).

As the framework is widely supported by the online advertising industry, Cookiebot is registered and certified with IAB as a consent management provider (CMP id 134) and has adopted the framework as an optional supplement to the core consent framework already included in the Cookiebot solution. The integration also covers Google's "Additional Consent Mode" (Google AC) as a bridge for vendors who are not yet registered on the IAB Europe Global Vendor List (GVL).

Concept

IAB’s consent model is fundamentally different from Cookiebot’s core consent model. In general, IAB’s model puts control in the hands of advertisers and vendors by signaling the user's consent to advertising vendors, whereas Cookiebot can block non-consented vendors and thereby gives control to the publisher, who is liable for all tracking performed by third parties on the publisher’s website. Nevertheless, the two consent models can co-exist on a single website.

With version 2 of TCF, IAB have introduced strict policies on the wording and configuration of the cookie consent banner. When using the Cookiebot integration with IAB TCF, a standard, non-editable, IAB-certified message will be displayed in your banner before the text that you have defined in the Cookiebot Manager. Read more about the standard message and auto-configuration of the banner here: https://support.cookiebot.com/hc/en-us/articles/360015693200.

An extra panel with the title "Ad Settings" will automatically be available to the end user on the cookie banner:

From this panel, the user can choose between IAB purposes, features and vendors before submitting a consent. The resulting IAB Consent String is stored in the existing "CookieConsent" cookie on the user's device. The same consent string is included when you download the consent log from the Cookiebot manager.

The pre-ticked state of all purposes and vendors on the Ad Settings panel follows the pre-ticked state of the overall "Marketing"-category, as configured in Cookiebot. If the user clicks the overall "Marketing" checkbox in the banner, all purposes and vendors will change state to match the overall "Marketing"-choice. The user may change selection for any specific IAB purpose and vendor at any time.

Please note that the consent settings on the panel only applies to IAB-registered vendors. If you are using other vendors on your website, e.g. for ads, widgets, videos, analytics and the like, you need to implement prior consent on these tags as described in Cookiebot's implementation guide.

To ensure that vendors honor the user’s consent, Cookiebot CMP’s scanner monitors all cookies and similar trackers used on the website. If an IAB-vendor does not honor the user’s consent, cookies set by the vendor will be marked up in the scan report with “Prior consent enabled: No”.

Implementation

Enabling the IAB framework with Cookiebot CMP is straightforward: Just add the data-framework attribute to your existing Cookiebot tag with the value “IAB”, e.g.:

<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  data-framework="IAB"
  type="text/javascript"
  async
></script>

If you are using Cookiebot with a tag manager, e.g. Google Tag Manager (GTM), which automatically strips all attributes but "src" from the script tag, you can enable the IAB framework by including the "framework=IAB" query parameter to the tag src-attribute, e.g. "https://consent.cookiebot.com/uc.js?cbid=00000000-0000-0000-0000-000000000000&data-framework=IAB".

If you are using the standard Cookiebot template from the Google Tag Manager Gallery, you can check the "Enable IAB Transparency and Consent Framework" option to enable TCF on your site.

You will also need to add the following line of code above your global site tag or Google Tag Manager snippet on all pages where you have Google Ads tags:

window ['gtag_enable_tcf_support'] = true;

From there, Cookiebot will automatically signal consent to any vendor using the IAB framework on your website.

Publisher restrictions

A new feature in TCF 2.0 is the ability for publishers to restrict Vendors and Purposes. By configuring and inserting the following snippet on your website, before the standard Cookiebot tag, you will be able to control which Vendors you allow access to your website users and for which Purposes, both in general and per specific Vendor. The Cookiebot consent banner UI will automatically adopt this configuration when displayed to the user:

<script id="CookiebotConfiguration" type="application/json" data-cookieconsent="ignore">
    {
        "Frameworks": {
            "IABTCF2": {
                "AllowedVendors": [2, 6, 8],
                "AllowedGoogleACVendors": [],
                "AllowedPurposes": [1, 2],
                "AllowedSpecialPurposes": [],
                "AllowedFeatures": [1],
                "AllowedSpecialFeatures": [1],
                "VendorRestrictions": [
                    {
                        "VendorId": 2,
                        "DisallowPurposes": [2, 3, 4]
                    }
                ]
            }
        }
    }
</script>

All attributes under "IABTCF2" are optional and must only be included if you require a restriction on a specific attribute. The numeric id values to use for Vendors, Purposes and Features are available in IAB's Global Vendor List: https://vendor-list.consensu.org/v2/vendor-list.json

Special Purposes, and Features will always be disclosed if at least one of the Vendors disclosed has declared itself using them. Also, the concept of Stacks (pre-defined groups of purposes) is not required by IAB policies and not supported by Cookiebot.

The array " AllowedGoogleACVendors " contains a list of vendor Id's from Google's list of ad technology providers not registered with the IAB https://storage.googleapis.com/tcfac/additional-consent-providers.csv. If omitted, a default selection of the vendors are included in the cookie banner's partner selection list for end users to choose from. The default selection is made on basis of vendors that "are part of a commonly used list", according to Google: https://support.google.com/admanager/answer/9012903. If you leave the array empty, no Google ad tech partners will be displayed in the cookie banner unless they support TCF 2.0.

Please note that Cookiebot as an IAB registered CMP is under the obligation to work only with publishers that are in full compliance with the IAB Framework policies. By activating the IAB framework in Cookiebot as described above, you confirm to comply with these policies. Please also make an attestation of compliance in a prominent location on your website, such as in a privacy policy.

Google Additional Consent Mode

Cookiebot supports Google's Additional Consent Mode (Google AC) which enables publishers to get consent for ad tech vendors who are not part of IAB TCF 2.0 but are one of the Google Ad Tech Providers.

Google AC Vendors can be selected in the array "AllowedGoogleACVendors" as described above and will be added to the end of the existing IAB partner list in a separate section.

For IAB Vendors

Cookiebot exposes the standard IAB TCF 2.0 CMP API specification as described on https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md#how-does-the-cmp-provide-the-api

This means that vendors can read out the user's consent state from the tcData object and string when Cookiebot is loaded and exposes the stub function "__tcfapi":

__tcfapi('getTCData', 2, (tcData, success) => {
    success && console.log(tcData);
});

To respond to changes in the user's consent state, vendors may subscribe a callback function to an event listener:

__tcfapi('addEventListener', 2, (tcData, success) => {
    success && console.log(tcData);
});

The Google AC string is included in the tcData object with the property name "addtlConsent" as suggested by Google on https://support.google.com/admanager/answer/9681920.

Other resources

Using IAB TCF in a Custom Banner

Your Cookiebot banner when using the IAB TCF v2.0 integration