To support publishers, technology vendors and advertisers in meeting the transparency and user consent requirements of the GDPR and ePrivacy Directive, IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework (TCF v2.0).
As the framework is widely supported by the online advertising industry, Cookiebot is registered and certified with IAB as a consent management provider (CMP id 134) and has adopted the framework as an optional supplement to the core consent framework already included in the Cookiebot solution. The integration also covers Google's "Additional Consent Mode" (Google AC) as a bridge for vendors who are not yet registered on the IAB Europe Global Vendor List (GVL).
Concept
IAB’s consent model is fundamentally different from Cookiebot’s core consent model. In general, IAB’s model puts control in the hands of advertisers and vendors by signaling the user's consent to advertising vendors, whereas Cookiebot can block non-consented vendors and thereby gives control to the publisher, who is liable for all tracking performed by third parties on the publisher’s website. Nevertheless, the two consent models can co-exist on a single website.
With version 2 of TCF, IAB have introduced strict policies on the wording and configuration of the cookie consent banner. When using the Cookiebot integration with IAB TCF, a standard and non-editable, IAB-certified message will be displayed in your banner before the text that you have defined in the Cookiebot Manager. Read more about the standard message and auto-configuration of the banner here: https://support.cookiebot.com/hc/en-us/articles/360015693200.
Also an extra panel with the title "Ad Settings" will automatically be available to the end user on the cookie banner's details-layer:
To ensure that vendors honor the user’s consent, Cookiebot’s scanner monitors all cookies and similar trackers used on the website. If an IAB-vendor does not honor the user’s consent, cookies set by the vendor will be marked up in the scan report with “Prior consent enabled: No”.
Implementation
Enabling the IAB framework with Cookiebot is straightforward: Just add the attribute “data-framework” to your existing Cookiebot tag with the value “IAB”, e.g.:
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000" data-framework="IAB" type="text/javascript" async></script>
If you are using Cookiebot with a tag manager, e.g. Google Tag Manager (GTM), which automatically strips all attributes but "src" from the script tag, you can enable the IAB framework by including the URL query "framework=IAB" in the tag src-attribute, e.g. "https://consent.cookiebot.com/uc.js?cdid=00000000-0000-0000-0000-000000000000&framework=IAB".
If you are using the standard Cookiebot template from the GTM Gallery, you need to check the "Enable IAB Transparency and Consent Framework" option to enable TCF on your site.
You will also need to add the following line of code above your global site tag or Google Tag Manager snippet on all pages where you have Google Ads tags:
window ['gtag_enable_tcf_support'] = true;
From there, Cookiebot will automatically signal consent to any vendor using the IAB framework on your website.
Publisher restrictions
<script id="CookiebotConfiguration" type="application/json" data-cookieconsent="ignore">
{
"Frameworks": {
"IABTCF2": {
"AllowedVendors": [2, 6, 8],
"AllowedGoogleACVendors": [],
"AllowedPurposes": [1, 2],
"AllowedSpecialPurposes": [],
"AllowedFeatures": [1],
"AllowedSpecialFeatures": [1],
"VendorRestrictions": [
{
"VendorId": 2,
"DisallowPurposes": [2, 3, 4]
}
]
}
}
}
</script>
Google Additional Consent Mode
Google AC Vendors can be selected in the array "AllowedGoogleACVendors" as described above and will be added to the end of the existing IAB partner list in a separate section.
For IAB Vendors
This means that vendors can read out the user's consent state from the tcData object and string when Cookiebot is loaded and exposes the stub function "__tcfapi":
__tcfapi('getTCData', 2, (tcData, success) => {
success && console.log(tcData);
});
To respond to changes in the user's consent state, vendors may subscribe a callback function to an event listener:
__tcfapi('addEventListener', 2, (tcData, success) => {
success && console.log(tcData);
});
The Google AC string is included in the tcData object with the property name "addtlConsent" as suggested by Google on https://support.google.com/admanager/answer/9681920.
Other resources
Using IAB TCF in a Custom Banner
Your Cookiebot banner when using the IAB TCF v2.0 integration
Comments
12 comments
Hi. One of my ad agencies ask me to provide a 'consent string' as described on https://blog.smartadserver.com/gdpr/gdpr-understanding-iab-europes-transparency-consent-framework/
Is there any way to get such a string from Cookiebot?
TIA,
I answer to myself: there is a forum post that address the issue I was asking for: https://support.cookiebot.com/hc/en-us/community/posts/360025082294-IAB-framework-consent-string-and-CookieBot
I really wish you would take the time to update your documentation. Even though you recently updated this page to address IAB version 2.0, your information about Google Tag Implementation is still outdated. (You now have 3rd party Cookiebot tags available in GTM, that when used, only require a checkbox next to IAB to be checked in order to implement the IAB functionality.)
Unfortunately, Brians article at https://support.cookiebot.com/hc/en-us/articles/360015693200-Your-Cookiebot-banner-when-using-the-IAB-TCF-v2-0-integration is closed for comments, so I add them here:
Now that Cookiebot is strictly enforcing the new banner template when IAB is enabled on a site, we expect to see a dramatic drop of cookie acceptance due to the now exposed "necessary only" button.
There are Publishers out there running CMPs with a much more "relaxed" template, especially without a "necessary cookies only" . This is our competition, and not having that button is a huge advantage the have over us.
I think that the Publisher should be in charage of what is displayed ... without IAB, we can (and do) use custom templates that might be seen controversial - but we do so at our own risk. The same should be possible if IAB is enabled ...
Ulrich, IAB is holding all TCF2 CMP's including Cookiebot responsible for compliance with TCF2 policies, not the individual publisher, which would seem more logical, as it is the publisher's property we are serving. If just a single site does not comply, IAB will block TCF2 for all sites across independent publishers using the same CMP. This is why we as a CMP have no choice to allow publishers to implement their own configuration.
That said, we are currently discussing with IAB whether removing the opt-out-button would comply with the TFC policy, if the consent banner at the same time provides non-preticked checkboxes along with the "Allow Selection" button, which is in fact a full opt-out and also increases general opt-in rates by about 20% in avarage.
As IAB is currently changing other parts of their policy, we will post an update soon when we have adapted those changes. In the meantime, IAB's recommendation is to report non-compliant competitors to framework@iabeurope.eu.
The article says:
"Please also make an attestation of compliance in a prominent location on your website, such as in a privacy policy".
When I follow the link from the article to the IAB TCF website, I find section 19.2 which says this about the notice in the privacy policy:
"This language must at a minimum include: [...] the IAB Europe assigned ID of the CMP that the publisher uses."
What is CookieBot's ID as assigned by IAB Europe?
After a lot of searching, I finally found what I believe is CookieBot's ID as assigned by IAB Europe: 134 (source). Please correct me if I'm wrong.
Following IAB Europe's rules, we as publishers should include text like this in our privacy policies (replace XYZ with the name of your organization):
XYZ participates in the IAB Europe Transparency & Consent Framework and complies with its specifications and policies. XYZ uses the Consent Management Platform with the identification number 134.
Martin, Cookiebot IAB TCF CMP id is 134. We have updated the article to make this clear, thank you.
I think the IAB Transparency and Consent Framework is a standardized means for online advertisers and marketers of communicating the state of user consent between first parties, third parties and the consent management system in use on the first party's website.
What is the IAB Framework, and how does it meet the requirements of the GDPR? What should you do when it comes to consent management and cookie?
What if we only want to configure a specific vendor whitelist and use default for the rest of the settings? Can we supoly the AllowedVendors key only, or do we have to add all keys/attributes?
Example: Will this work with our whitelist, and defaults for the other settings?
Regards
Ulrich
Ulrich, you only need to define the keys that should differ from the defaults, so your whitelist example is correct.
Please sign in to leave a comment.