Skip to main content

IAB USP Consent Framework

Richard van der Velde
  • Updated

 

About IAB’s USP Compliance Framework

IAB’s USP Compliance Framework is enabled by default when Cookiebot (uc.js) is loaded, contrary to IAB Europe's TCF framework. As such there's no need to set any special attributes to enable it.
If you wish to use the IAB USP Framework with Cookiebot, you'll need to sign IAB's Multi-State Privacy Agreement though.

IAB USP Compliance Framework has three main components to it:

  1. An agreement that publishers (websites) must inform Californian consumers about their rights at the point of data collection, as well as offering a means of opting out.
    This means:
  • Inform which categories of personal information is being collected
  • Request permission for disclosure to third parties of collected personal information
  • Allow deletion of collected information
  • Include a "Do Not Sell My Personal Information" link on their digital properties
  • An agreed-upon way for publishers to communicate to ad tech companies, that a Californian consumer has opted out of third-party data sales.
  • An agreed-upon way for tech companies to operate after a Californian resident has opted out of third-party data sales.

    • How does it work?

    You can "ask" the __uspapi stub for consent information. The stub has three parameters:

    __uspapi(Command, Version, Callback)

    Argument Name Type Value
    command string 'getUSPData'
    version number US Privacy spec version
    callback function function(uspData: uspdata, success: boolean)


    Here is an example on how to view the content of the uspData object:

    __uspapi('getUSPData', 1 , (uspData, success) => { 
      if (success)
        console.log('cmp response: ', JSON.stringify(uspData));
    });


    uspData is a JSON with the following format:

    {
      "version": 1,
      "uspString": "1YNY"
    }


    "version" is a number, indicating the US Privacy spec version, currently 1.
    "uspString" is a string, built up as follows:

    Character Value Explanation
    1st 1 US Privacy spec version
    2nd Y / N Explicit notice / Opportunity to opt out
    3rd Y / N User opted out of sale of personal information
    4th Y / N Publisher is a signatory to the IAB Limited Service Provider Agreement

    For users where CCPA doesn't apply, the string's value will always be "1---".

    The visitor's consent state must be established before querying __uspapi for a consent string. If a consent string is fetched before the Cookiebot script has established the visitor's consent state it will be assumed that CCPA applies. This ensures ads are not served without prior consent.
    We recommend fetching the consent string after the CookiebotOnConsentReady event is dispatched by the Cookiebot script.

    Here is an example of how this can be done:

    window.addEventListener('CookiebotOnConsentReady', (e) => {
      __uspapi('getUSPData', 1 , (uspData, success) => { 
        if (success)
          console.log('cmp response: ', JSON.stringify(uspData));
      })
    }, false);

    Comments

    0 comments

    Please sign in to leave a comment.