IAB USP Consent Framework – Cookiebot Support

About IAB’s USP Compliance Framework

IAB’s USP Compliance Framework is enabled by default when Cookiebot (uc.js) is loaded, contrary to IAB Europe's TCF framework. As such there's no need to set any special attributes to enable it.

If you wish to use the IAB USP Framework with Cookiebot, you'll need to sign IAB's Multi-State Privacy Agreement though.

IAB USP Compliance Framework has three main components to it:

An agreement that publishers (websites) must inform Californian consumers about their rights at the point of data collection, as well as offering a means of opting out.
This means:

Inform which categories of personal information is being collected
Request permission for disclosure to third parties of collected personal information
Allow deletion of collected information
Include a "Do Not Sell My Personal Information" link on their digital properties

An agreed-upon way for publishers to communicate to ad tech companies, that a Californian consumer has opted out of third-party data sales.

An agreed-upon way for tech companies to operate after a Californian resident has opted out of third-party data sales.

How does it work?

You can "ask" the __uspapi stub for consent information. The stub has three parameters:

__uspapi(Command, Version, Callback)

Argument Name	Type	Value
command	string	`'getUSPData'`
version	number	US Privacy spec version
callback	function	`function(uspData: uspdata, success: boolean)`

Here is an example on how to view the content of the uspData object:

__uspapi('getUSPData', 1 , (uspData, success) => { 
  if (success)
    console.log('cmp response: ', JSON.stringify(uspData));
});

uspData is a JSON with the following format:

{
  "version": 1,
  "uspString": "1YNY"
}

"version" is a number, indicating the US Privacy spec version, currently 1.
"uspString" is a string, built up as follows:

Character	Value	Explanation
1^st	1	US Privacy spec version
2^nd	Y / N	Explicit notice / Opportunity to opt out
3^rd	Y / N	User opted out of sale of personal information
4^th	Y / N	Publisher is a signatory to the IAB Limited Service Provider Agreement

For users where CCPA doesn't apply, the string's value will always be "1---".

The visitor's consent state must be established before querying __uspapi for a consent string. If a consent string is fetched before the Cookiebot script has established the visitor's consent state it will be assumed that CCPA applies. This ensures ads are not served without prior consent.
We recommend fetching the consent string after the CookiebotOnConsentReady event is dispatched by the Cookiebot script.

Here is an example of how this can be done:

window.addEventListener('CookiebotOnConsentReady', (e) => {
  __uspapi('getUSPData', 1 , (uspData, success) => { 
    if (success)
      console.log('cmp response: ', JSON.stringify(uspData));
  })
}, false);