March 16, 2020

IAB TCF 2.0: How to become Compliant with Secure Privacy

Consent Management Providers (CMPs) are expected to offer a user interface to guarantee transparency, obtain consent, and register objections from users in IAB Europe’s TCF 2.0.

Therefore, the CMP API of the Interactive Advertising Bureau’s TCF 2.0 offers a standardized way for participants, such as the hosting publisher or an advertising vendor, to access the preferences that are overseen by the CMP.

What is the Interactive Advertising Bureau’s TCF?

Primarily, IAB Europe’s Transparency and Consent Framework is a GDPR-compliant set of technical specifications and policies that establish a setting where website publishers can inform users of the type of data being collected from them and how they plan to use this information together with their third-party partners.

For this reason, the IAB TCF provides the publishing and advertising industry with a harmonized platform on which to demonstrate user consent in the delivery of appropriate digital promotions and content. 

Who is the IAB TCF Designed For?

The primary objective of IAB Europe’s Transparency and Consent Framework is to help actors in the digital advertising chain guarantee that they can be ePrivacy Directive and GDPR compliant. 

The need to comply with these EU data protection regulations is connected to how advertisers handle personal data, or access and/or keep information on a consumer’s device, such as cookies, advertising and device identifiers, among other tracking technologies.

Who are the Main Participants in the IAB Europe Transparency and Consent Framework?

As already highlighted, the purpose of the collaboration between IAB Europe and IAB Tech Lab to establish the transparency and consent framework is to facilitate harmonized engagements among:

  • Advertisers (Vendors)
  • Digital publishers 
  • Consent Management Platforms (CMPs)


Advertisers (Vendors)

In the ad tech sector, vendors are described as third-party promoters that operate in partnership with publishers. Primarily, advertisers showcase third-party content on the publisher’s webpage.

Consequently, vendors are responsible for the placement of tracking technologies such as cookies on users’ browsers to facilitate the showcase of appropriate ads to target consumers. 

Digital Publishers

Within the Interactive Advertising Bureau’s transparency and consent framework, publishers are identified as media channels that host digital content. Primarily, these are the platforms to which consumers seek access. 

For this reason, publishers rely on showcasing third party content, which may be in the form of either a video ad or a blog, for example, to monetize the volume of traffic seeking access to their platform.

In most cases, the monetization of views from content such as video advertising is handled through ad networks that employ real-time bidding to position ads strategically, to ensure that the relevant audience is reached.

Consent Management Providers

The ad tech industry is not exempt from GDPR and ePrivacy Directive data protection requirements in relation to transparency and user consent. This is where the role of CMPs is vital in the IAB Europe Transparency and Consent Framework. 

Essentially, Consent Management Providers provide the technical solutions that oversee user consent for the processing of consumer data on the publisher’s website.

In the process, they ensure you are ePrivacy Directive and GDPR compliant by signaling the consumers’ consent preferences to advertisers on the website being accessed.

IAB 2.0

In August 2019, IAB Europe together with IAB Tech Lab revealed that they were testing the second version of the Transparency and Consent Framework.

While the IAB Tech Lab handled the technical specifications of the new version, the TCF Steering Group was responsible for the development of the new policy. The members of the Steering Group included 10 National IABs, media owners, and technology providers, among other stakeholders in the publishing and advertising industries.

IAB 2.0 aims to empower consumers to exercise the right to object to the processing of their data, as well as their freedom to provide or deny consent for this purpose.

Furthermore, it also allows consumers to enjoy more authority regarding whether and how vendors may utilize specific aspects of data processing such as the application of accurate geolocation.

On the other hand, IAB Europe 2.0 will benefit publishers through increased control and adaptability in relation to how they integrate and partner with technology partners.

Essentially, this iteration of the Interactive Advertising Bureau’s Transparency and Consent Framework comes with new publisher functionality that makes it possible to limit the purposes for which personal data is processed by vendors on a publisher’s webpage.

IAB 2.0 Implementation Guidelines

Publisher Guidelines

Publisher Controls and the Status of PubVendor

Initially, IAB Europe together with IAB Tech Lab created Pubvendors.json to allow publishers to exercise control over their engagements with advertisers and data purposes. However, this solution was deemed to be both inadequate and error-prone.

In the IAB Transparency and Consent Framework 2.0, Pubvendors.json is replaced: one part of the data held in the TC string allows publishers to set limits on their vendor relationships, and another segment defines the vendor engagements through a list of permitted advertisers.

The Global Vendor List

The updated version of the Interactive Advertising Bureau’s Transparency and Consent Framework requires publishers to alert their partners regarding the need to register on the Global Vendor List (GVL) if they are not members already. 

Withdrawal of Consent

Due to data protection requirements, advertisers must support consent withdrawal through the provision of a mechanism for users to exercise this option since consent is usually transferred from a publisher or CMP to partners and vendors. 

The method used for withdrawing consent may be as straightforward as obtaining GDPR consent for every consumer interaction with an ad unit. Alternatively, it may involve the provision of an option by GDPR publishers that allows users to withdraw consent later. 

All in all, IAB compliance requirements for obtaining valid GDPR consent stipulate that the UI for collection or withdrawal of a user’s approval to the use of different types of cookies should be the same. 

Vendor Guidelines (DSPs, Agencies, DMPs)

When it comes to advertisers and other participants in the digital advertising ecosystem that are listed on the Global Vendor List, IAB Europe and IAB Tech Lab outlined three core guidelines for evaluating IAB TCF compliant consent. 


  • Vendors must be registered to access and process consumer data in compliance with the Transparency and Consent Framework. Similarly, storing information on a user’s device in an IAB-compliant way requires listing as a vendor.
  • Vendors, irrespective of their ad formats, must check consent when handling sensitive data from consumers living in countries within the European Economic Area.
  • Participants in the adtech industry must identify traffic that requires compliance with GDPR and the privacy preferences of the data owners.

Agency Guidelines

Apart from the vendor guidelines, IAB 2.0 outlines the following guidelines for agencies operating in the ad industry:

If you are an agency that handles sensitive data from consumers, you need to register as a vendor in the Global Vendor List. 

Know the competence of your DSP partners such that you only handle user information when you have a legal basis to process it.

DSP Guidelines

Similar to agencies, DSPs also need to consider extra implementation guidelines to meet the IAB standard, apart from the ones covering all participants in the digital advertising ecosystem. Essentially, for DSPs:

  • If you process personal data, registration as a vendor in the Global Vendor List is a necessity.
  • A mechanism to support the ingestion of transparency and consent signals on Open Real Time Bidding (RTB) requests is required.
  • A decision concerning how to address bidding based on the signals is obligatory to ensure that the handling of sensitive data from consumers only takes place under a legal basis.

DMP Guidelines

In this context, a DMP is any enterprise software that can be utilized by publishers, advertisers, marketers, and third-party vendors to centralize advertising data linked to pseudonymous identities. 

To capitalize on the IAB TCF, DMPs need to get listed on the Global Vendor List. 

What is a CMP under the IAB 1.0 and IAB 2.0 Frameworks?

Primarily, Consent Management Providers (CMPs) offer the technical solutions that manage user consent for processing information on the publishers’ websites.

Under the IAB Transparency and Consent Framework, CMPs signal the end user’s consent settings to the vendors operating on the current website. The signals in question are bundled in a predetermined and easily transferable payload referred to as a TC string.

Therefore, the CMP API provides a standardized way for either publishers or advertisers to access the preferences overseen by the Consent Management Provider.

With the help of the API, scripts may access the TC String payload and the data it holds, which is in a ready to use format. This aspect eliminates the need to decipher the payload format and speeds up the ad servers’ decisions based on the returned information.

Additionally, CMPs may offer proprietary platforms for specialized features or functions. In this context, it is important to note that IAB Europe Transparency and Consent Framework policies outline the design and management of a proprietary interface.

Why Did IAB Europe Update TCF 1.0 to 2.0?

Essentially, effective management of technical systems over time needs continuous consultation with both users and the wider pool of stakeholders operating in the industry in question.

In IAB Europe’s context, the primary stakeholders comprise publishers, advertisers, media agencies, technology providers such as Google, and Data Protection Authorities (DPAs).

Therefore, the incoming transition from IAB’s TCF 1.0 to 2.0 is based on feedback from regulators and publishers in this industry focused on improving the ad serving ecosystem to better serve the community.

Primarily, IAB’s Transparency and Consent Framework 2.0 is geared towards guaranteeing consumers improved transparency and choice while offering more control to publishers and advertisers at the same time.

What does the TCF Provide for CMPs?

Typically, IAB’s TCF 1.0:

  • Offers the technical guidelines that enable CMPs to capture, store and signal consent in an industry-standardized way
  • Allows CMPs to get global consents gained by other publishers and CMPs
  • Captures which vendors are operating in the TCF and the purposes that they wish to process personal data for so that the user interface can be updated and users informed as is appropriate
  • Alerts CMPs when vendors use legitimate interest or consent as a legal basis for processing personal data for a given purpose so that users can be informed as necessary

What does IAB TCF 2.0 Mean for CMPs?

IAB 2.0 offers improved degrees of transparency and control across the entire advertising supply chain to augment a more streamlined and open user experience.

Essentially, it supports the wider interests of this industry through clear signaling of whether transparency has been extended to consumers regarding the processing of their information under the legitimate interest legal basis, and whether the user has rejected such processing.

Similarly, it supports the industry by accommodating the consent legal basis for processing personal information.

For this reason, under IAB 2.0 users can either give or withhold their consent, in addition to exercising their right to object to the processing of their information under a legitimate interest basis.

Additionally, IAB TCF 2.0:

  • Facilitates better transparency for the consumer via more comprehensive explanations of the purposes of data processing
  • Allows publishers to impose more limitations on both the purpose and legal bases upon which a vendor can process data collected on their digital property. This aspect allows for enhanced customization of vendor operations.
  • Enables vendors to process under legitimate interest if they are not limited by the publisher, or objected to by the user

How Do I Get GDPR Compliant Cookie Consent in IAB 2.0?

Secure Privacy is one of the few registered CMPs that has updated its solution to meet the GDPR and ePrivacy Directive requirements of IAB Europe’s TCF 2.0.

As the framework is widely supported by the digital ad tech industry, we have adopted the framework as an alternative to the core cookie blocking framework of Secure Privacy to ensure a smooth transition from IAB’s TCF 1.0 to TCF 2.0.

Our solution meets the following ePrivacy Directive and GDPR compliance requirements that are consistent with IAB 2.0’s obligations:

  • User Notification

As your CMP, Secure Privacy ensures that consumers are aware of what data is processed and for what purpose, such that they know what they are giving their consent to.

  • Express Action

Our solution ensures that consumers give consent to the use of cookies based on true choice as opposed to being coerced into accepting their deployment.

  • Affirmative Consent

Using Secure Privacy as your CMP for IAB Europe Transparency and Consent Framework 2.0 also ensures that cookie consent is provided through affirmative and unambiguous action in accordance with GDPR and ePrivacy Directive compliance requirements.

  • Notice

Our solution also ensures that an alert is communicated to users before the initial data processing occurs.

  • Ability to Withdraw Consent

According to the GDPR, consumers should be allowed to withdraw consent easily. Secure Privacy ensures that users can withdraw consent as easily as they gave it.

How does the IAB Transparency and Consent Framework Work?

IAB’s consent model is fundamentally different from the plugin/cookie blocking consent model used in Secure Privacy and other consent management solutions. 

In general, IAB’s model puts control in the hands of advertisers and vendors by signaling the user’s consent to advertising vendors. 

However, Secure Privacy can block non-consented vendors and thereby gives control to the publisher, who is liable to ensure data protection for all tracking performed by third parties on the publisher’s website.

With this fundamental difference in the design, Secure Privacy introduces a new setting to enable Interactive Advertising Bureau (IAB) Europe which updates your existing cookie banner and privacy center. The users have a choice to select IAB banners over Secure Privacy banners.

The cookie banners and privacy banners are fully IAB compliant, meaning that, as a registered CMP, Secure Privacy has passed all the UI/UX and technical requirements of the IAB framework.

How to Enable the IAB 2.0 Transparency and Consent Framework with Secure Privacy

To enable the IAB Consent Framework you need to navigate to Banners and then Settings. Go to the IAB Tab and click on the checkbox to enable the IAB. The IAB tab should look like this.


Once you enable IAB, the default cookie banners will be replaced and the IAB cookie consent banner will appear for users. The new cookie consent banner will look similar to the image displayed below when expanded.


Similarly, your privacy center is also updated and will look similar to the image displayed below.


Some of the key points you need to take into account in this context include:

a) Please note that Secure Privacy as a registered IAB CMP is under the obligation to work only with publishers that are fully IAB compliant.

By enabling the IAB framework in Secure Privacy, you confirm that you comply with these policies.

b) Enabling IAB TCF will replace your cookie consent banner text and remove the plugins and trackers found. Instead, it will start showing Vendors, Purposes and Features.

c) Similar to the cookie consent banner, the privacy center will also be replaced with Vendors, Purposes, and Features.

d) Currently, the Interactive Advertising Bureau’s (IAB Europe) banners are supported in the English language only.

e) Consent management is also modified to track the advertisers and purposes.

How to read the consent details as a vendor (for developers)

To read the individual user’s current consent state on a website, ping the following command every 500ms until result.cmpLoaded equals true (when consent has been loaded or submitted) in the callback:

window.__cmp('ping', null, function(result) { console.log(result) });

To retrieve the BASE64-encoded consent string after that, execute the following command and read the value of result.consentData in the callback:

window.__cmp('getConsentData', null, function(result) { console.log(result) });
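
The two steps above combined into one helper, as an added example (not Secure Privacy's code). Only `__cmp`, `ping`, `cmpLoaded`, `getConsentData` and `consentData` come from this page; the function names, the timeout, the status values and the stub CMP are assumptions made for illustration. A vendor script should treat every status other than `ok` as "no consent obtained".

```javascript
// Added example. Polls 'ping' until cmpLoaded is true, then reads consentData.
// intervalMs/timeoutMs and the status values are assumptions of this sketch.
function waitForConsent(cmp, { intervalMs = 500, timeoutMs = 10000 } = {}) {
  return new Promise((resolve) => {
    // No CMP present: report "no signal" so the caller treats it as no consent.
    if (typeof cmp !== 'function') {
      resolve({ status: 'no-cmp', consentData: null });
      return;
    }
    let done = false;
    const finish = (value) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      resolve(value);
    };
    // Hard stop: also covers a CMP whose callbacks never fire.
    const timer = setTimeout(
      () => finish({ status: 'timeout', consentData: null }), timeoutMs);
    const poll = () => {
      if (done) return;
      cmp('ping', null, (result) => {
        if (!result || result.cmpLoaded !== true) {
          setTimeout(poll, intervalMs); // not loaded yet, ask again later
          return;
        }
        cmp('getConsentData', null, (data) => {
          const value = (data && data.consentData) || null;
          finish(value
            ? { status: 'ok', consentData: value }
            : { status: 'no-consent-string', consentData: null });
        });
      });
    };
    poll();
  });
}
// Constructed stand-in for window.__cmp so the example runs outside a browser:
// it reports cmpLoaded only from the Nth ping onward.
function makeStubCmp(pingsUntilLoaded, consentData) {
  let pings = 0;
  return (command, _param, callback) => {
    if (command === 'ping') {
      pings += 1;
      callback({ cmpLoaded: pings >= pingsUntilLoaded });
    } else if (command === 'getConsentData') {
      callback({ consentData });
    }
  };
}

// In a browser, pass window.__cmp instead of the stub.
waitForConsent(makeStubCmp(3, 'CONSTRUCTED_CONSENT_STRING'), { intervalMs: 10 })
  .then((r) => console.log(r.status, r.consentData));
```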

In case you have additional concerns or queries regarding IAB TCF 2.0, and how to integrate Secure Privacy as your preferred CMP, book a call with us today and get personalized support from a data privacy expert.
