What is the IAB Consent Framework and How To Enable it with Secure Privacy (registered IAB CMP)

What is the IAB?

The Interactive Advertising Bureau (IAB) was founded in 1996 in New York and is an organization that develops industry standards and provide legal support for the online advertising industry. The organization represents a large number of media outlets, primarily in the US and Europe.

IAB Europe is a subsidiary of IAB and is a coalition of 27 national IABs across Europe with more than 500 participating companies.

What is the IAB Europe Transparency and consent framework (TCF)

In March 2018, IAB Europe published an open-standard called the IAB Europe Transparency and Consent Framework (TCF) which enables websites, advertisers and their ad technology partners to obtain, record and update consumer consent for their personal data to be processed in line with the GDPR.

IAB Europe launched a version 2.0 in August 2019 of the IAB Europe Transparency and Consent Framework. IAB TCF 2.0 provides users, publishers and advertisers additional transparency and controls. Under TCF 2.0 a user can give and withhold consent as well as exercise their ‘right to object’ to data being processed on the basis of legitimate interests. It also enables greater transparency for the user, through more detailed and more easily understandable descriptions of the purposes of data processing.

Technical specifications around IAB TCF 2.0 can be accessed here.

What is the purpose of the IAB Transparency & Consent Framework?

The purpose of the IAB Framework is to create standardized cooperation between online publishersadvertisers, and tech companies supplying consent management when it comes to meeting GDPR requirements for transparency and user consent.

Stakeholders in the online advertising industry have participated to create the IAB framework. The framework enables the sharing of consent between first parties (e.g. publishers), third parties (e.g. advertisers), and the consent management solutions (e..g. Secure Privacy) in use on the first party’s website.

Within the framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).

How does the IAB Transparency & Consent Framework work?

IAB’s consent model is fundamentally different from the plugin/cookie blocking consent model used in Secure Privacy and other consent management solutions. In general, IAB’s model puts the control in the hands of advertisers and vendors by signaling the user’s consent to advertising vendors, whereas Secure Privacy can block non-consented vendors and thereby gives control to the publisher, who is liable for all tracking performed by third parties on the publisher’s website.

With this fundamental difference in the design, Secure Privacy introduces a new setting to enable IAB which updates your existing cookie banner and privacy center. The users have a choice to select IAB banners over Secure Privacy banners.

The cookie banners and privacy banners are fully in line with the recommendations of IAB. As a registered CMP, Secure Privacy has passed all the UI/UX and technical requirements of the IAB framework.

What are publishers, vendors and CMP’s in the IAB Framework, and what is the relation between them?

Publishers in the IAB Framework are digital media that publish content on the internet. In general, the publishers represent the first party: i.e. the website that the user has sought access to. In the digital advertising industry, publishers often are dependent on displaying third-party advertisements on their websites in order to monetize views. This usually is resolved by using an ad network that directs relevant ads to the users that are accessing the publishers’ content. In the context of the IAB Framework, ad networks and advertisers are called “vendors”.

Vendors in the IAB Framework are the third-party advertisers that the publisher has chosen to partner with. The vendors display third party content on the publishers’ website. They are the ones setting marketing cookies on the end user’s browser, in order to display relevant ads to potential customers.

Consent management providers (CMP) supply the technology that enables user consent for processing data on the publishers’ website. In the IAB Framework, they signal the end-users’ consent settings to the vendors operating on the current website.

As the framework is widely supported by the online advertising industry, Secure Privacy is registered with IAB as a consent management provider (CMP) and has adopted the framework as an alternative to the core cookie blocking framework of Secure Privacy.

How to enable the IAB Framework with Secure Privacy?

To enable the IAB Framework you need to navigate to Banners and then Settings. Go to the IAB Tab and click on the checkbox to enable the IAB. The IAB tab should look like this.

Enabling IAB from the Secure Privacy admin panel
Enabling IAB from the Secure Privacy admin panel

Once you enable IAB, the default cookie banners will be replaced and the IAB cookie consent banner will appear for users. The new cookie consent banner will look similar to the image displayed below when expanded.

 IAB Cookie Consent Banner when expanded
IAB Cookie Consent Banner when expanded

Similarly, your privacy center is also updated and will look similar to the image displayed below.

IAB Privacy Center
IAB Privacy Center

Things to note while enabling IAB.

a) Please note that Secure Privacy as an IAB registered CMP is under the obligation to work only with publishers that are in full compliance with the IAB Framework Policies. By enabling the IAB framework in Secure Privacy, you confirm to comply with these policies.

b) Enabling IAB will replace your cookie consent banner text, and remove the plugins and trackers found, Instead it will start showing Vendors, Purposes and Features.

c) Similar to the cookie consent banner, the privacy center will also be replaced with Vendors, Purposes, and Features.

d) Currently, the IAB banners are supported in the English language only.

e) Consent management is also modified to track the vendors and purposes.

How to become compliant with the IAB consent framework?

As a publisher participating in the Framework, you first select what vendors you want to cooperate with from the Global Vendor List in the IAB.

Then, you can partner up with a consent management provider (CMP), e.g. Secure Privacy. You may also operate without a CMP and take care of the consents yourself.

The framework is a step towards standardized compliance, but it does not guarantee compliance. The IAB framework merely signals the consent status to the vendors, but in reality, it is up to vendors and advertisers whether they choose to respect it.

For this, we recommend that you are careful when selecting your consent management provider (CMP) or handling it yourself.

Secure Privacy is one of the few CMP’s which fully meet the requirement of the IAB Transparency and Consent Framework.

If you decide to build your own solution, make sure to meet the following requirements in GDPR:

Informed information: What data is processed and for what purpose? It must be clear for the user, what the consent is being given to.

Based on a true choice: the user must not be coerced into accepting the cookies.

Affirmative: Given by means of affirmative and unambiguous action.

Notice: Notice is given before the initial data processing takes place.

Withdrawable. It must be as easy for the user to withdraw the consent again, as it was to give it in the first place.

To read the individual user’s current consent state on a website, ping the following command every 500ms until result.cmpLoaded equals true (when consent has been loaded or submitted) in the callback:

window.__cmp('ping', null, function(result) { console.log(result) });

To retrieve the BASE64-encoded consent string after that, execute the following command and read the value of result.consentData in the callback:
window.__cmp('getConsentData', null, function(result) { console.log(result) });