IAB Europe maintains the Transparency & Consent Framework (TCF) so you can send consent states to ads vendors, such as Google. Google’s integration with TCF allows you to use IAB TCF directly or work with a CMP that uses IAB TCF to pass consent signals to Google.
Developed by the IAB’s Tech Lab, the Global Privacy Platform (GPP) also provides a standardized framework for storing and passing user privacy consent preferences.
This article explains how to integrate with the TCF v2.2 and GPP in Campaign Manager 360, Search Ads 360, and Display & Video 360 for Floodlight as well as placement and tracking tags.
How it works
Campaign Manager 360, Search Ads 360, and Display & Video 360 can read and interpret the TCF Transparency and Consent (TC) string for ad serving, tracking, and conversion tracking tags. CMPs can create TCF strings based on user choices to send consent signals to Campaign Manager 360, Search Ads 360, or Display & Video 360.
Integration with TCF v2.2 means that Campaign Manager 360, Search Ads 360, and Display & Video 360 will have the ability to read the TC string. Your associated tags adjust their behavior based on the contents of the TC string.
Keep in mind the following:
- Google as a vendor accepts TC strings using the TCF v2.2. Google will continue accepting TCF v2.1 strings, but encourage CMPs to follow IAB guidance on implementation milestones as the industry moves over to TCF v2.2.
- Campaign Manager 360 and Search Ads 360 share the same set of Floodlight tags. User permissions received in Campaign Manager 360 are inherited by Search Ads 360. Learn more about how Floodlight tags are shared.
Campaign Manager 360 also supports the Global Privacy Platform (GPP) US National string including US States. IAB TCF will continue to be supported for GDPR compliance. TCF strings sent through the GPP will not be accepted. GPP support for IAB TCF is incoming at a future date.
Set up the Transparency Consent Framework and Global Privacy Platform
The primary mechanism for passing user consent data from either TCF or GPP to Google is through macros.
TCF and GPP macros
The IAB's TCF and GPP standards support the use of macros in creative tags to:
- Indicate where in the URL user consent strings should be inserted and sent onwards.
- Identify which vendors are present.
Advertisers who wish to integrate with either standard should work with their partners to ensure they properly support the following macros. These are supported on all Campaign Manager 360 tags and are inserted by default during trafficking.
TCF macros (specification):
gdpr_consent=${GDPR_CONSENT_xxxxx}: The macro to receive the consent parameter, where xxxxx is the global vendor list ID (GVL ID) of the vendor that is receiving the TC strings.gdpr=${GDPR}: The macro to receive the GDPR status, where1indicates that GDPR applies and0indicates that it does not. This macro enables TCF treatment and must be sent together withgdpr_consent=${GDPR_CONSENT_xxxxx}. Ifgdpr=1butgdpr_consent=${GDPR_CONSENT_xxxxx}is unset or missing, an ad may not be served or measured.addtl_consent=${ADDTL_CONSENT}: The macro to support vendors that are not on the IAB GVL, but on Google's Ad Tech Provider controls, whereADDTL_CONSENTis a dot-separated list of user-consented Google Ad Tech Provider (ATP) IDs. Learn more about Google’s Additional Consent technical specification.
GPP macros (specification):
gpp=${GPP_STRING_xxxxx}: The macro to receive the GPP string, wherexxxxxis the global vendor list ID (GVL ID) of the vendor that is receiving the string.gpp_sid=${GPP_SID}: As the GPP string may encode user preferences for multiple jurisdictions, this field indicates to the callee which section of the string is considered "in force" by the caller.
TCF and GPP JavaScript APIs
For Campaign Manager 360 display ads (INS tags), the tag code can collect TCF or GPP consent data through their respective APIs if the CMP has made them available. This will happen automatically in the case that either API is available, and the TCF/GPP macros on the tag have not been filled.
Pass TCF signals to vendors
The TCF signals may also be passed to other vendors that may be included in your creatives or event tags. These signals may control which creatives are eligible to serve based on permissions the user has provided for vendors who are present in the creative and the application of Google’s policies. The TC string also allows users to opt out of being served personalized ads and from being added to audience lists.
Each vendor receiving the TC string has a unique global vendor list ID. For third-party ad tags and tracking pixels, advertisers will need to manually add their vendors’ GVL ID along with the new macro to their tags if they choose to adopt TCF. Campaign Manager 360, Search Ads 360, and Display & Video 360 will then replace the macro with the TC string so the vendor complies with the user’s preference and continues to pass the TCF user permission details.
Example
http://vendor-a.com/?key1=val1&key2=val2&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT_xxxxx}
Note: Macros implemented within raw creative assets such as HTML5 files and rich media creatives are not supported. If advertisers use these formats and would like to pass the TC string into their third-party calls made from the creative, they should include their own JavaScript code to check for a CMP and access the TCF API themselves.
In Campaign Manager 360, vendor macros are supported for the following:
- Event tags
- Floodlight dynamic tags
- Creative redirects
- Custom creatives
- Online behavioral advertising (OBA) links
- INS tags
In Display & Video 360, vendor macros are supported for all creative types and fields where macros are generally supported.
Tag integration
Campaign Manager 360, Search Ads 360, and Display & Video 360 tags will support the passing of user permissions for advertisers who have implemented an IAB TCF registered CMP on their site.
Floodlight tags
Campaign Manager 360, Search Ads 360, and Display & Video 360 all use Floodlight tags for measuring conversions. Depending on how the advertiser’s Floodlight tags are implemented, they will need to do the following if they choose to adopt TCF:
- Legacy Floodlight tags (not implemented using the Google tag): Advertisers should add the new macro to all existing Floodlight tags on their site. Alternatively, they can re-download the Floodlight tags which will automatically include the new macro.
- Floodlight tags (implemented using the Google tag or Google Tag Manager): Advertisers can expect these tags to integrate with the TCF API and should follow the instructions of their CMP to ensure their tags are integrated correctly. Advertisers using the Google tag or Google Tag Manager can enable TCF support by adding the following line of JavaScript to the global header portion of the tag:
window ['gtag_enable_tcf_support'] = true;Example
<script>window ['gtag_enable_tcf_support'] = true;</script><!-- Google tag (gtag.js) --><script async src="https://googletagmanager.com/gtag/js?id=FL-CONFIG_ID"></script><script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}gtag('js', new Date());gtag('config','FL-CONFIG_ID');</script>
Placement and tracking tags for TCF and GPP
Only Campaign Manager 360 and Display & Video 360 use placement and tracking tags.
For placement and tracking tags, the publisher’s CMP is responsible for sending the user consent data from TCF and GPP.
-
Display & Video 360: When a tag is executed (or, “fired”) on a publisher’s site, the CMP will first send the TCF or GPP user consent details to the ad exchange and then to Display & Video 360. Display & Video 360 then replaces the macro in the tag with the TCF or GPP string while Campaign Manager 360 serves the creative on the publisher’s site..
-
Campaign Manager 360: The CMP will pass the TCF or GPP strings directly to Campaign Manager 360 placement tags if the TCF or GPP macros are present. Alternatively, INS tags can collect these strings automatically through the TCF or GPP APIs.
To ensure TCF or GPP coverage for their tags, advertisers should ensure the appropriate macros are present on their Campaign Manager 360 tags when trafficked. These can be added manually, but will be inserted automatically when the "Include TCF” or “Include GPP macros" option is checked:
<IMG SRC="https://ad.doubleclick.net/ddm/trackimp/N7480.3387844TESTING/B24889003.371904955;dc_trk_aid=562881136;dc_trk_cid=195466355;kw=matata;k2=v2;ord=[timestamp];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};gpp=${GPP_STRING_755};gpp_sid=${GPP_SID};ltd=;dc_tdv=1?" attributionsrc BORDER="0" HEIGHT="1" WIDTH="1" ALT="Advertisement">Example - INS tag:
<ins class='dcmads'
style='display:inline-block;width:300px;height:250px'
data-dcm-placement='N7480.1664088DOUBLECLICK.NETTEST/B8299600.114131924'
data-dcm-rendering-mode='script'
data-dcm-gdpr-applies=’gdpr=${GDPR}’
data-dcm-gdpr-consent='gdpr_consent=${GDPR_CONSENT_755}'
data-dcm-addtl-consent=’addtl_consent=${ADDTL_CONSENT}’
data-dcm-gpp='gpp=${GPP_STRING_755}'
data-dcm-gpp-sid='gpp_sid=${GPP_SID}'
data-dcm-click-tracker='${CLICK_URL}'>
<script src='https://googletagservices.com/dcm/dcmads.js'></script>
</ins>
Product behavior with the TCF
Purposes
The TCF organizes data processing using "Purposes", each of which has a corresponding legal basis of Consent or Legitimate Interest. Campaign Manager 360, Display & Video 360, and Search Ads 360 tags will handle requests that contain the consent string in the following ways (where relevant):
| Purpose | Google's registered legal basis | Description | Impact if missing |
|---|---|---|---|
| 1 | Consent | Store and/or access information on a device |
Cookies will not be created or used for measurement or personalization. Unconsented users will not be added to remarketing lists, and attribution reports may be more limited. Google services won't receive user-level advertising data. Manage data use across Google services in your Google Tag settings. |
| 2 | Flexible - default to Legitimate Interest* | Select basic ads | This purpose is required for all events that serve ads. If this purpose is not present, the ad may not be served. |
| 3 and 4 | Consent | Create and use personalized ads profile | Events are not eligible for ads personalization, and are not used for remarketing lists. Users already added to audience lists are unaffected. |
| 7 | Flexible - default to Legitimate Interest* | Measure ad performance |
This purpose is required for all events. If this purpose is not present, the event may not be recorded. Google services won't receive user-level advertising data. Manage data use across Google services in your Google Tag settings. |
| 9 | Flexible - default to Legitimate Interest* | Apply market research to generate audience insights | This purpose is required for all events. If this purpose is not present, the event may not be recorded. |
| 10 | Flexible - default to Legitimate Interest* | Develop and improve products | This purpose is required for all events. If this purpose is not present, the event may not be recorded. |
| SP1 | Legitimate Interest | Ensure security, prevent fraud, and debug | This purpose is always present and available within the TCF. |
| SP2 | Legitimate Interest | Technically deliver ads or content | This purpose is always present and available within the TCF. |
* Google is flexibly registered for TCF purposes 2, 7, 9, and 10 and defaults to legitimate interest. Unless a publisher configures their CMP to restrict Google to consent for these purposes, Google will rely on legitimate interest where the CMP has established it with the user. Google is not flexibly registered for purposes 1, 3, and 4 and always requires consent for these purposes.
The remaining TCF purposes are not used by Campaign Manager 360, Display and Video 360, and Search Ads 360 tags, but may be used by other Google products.
Considerations
- Google interprets gdpr=1 as signaling that TCF applies to an event. When the
gdpr=parameter is set to 1 and thegdpr_consent=parameter is present in a Campaign Manager 360 placement tag,gdpr_consent=must contain a valid TC string. If it does not, an ad may not be served or measured. - If the TC string indicates that Google does not have purpose 1 consent for the request, replace
ad.doubleclick.netwithpagead2.googlesyndication.comin your tags. This applies to standard tags, iframe/JavaScript tags (excluding INS tags), pre-fetch tags (including video), tracking ad tags, and click tracker tags. - Unlike the above, Invalid
addtl_consentvalues currently do not prevent ad serving. - Google's policies also apply to TCF macros embedded in creatives that link to other vendors. If these macros are invalid, the creative will not be served if Google believes the TCF applies (i.e. the impression is called with
gdpr=1). In this case, other eligible creative or the default creative will be served.
Product Behavior with the GPP
US National
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Sharing of the Consumer's Personal Information.
- User opted out of Processing the Consumer's Personal Data for Targeted Advertising.
Google only reads the above fields of the US National string
California
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Sharing of the Consumer's Personal Information.
Google only reads the above fields of the US States string for California.
Colorado, Connecticut, Virginia
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Processing the Consumer's Personal Data for Targeted Advertising.
Google only reads the above fields of the US States string for Virginia, Connecticut, Colorado.
Florida
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Processing the Consumer's Personal Data for Targeted Advertising.
Google only reads the above fields of the US States string for Florida.
Consent Signals for Minors using the GPP
US National
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.
Requests will trigger restricted data processing (RDP) if any the following criteria are met:
- No consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16.
California
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Sell the Personal Information of Consumers Less Than 16 years of Age.
- Consent or no consent to Share the Personal Information of Consumers Less Than 16 years of Age.
Colorado and Virginia
Requests will be marked for child-directed treatment (TFCD) if the following criteria are met:
- Consent or no consent to Process Sensitive Data from a Known Child.
Connecticut
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Consent to Process Sensitive Data from a Known Child.
Requests will trigger restricted data processing (RDP) if any the following criteria are met:
- No consent to Sell the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age.
- No consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age for Purposes of Targeted Advertising.
Florida
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.
Requests will trigger restricted data processing (RDP) if any the following criteria are met:
- No consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age.
- No consent to Process the Personal Data of Consumers At Least 16 Years of Age but Younger Than 18 Years of Age for Purposes of Targeted Advertising.
Note: Google Tag Manager and the Google tag only accept TCF strings that are correctly implemented according to the TCF policies and technical specifications, and adhere to Google’s EU User Consent Policy. If your CMP doesn’t respond within 500 milliseconds or you see “error”, “stub”, or “loading” status, the tag will proceed in a restricted mode:
- Writing and reading of Ads first party and third party conversion cookies will be restricted
- Google Analytics advertising features are integrated with IAB TCF v2 and will treat those requests as if they came in with all Purposes denied, the effects of which are outlined in the table above.
- Remarketing features will be disabled.
Troubleshooting error messages
If your CMP doesn’t respond within 500 milliseconds or you see “error”, “stub”, or “loading” status, the tag will proceed in a restricted mode. To fix that:
If you are manually invoking the function to fire a conversion tag:
- Make sure the response to
getTCData TCData.eventStatus = 'tcloaded'OR'cmpuishown' + 'useractioncomplete'is sent within 500 milliseconds. These indicate the CMP is ready to provide the user with a choice regarding consent.
If you are not manually invoking the function to submit a conversion tag:
- Work with your CMP to ensure they implement support for
getTCData and return TCData.eventStatus = 'tcloaded'OR'cmpuishown' + 'useractioncomplete'to indicate the user consent is ready for use through the API within 500 milliseconds.
Frequently asked questions
What do I do if a publisher won't accept a tag with the TCF parameters included?
gdpr=;gdpr_consent=${gdpr_consent_755}data-dcm-gdpr-consent='gdpr_consent=${gdpr_consent_755}'
data-dcm-gdpr-applies='gdpr=${gdpr}'