Buyer integration with the IAB Europe TCF

Google supports the IAB Europe TCF across Ad Manager, AdMob, and AdSense. For real-time bidding (RTB) buyers, including Authorized Buyers, Open Bidding partners, and SDK Bidders, this integration has implications on their eligibility to receive bid requests, win auctions, and receive responses for a cookie match request.

Who is impacted?

All Authorized Buyers, Open Bidding partners, and SDK Bidders independently of whether they have registered with the IAB Europe TCF, will be impacted by this integration.

Background

Google’s interoperability guidance intends to reflect Google's existing policy requirements, in particular the requirements of Google's EU User Consent policy and our policies against fingerprinting for identification (for example, those contained in our Requirements for Third-party Ad Serving). Google’s policies continue to apply and are more restrictive than IAB Europe TCF in some cases.

The implementation of IAB Europe TCF contains a variety of complex scenarios which may present themselves depending on the following:

How the vendor registered with IAB Europe TCF
Publisher settings
User consent

Flexible registration

If a vendor chooses to register flexibly for “Consent or legitimate interest as a legal basis (Default consent)” or “Consent or legitimate interest as a legal basis (default legitimate interest)”, then the publisher will have the following options regarding the treatment of that vendor:

Respect the default
Specify that “consent” is required
Specify that “legitimate interest” is required

Regardless of how a vendor chooses to register or the publisher’s choices on how to treat that registration, Google requires that all vendors obtain consent as the only valid legal basis for specific purposes (described further below). Please keep this in mind when reviewing the section on bid response Eligibility.

Unknown domains

Google scans for policy and consent approvals at the domain level in ad creatives. Without domain information, Google cannot confirm consent is present and we may block creatives containing “unknown” domains or unrecognized vendors who don’t appear on Google’s Ad technology providers list for the EEA or UK.

Ad technology providers can register with Google or request updates and new domains and subdomains be added to their existing registration using the Certification process guide.

Integration details

For publishers who integrate with IAB Europe TCF, we will begin reading and passing the TC string for all ad requests. Google will consume the TC string passed on the ad request and parse it to determine for which use cases and for which partners an appropriate legal basis for processing personal data exists. To be eligible to receive bid requests, win auctions, or use a cookie matching service, vendors who are registering for the IAB Europe TCF will need to make sure they obtain consent or have legitimate interest for the relevant purposes as described in the relevant section for each use case below.

Bidders and exchanges, whether or not they themselves have registered for IAB Europe TCF, must also consume, parse, and correctly apply the user consent preferences communicated in the TC string to determine how to appropriately respond to bid requests and when to use the Cookie Matching Service.

Impact on bid request eligibility

In order for bidders who have registered for IAB Europe TCF to be eligible to receive bid requests, the following conditions must be met:

Your IAB Global Vendor List ID, once you’ve registered for IAB Europe TCF provided via this form.

Personalized requests

Buyer type	Criteria (all criteria must be met in a given scenario)
Authorized Buyers, Open Bidding Networks, SDK Bidders	Registered for all of purposes 1, 3, and 4 with “Consent” as the legal basis User consented for purposes 1, 3, and 4
Open Bidding Exchanges	Registered for purpose 1 with “Consent” as the legal basis Registered for purposes 3 and 4 with “Consent”, or “Not used” User consented for purpose 1 (and purposes 3 and 4 if exchange has registered with “Consent” as the legal basis”)

Non-personalized requests

Buyer type	Criteria (all criteria must be met in a given scenario)
Authorized Buyers, Open Bidding Networks, SDK Bidders	Registered for purpose 1 with “Consent” as the legal basis Registered for purpose 2 with “Consent” or “Legitimate interest” as the legal basis User consented for purpose 1, and granted consent or legitimate interest for purpose 2
Open Bidding Exchanges	Registered for purpose 1 with “Consent” as the legal basis Registered for purpose 2 with “Consent”, “Legitimate interest” or “Not used” as the legal basis User consented for purpose 1, (and granted consent or legitimate interest for purpose 2 if exchange has registered with “Consent” or “Legitimate interest”)

Limited requests

Buyer type	Criteria (all criteria must be met in a given scenario)
Authorized Buyers, Open Bidding Networks, SDK Bidders	Registered for purpose 2 with “Consent” or “Legitimate interest” as the legal basis User granted consent or legitimate interest for purpose 2
Open Bidding Exchanges	Registered for purpose 2 with “Consent”, “Legitimate interest” or “Not used” as the legal basis If exchange has registered with “Consent” or “Legitimate interest”; user granted consent or legitimate interest for purpose 2 If exchange has registered with “Not used” as the legal basis; buyer has at least one valid legal basis

In addition to the above criteria, if the following condition is true, then a buyer will not be eligible to receive bid requests:

Buyer type	Condition
Authorized Buyer or Open Bidding (Exchanges & Networks), SDK Bidders	Registered for Special Feature 2 (“Actively scan device characteristics for identification”) AND the user gives consent for Special Feature 2 (see note below*)

¹ For additional information on Purposes, refer to IAB Europe Transparency & Consent Framework Policies.

^* Note: If the buyer has registered for Special Feature 2 and the user does not give consent for Special Feature 2, this does not prevent the buyer from being eligible to receive a bid request (assuming all other eligibility conditions need to be met). This is true on the basis that use of active fingerprinting, which is prohibited by our policies (except in the context of Special Purpose 1 - Ensure security, prevent fraud, and debug), would not be authorized by the TC string.

Impact on bid response (that is, creatives and vendor pixels returned in the bid response)

Ad Manager will pass the TC string in the bid request only to bidders who meet the criteria above.
When determining which vendors are allowed to process a user's personal data, buyers must respect the user's choices, as expressed in the TC string, and comply with both the applicable Google policies and the TCF policy. This includes when buyers determine which ad creative(s) to return.
Open Bidding Exchanges must pass the TC string to their eligible bidders. They must also make sure that the creatives returned by those bidders do not contain vendors who do not comply with Google’s policy requirements and IAB Europe TCF integration guidance.

To help bidders comply with user consent preferences, the following fields will be used to communicate the IAB’s TC string on the bid request:

User.ext.consent for OpenRTB per the IAB standard (more on this below);
AdSlot.ConsentedProvidersSettings.tcf_consent_string for the Google protocol / AdX protocol

We will continue to use our existing fields to indicate whether GDPR applies.

In order for a creative to be eligible to serve, all vendors must have at least one legal basis in the TC string.

Note: if the vendor is registered for Actively scan device characteristics for identification (Special Feature 2), any creatives with that vendor will only be eligible to serve if the user has not opted-in to Special Feature 2.

Impact on cookie match eligibility

Google will support both &gdpr and &gdpr_consent parameters to pass TCF consent information for both in-bound and out-bound cookie sync requests. (These parameters are optional).

If the &gdpr and &gdpr_consent parameters are present in a cookie match request, Google will sync cookie with third-party vendors request if all of the following criteria are met:

Google has consent to:
- Store and/or access information on a device (Purpose 1);
- Create a personalized ads profile (Purpose 3); and,
- Select personalized ads (Purpose 4)
Legitimate interest is established for Google to:
- Select basic ads (Purpose 2);
- Measure ad performance (Purpose 7); and,
- Develop and improve products (Purpose 10)
The vendor must register for purpose 1 under “consent” and AND the user must have granted consent for that vendor.
For purposes 3 and 4, each vendor must be consented by the user for purposes 3 and 4. If vendors choose to register for purposes 3 and 4 under “Not Used” they are not required to obtain consent for those purposes.

In addition to the above criteria, the user has granted consent for a vendor for Actively scan device characteristics for identification (Special Feature 2) and that vendor is registered for Special Feature 2.

How will the TC string be passed?

On the bid request

For OpenRTB: bid request field called User.ext.consent will contain the TC string; We will continue to populate the Regs.ext.gdpr field to indicate whether GDPR applies to the request.
For the Google Protocol: the field that will contain the TC string will be AdSlot.ConsentedProvidersSettings.tcf_consent_string; We will continue to populate regs_gdpr to indicate whether GDPR applies to the request.

On the Cookie Match URL

Users of the Cookie Match Service can add the “&gdpr” and “&gdpr_consent” parameters to the cookie match request (if they initiate) or response (if Google initiates), and populate “&gdpr_consent” with the TC string.

Google will parse the string to determine whether the user has provided the appropriate consent, and respond accordingly.

Additional Consent mode

Google has defined a technical specification (called Additional Consent Mode) intended only for use alongside IAB Europe’s Transparency & Consent Framework (TCF) to vendors who are not yet registered on the IAB Europe Global Vendor List (GVL). This specification enables publishers, Consent Management Providers (CMPs), and partners to gather and propagate additional consent—alongside their TCF implementation—for companies that are not yet registered with the IAB Europe Global Vendor List but are on Google's Ad Tech Providers (ATP) list.

For publishers that implement TCF, but also ask for user consent for “additional providers” that are not registered in the IAB’s GVL for TCF, Google will do the following:

The TC string will be sent as described above
The additional non-TCF vendor IDs will be sent in an extension to TCF using the existing fields:
- User.ext.ConsentedProvidersSettings.consented_providers for OpenRTB; AdSlot.ConsentedProvidersSettings.consented_providers for the Google Protocol / AdX proto.
The consented providers field will contain only the additional non-TCF providers, with any TCF vendors sent in the TC string

Note: Google will use the “consented_providers” fields to communicate consented vendors in the following two cases:

For publishers that do not implement TCF, we will continue using our current GDPR solution described in this article.
For publishers that do implement TCF but collected consent for non-TCF vendors, as described above (Additional Consent mode).

Please see Google’s Additional Consent Mode technical specification for more information.

Was this helpful?

How can we improve it?