Buyer integration with the IAB TCF v2.0

Google will launch support for the IAB TCF v2.0 across Ad Manager, AdMob, and AdSense. For real-time bidding (RTB) buyers, including Authorized Buyers and Open Bidding networks and exchanges, this integration has implications on their eligibility to receive bid requests, win auctions, and receive responses for a cookie match request.

Who is impacted?

All Authorized Buyers and Open Bidding exchanges and networks, independently of whether they have registered with the TCF v2.0, will be impacted by this integration.

Background

As communicated in August 2019, Google’s interoperability guidance intends to reflect Google's existing policy requirements, in particular the requirements of Google's EU User Consent policy and our policies against fingerprinting for identification (for example, those contained in our Requirements for Third-party Ad Serving). Google’s policies continue to apply and are more restrictive than TCF v2.0 in some cases."

The implementation of IAB TCF v2.0 contains a variety of complex scenarios which may present themselves depending on the following:

  • How the vendor registered with IAB TCF v2.0
  • Publisher settings
  • User consent

The table below shows the options available to vendors when registering for purposes on the Global Vendor List. For details on the purposes, please see IAB Transparency and Consent Framework v2.0.

Purpose Vendor registration options (example below)
Store and/or access information on a device (Purpose 1)
  • Consent as sole legal basis
  • Not used

Purposes 2⇒10
  • Consent as sole legal basis
  • Legitimate interest as sole legal basis
  • Consent or legitimate interest as a legal basis:
    • Default consent
    • Default legitimate interest
  • Not used

Special purpose declaration
  • Legitimate interest

Feature declaration
Special feature declaration 

Flexible registration

If a vendor chooses to register flexibly for “Consent or legitimate interest as a legal basis (Default consent)” OR “Consent or legitimate interest as a legal basis (default legitimate interest)”, then the publisher will have the following options regarding the treatment of that vendor:

  1. Respect the default
  2. Specify that “consent” is required
  3. Specify that “legitimate interest” is required

Regardless of how a vendor chooses to register or the publisher’s choices on how to treat that registration, Google requires that all vendors obtain consent as the only valid legal basis for specific purposes (described  further below). Please keep this in mind when reviewing the section on bid response Eligibility.

Unknown domains

Google scans for policy and consent approvals at the domain level in ad creatives. Without domain information, Google cannot confirm consent is present and we may block creatives containing “unknown” domains or unrecognized vendors who don’t appear on Google’s Ad technology providers list for the EEA or UK.

Ad technology providers can register with Google or request updates and new domains and subdomains be added to their existing registration using the Certification process guide.

What is changing?

For publishers who integrate with TCF v2.0, we will begin reading and passing the TC string for all ad requests starting from when the IAB switches over fully from TCF v1.1 to v2.0.  Prior to the switchover date, some bid requests may contain the TC string as Google and publishers begin beta testing of TCFv2.0.  Google will consume the TC string passed on the ad request and parse it to determine for which use cases and for which partners an appropriate legal basis for processing personal data exists. Following this integration, to continue to be eligible to receive bid requests, win auctions, or use a cookie matching service, vendors who are registering for the IAB TCF v2.0 will need to make sure they obtain consent or have legitimate interest for the relevant purposes  as described in the relevant section for each use case below. 

Bidders and exchanges, whether or not they themselves have registered for TCF v2.0, must also consume, parse, and correctly apply the user consent preferences communicated in the TC string to determine how to appropriately respond to bid requests and when to use the Cookie Matching Service.

Note: For publishers that do not implement TCF v2.0, we will continue using our current GDPR solution described in this article.

Summary

In line with our EU User Consent Policy requirements, Google requires that bidders obtain user consent for Purposes 1, 3, and 4 - if any vendor has registered for these purposes using a flexible legal basis, Consent must be obtained. No other legal basis is allowed for Purposes 1, 3, and 4, regardless of use case (bid request eligibility, bid response eligibility, cookie matching eligibility, and vendor pixels within creatives) or user approval.

Impact on bid request eligibility

Note that if the TC string indicates that the user has not granted consent for purposes 1, 3, and 4, unless an exemption applies, Google will not pass a bid request to your bidder, irrespective of your registration. This is consistent with our treatment of non-personalized ads for RTB today. Learn more

In order for bidders who have registered for TCF v2.0 to be eligible to receive bid requests, the following conditions must be met:

Your IAB Global Vendor List ID, once you’ve registered for TCF v2.0 provided via this form.

Buyer type Criteria (all criteria must be met in a given scenario)
Authorized Buyers, Open Bidding Networks
  1. Registered for all of purposes 1, 3, and 4 with “Consent” or “Flexible - Default consent”as the legal basis
  2. User consented for purposes 1, 3, and 4
Open Bidding Exchanges
  1. Registered for purpose 1 with “Consent” as the legal basis
  2. Registered for purposes 3 and 4 with “Consent”, “Flexible - Default consent” or “Not used” and NOT “Legitimate Interest”as the legal basis
  3. User consented for purpose 1 (and purposes 3 and 4 if exchange has registered with “Consent” or “Flexible - Default consent as the legal basis”)

 In addition to the above criteria, if the following condition is true, then a buyer will not be eligible to receive bid requests:

Buyer type Condition
Authorized Buyer or Open Bidding (Exchanges & Networks)
  1. Registered for Special Feature 2 (“Actively scan device characteristics for identification”) AND the user gives consent for Special Feature 2 (see note below*)

1 For additional information on Purposes, refer to IAB Europe Transparency & Consent Framework Policies.

* Note: If the buyer has registered for Special Feature 2 and the user does not give consent for Special Feature 2, this does not prevent the buyer from being eligible to receive a bid request (assuming all other eligibility conditions need to be met). This is true on the basis that use of active fingerprinting, which is prohibited by our policies (except in the context of Special Purpose 1 - Ensure security, prevent fraud, and debug), would not be authorized by the TC string.

Impact on bid response (i.e. creatives and vendor pixels returned in the bid response)

  • Ad Manager will pass the TC string in the bid request only to bidders who meet the criteria above and have obtained consent from the user. Other than as stated above for the “Not Used” use case for Open Bidding Exchanges, if consent is not obtained we will not send a bid request at all.
  • When determining which vendors are allowed to process a user's personal data, buyers must respect the user's choices, as expressed in the TC string, and comply with both the applicable Google policies and the TCF policy. This includes when buyers determine which ad creative(s) to return. 
  • Open Bidding Exchanges must pass the TC string to their eligible bidders. They must also make sure that the creatives returned by those bidders do not contain vendors who do not comply with Google’s policy requirements and TCF v2.0 integration guidance.

To help bidders comply with user consent preferences, we will be adding a new field(s) that will be used to communicate the IAB’s TC string on the bid request:

  • User.ext.consent for OpenRTB per the IAB standard (more on this below); 
  • AdSlot.ConsentedProvidersSettings.tcf_consent_string for the Google protocol / AdX protocol

We will continue to use our existing fields to indicate whether GDPR applies.

In order for a creative to be eligible to serve, all vendors must meet the following criteria:

  1. Each vendor needs to register with the IAB for at least one purpose
  2. For purposes 3 and 4, each vendor must be consented by the user in 1 of 4 ways:
    Note: If vendors choose to register for purposes 3 and 4 under Not Used they are not required to obtain consent for those purposes.
    1. Vendor has registered for that purpose under “consent” AND the user has granted consent
    2. OR vendor has registered for that purpose under “Flexible - default consent” AND the publisher respects the default AND the user has granted consent
    3. OR vendor has registered for that purpose under “Flexible - default consent” AND the publisher specifies consent is required AND the user has granted consent
    4. OR vendor has registered for the purpose under “Flexible - default legitimate interest” AND the publisher has specified that consent is required AND the user has granted consent
       
Note: if the vendor is registered for Actively scan device characteristics for identification (Special Feature 2), any creatives with that vendor will ONLY be eligible to serve if the user has NOT opted-in to Special Feature 2.

Impact on cookie match eligibility

Google will support both &gdpr and &gdpr_consent parameters to pass TCF v2.0 consent information for both in-bound and out-bound cookie sync requests. (These parameters are optional).

If the &gdpr and &gdpr_consent parameters are present in a cookie match request, Google will sync cookie with third-party vendors request if all of the following criteria are met

  • Google has consent to:
    • Store and/or access information on a device (Purpose 1);
    • Create a personalized ads profile (Purpose 3); and, 
    • Select personalized ads (Purpose 4)
  • Legitimate interest is established for Google to:
    • Select basic ads (Purpose 2);
    • Measure ad performance (Purpose 7); and,
    • Develop and improve products (Purpose 10)​
  • The vendor must register for purpose 1 under “consent” and AND the user must have granted consent for that vendor.
  • For purposes 3 and 4, each vendor must be consented by the user in 1 of 4 ways:
    • Vendor has registered for that purpose under “consent” AND the user has granted consent
    • OR vendor has registered for that purpose under “default consent” AND the publisher respects the default AND the user has granted consent
    • OR vendor has registered for that purpose under “default consent” AND the publisher specifies consent is required AND the user has granted consent
    • OR vendor has registered for the purpose under “default legitimate interest” AND the publisher has specified that consent is required AND the user has granted consent
      Note: If vendors choose to register for purposes 3 and 4 under “Not Used” they are not required to obtain consent for those purposes.

In addition to the above criteria, If any of the following conditions are true then a vendor will not be eligible for cookie matching sync:

  1. The vendor has registered for Purpose 3 solely under “legitimate interest”
  2. The vendor has registered for Purpose 4 solely under “legitimate interest”
  3. The user has granted consent for a vendor for Actively scan device characteristics for identification (Special Feature 2) AND that vendor is registered for Special Feature 2 (see note below*)
* Note: if the vendor IS registered for Actively scan device characteristics for identification (Special Feature 2), any creatives with that vendor will ONLY be eligible for cookie matching if the user has NOT given consent for Special Feature 2.

How will the TC string be passed?

On the bid request

  • For OpenRTB: we will add a new field to the bid request called User.ext.consent (as proposed and standardized by the IAB) which will contain the TC string; We will continue to populate the Regs.ext.gdpr field to indicate whether GDPR applies to the request.
  • For the Google Protocol: the field that will contain the TC string will be AdSlot.ConsentedProvidersSettings.tcf_consent_string; We will continue to populate regs_gdpr to indicate whether GDPR applies to the request.

On the Cookie Match URL

Users of the Cookie Match Service can add the “&gdpr” and “&gdpr_consent” parameters to the cookie match request (if they initiate) or response (if Google initiates), and populate “&gdpr_consent” with the TC string.   

Google will parse the string to determine whether the user has provided the appropriate consent, and respond accordingly.

Additional Consent mode

Google has defined a temporary technical specification (called “Additional Consent Mode") intended only for use alongside IAB Europe’s Transparency & Consent Framework (TCF) v2.0 to serve as a bridge for vendors who are not yet registered on the IAB Europe Global Vendor List (GVL). This specification enables publishers, Consent Management Providers (CMPs), and partners to gather and propagate additional consent—alongside their TCF v2.0 implementation—for companies that are not yet registered with the IAB Europe Global Vendor List but are on Google's Ad Tech Providers (ATP) list.

For publishers that implement TCF v2.0, but also ask for user consent for “additional providers” that are not registered in the IAB’s GVL for TCF v2.0, Google will do the following:

  • The TC string will be sent as described above
  • The additional non-TCF vendor IDs will be sent in an extension to TCF v2.0 using the existing fields: 
    • User.ext.ConsentedProvidersSettings.consented_providers for OpenRTB;  AdSlot.ConsentedProvidersSettings.consented_providers for the Google Protocol / AdX proto. 
  • The consented providers field will contain only the additional non-TCF providers, with any TCF vendors sent in the TC string

Note: Google will use the “consented_providers” fields to communicate consented vendors in the following two cases:

  1. For publishers that do not implement TCF v2.0, we will continue using our current GDPR solution described in this article.
  2. For publishers that do implement TCF v2.0 but collected consent for non-TCF vendors, as described above (Additional Consent mode).

Please see Google’s Additional Consent Mode technical specification for more information. 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue