IAB Frameworks

Transcend Consent Management is a registered and certified CMP with the International Advertising Bureau (IAB) and provides support for a number of their consent signaling mechanisms. There are several regional frameworks, including the US Privacy API (USP API), and Transparency and Consent Framework (TCF). These disparate regional frameworks are being consolidated under IAB's latest framework, the Global Privacy Platform (GPP).

Each IAB framework offers a method for ad vendors to check for user preferences such as opt-outs or consent preferences. It is important to understand that the IAB signaling frameworks do not explicitly block or otherwise enforce what ad vendors are able to collect from your webpage. Making a consent string available for advertisers to read does not necessarily mean your ad vendors will read it, or honor it.

If you plan to rely on IAB signals for enforcing user consent instead of directly regulating data collection by blocking tracking data flows or cookies, then it's important that you verify vendors are members of the relevant framework and that they honor user preferences in a way that satisfies your requirements.

The US Privacy signal is officially deprecated. It will be replaced by the US State specific sections of the Global Privacy Platform (GPP). Learn more about configuring GPP with Transcend Consent Management here.

The US Privacy API (USP API) helps signal Do Not Sell or Share opt-out choices from users in California to vendors who support this framework.

Enabling the USP API within Transcend will expose an API at window.__uspapi() for on-page vendors to check user opt-outs, in accordance with IAB's USP API specification. To learn more about the function interface, see IAB's USP API specification.

The USP API can be used in conjunction with airgap.js. It is simply an additional signaling layer on top of the consent enforcement functionality of airgap.js.

You can enable the USP API by toggling it on in your Consent Developer Settings.

The toggle which enables the US Privacy API

As part of the USP API setup, you will need to communicate whether you have signed the IAB Multi-State Privacy Agreement (MSPA); this is an updated amendment of the Limited Service Provider Agreement (LSPA). Your response will affect the resulting privacy string that is generated. If you are unsure of your MSPA signatory status, visit the IAB Tech Lab Tools Portal to register or sign the agreement as necessary.

Alternatively, you can configure the USP API directly on your <script> tag by setting the data attributes data-uspapi="on" and data-signed-iab-agreement="yes" (or "no").

You may use the following command to check the privacy string:

window.__uspapi('getUSPData', 1, (uspData, success) => {
  if (success) {
    console.log(uspData);
  } else {
    console.log(uspData, success);
  }
});

Note: The USP API string includes a parameter for whether "Notice/Opportunity to Opt Out" was provided. Transcend Consent Management considers both consent confirmation and UI prompted status as "Notice/Opportunity to Opt Out". If a user chooses to express the Global Privacy Control signal and that signal results in a confirmed opt-out of the sale/sharing of personal information, then the user is considered notified of their opportunity to opt out in your signal to on-page ad vendors.

IAB's TCF Framework helps parties involved in digital advertising, like publishers and their supporting vendors, comply with GDPR and the ePrivacy Directive when processing personal data and/or accessing or storing information on a user's device. When enabled, Transcend can display the framework-specific UI to users in the EU and generate a Transparency and Consent string to encode a user's consent choices. We then expose this string for TCF Registered vendors on the website to ingest and honor.

Reccomended Reading:

Using TCF for compliance in Europe comes with more tradeoffs than the US Privacy framework, since it requires collecting consent for a different set of purposes in a rigid UI, and gives end-users the ability to specify consent choices at a vendor-level. It is most commonly used by publishers who are providing advertisements on their websites and wish to support passing consent to downstream vendors vendors via the framework. Ultimately the decision to use a framework like TCF depends on your business needs and should be made by evaluating your vendors and desired regulation and UI approach - let us know if you have questions or want to further discuss the pros and cons of various approaches.

Below we'll cover the steps to implementing a TCF Consent Experience with Transcend, including:

  1. Enabling the IAB Frameworks Inside Transcend
  2. Adding the TCF Stub to your website
  3. Selecting IAB Vendors
  4. Mapping IAB Purposes to default Purposes
  5. Configuring your GDPR Regional Experience
  6. Add a link on your site for relaunching the consent UI
  7. Testing

To begin configuring TCF, you must first enable the "IAB Configuration" toggle in your Consent Developer Settings under Other Consent Frameworks. Toggling this option will enable further configuration of IAB frameworks within Consent Management.

When TCF has been enabled, our airgap.js script will dynamically load the required additional resources for the TCF UI and API when required. We do this asynchronously to ensure minimal impact to your site performance. You must also add the provided TCF stub found on the Other Consent Frameworks page to the head of your site.

IAB Configuration Toggle and Slug

This signals to vendors that there is a CMP API for regulating their behavior, as well as to buffer calls vendors made to the window.__tcfapi() function before the full API has finished loading asynchronously. The TCF API stub should be placed first on the page, before Transcend's airgap.js script and before any other scripts that may rely on the TCF API.

The TCF Framework works by encoding consent information in a string for a set of vendors that you select from the IAB's official vendor list. To configure your list of vendors, simply navigate to the Vendors tab under the TCF Settings submenu.

TCF Vendors Tab

From here, you can click Add TCF Vendors to add TCF-registered vendors.

Add TCF Vendors

To disclose additional vendors who are not registered with TCF, click Add Other Services.

Add Non-TCF Vendors

Your Transcend solution engineer can partner with you to generate your vendor list. You should also work with your advertising partners to understand the technology vendors they rely on and incorporate them into your vendor list. (For example: Google provides an Ad Technology Providers list.)

Your final displayed vendor list will contain the TCF vendors you select, as well as non-TCF vendors from your detected Data Flows and Cookies. Non-TCF Vendors will continue to have their Data Flows and Cookies regulated directly by airgap.js as they are not able to process or honor the TC String.

Consider the number of TCF vendors you work with and put in place a selection process to establish your vendor list instead of defaulting to including all TCF vendors. Providing transparency and helping to establish Legal Bases within the TCF Framework for an unjustifiably large number of vendors may impact users' ability to make informed choices, increase legal risk, and slow down performance.

You will be requesting consent from your users for a set of the TCF Purposes and Features associated with your selected vendors from the prior step. You can read more about the full list of IAB TCF purposes in Appendix A of the TCF Policies. To review this list of purposes/features, and disable any that are not applicable to your organization, simply navigate to the TCF Purposes and TCF Features tabs under TCF Settings.

These purposes also need to be mapped to your existing Purposes in Transcend Consent Management so that consent collected in the TCF UI can be translated and applied to non-TCF vendors.

Configuring TCF Purposes
Configuring TCF Features

Stacks are TCF-defined groups of Purposes and Special Features that can optionally be enabled to simplify what is disclosed to end-users on the first layer of the TCF UI. A configured stack will replace the Purposes/Special Features it contains on the first layer of the TCF modal. Some Stacks may be unavailable based on the IAB's rules depending on the Purposes and Special Features you've configured as applicable, as well as Stacks you've already enabled.

To configure stacks, navigate to the Stacks tab under TCF Settings.

Configuring TCF Stacks

To enable TCF for a given Regional Experience, select TCF (EU) from the UI View State list on the Regional Experiences tab.

Adding TCF to a Regional Experience

Enabling TCF for a regional experience will cause airgap.js to load our TCF module and display the TCF UI to collect consent for new site visitors. The modal itself has been designed and developed to be accessible, with factors such as proper ARIA attributes and keyboard navigation support.

The TCFv2 modal showing on a test website

It will also expose an API at window.__tcfapi() for on-page vendors to check user consent, in accordance with IAB's specification. To learn more about the function interface, see IAB's TCF specification.

It's important to ensure that users always have the ability to reopen the Consent UI to modify or review their prior consent choices. You can use transcend.showConsentManager() to display the modal based on a user interaction such as a button click. Alternatively, you can configure the modal to automatically prompt for any user who has not given consent by navigating to Display Settings and setting the Prompt input field to a non-zero value. This number is the number of page views at which to prompt the default banner for the user's detected regional experience.

As always, we recommend testing all changes made to your consent manager configuration before going live on your production site. The best way to do this for your TCF implementation is using our test bundle.

To help confirm that the TC String is being generated as expected you can also leverage IAB's resources including their TCF CMP Validator Extension found on their resources page.

Remember that you may have technologies on your sites that do not respect the TC String and can not be regulated by it.

As noted above in Configuration Step 4, we are able to enforce user consent as usual with our automatic blocking approach for scripts and cookies on the site that belong to vendors not registered with the IAB TCF. We do this by translating the TCF purposes into default purposes and then applying them as normal across your data flows and cookies. The only difference is that for a user in a Regional Experience with TCF configured we will allowlist the data flows and cookies belonging to TCF Vendors since they will instead rely on the TC String for consent information.

Ensure you follow our general Consent Management Documentation in addition to this TCF implementation guide to ensure full regulation of all relevant technologies across your site.

The goal of GPP is to harmonize IAB's separate regional consent frameworks, offering a single API at window.__gpp(). Transcend Consent Management supports GPP - this documentation will be updated soon with specific implementation steps. To learn more about the function interface, see IAB's USP GPP specification.