FAQs for Privacy Manager for GDPR
The TCF is a means of standardizing consent signals within the programmatic ecosystem. For more information please visit IAB Europe Transparency & Consent Framework.
With the use of our geo-targeting feature, you are able to create different consent screens for the different EU regions that may require additional changes. In order to facilitate this, we recommend that you create a new configuration script for each region that you need.
Both with templating or with the bulk-editing feature you can create swiftly new, already configured CMP scripts that need minimum tweaking.
After you’ve created a configuration for a specific EU country, you’re able to make sure that the configuration is only shown for users from that EU country through the geo-targeting feature in the admin section of the configuration.
For an overview of our reporting, see "Reporting for GDPR."
In accordance with the new TCF v2.0 guidelines, customisation to the notice has been limited. As LiveRamp is required to ensure that any CMP implementation is IAB compliant, customisation can only be done within those constraints.
We understand the need for using your own notice, and in accordance with the new TCF guidelines we’ve made it possible for our clients to use their own notice in conjunction with a Private CMP ID.
The process of implementing your Private CMP can be done in several steps:
Disable the notice by ensuring that you’re using CMP ID 0, which can be set through the admin → TCF compliance section of the CMP configuration.
Note
Note that using the CMP ID 0 means the CMP is invalid. Therefore, only use it for the CMP configuration implemented on a testing environment.
Develop your own (compliant) notice and integrate it with our back-end throughout the different api’s.
Request your (private) CMP ID through this link.
Note
Note that the IAB will create a sub "consensu.org" domain for you, but is nonessential to your configuration.
After validation you’ll receive your own CMP ID from the IAB, ensure in your CMP configuration that you input your CMP ID in the admin → TCF compliance section.
Migrate your compliant CMP from your testing to production environment.
A registered Private CMP ID will be charged by the IAB Europe on a yearly basis. The cost is approximately €1,200 per year for the CMP license.
‘Google Advertising Products’ is now part of TCF 2.0 Global Vendor List of the IAB. In order to make sure Google is working correctly with Privacy Manager, you need to follow these steps:
Select Google as a TCF 2.0 Vendor (TCF GVL Vendor ID 755).
Make sure purpose 1 is disclosed in order to pass its value as true in the TC string.
Make sure to migrate your ATP vendor list in the ADmanager UI to the vendor configuration in LiveRamp Console, which will allow you to use the Additional Consent Mode.
Note
If you configured the CMP to not disclose purpose 1 “Store and/or access information on a device“ from the parties section, it may result in an error with regards to the Specific Jurisdiction Disclosures and its validity for the country in which your business entity is established.
For more information on Google Errors related to TCF V2.0, please refer to this help article.
For more information, you can also check Google’s help center.
Conditional firing is a method to manually control firing of third-party vendors on page or in your mobile application. In essence it is a script or a logic that takes care of those third-party resources and forces them to obey the CMP signals.
You need to set up conditional firing logic in two cases:
If you are using (advertising) vendors or other resources that do not participate in the IAB Europe Transparency and Consent Framework. The benefit of the TCF is that it puts a contractual obligation on the advertising vendors to wait for the consent signal of the CMP that is present on the page before they can pass the bid request. This means that the vendors that do not participate in the TCF, do not have such restrictions and can just release their assets on page load. In order to prevent this from happening, website owners should use conditional firing: a technical means to make those third parties respect the CMP and listen to its signals.
Sometimes even the Transparency and Consent Framework’s vendors can drop cookies without consent. For example, some of them skip the ePrivacy compliance and focus on GDPR, claiming legitimate interest for their data processing activities. This is why we recommend you to check if this approach works for you and what is the extent of your liability. Conditional firing is a simple way to control the TCF vendors on your sites and enforce ePrivacy compliance.
For more information on how to set up conditional firing see the following articles:
Build Conditional Logic (GDPR for Web)
Build Conditional Logic (GDPR for Mobile)
Note
Information on conditional firing for CCPA is coming soon)
Implementing LiveRamp Privacy Manager in Google Tag Manager (GTM) may add additional latency before the CMP is displayed. The total amount of latency depends on the amount of tags present in GTM and the set time-outs by yourself and/or your used vendors.
Our CMP script includes a stub code which, when loaded, will tell all IAB TFC participants that there is a CMP present. For TCF vendors this means that they have to wait for user input.
To ensure that the vendors are not waiting for something that doesn't exist, the IAB allows vendors to set a time limit. If no signal is sent to the TCF vendors then they'll act as if no consent is given.
Placing the CMP script in GTM will add latency, and more importantly, latency to our stub script that is vital in the communication to the vendors of the IAB TFC.
When scripts have added time-outs in GTM this will also affect the overall loading time in GTM and therefore create additional latency to the loading of the CMP.
Even if the stub sends a signal to all IAB TCF participants after the time limit, the user is still treated as if there is no consent even if they accepted all purposes.
If the user continues to browse the website after giving consent, the IAB TCF will still treat it as a non-consent given user, this is because the IAB TCF will always first look if a CMP is present before checking if the user has a consent string.
To summarize, if you implement the CMP in your (Google) Tag manager, you might be non-compliant because you might load vendors that did require consent and you lose at least your 1st pageview after consent for monetization.
Helpful links
Transparency and Consent Framework's documentation specifying the the "CMP present" and "CMP loaded" commands:
We offer our clients the option to store and synchronize consent across owned and/or operated brands. This can help reduce the amount of consent screens a user has to see within a network of brands.
Note
Using centralised consent storage is a common practice in many EU countries. Pending any specific guidance from the local DPAs or EDPB, synchronizing consent across owned and/or operated brands depends on the business of the Client. For example, CNIL recommends that consent should be established on every publisher property, to ensure users fully understand the scope of their choices.Hence, every company needs to make their own risk analysis weighing in relevant factors like the type/range of publisher property for using this functionality.
Centralised consent domain implies exactly as it sounds, the consent of the user is stored and maintained on a single (centralised) domain, which will track and ensure that the other domains the end-user visits is informed of the end-users consent.
The biggest prerequisite for a robust centralised consent mechanism would be authenticated users. Without the recognition of the user across multiple domains you’ll not be able to implement a long lasting centralised consent.
However, Privacy Manager does offer a solution for those who do not have authenticated users and still wish to work on a cookie-based solution.
In the admin section of the Privacy Manager configuration you’re able to enable the group consent functionality. By enabling this for all your configurations you’re able to share consent between the different configurations, this is as mentioned cookie-based.
Within the configuration of group consent you’re able to either use the sub-domain provided by the Privacy Manager or you can use a custom domain that needs to host the cookie sync script provided by the Privacy Manager. When hosting your own domain you’re able to mimic the centralised domain storage mechanism.
The other solution provided by LiveRamp would be to make use of PreferenceLink Sync. This feature will allow you to push and sync data server-sided between multiple Privacy Manager configurations. This method is not using any cookies to operate and therefore is more sustainable than any cookie-based solution out there.
To know more about PreferenceLink, see this help article.
Prebid uses the consent information collected by IAB compliant CMPs through the standard CMP JS API. The Consent Information is then passed to the Bidders and Vendors that are registered with the IAB.
In order to enable CMP to support Prebid, follow these steps:
Add the consent management module to Prebid.
Make sure that the consentManagement module is being added to your Pre Bid build by downloading a build that includes the GDPR ConsentManagement module from https://docs.prebid.org/download.html.
Caution
Make sure to download v3.14 or higher Prebid.js script for the Web Platform in order to be supported by IAB TCF v2.0.
Alternatively, you can build your own Prebid from source and include the GDPR ConsentManagement module.
Please view TCF v2.0 Examples with reference to the documentation from Prebid which describes how to add a cmpAPI: “IAB”
Example 1: IAB CMP using custom timeout and setting GDPR in-scope by default
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab',
timeout: 8000,
defaultGdprScope: true
}
}
});
});GDPR Enforcement Module
The GDPR enforcement module will ensure that the Prebid and Third Parties listen to the TC String. This means that this module will enforce the End Users' choices. For details about this module , we recommend you review https://docs.prebid.org/dev-docs/modules/gdprEnforcement.html.
Cookie name: | Context: | Expiration date: |
|---|---|---|
cconstent-v2 | Cookie name for additional vendor consent. | 395 days |
euconsent-v2 | Cookie name for global consent string of the IAB Transparency Consent Framework. | 395 days |
addtl_consent | Cookie name for consent string of Google Additional Consent Mode. | 395 days |
gdpr-auditId | An Audit ID that publishers and consumers can reference to retrieve historical consent. | 395 days |
gdpr-config-version | Configuration version number used by the CMP. | 395 days |
gdpr-last-interaction | Value to report on last active user session. | 395 days |
gdpr-dau | True/false for user to be registered as 'daily active user' for reporting purposes. | 24 hours |
gdpr-dau-log-sent | True/false for logs to be sent to back-end for reporting purposes. | 24 hours |
geo-location | Geo location of the end-user during last active session for reporting purposes. | 24 hours |
In order to prevent the CMP from appearing to users without a consent state on a page where no consent state is required, add __tcfapi('toggleConsentTool', 2, () => {}, false); to the code on your page.
LiveRamp Privacy Manager uses a SaaS model based on the monthly sum of Daily Active Users (DAUs), i.e. the total number of unique users on a given day. For example, if a user visits the same site five times in three days, they would be counted three times within the sum of DAUs that month—once for each day they visited the site.
See "Calculate Daily Active Users in Google Analytics" for instructions.
Google Analytics (from the GTAG.js script) supports the Transparency and Consent Framework v2. For Google Analytics to comply with TCF you will need to implement window['gtag_enable_tcf_support'] = true before any calls to gtag() are made.
More information can be found here.
Place the following string in any topic description text to link to the purpose overview or vendor overview screen:
${openTab(1, 'Link text')}.
The first argument, 1 is for the vendors overview , 0 is for purposes.
Highlight any text in you want and click the "Insert Link" icon. Then, copy paste the following function instead of a URL: ${executeCommand(rejectAll, Link text)}.
For GDPR for Mobile, use the following : executeCommand(rejectAll).
