Over the last two years, we have seen many changes in how cookies and consent messages appear on websites. If you have followed these changes as I did, then you might have noticed different interpretations of how and when to gather consent. Countless solutions appeared (and disappeared). Publishers like you and me were left alone choosing a solution and hoping that it is compliant with the GDPR, CCPA, or other privacy protection laws.
Meanwhile, the IAB Europe, a European-level association of digital marketing and advertising companies, worked on a Transparency & Consent Framework (TCF) that should unify the different approaches and provide a consent method in compliance with the European privacy regulations.
The launch of TCF version 2.0 currently creates some publicity because it is the first one taken seriously by the advertising industry. Publishers ignoring it might end up with significantly less revenue than before.
I spent days researching the TCF and various consent solutions to find a way Advanced Ads can implement it automatically for ads and am happy to share the information gathered so far here.
Please note that I am giving an overview to the best of my knowledge. This article is not legal advice, and I am happy if you reach out if I missed something important. I am also going to update this post if new information comes up.
No time to read? Here are the most important points in a nutshell:
- You need to comply with the privacy regulations if your company is from a region they apply to, or visitors from those regions (e.g., the EU) come to your website
- Google products don’t require you to implement a TCF-compliant method, but if you do, they will honor the users’ choices.
- If you implemented TCF incorrectly then Google gives you time to fix any issues. The full grace period is about 90 days following August 15th. No earnings are reduced even if you see errors in your account now.
- Advanced Ads provides a simple solution to deliver ad codes in compliance with TCF. See the TCF 2.0 Consent Manual.
- Other ad networks, including those using header bidding, might have their own consent-gathering mechanisms and might have already implemented them for you
- Follow our bonus tips at the end of this article to decrease the impact of the TCF on your revenue
What is the TCF 2.0 standard?
Let’s start with a short overview of who is involved:
- Publisher: that is probably you, the owner of a website
- CMP: a Consent Management Platform, a service that gathers and stores visitors’ consent. See also the list of all registered CMPs.
- Vendor: any third-party service that reads the consent stored by the CMP to decide what they are allowed to do. This could be Google AdSense, Ad Manager, or Google Analytics. See also the TCF 2.0 vendor list.
- Advanced Ads: the glue between the CMP and the Vendor on your site. Advanced Ads makes sure that the vendors’ codes are only loaded when it is allowed
The Transparency & Consent Framework (TCF) defines how to ask your visitors for consent, how to store that information, and how vendors (e.g., ad networks) can use it. If every party involved works correctly, you don’t need to tell the ad networks what to do. They will automatically receive the information about what users agreed to and what they dismissed and act accordingly. Hacking (AdSense) ad codes to add a string with some consent information is no longer needed.
The compliance standard based on TCF does not just concern ad networks. It covers any data stored about users, including the usage of cookies or website analytics. While the TCF is based in the ad industry, you can use the logic behind it also to gather consent for any other data-processing vendor.
Technically, the standard includes that consent is stored by the CMP (see below), e.g., in a cookie on the user’s device (if that is allowed) and in the cloud to prevent publishers from manipulating it. Vendors like ad networks or analytics providers, but also publishers can then read that information and handle the user’s data based on their choices.
Do you need to implement the TCF 2.0?
If you are a company based in the European Union, then you need to ask any user for their consent, regardless of their location. Companies outside the EU need to ask any visitor from the EU for their permission to track their data.
As a publisher outside the EU, you would need to actively block traffic from the European Union if you don’t want to deal with their data privacy laws.
Many premium ad networks and ad technology companies already block traffic without the necessary consent. These networks prepared their publishers and often integrated a CMP automatically through their ad tags. I have heard from many of our partners and larger publishers that this is working well.
Using AdSense and Google Ad Manager
Google itself announced that it would comply with TCF 2.0 if publishers integrated it. They say:
“As a publisher, you are not required to use the IAB TCF v2.0. You can continue to use other means to comply with our EU User Consent policy.” (Source: https://support.google.com/admanager/answer/9805023, August 16th, 2020)
If you are using a CMP, they will integrate with it and ignore any other privacy measures you might have taken. E.g., Advanced Ads allows you to show non-personalized AdSense ads when a specific cookie is enabled. If you used that method, then it will continue to work.
If Google finds a wrong implementation of the TCF on your site after August 15th, you would see a warning in your AdSense or Google Ad Manager account.
Google also announced a grace period indicating that ads should continue to work with missing or invalid consent for 30 days following August 15th. After that, they are going to deliver non-personalized advertisements for another 60 days.
Using the old TCF 1.1 standards
If you already implemented an older TCF standard (e.g., last year), you would need to get in touch with your CMP to update it. They probably have a tutorial on how to do that.
How to implement TCF 2.0
To comply with the TCF, you need to present your website’s visitors with information about which data is stored and processed by which service on your website. They also need to have a chance to enable or disable these methods individually.
You have probably seen plenty of these large popups by now.
I would recommend clicking on the various options next time you see such a popup to understand that they are quite complicated.
To implement such a consent popup on your website, you would need to sign up with a Consent Management Platform (CMP). CMPs are simply services offered by different companies. You might have heard or seen names like Quantcast, Usercentrics, Cookiebot, or Sourcepoint. Some of them are paid-only; some have a free plan.
Every CMP is registered with the IAB and has to pay a yearly amount to be verified by them. You can find all verified Consent Management Platforms here.
While you can technically build a CMP yourself, you would still need to have it verified by the IAB and pay the registration fee; otherwise, ad networks might not accept it.
The CMPs I’ve tested so far already provide a list of the services probably used on your site. Still, it is your responsibility that you list all of them, including analytics. You should be able to do that through the account which you create with the CMP.
WordPress plugins for TCF 2.0
As far as I understand, a certified TCF validation needs to connect with a remote server to store the user consent. Therefore, you might always need to register an account with a CMP.
The WordPress plugins used to gather consent based on the TCF are all more or less “only” helping to integrate a CMP. They are not storing the information and consent locally.
Some WordPress plugins dedicated to cookie consent come with additional features that might be useful to comply with privacy laws. E.g., they might proactively remove cookies when the user didn’t consent, or the vendor does not work with the TCF 2.0.
Google itself launched a CMP called Funding Choices. Funding Choices initially started to help publishers monetize their content despite a growing adoption of ad blockers. It was in a closed beta for years. Now, Google decided to open it for publishers to quickly implement a consent message compliant with the TCF 2.0 standard. Time will tell if this becomes popular among publishers. The release definitely puts pressure on the commercial CMPs out there for small publishers with a tight budget.
How Advanced Ads helps with the TCF 2.0
I spent a few days researching the Transparency & Consent Framework and what it means for publishers. I also talked to different publishers, ad networks, and CMPs to get their insights. While knowing that the TCF is complicated, I wanted to find a solution to help Advanced Ads users to save that time, at least when it comes to ads.
The good news is that ad networks will read the consent information automatically and act accordingly. However, according to Google, the ad tags should not be loaded when the user rejected any tracking or didn’t have a chance to choose her preference at all. Secondly, ad tags should be visible when the consent modal is not showing because the GDPR does not apply to a given user.
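The two rules above can be written against the __tcfapi function that TCF 2.0 CMPs expose to page scripts. This is an added example, not code from Advanced Ads or Google; the vendor ID, the stand-in CMP, and the choice to require consent for purpose 1 plus the vendor are assumptions made for illustration.

```javascript
// Added example: decide from a TCF 2.0 TCData object whether ad tags may load.
// Purpose 1 is "Store and/or access information on a device" in TCF 2.0.
const STORAGE_PURPOSE = 1;

function adLoadDecision(tcData, vendorId) {
  if (!tcData) return 'wait';                      // CMP has not answered yet
  if (tcData.gdprApplies === false) return 'load'; // no consent modal is shown
  // 'cmpuishown' means the modal is open and the user has not chosen yet.
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return 'wait';
  // Assumption: both the storage purpose and the vendor must be consented.
  const purposeOk = Boolean(tcData.purpose?.consents?.[STORAGE_PURPOSE]);
  const vendorOk = Boolean(tcData.vendor?.consents?.[vendorId]);
  return purposeOk && vendorOk ? 'load' : 'block';
}

// Registers with the CMP and calls loadAds() at most once, when allowed.
// Returns false when no CMP API is on the page (nothing is loaded then).
function gateAdTags(win, vendorId, loadAds) {
  if (typeof win.__tcfapi !== 'function') return false;
  let loaded = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || loaded) return;
    if (adLoadDecision(tcData, vendorId) === 'load') {
      loaded = true;
      loadAds();
    }
  });
  return true;
}

// Constructed stand-in for a CMP so the example runs outside a browser.
function makeFakeCmp() {
  const listeners = [];
  return {
    __tcfapi(command, version, callback) {
      if (command === 'addEventListener') listeners.push(callback);
    },
    emit(tcData) { listeners.forEach((cb) => cb(tcData, true)); },
  };
}

const SAMPLE_VENDOR_ID = 9999; // constructed id, not a real vendor
const cmp = makeFakeCmp();
let adsLoaded = 0;
gateAdTags(cmp, SAMPLE_VENDOR_ID, () => { adsLoaded += 1; });
cmp.emit({ gdprApplies: true, eventStatus: 'cmpuishown' }); // modal open: wait
cmp.emit({ gdprApplies: true, eventStatus: 'useractioncomplete',
  purpose: { consents: { 1: true } }, vendor: { consents: { 9999: true } } });
console.log('ad tags loaded:', adsLoaded);
```

In a browser, pass window as the first argument and the vendor ID your ad network has in the TCF 2.0 vendor list.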
We updated the Privacy options in Advanced Ads to integrate with any TCF-compliant CMP automatically. Please find more information under TCF 2.0 Consent Manual for WordPress.
If you have further questions regarding the TCF or a specific CMP, then please don’t hesitate to reach out through our official support channels.
Tips for higher conversions
Implement the following two ideas to reduce the impact of the TCF 2.0 on your ad revenue:
- Remove the “Disagree” button from the CMP modal. This seems to be compliant with the TCF 2.0 standard and can improve the acceptance rate. Users who do not want to give consent can find that button under the “Settings” button
- Install Advanced Ads Pro to show the ads right after users give their consent instead of waiting for the next page reload