How the IAB Europe Transparency and Consent Framework can help your business with GDPR

Posted on: Wednesday 27 June 2018

What is it? 

The IAB Europe Transparency and Consent Framework is the global cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements under GDPR.

It was developed by IAB Europe in collaboration with the digital advertising industry. It is designed to offer flexibility to comply with the law, and provide a way of collecting and transmitting signals of consent from an individual to third party vendors working with site and app operators. Here’s how it works:

  • Site/app operators disclose information to people about data processing and seek consent

  • They capture this information through a ‘consent management provider’ (CMP) and pass it through the supply chain in a piece of code

  • Registered third party ‘vendors’ (SSPs, DSPs, ad servers, etc.) can see whether someone has received information and/or given consent, and serve ads (e.g. personalised or non-personalised ads) and use or access cookies, etc. on that basis

Why was the framework created?

It was created in response to the EU General Data Protection Regulation (GDPR), the new legal framework governing the use of personal data across all EU markets. GDPR replaced existing national data protection laws and came into force on 25 May 2018.

As well as affecting your core business, GDPR matters for your advertising too. In a nutshell, you need a lawful basis to process personal data on your sites and apps (and anywhere else) for advertising purposes. There are six to choose from and the ones most likely to be relevant to digital advertising are ‘consent’ and ‘legitimate interest’.

Importantly, under existing legislation (the Privacy and Electronic Communications Regulations (PECR), sometimes known as the ‘cookie law’) you must have the individual’s consent to use cookies[1] or other similar technologies (including pixels, tags and device identifiers). The difference that the GDPR makes to the cookie law is that it re-defines what counts as ‘consent’. Consent needs to meet very high standards, for example:

  • it cannot be bundled with T&Cs

  • companies that are relying on consent have to be disclosed to the user

  • the user must give consent ‘unambiguously’ with an affirmative action

  • evidence that consent has been obtained needs to be recorded

If you’re using legitimate interest as your basis for processing personal data, you still need to tell people and give them the opportunity to opt out.

Who does it affect?

Where the GDPR or PECR applies, downstream partners such as DSPs, SSPs or DMPs will rely on ‘publishers’ (which includes advertisers if you have your own sites, apps, etc.) to provide transparency and gain individuals’ consent.

  • If you process personal data from one of your sites or mobile apps (or other entities) you need a way of making sure you disclose this to people and where necessary get their consent.

  • You also need to give people the opportunity to opt out of data processing.

  • If you want to store or access any information on a person’s device you need to get their consent first.

Where can I find out more about the IAB Europe Transparency and Consent Framework? 

We recommend that:

  • Site/app operators – including advertisers, where appropriate to you – implement a registered CMP to disclose information and capture/communicate consent. Some CMPs are free to use, and some charge, or you can build your own and register it with the Framework.

  • Third parties (SSPs, DSPs, ad servers, etc.) register as ‘vendors’ to be able to access the information communicated via the Framework.

Full details of the Framework including FAQs, training materials and technical specifications are available at (if you’re an advertiser, select ‘publisher’ as your profile at the top of the page – an advertiser-specific section is coming soon).

[1] With a few exceptions, such as cookies that are necessary for provision of the service requested by a user, e.g. shopping cart cookies
