This document defines a technical specification (called "Additional Consent") intended only for use alongside IAB Europeâs Transparency & Consent Framework (TCF) v2 to send transparency and/or consent signals to vendors who are not yet registered on the IAB Europe Global Vendor List (GVL). This specification allows publishers, Consent Management Platforms (CMPs), and partners to gather and propagate additional consentâalongside their TCF implementationâfor companies that are not yet registered with the IAB Europe Global Vendor List but are on Google's Ad Tech Providers (ATP) list.
Changes for Additional Consent v2
Since December 2023, Google has supported v2 of our Additional Consent specification. The primary changes are:
- Update to Additional Consent (AC) string to support vendors disclosed in the CMP.
- Update to CMP API to allow for interoperability for CMPs that support both TCF and Advertiser Consent Mode.
Components of the Additional Consent
In "Additional Consent," we support both:
- The Transparency & Consent String (TC string) as defined by the IAB TCF v2.2 specification, which contains the transparency and consent established for vendors on IABâs Global Vendor List (GVL). AND,
- A lightweight
addtl_consent
string (AC string), which contains a list of consented and/or disclosed Google ad technology providers (ATPs) that are not registered with IAB.
This specification defines the following:
-
The AC string format.
-
The extension to the TCF v2.2 CMP API to support the AC string and controls for when both TCF and Advertiser Consent Mode are present.
-
How an AC string should be stored.
-
How to pass the AC string through the digital advertising chain.
The "Additional Consent" (AC) string format
What information is stored in an AC string?
An AC string contains the following components:
-
Part 1: A specification version number, such as "
2
" -
Part 2: A separator symbol "
~
" -
Part 3: A dot-separated list of user-consented Google Ad Tech Provider (ATP) IDs. Example: "
1.35.41.101
" -
Part 4: A separator symbol "
~
" -
Part 5: "dv." followed by a dot-separated list of disclosed Google Ad Tech Provider (ATP) IDs. Example: "
dv.9.21.81
"Vendors included in Part 3 should not be included in Part 5 to reduce string length.
AC string example
The AC string 2~1.35.41.101~dv.9.21.81
means that the user has consented to ATPs with IDs 1
, 35
, 41
and 101
, ATPs with IDs 9
, 21
, and 81
have been disclosed to the user and the string is created using the format defined in the v2 specification.
Who should create an AC string?
An AC string may only be created by an IAB Europe TCF-registered CMP using its assigned CMP ID number in accordance with the IAB Policies. Vendors or any other third-party service providers must not create AC strings themselves.
Where will the Google ATPs be published?
Google will publish the list of ad technology providers not registered with the IAB and their IDs at the following location:
https://storage.googleapis.com/tcfac/additional-consent-providers.csv
When should an AC string be created?
In all cases, an AC string may only be created where the publisher is in compliance with Googleâs EU User Consent Policy.
Consented vendors should only be included when the user has given legally valid consent to:
-
the use of cookies or other local storage where legally required; and
-
the collection, sharing, and use of personal data for personalization of ads by an ATP, as well as complying with all other terms of the Googleâs EU User Consent Policy.
Disclosed vendors who do not have consent for:
-
the use of cookies or other local storage where legally required; and
-
the collection, sharing, and use of personal data for personalization of ads, should only be included when appropriate transparency is provided to users on the identity of each ATP, including linking to the ATPâs privacy policy as provided in Googleâs ATP list.
An AC string must only be created as a supplemental string to the TC string, and not in place of the TC string. Google will not process the request and will discard the AC string on a request received by Google if a TC string is not available for the same request.
CMPs implementing this spec must make sure that the AC string they create contains only the IDs from the published Google ATP file (that is, non-GVL vendors). When Google receives a TC string, it will check the version of the GVL that is listed in that TC string. If that version of the GVL has a registration for a vendor, the TC string controls for that vendor and any AC string entries for that vendor will be ignored. In this circumstance, Google reserves the right to remove such "duplicate" entries from the AC string and pass on such modified AC string alongside the TC string. Vendors other than Google may not modify the AC string.
Related resources
-
Transparency and Consent String with Global Vendor List Format v2.2
-
Googleâs EU User Consent Policy
Extension to the CMP API
We propose to extend the existing TCF v2.2 CMP JavaScript API to allow for returning the AC string. More specifically, we propose to extend the TCData and InAppTCData JSON objects to return this data.
TCData = {
tcString: 'base64url-encoded TC string with segments',
...
addtlConsent: âAC string with spec version and consented Ad Tech Provider IDsâ
}
InAppTCData = {
tcString: 'base64url-encoded TC string with segments',
...
addtlConsent: âAC string with spec version and consented Ad Tech Provider IDsâ
}
How should an AC string be stored?
Web
Storage mechanism is up to the CMPâs choice.
In-app
NSUserDefaults (iOS) or SharedPreferences (Android) shall be used to store the AC string by a CMP SDK. It allows:
-
Vendors to easily access the AC string
-
AC string to persist across app sessions
-
AC string to be portable between CMPs to provide flexibility for a publisher to exchange one CMP SDK for another
If a publisher chooses to remove a CMP SDK from their app, they are responsible for clearing AddtlConsent
values for users so that vendors do not continue to use the included AC string.
Storage and Lookup Key in NSUserDefaults and SharedPreferences | Value |
IABTCF_AddtlConsent |
String: AC string with spec version and consented Ad Technology Provider IDs |
How to pass the AC string through the digital advertising chain
Bid request
We will reuse the ConsentedProvidersSettings
to propagate the non-GVL vendors downstream.
- In OpenRTB extensions proto
- Legacy Protobuf version
message ConsentedProvidersSettings {
// Set of IDs corresponding to providers for whom the publisher has told
// Google that its EEA users have given legally valid consent to: 1) the use of cookies or other local
// storage where legally required; and 2) the collection, sharing, and use of personal data for
// personalization of ads by an ATP in accordance with Googleâs EU User Consent Policy.
// A mapping of provider ID to provider name is posted at providers.csv.
repeated int64 consented_providers = 2 [packed = true];
}
// Information about the providers for whom the publisher has told Google
// that its EEA users have consented to the use of their personal data for
// ads personalization in accordance with Google's EU User Consent Policy.
// This field will only be populated when regs_gdpr is true.
optional ConsentedProvidersSettings consented_providers_settings = 42;
URL-based services
When a creative is rendered, it may contain a number of pixels under <img>
tags. For example, <img src="http://vendor-a.com/key1=val1&key2=val2">
, which sends an HTTP GET
request from the browser to the vendor's domain.
Since the pixel is in an <img>
tag without the ability to execute JavaScript, the CMP API cannot be used to obtain the TC string. Similar to the support for TC string, we provide a standard URL parameter and a macro in the pixel URLs where the AC string should be inserted.
URL parameter | Corresponding Macro | Representation in URL |
addtl_consent |
ADDTL_CONSENT |
&addtl_consent=${ADDTL_CONSENT} |
Example 1
For Vendor A to receive an AC string, an image URL must include a key-value pair with the URL parameter and macro &addtl_consent=${ADDTL_CONSENT}
. The resulting URL is:
http://vendor-a.com/key1=val1&key2=val2&addtl_consent=${ADDTL_CONSENT}
Example 2
On a given request, if the AC string is: 1~1.35.41.101
The caller or the renderer of the creative replaces the macro in the URL with the actual AC string so that the originally placed pixel containing the macro is modified as follows when making the call to the specified server:
http://vendor-a.com/key1=val1&key2=val2&addtl_consent=1~1.35.41.101