IAB TCF 2.0 support in Experience Platform
The Transparency & Consent Framework (TCF), as outlined by the Interactive Advertising Bureau (IAB) is an open-standard technical framework intended to enable organizations to obtain, record, and update consumer consent for the processing of their personal data, in compliance with the European Union’s General Data Protection Regulation (GDPR). The second iteration of the framework, TCF 2.0, grants more flexibility for how consumers can provide or withhold consent, including whether and how vendors may use certain features of data processing, such as precise geolocation.
۶Ƶ Experience Platform is part of the registered , under the ID 565. In compliance with TCF 2.0 requirements, Experience Platform allows you to collect customer consent data and integrate it into your stored customer profiles. This consent data can then be factored into whether profiles are included in exported audience segments, depending on their use case.
This document provides an overview of how to configure your data operations and profile schemas to accept customer consent data generated by your Consent Management Platform (CMP). It also covers how Experience Platform conveys user consent choices when exporting segments.
Prerequisites
To follow along with this guide, you must be using a CMP, either commercial or your own, that is integrated and compliant with the IAB TCF. See the for more information.
This guide also requires a working understanding of the following Experience Platform services:
- Experience Data Model (XDM): The standardized framework by which Experience Platform organizes customer experience data.
- ۶Ƶ Experience Platform Identity Service: Solves the fundamental challenge posed by the fragmentation of customer experience data by bridging identities across devices and systems.
- Real-Time Customer Profile: Uses Identity Service to create detailed customer profiles from your datasets in real time. Real-Time Customer Profile pulls data from the Data Lake and persists customer profiles in its own separate data store.
- ۶Ƶ Experience Platform Web SDK: A client-side JavaScript library that allows you to integrate various Experience Platform services into your customer-facing website.
- SDK consent commands: A use-case overview of the consent-related SDK commands shown in this guide.
- ۶Ƶ Experience Platform Segmentation Service: Allows you to divide Real-Time Customer Profile data into groups of individuals that share similar traits and responds similarly to marketing strategies.
In addition to the Experience Platform services listed above, you should also be familiar with destinations and their role in the Experience Platform ecosystem.
Customer consent flow summary summary
The following sections describe how consent data is collected and enforced after the system has been properly configured.
Consent data collection
Experience Platform allows you to collect customer consent data through the following process:
- A customer provides their consent preferences for data collection through a dialog on your website.
- Your CMP detects the consent preference change, and generates TCF consent data accordingly.
- Using the Experience Platform Web SDK, the generated consent data (returned by the CMP) is sent to ۶Ƶ Experience Platform.
- The collected consent data is ingested into a Profile-enabled dataset whose schema contains TCF consent fields.
In addition to SDK commands triggered by CMP consent-change hooks, consent data can also flow into Experience Platform through any customer-generated XDM data that is uploaded directly to a Profile-enabled dataset.
Any segments shared with Experience Platform by ۶Ƶ Audience Manager (through the Audience Manager source connector or otherwise) may also contain consent data if the appropriate fields have been applied to those segments through Experience Cloud Identity Service. For more information on collecting consent data in Audience Manager, see the document on the ۶Ƶ Audience Manager plug-in for IAB TCF.
Downstream consent enforcement
Once TCF consent data has successfully been ingested, the following processes take place in downstream Experience Platform services:
- Real-Time Customer Profile updates the stored consent data for that customer’s profile.
- Experience Platform processes customer IDs only if the vendor permission for Experience Platform (565) is provided for every ID in a cluster.
- When exporting segments to destinations belonging to members of the TCF 2.0 vendor list, Experience Platform only includes profiles if the vendor permissions for both Experience Platform (565) and the individual destination are provided for every ID in a cluster.
The rest of the sections in this document provide guidance on how to configure Experience Platform and your data operations to fulfill the collection and enforcement requirements described above.
Determine how to generate customer consent data within your CMP consent-data
Since each CMP system is unique, you must determine the best way to allow your customers to provide consent as they interact with your service. A cookie consent dialog is a common way to attain customer consent. An example CMP dialog is seen below.
This dialog must allow the customer to opt in or out of the following:
Purposes define which ad tech purposes a brand can use a customer’s data for. The following purposes must be opted into for Experience Platform to process customer IDs:
- Purpose 1: Store and/or access information on a device
- Purpose 10: Develop and improve products
Consent strings consent-strings
Regardless of the method you use to collect the data, the goal is to generate a string value based on the consent options chosen by the customer, called a consent string.
In the TCF specification, consent strings are used to encode relevant details about a customer’s consent settings, in terms of specific marketing purposes as defined by policies and vendors. Experience Platform uses these strings to store the consent settings for each customer, and therefore a new consent string must be generated each time those settings change.
Consent strings may only be created by a CMP that is registered with the IAB TCF. For more information on how to generate consent strings using your particular CMP, refer to the in the IAB TCF GitHub repo.
Create datasets with TCF consent fields datasets
Customer consent data must be sent to datasets whose schemas contain TCF consent fields. Refer to the tutorial on creating datasets for capturing TCF 2.0 consent for how to create the required profile dataset (and an optional Experience Event dataset) before continuing with this guide.
Update Profile merge policies to include consent data merge-policies
Once you have created a Profile-enabled dataset for collecting consent data, you must ensure that your merge policies have been configured to always include TCF consent fields in your customer profiles. This involves setting dataset precedence so that your consent dataset is prioritized over other potentially conflicting datasets.
For more information on how to work with merge policies, refer to the merge policies overview. When setting up your merge policies, you must ensure that your segments include all the required consent attributes provided by the XDM privacy schema field group, as outlined in the guide on dataset preparation.
Integrate the Experience Platform Web SDK to collect customer consent data sdk
Once you have configured your CMP to generate consent strings, you must integrate the Experience Platform Web SDK to collect those strings and send them to Experience Platform. The Experience Platform SDK provides two commands that can be used to send TCF consent data to Experience Platform (explained in the subsections below). These commands should be used when a customer provides consent information for the first time, and anytime that consent changes thereafter.
The SDK does not interface with any CMPs out of the box. It is up to you to determine how to integrate the SDK into your website, listen for consent changes in the CMP, and call the appropriate command.
Create a datastream
In order for the SDK to send data to Experience Platform, you must first create a datastream for Experience Platform. Specific steps for how to create a datastream are provided in the SDK documentation.
After providing a unique name for the datastream, select the toggle button next to ۶Ƶ Experience Platform. Next, use the following values to complete the rest of the form:
sendEvent command, storing that data in this dataset. Keep in mind that the consent values stored in this dataset are not used in automatic enforcement workflows.setConsent command, collected data is stored in this dataset. Since this dataset is Profile-enabled, the consent values stored in this dataset are honored during automatic enforcement workflows.
When finished, select Save at the bottom of the screen and continue following any additional prompts to complete the configuration.
Making consent-change commands
Once you have created the datastream described in the previous section, you can start using SDK commands to send consent data to Experience Platform. The sections below provide examples of how each SDK command can be used in different scenarios.
Using CMP consent-change hooks setConsent
Many CMPs provide out-of-the-box hooks that listen to consent-change events. When these events occur, you can use the setConsent command to update that customer’s consent data.
The setConsent command expects two arguments:
- A string that indicates the command type (in this case, “setConsent”).
- A payload that contains a
consentarray. The array must contain at least one object that provides the required consent fields.
The setConsent command is displayed below:
alloy("setConsent", {
consent: [{
standard: "IAB TCF",
version: "2.0",
value: "CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA",
gdprApplies: "true"
}]
});
standardIAB for TCF 2.0 consent processing.versionstandard. This value must be set to 2.0 for TCF 2.0 consent processing.valuegdprAppliestrue. Defaults to true if not defined.The setConsent command should be used as part of a CMP hook that detects changes in consent settings. The following JavaScript provides an example of how the setConsent command can be used for OneTrust’s OnConsentChanged hook:
OneTrust.OnConsentChanged(function () {
// Retrieve the TCF 2.0 consent data generated by the CMP, and pass it to Alloy.
__tcfapi("getTCData", 2, function (data, success) {
if (success) {
var tcString = data.tcString;
var gdpr = data.gdprApplies;
alloy("setConsent", {
consent: [{
standard: "IAB TCF",
version: "2.0",
value: tcString,
gdprApplies: gdpr
}]
});
}
});
});
Using events sendEvent
You can also collect TCF 2.0 consent data on every event triggered in Experience Platform by using the sendEvent command.
The sendEvent command should be used as a callback in appropriate event listeners on your website. The command expects two arguments: (1) a string that indicates the command type (in this case, sendEvent), and (2) a payload containing an xdm object that provides the required consent fields as JSON:
alloy("sendEvent", {
xdm: {
"consentStrings": [{
"consentStandard": "IAB TCF",
"consentStandardVersion": "2.0",
"consentStringValue": "CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA",
"gdprApplies": true
}]
}
});
xdm.consentStringsconsentStandardIAB for TCF 2.0 consent processing.consentStandardVersionstandard. This value must be set to 2.0 for TCF 2.0 consent processing.consentStringValuegdprAppliestrue. Defaults to true if not defined.Handling SDK responses
Many Web SDK commands return promises that indicate whether the call succeeded or failed. You can then use these responses for additional logic such as displaying confirmation messages to the customer. See Command responses for more information.
Export segments export
Once you have collected customer consent data and have created audience segments containing the required consent attributes, you can then enforce TCF 2.0 compliance when exporting those segments to downstream destinations.
If the consent setting gdprApplies is set to true for a set of customer profiles, any data from those profiles that is exported to downstream destinations is filtered based on the TCF consent preferences for each profile. Any profile that does not meet the required consent preferences is skipped during the export process.
Customers must consent to the following purposes (as outlined by ) for their profiles to be included in segments that are exported to destinations:
- Purpose 1: Store and/or access information on a device
- Purpose 10: Develop and improve products
TCF 2.0 also requires that the source of data must check the destination’s vendor permission before sending data to that destination. As such, Experience Platform checks if the destination’s vendor permission is opted in to for all IDs in the cluster before including data bound to that destination.
Test your implementation test-implementation
Once you have configured your TCF 2.0 implementation and have exported segments to destinations, any data that does not meet consent requirements will not be exported. To see whether the correct customer profiles were filtered during the export, you must manually check the data stores on your destinations to see if consent was properly enforced.
Next steps
This document covered the process of configuring your Experience Platform data operations to meet your business obligations as outlined by the TCF 2.0. See the overview on governance, privacy, and security for more information Experience Platform’s privacy-related capabilities.