Instructions for Third Party Partners

When running scripts on sites across the web, you are obligated to check the jurisdiction in which you are operating and, when applicable, seek user consent. The IAB Transparency and Consent Framework (TCF) establishes a standard JS API to easily verify consent on any site that has implemented a CMP. In particular, the getConsentData command returns two key values:

  • consentData - (String) Base64 encoded IAB TCF consent string.
  • gdprApplies - (Boolean) Specifies whether or not the user is in scope for GDPR.

CMP Check

If your code is always in the same frame as the CMP JS, check for the presence of a function named __cmp. For code that may be running in an iframe, the presence of a CMP can be determined by looking for a child frame named __cmpLocator within the parent (or an ancestor) frame. The CMP tag creates an iframe named __cmpLocator in its own frame to indicate the presence of the function. Publishers should load the CMP in a parent (or ancestor) of all iframes that may need to request consent. A full code sample is provided by the IAB TCF.

If a CMP is not present, or if the CMP fails to respond, you should assume no consent for users under EU jurisdiction.

getConsentData Example

window.__cmp('getConsentData', null, function (result) {
  // consentData contains the base64 encoded TCF consent string
  var consentData = result.consentData;

  // gdprApplies specifies whether the user is under EU jurisdiction
  var gdprApplies = result.gdprApplies;

  // pass these 2 values to all tag and pixel calls
});

When consentData and gdprApplies have been obtained, scripts may parse these directly or pass them into calls to your servers to be processed by the backend.

A reasonable timeout should be implemented on the command response. Note that the response to a getConsentData call may take as long as the user takes to complete the consent UI flow.
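
The CMP check, the no-consent fallback and the response timeout described above, combined for the same-frame case. This is an added example, not code from the original page or from the IAB; the name getConsentWithTimeout, the status values and the 500 ms default are assumptions, and the iframe (__cmpLocator) path is not covered.

```javascript
// Added example: same-frame CMP lookup with a bounded wait.
// getConsentWithTimeout, the status values and the 500 ms default are
// assumptions made for this illustration.
function getConsentWithTimeout(win, done, timeoutMs) {
  var settled = false;
  var timer = null;

  // Report exactly once, whichever of CMP response or timeout comes first.
  function finish(status, consentData, gdprApplies) {
    if (settled) { return; }
    settled = true;
    if (timer !== null) { win.clearTimeout(timer); }
    done({ status: status, consentData: consentData, gdprApplies: gdprApplies });
  }

  // CMP check: in the same frame the CMP exposes a function named __cmp.
  if (typeof win.__cmp !== 'function') {
    // null values mean "unknown": assume no consent for EU users.
    finish('no-cmp', null, null);
    return;
  }

  // The CMP may not answer until the user finishes the consent UI.
  timer = win.setTimeout(function () {
    finish('timeout', null, null);
  }, timeoutMs || 500);

  try {
    win.__cmp('getConsentData', null, function (result, success) {
      // success is the callback's second argument in the TCF v1 CMP API;
      // the page's sample reads only result.
      if (success === false || !result || typeof result.consentData !== 'string') {
        finish('cmp-error', null, null);
        return;
      }
      var applies = typeof result.gdprApplies === 'boolean' ? result.gdprApplies : null;
      finish('ok', result.consentData, applies);
    });
  } catch (e) {
    finish('cmp-error', null, null);
  }
}
```

Call it with window as the first argument and send tag and pixel calls only from the callback; a CMP response that arrives after the timeout has fired is ignored.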