Logo Logo


The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner must get consent from your users from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

The IAB Framework, compliant cookie consent and the GDPR

Updated March 30, 2020.

What is the IAB Framework? How does IAB meet the requirements of the GDPR? What should you do when it comes to consent management and cookie consent if you use the IAB Framework? Is the IAB framework GDPR compliant?

This article answers all those questions, so stay with us.

What is the IAB Framework and how does it deal with the GDPR requirements?

IAB Europe, (Interactive Advertising Bureau), is a business organization for online advertisers and marketers, that develops and governs industry standards and best practices, conducts research, and provides legal support.

In preparation to the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.

The Framework is called the IAB Europe Transparency & Consent Framework.

The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smoothen the process of meeting the requirements of the GDPR.

The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.

IAB is updating their Transparency & Consent Framework to 2.0

According to IAB, their new and updated Transparency & Consent Framework 2.0 will enable consumers to grant or withhold consent but they can also exercise their right to object to data being processed.

Consumers also gain more control over whether and how vendors may use certain features of data processing (for example, the use of precise geolocation).

Cookiebot will support the new IAB Transparency & Consent Framework 2.0.

What are the requirements of the General Data Protection Regulation and what does it mean for advertisers?

The General Data Protection Regulation sets out strict requirements for how one may record, store, use and share personal data.

With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.

The GDPR is extremely wide-ranging both geographically, in scope, and in severity.

Geographically, because it not only covers all organizations operating within the EU nations, but also all organizations outside of the EU, that have EU citizens as users.

In scope, because of its broad definition of personal data:

Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data, that can be singled out or connected with other data in order to identify a concrete person.

For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

This broad definition means, in practice, that marketing cookies and all other types of tracking, that e.g. record, store or share users’ behaviour and preferences, are subject to the GDPR.

This affects practically the entire industry of online advertisers and marketers, and everyone involved in that ecosystem, including, in broad scale, publishers on the internet, that make use of ad networks as an important source of income.

In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million - whichever is higher.

What is the purpose of the IAB Framework?

The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.

Within the Framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).

What are publishers, vendors and CMP’s in the IAB Framework, and what is the relation between them?

How the IAB Framework works

In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.

In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.

This list is called the Global Vendor List or “GVL”.

In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…

Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors, that have adhered to the rules of the Framework.

When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List, that they want to partner with.

The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.

Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.

It is worth to be aware of the fact that the IAB Framework is built on a principle of voluntariness. The consent status of the user is signaled to the vendors, but there is no guarantee that the vendors will actually respect these choices.

This is worth noting, because in the case of a breach, the GDPR will hold the first party whose website the user has accessed responsible.

Therefore, even though one has committed to the Framework, it is a good idea to be extra thorough when implementing a consent management software on one’s website.

Cookiebot blocks non-consented vendors and gives control back to the publisher who at the end of the day is the one held liable by the GDPR for all tracking performed by third parties on their website.

How do I get GDPR compliant cookie consent in the IAB Framework?

As a publisher participating in the Framework, first you choose what vendors you want to cooperate with from the Global Vendor List in the IAB.

Then, you can partner up with a consent management provider (CMP). This is not compulsory: you may also operate without a CMP and take care of the consents yourself.

Either way, it is very important to ensure that the setup for obtaining consents is compliant with the GDPR.

The Framework is a step towards standardized compliance, but it does not in and by itself guarantee compliance.

As mentioned above, within the IAB Framework, the consent status is only signaled to the vendors, but in reality, it is up to vendors and advertisers whether they choose to respect it.

Be careful when choosing your consent management provider (CMP) in the Framework (or when taking care of the consents, if you choose to do so yourself), and make sure that the requirements listed below are met.

Requirements for compliant consent in the GDPR

In order for your consent management to comply, it has to be:


How does Cookiebot integrate with the IAB Framework?

Cookiebot is one of the few fully compliant consent management software solutions on the market.

In response to requests made by Cookiebot users and resellers, an integration between Cookiebot and the IAB framework has been developed as an optional supplement to the core consent framework in the Cookiebot solution.

IAB framework cookie consent banner

The integration consists of an extra panel in the consent banner of websites registered with the IAB, see picture above. 

The panel is called "Ad Settings", and from it, end-users can choose between IAB purposes and vendors before submitting their consent. 

It can easily be implemented by means of a simple change in the Cookiebot script on the website. 

We recommend to regard the integration as a supplement, and not a replacement for the regular Cookiebot solution.

This is due to the principle of voluntariness of the IAB Framework, where the state of consent is signaled to the vendors, but where there is no guarantee that the vendors will actually respect these choices.

In the case of a breach, the GDPR will generally hold the first party, whose website the user has accessed, i.e. the publisher, responsible.

Therefore, even though one has committed to the Framework, it is a good idea to be thorough when implementing a consent management software on one's website.

Also, in the standard setting of the Framework, the user is presented with a potentially long list of vendors, that they might not even have heard of before, and decide whether they want to share their data with them.

When implementing Cookiebot as a consent management provider (CMP), non-consented cookies are blocked, thereby restoring the control to the website owner, who is the responsible party for the cookies that are set on their users’ browser.

With Cookiebot, all cookies and tracking in use on a website is paused until consent has been given.

This functionality corresponds to the requirement for prior consent.

All cookies and tracking in use on the website is detected by the Cookiebot scanner, and grouped into four intelligible categories. In the case of the multilevel template illustrated below, the user may check or uncheck categories directly from the consent banner that appears upon their first visit to the website.

Read more about the Cookiebot Scanner here.

This way, the user gets full insight and control without being overwhelmed by information or unnecessarily interrupted in their browsing experience.

Valid consent according to the EU privacy laws

Should a user want a detailed overview of the cookies, he or she can simply click ‘Show details’, whereby all cookies are displayed in a folded-out version of the banner, showing every cookie, where it comes from, its purpose and other relevant information.

Valid consent that is GDPR and ePR compliant

When a user has made their choice, let’s say they have opted out of marketing cookies, these types of cookies will stay paused and will never be activated, for as long as the user does not change their setting.

This way, the website owner has full control over the compliance of the cookies set from their website, whether they are of own or of third party provenance.

Once a month, Cookiebot performs a scan of the entire website and subpages for cookies and other tracking in use, and sends a report to the website owner.

The report can be published as cookie declaration on the website, e.g. as integrated part of the website’s privacy policy or cookie policy.

The user has access to easily change their setting of cookies from within the cookie declaration on the website.

Once a year, the consent will automatically be renewed.

All given consents are securely stored as proof that the consent was given.

See all of Cookiebot’s functionality on our functions page, and try our free scan to check what cookies are in use on your website.

The free scan audits up to five subpages of your website and sends a report of all of the cookies and tracking in use and their compliance with the GDPR and the ePrivacy Directive, thereby giving a pretty good indication on whether your website is compliant or not.

Sign up to Cookiebot to get the full picture and peace of mind. The first month is free.


IAB updates its Transparency & Consent Framework

Homepage of IAB Framework: Advertisingconsent.eu

AdExchanger: IAB Europe And IAB Tech Lab Go Live With GDPR Consent Framework

ClearCode: How the IAB’s GDPR Transparency and Consent Framework Works From a Technical Perspective

Digiday.com: IAB Europe’s GDPR guidelines, explained

Digitalcontentnext: Why the IAB GDPR Transparency and Consent Framework is a non-starter for publishers

IAB Europe: Transparency & Consent Framework specification launches global as industry participation increases


IAB Tech Lab: Proposal for data transparency framework and automation standards across the data supply-chain

MarTech Today: Google to join IAB Europe’s Transparency and Consent Framework

MarTech Today: IAB Tech Lab releases a Data Transparency Framework

Pagefair: Risks in IAB Europe’s proposed consent mechanism

Pagefair: Research result: what percentage will consent to tracking for advertising?

The General Data Protection Regulation

YouTube: IAB Europe's Transparency and Consent Framework - Deep Dive on the Technical Specification

New CCPA configuration 

Cookiebot offers CCPA compliance!



Make your website’s use of cookies and online tracking compliant today

Try for free