
The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner must get consent from your users in the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

The IAB Framework, compliant cookie consent and the GDPR

Updated April 14, 2020.

IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework (TCF) to support publishers, technology vendors and advertisers in being compliant with the EU’s GDPR and ePrivacy Directive.

On May 1, 2020, IAB is launching their Transparency and Consent Framework Version 2.0 (TCF 2.0) and the Cookiebot integration will automatically be migrated.

In this article, we take a look at what IAB’s framework is all about, what’s new in the TCF 2.0 and how Cookiebot works as an integration.

What is new in IAB Transparency and Consent Framework 2.0 (TCF 2.0)?

IAB’s TCF 2.0 will expand the ability for users to give or withhold consent, and to object to their data being processed.

Consent will also become more granular for users, as they will gain more control over whether Vendors are allowed to use their personal data.

Another new feature in IAB’s Transparency and Consent Framework (TCF 2.0) is the ability for publishers to restrict the purposes for which Vendors process personal data on publisher’s websites.

Read more about the new IAB TCF 2.0 here.

In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.

Try Cookiebot free for 30 days... or forever if you have a small website.

Cookiebot and the new IAB Framework (TCF 2.0)

On May 1, 2020, Cookiebot’s IAB integration will automatically migrate from the old to the new IAB framework (TCF 2.0).

As a Cookiebot customer, you don’t need to do anything – the transition to IAB’s new framework (TCF 2.0) is fully automatic.

Your users will automatically be asked for new consent when visiting your website for the first time after the transition.

Cookiebot’s integration with the IAB Transparency and Consent Framework 2.0 will continue as an optional supplement to the core consent framework in the Cookiebot solution.

Cookiebot integration with IAB TCF 2.0

Cookiebot’s consent banner with the new IAB TCF 2.0 integration.

Cookiebot’s integration consists of an extra panel in the consent banner of websites registered with the IAB, as pictured above.

The panel is called "Ad Settings", and from there, end-users can choose between IAB Purposes and Vendors before submitting their consent.

We recommend using the IAB framework integration as a supplement and not a replacement for the regular Cookiebot solution.

This is because IAB’s consent model works through signaling the user’s consent to advertising vendors, whereas Cookiebot’s consent model works through blocking non-consented vendors.

This is a key difference because, according to the GDPR, it is the publisher (i.e. you, the website owner) who is liable for all tracking and personal data collection taking place on their domain, including by third parties.

Cookiebot eliminates the dependency on the good faith of the vendors and gives true control to the website owner. By using Cookiebot as an integration in the IAB framework (TCF 2.0), you ensure true GDPR compliance for yourself.

To ensure that user consents are being honored by advertising vendors, Cookiebot’s scanning technology monitors all cookies and similar trackers used by vendors on the website and marks them as non-consensual in the scan report.

Read our technical support article here, if you want to know more about implementation and technical details about the IAB framework (TCF 2.0) and Cookiebot.

Cookiebot also supports the IAB CCPA Compliance Framework. Read more here.


Cookiebot's unmatched scanning technology

Cookiebot is one of the few fully compliant consent management platforms on the market.

Cookiebot’s unmatched scanning technology finds all cookies and trackers and then takes automatic control until users have given their consent, enabling true compliance with the EU’s General Data Protection Regulation and ePrivacy Directive.

Cookiebot performs monthly deep-scans of your domain to make sure that you always know what third-party trackers and trojan horses are loading on your website.

Take a look at the alarming facts about website tracking here.

Cookiebot then presents a true choice of consent to your users through our consent banner.

IAB TCF 2.0 and Cookiebot go hand in hand.

Cookiebot’s standard consent banner for GDPR/ePR compliance.

Your scan report can be published as a cookie declaration on your website, e.g. as an integrated part of your website’s privacy policy or cookie policy.

All given consents are securely stored as proof that the consent was given and renewed once per year. Users can always easily change their state of consent.

Using Cookiebot is free if you have under 100 subpages (unique URLs).

Try Cookiebot today.

What is the IAB Framework and how does it meet GDPR requirements?

IAB Europe (Interactive Advertising Bureau) is a business organization for online advertisers and marketers that develops and governs industry standards and best practices, conducts research, and provides legal support.

In preparation for the enforcement in May 2018 of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR), the IAB Tech Lab developed a Framework in collaboration with IAB Europe.

The Framework is called the IAB Europe Transparency & Consent Framework.

The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smooth the process of meeting the requirements of the GDPR.

The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.

What are the GDPR requirements and what do they mean for advertisers?

The General Data Protection Regulation (GDPR) sets out strict requirements for how one may record, store, use and share personal data.

Requirements for compliant consent in the GDPR

In order for your consent management to comply, it has to be...


With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.

The GDPR is extremely wide-ranging geographically, in scope, and in severity.

Geographically, because it covers not only all organizations operating within the EU nations, but also all organizations outside of the EU that have EU citizens as users.

In scope, because of its broad definition of personal data.

Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data that can be singled out or connected with other data in order to identify a concrete person.

For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

This broad definition means, in practice, that marketing cookies and all other types of tracking that, for example, record, store or share users’ behaviour and preferences are subject to the GDPR.

This affects practically the entire industry of online advertisers and marketers and everyone involved in that ecosystem, including, on a broad scale, publishers on the internet that rely on ad networks as an important source of income.

In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million - whichever is higher.

What is the purpose of the IAB Framework?

The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.

Within the Framework, these three groups are called “publishers”, “vendors”, and “CMPs” (consent management providers).

What are publishers, vendors and CMPs in the IAB Framework, and what is the relation between them?

How does the IAB Framework work?

In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.

In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.

This list is called the Global Vendor List or “GVL”.

In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…

Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors that have adhered to the rules of the Framework.

When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List that they want to partner with.

The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.

Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.

Cookiebot for GDPR & CCPA compliance through IAB

By using Cookiebot as your website's consent management platform, you can ensure compliance with both the EU’s GDPR and California’s CCPA.

With Cookiebot’s IAB Framework (TCF 2.0) integration, advertisers and publishers also ensure compliant data collection and processing across the board.

Try Cookiebot for free today.


