Audience Manager Plug-in for IAB TCF
Overview
An important aspect in the privacy obligations you may have towards your users is the acquisition and conveyance of user choices over how their personal data may be used (i.e., “purposes”) and by whom (i.e., “companies”).
Adobe provides you with the means to manage and communicate your users’ privacy choices through the Opt-in functionality and through IAB Transparency and Consent Framework (TCF) support.
This article describes the Audience Manager use cases that support the IAB TCF and how to implement IAB TCF support in Audience Manager.
The Audience Manager Plug-in for IAB TCF utilizes the Opt-in functionality, which is, in turn, part of the Adobe Experience Platform Identity Service (ECID) library.
Scope and Limitations
As a Publisher or Advertiser working with Audience Manager, you are able to convey user choices to Audience Manager as per IAB TCF.
Audience Manager helps you respect your users’ privacy choices and also provides you with an easy way to communicate these choices to all the partners you work with.
Currently, Audience Manager does not support:
- Mobile device workflows;
- Appending consent to segment exports.
Upgrading to IAB TCF v2.2
Customers who are upgrading their Audience Manager Plug-in for IAB TCF implementation from IAB TCF v1.1 to IAB TCF v2.2, or enabling IAB TCF v2.2 for the first time, should all follow the same guidelines on prerequisites and implementation as described below.
Prerequisites
You must meet the following prerequisites to use the Audience Manager Plug-in for IAB TCF with Audience Manager:
- You must be using Adobe Experience Platform Identity Service (ECID) version 5 or newer. Download our latest ECID release.
- You must be using Audience Manager Data Integration Library (DIL) version 9.0 or newer, downloadable from here. Read about DIL in the Audience Manager documentation. We recommend using the Adobe Audience Manager tag extension for the easiest DIL implementation of Audience Manager.
- Alternatively, if you use Server-Side Forwarding (SSF) to import data into Audience Manager, you must upgrade to the latest version of AppMeasurement. Download AppMeasurement using the Analytics Code Manager.
- You must be using a Consent Management Platform (CMP), either commercial or your own, that is integrated with IAB TCF v2.2, and is registered with the IAB TCF. See the list of CMPs registered within the IAB framework.
gdpr=0
parameter in ID syncs, even if your visitors are in the European Union. To determine if your GDPR validation is active, we recommend that you confirm with your Consent Management Platform (CMP) that they support IAB TCF v2.2.Recommendations and how to implement
To enable the IAB TCF support in Audience Manager, read our documentation on how to set up IAB with Opt-in.
The easiest way you can do this is by using Adobe Experience Platform Tags to add ECID Opt-in on your properties. Read the documentation for the ECID Opt-in extension to learn how to set up the Tags extension.
User choice workflow when using the IAB framework
When visiting a web property, your users can provide their choices regarding how their data is to be used by the publisher and by the third-party vendors that the publisher works with.
Users provide their choices in the form of consent for the IAB purposes to third-party vendors registered in the global vendor list.
The image below represents an example of a CMP dialogue, displayed to a first-time visitor of a website. Keep in mind that this dialogue can look very different, based on customer implementation.
Details on the various purposes and permissions included in IAB TCF v2.2 are covered in the IAB Europe Transparency & Consent Framework Policies.
Users may grant their consent for a combination of purposes and vendors. For example, users could grant their consent for storing information on a device, developing and improving products, and grant their consent to all third-party vendors displayed by the CMP.
Or, in another example, they could grant their consent for all purposes but only grant consent to a few of the vendors displayed by the CMP.
Once the user selects their privacy choices, the user choice(s) are recorded in the IAB TC string. The IAB TC string stores the combination of approved purposes and vendors, along with other metadata information (see the IAB page for more information).
Every vendor registered in the IAB TCF evaluates the IAB TC string and makes decisions based on the users’ privacy choices. Keep in mind that the users’ privacy choices are valid across all vendors registered with IAB TCF.
Purposes Required by Audience Manager
Audience Manager evaluates the users’ choices stored in the IAB TC string for the following purposes, defined in the IAB Europe Transparency & Consent Framework Policies.
- Purpose 1: Store and/or access information on a device;
- Purpose 10: Develop and improve products;
- Special Purpose 1: Ensure security, prevent fraud, and debug.
Audience Manager behavior depends on whether the user grants consent
Audience Manager works differently depending on whether the IAB TC string includes user consent for the two purposes (store and/or access information on a device, and develop and improve products) or not.
We also check for user consent for all the destinations that you work with in Audience Manager, as long as those destinations are registered with IAB TCF.
- Carries out all the Audience Manager use cases you have requested.
- Conveys consent to third parties in ID syncs (by passing
gdpr = 1
and the consent string asgdpr_consent
on ID sync calls). - Evaluates and honors consent passed from ad server pixels.
- Honors partner-initiated ID syncs.
- Does not store any new user data in your instance. This includes partner IDs, signals, traits, or pixel data.
- Does not initiate 3rd party ID syncs.
- Does not honor partner-initiated ID syncs.
- Opts out the user from further data collection.
Publisher Use Case
By implementing the Audience Manager Plug-in for IAB TCF, you are not required to maintain custom code for consent management on your web properties via a different mechanism with Adobe or other third-party vendors. The use case is described in the image and in the steps below. Start from the left of the image:
- A user visits one of your web properties. As long as you are using the latest versions of the ECID and DIL libraries (see Prerequisites), the opt-in flow is triggered.
- Audience Manager checks whether the IAB flow applies (
isIabContext=true
). See Recommendations and how to implement. - Audience Manager checks whether GDPR applies (
gdpr = 1
) and whether there is a CMP, registered with IAB TCF, on your web property. For example, this would apply to users visiting from the European Union. Note that it is your responsibility as a publisher to set the GDPR flag. - If GDPR applies, Audience Manager checks the IAB TC string, passed in the
gdpr_consent
parameter, for the required consent. Audience Manager needs consent for storing and/or accessing information on a device (IAB TCF purpose 1), developing and improving products (IAB TCF purpose 10), plus Audience Manager vendor consent to store, process, or activate data. - If the IAB TC string is present and it contains the required consent, Audience Manager passes the IAB TC string on to our data collection servers (DCS).
- Audience Manager responds by setting a demdex cookie on the browser, and initiates and honors third party ID syncs.
- Alternatively, if the IAB TC string passed in step 4 does not contain all the needed permissions, Audience Manager does not collect, process, or activate any user data, and does not honor or initiate ID syncs. Additionally, it opts out the user from the destinations that you work with.
gdpr=0
in ID syncs. This means that GDPR does not apply to those users.
Advertiser Use Case
Audience Manager evaluates and honors consent passed in pixel calls, in accordance with the IAB TCF.
Pixels may be placed by Audience Manager customers on their partner pages or they are placed in ad servers to include in the ad response. In the first case, your partner must programmatically retrieve the consent parameter and add it to the pixel before firing. In the second case, which is more common and is described in detail below, ad servers append the consent parameters they receive from the Supply-Side Platform (SSP) or publisher ad servers to all pixels.
Audience Manager uses two parameters to pass user consent in pixel calls:
gdpr
can be 0 (GDPR does not apply) or 1 (GDPR applies);gdpr_consent
is the URL-safe base64-encoded GDPR consent string (see specification). A sample call for an impression pixel, with the two parameters could look like below:
https://yourcompany.demdex.net/event?d_event=imp&gdpr=1&gdpr_consent=consentstring&d_src=datasource_id&d_site=siteID&d_creative=creative_id&d_adgroup=adgroup_id&d_placement=placement_id
The use case is described in the image and in the steps below. Start from the left of the image:
- Your user is served an impression via an ad server. This translates into a pixel call to our Data Collection Servers (DCS).
- Audience Manager checks whether the GDPR flag applies. If it doesn’t, Audience Manager stores the data passed in the
gdpr
andgdpr_consent
variables in pixel calls. - If the IAB TC string is present and it contains the required permissions, Audience Manager stores the data passed in the
gdpr
andgdpr_consent
variables in pixel calls. - If the IAB TC string is missing or lacks the required permissions, Audience Manager drops the data passed in the
gdpr
andgdpr_consent
variables in pixel calls.
Activation partners that support IAB TCF
The Audience Manager Plug-in for IAB TCF enables you to forward the IAB TC string to activation partners while respecting users’ privacy choices. For information on which activation partners support IAB TCF, refer to our list of device-based destinations.
Appending Consent to URLs sent to URL Destinations
The Audience Manager integration with IAB TCF v2.2 supports the appending of consent to information sent to URL destinations that are integrated with IAB TCF v2.2. However, this process is not done automatically by Audience Manager, to avoid breaking specific URL formats.
Customers who wish to append consent to data sent to URL destinations must manually add the ${GDPR}
and ${GDPR_CONSENT_XXXX}
macros to their URL format, replacing XXXX
with the destination partner ID.
Example: https://yourdomain.com?gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT_1234}
.
See Destination Macros Defined for more details about the supported destination macros.
Cross-Device Consent Management
The Audience Manager Plug-in for IAB TCF automatically opts out the IDs present on a request, when your site visitors do not provide the appropriate permissions. If the request contains a cross-device ID (CRM ID), Audience Manager opts out the ID, together with the last device linked to that cross-device ID (CRM ID).
Test your IAB implementation
To test that you have correctly implemented the Audience Manager Plug-in for IAB TCF, read Use Case 4 in Validating Opt-in Service.
IAB and Opt-out in Audience Manager. Order of precedence.
Another privacy option at your users’ disposal is the ability to opt out of all data collection. Adobe provides users with the means to do so within the Your Privacy Choices page.
Audience Manager addresses opt-out requests in a separate article in our documentation.