IAB TCF 2.0 support in Experience Platform
The Transparency & Consent Framework (TCF), as outlined by the Interactive Advertising Bureau (IAB) is an open-standard technical framework intended to enable organizations to obtain, record, and update consumer consent for the processing of their personal data, in compliance with the European Union’s General Data Protection Regulation (GDPR). The second iteration of the framework, TCF 2.0, grants more flexibility for how consumers can provide or withhold consent, including whether and how vendors may use certain features of data processing, such as precise geolocation.
Adobe Experience Platform is part of the registered IAB TCF 2.0 vendor list, under the ID 565. In compliance with TCF 2.0 requirements, Platform allows you to collect customer consent data and integrate it into your stored customer profiles. This consent data can then be factored into whether profiles are included in exported audience segments, depending on their use case.
This document provides an overview of how to configure your data operations and profile schemas to accept customer consent data generated by your Consent Management Platform (CMP). It also covers how Platform conveys user consent choices when exporting segments.
Prerequisites
To follow along with this guide, you must be using a CMP, either commercial or your own, that is integrated and compliant with the IAB TCF. See the list of compliant CMPs for more information.
This guide also requires a working understanding of the following Platform services:
- Experience Data Model (XDM): The standardized framework by which Experience Platform organizes customer experience data.
- Adobe Experience Platform Identity Service: Solves the fundamental challenge posed by the fragmentation of customer experience data by bridging identities across devices and systems.
- Real-Time Customer Profile: Uses Identity Service to create detailed customer profiles from your datasets in real time. Real-Time Customer Profile pulls data from the Data Lake and persists customer profiles in its own separate data store.
- Adobe Experience Platform Web SDK: A client-side JavaScript library that allows you to integrate various Platform services into your customer-facing website.
- SDK consent commands: A use-case overview of the consent-related SDK commands shown in this guide.
- Adobe Experience Platform Segmentation Service: Allows you to divide Real-Time Customer Profile data into groups of individuals that share similar traits and responds similarly to marketing strategies.
In addition to the Platform services listed above, you should also be familiar with destinations and their role in the Platform ecosystem.
Customer consent flow summary summary
The following sections describe how consent data is collected and enforced after the system has been properly configured.
Consent data collection
Platform allows you to collect customer consent data through the following process:
- A customer provides their consent preferences for data collection through a dialog on your website.
- Your CMP detects the consent preference change, and generates TCF consent data accordingly.
- Using the Platform Web SDK, the generated consent data (returned by the CMP) is sent to Adobe Experience Platform.
- The collected consent data is ingested into a Profile-enabled dataset whose schema contains TCF consent fields.
In addition to SDK commands triggered by CMP consent-change hooks, consent data can also flow into Experience Platform through any customer-generated XDM data that is uploaded directly to a Profile-enabled dataset.
Any segments shared with Platform by Adobe Audience Manager (through the Audience Manager source connector or otherwise) may also contain consent data if the appropriate fields have been applied to those segments through Experience Cloud Identity Service. For more information on collecting consent data in Audience Manager, see the document on the Adobe Audience Manager plug-in for IAB TCF.
Downstream consent enforcement
Once TCF consent data has successfully been ingested, the following processes take place in downstream Platform services:
- Real-Time Customer Profile updates the stored consent data for that customer’s profile.
- Platform processes customer IDs only if the vendor permission for Platform (565) is provided for every ID in a cluster.
- When exporting segments to destinations belonging to members of the TCF 2.0 vendor list, Platform only includes profiles if the vendor permissions for both Platform (565) and the individual destination are provided for every ID in a cluster.
The rest of the sections in this document provide guidance on how to configure Platform and your data operations to fulfill the collection and enforcement requirements described above.
Determine how to generate customer consent data within your CMP consent-data
Since each CMP system is unique, you must determine the best way to allow your customers to provide consent as they interact with your service. A cookie consent dialog is a common way to attain customer consent. An example CMP dialog is seen below.
This dialog must allow the customer to opt in or out of the following:
Purposes define which ad tech purposes a brand can use a customer’s data for. The following purposes must be opted into for Platform to process customer IDs:
- Purpose 1: Store and/or access information on a device
- Purpose 10: Develop and improve products
Consent strings consent-strings
Regardless of the method you use to collect the data, the goal is to generate a string value based on the consent options chosen by the customer, called a consent string.
In the TCF specification, consent strings are used to encode relevant details about a customer’s consent settings, in terms of specific marketing purposes as defined by policies and vendors. Platform uses these strings to store the consent settings for each customer, and therefore a new consent string must be generated each time those settings change.
Consent strings may only be created by a CMP that is registered with the IAB TCF. For more information on how to generate consent strings using your particular CMP, refer to the consent string formatting guide in the IAB TCF GitHub repo.
Create datasets with TCF consent fields datasets
Customer consent data must be sent to datasets whose schemas contain TCF consent fields. Refer to the tutorial on creating datasets for capturing TCF 2.0 consent for how to create the required profile dataset (and an optional Experience Event dataset) before continuing with this guide.
Update Profile merge policies to include consent data merge-policies
Once you have created a Profile-enabled dataset for collecting consent data, you must ensure that your merge policies have been configured to always include TCF consent fields in your customer profiles. This involves setting dataset precedence so that your consent dataset is prioritized over other potentially conflicting datasets.
For more information on how to work with merge policies, refer to the merge policies overview. When setting up your merge policies, you must ensure that your segments include all the required consent attributes provided by the XDM privacy schema field group, as outlined in the guide on dataset preparation.
Integrate the Experience Platform Web SDK to collect customer consent data sdk
Once you have configured your CMP to generate consent strings, you must integrate the Experience Platform Web SDK to collect those strings and send them to Platform. The Platform SDK provides two commands that can be used to send TCF consent data to Platform (explained in the subsections below). These commands should be used when a customer provides consent information for the first time, and anytime that consent changes thereafter.
The SDK does not interface with any CMPs out of the box. It is up to you to determine how to integrate the SDK into your website, listen for consent changes in the CMP, and call the appropriate command.
Create a datastream
In order for the SDK to send data to Experience Platform, you must first create a datastream for Platform. Specific steps for how to create a datastream are provided in the SDK documentation.
After providing a unique name for the datastream, select the toggle button next to Adobe Experience Platform. Next, use the following values to complete the rest of the form:
sendEvent
command, storing that data in this dataset. Keep in mind that the consent values stored in this dataset are not used in automatic enforcement workflows.setConsent
command, collected data is stored in this dataset. Since this dataset is Profile-enabled, the consent values stored in this dataset are honored during automatic enforcement workflows.
When finished, select Save at the bottom of the screen and continue following any additional prompts to complete the configuration.
Making consent-change commands
Once you have created the datastream described in the previous section, you can start using SDK commands to send consent data to Platform. The sections below provide examples of how each SDK command can be used in different scenarios.
Using CMP consent-change hooks setConsent
Many CMPs provide out-of-the-box hooks that listen to consent-change events. When these events occur, you can use the setConsent
command to update that customer’s consent data.
The setConsent
command expects two arguments:
- A string that indicates the command type (in this case, “setConsent”).
- A payload that contains a
consent
array. The array must contain at least one object that provides the required consent fields.
The setConsent
command is displayed below:
alloy("setConsent", {
consent: [{
standard: "IAB TCF",
version: "2.0",
value: "CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA",
gdprApplies: "true"
}]
});
standard
IAB
for TCF 2.0 consent processing.version
standard
. This value must be set to 2.0
for TCF 2.0 consent processing.value
gdprApplies
true
. Defaults to true
if not defined.The setConsent
command should be used as part of a CMP hook that detects changes in consent settings. The following JavaScript provides an example of how the setConsent
command can be used for OneTrust’s OnConsentChanged
hook:
OneTrust.OnConsentChanged(function () {
// Retrieve the TCF 2.0 consent data generated by the CMP, and pass it to Alloy.
__tcfapi("getTCData", 2, function (data, success) {
if (success) {
var tcString = data.tcString;
var gdpr = data.gdprApplies;
alloy("setConsent", {
consent: [{
standard: "IAB TCF",
version: "2.0",
value: tcString,
gdprApplies: gdpr
}]
});
}
});
});
Using events sendEvent
You can also collect TCF 2.0 consent data on every event triggered in Platform by using the sendEvent
command.
The sendEvent
command should be used as a callback in appropriate event listeners on your website. The command expects two arguments: (1) a string that indicates the command type (in this case, sendEvent
), and (2) a payload containing an xdm
object that provides the required consent fields as JSON:
alloy("sendEvent", {
xdm: {
"consentStrings": [{
"consentStandard": "IAB TCF",
"consentStandardVersion": "2.0",
"consentStringValue": "CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA",
"gdprApplies": true
}]
}
});
xdm.consentStrings
consentStandard
IAB
for TCF 2.0 consent processing.consentStandardVersion
standard
. This value must be set to 2.0
for TCF 2.0 consent processing.consentStringValue
gdprApplies
true
. Defaults to true
if not defined.Handling SDK responses
All Platform SDK commands return promises that indicate whether the call succeeded or failed. You can then use these responses for additional logic such as displaying confirmation messages to the customer. See the section on handling success or failure in the guide on executing SDK commands for specific examples.
Export segments export
Once you have collected customer consent data and have created audience segments containing the required consent attributes, you can then enforce TCF 2.0 compliance when exporting those segments to downstream destinations.
If the consent setting gdprApplies
is set to true
for a set of customer profiles, any data from those profiles that is exported to downstream destinations is filtered based on the TCF consent preferences for each profile. Any profile that does not meet the required consent preferences is skipped during the export process.
Customers must consent to the following purposes (as outlined by TCF 2.0 policies) for their profiles to be included in segments that are exported to destinations:
- Purpose 1: Store and/or access information on a device
- Purpose 10: Develop and improve products
TCF 2.0 also requires that the source of data must check the destination’s vendor permission before sending data to that destination. As such, Platform checks if the destination’s vendor permission is opted in to for all IDs in the cluster before including data bound to that destination.
Test your implementation test-implementation
Once you have configured your TCF 2.0 implementation and have exported segments to destinations, any data that does not meet consent requirements will not be exported. To see whether the correct customer profiles were filtered during the export, you must manually check the data stores on your destinations to see if consent was properly enforced.
Next steps
This document covered the process of configuring your Platform data operations to meet your business obligations as outlined by the TCF 2.0. See the overview on governance, privacy, and security for more information Platform’s privacy-related capabilities.