Transparency and Consent Framework
Introduction
What is TCF?
The IAB's Transparency and Consent Framework (TCF) is the common communication standard that the AdTech industry uses to meet some of the requirements of GDPR and ePrivacy. It comprises policies, a user interface (CMP), a decentralised list of participants (GVL) and a technical framework.
Find out more on the IAB site for TCF v2.0
What is a TC String?
The TC String is the “technical framework” of TCF v2.0. It contains the user's choices about accessing or storing information on their device and about the use of their personal data, as well as the publisher's preferences about vendor (DSP, DMP, etc.) use of data.
The TC string can be communicated either via OpenRTB (e.g. in a bid request) or in the following URL parameters (e.g. when calling a sync pixel):
- gdpr: a flag indicating whether GDPR and ePrivacy apply (1 or 0)
- gdpr_consent: contains the TC string (base64 string)
NOTE: The IAB ended support for TCF v1.1 in August 2020.
Bid Request
To help convey user and publisher choices across the AdTech ecosystem, as well as equip our partners with the right information, TripleLift includes the GDPR flag and TC String as part of the bid request.
The format for sending the data is via the OpenRTB protocol as described in the IAB specs.
GDPR Flag
Sent via the Regs object's ext.gdpr parameter
"regs": {
  "ext": {
    "gdpr": 1
  }
},
TC String
Sent via the User object's ext.consent parameter
"user": {
  "ext": {
    "consent": "BOtOyvmO1kpS3AKAiBENDQ-AAAAwdrv7_77e_9f-_f__9uj3Gr_v_f__32ccL5tv3hv7v-_7fi_-1nV4u_1tft9ydk1-5ctDztp507iakiPHmqNeb9n_mz1eZpkRP58E09j53z7Ew_v8_v-b7JCPN_Y3v-8K96lA"
  }
},
User Sync
Under TCF requirements, the user needs to allow access to information from their device and the use of their personal data before user syncing is possible. This means that all parties involved in user syncing need to receive the TC String before they are allowed to use or share any user IDs.
Sometimes a user sync will be initiated by one of our partners (e.g. DSP/DMP) calling our sync endpoint(s), and sometimes it will be initiated by TripleLift. No matter how a user sync is initiated, it's important that each sync partner receives the gdpr and gdpr_consent parameters in the URL so they know if they're allowed to perform the sync.
As the SSP, TripleLift is required to:
- Receive and process the TC string when a partner initiates a user sync with us. If we determine we are not allowed to user sync, then we must stop the process.
- Include the TC string when we initiate a user sync with a sync partner, per their instructions for their sync endpoint. The TC string needs to be included in the URL when we redirect the browser to the sync partner.
The TripleLift sync pixels contain logic to automatically handle the gdpr and gdpr_consent URL parameters, and we require the sync partner to provide these parameters when initiating user sync requests with TripleLift.
Here is an example of a partner-initiated User Sync call to TripleLift:
https://eb2.3lift.com/xuid?mid=1234&xuid=1234&dongle=1234&gdpr=1&gdpr_consent=AABBCCDDEE
Note: The sync partner would replace the placeholders in the URL with real values.
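The following Python example is added here for illustration and is not TripleLift's code or part of the original page. It shows one way a sync endpoint could gate a request on the gdpr and gdpr_consent parameters, failing closed when they are missing or malformed. It assumes the IAB TCF v2 core-segment layout (6-bit version field, Purpose 1 consent at bit 152) and a hypothetical partner.example host, and it covers only the flag, the string version and Purpose 1; a production gate would also check the vendor's own bit in the vendor-consent section.

```python
import string
from urllib.parse import urlsplit, parse_qs

# TC strings are unpadded base64url, so map each character to its 6-bit group directly.
B64URL = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"
# Assumed TCF v2 core layout: PurposesConsent starts at bit 152; Purpose 1 is its first bit.
PURPOSES_CONSENT = 152

def core_bits(tc_string):
    """Return the core (first) segment as a '0'/'1' string; ValueError on a non-base64url char."""
    return "".join(f"{B64URL.index(c):06b}" for c in tc_string.split(".")[0])

def check_sync_request(url):
    """Decide whether a user sync may proceed. Returns (allowed, reason); fails closed."""
    params = parse_qs(urlsplit(url).query)
    gdpr = params.get("gdpr", [""])[0]
    if gdpr == "0":
        return True, "gdpr=0"
    if gdpr != "1":  # assumption: a missing or odd flag is treated as "no consent"
        return False, "gdpr flag missing or not 0/1"
    try:
        bits = core_bits(params.get("gdpr_consent", [""])[0])
    except ValueError:
        return False, "gdpr_consent is not base64url"
    if len(bits) < 6:
        return False, "gdpr_consent missing"
    version = int(bits[:6], 2)
    if version != 2:  # e.g. a string starting with 'B' decodes to version 1
        return False, f"unsupported TC string version {version}"
    if len(bits) < PURPOSES_CONSENT + 24:
        return False, "TC string truncated"
    if bits[PURPOSES_CONSENT] != "1":
        return False, "no Purpose 1 consent"
    return True, "Purpose 1 consent present"

# Constructed inputs: synthetic TC strings with all other fields zero, hypothetical host.
GRANTED = "C" + "A" * 24 + "I" + "A" * 13  # version 2, only the Purpose 1 consent bit set
DENIED = "C" + "A" * 38                    # version 2, no purposes consented
BASE = "https://partner.example/sync?uid=1234"

if __name__ == "__main__":
    for label, qs in [("granted", f"&gdpr=1&gdpr_consent={GRANTED}"),
                      ("denied", f"&gdpr=1&gdpr_consent={DENIED}"),
                      # prefix of the sample string in the Bid Request section
                      ("version 1", "&gdpr=1&gdpr_consent=BOtOyvmO1kpS3AKAiBENDQ-AAAA"),
                      ("placeholder", "&gdpr=1&gdpr_consent=AABBCCDDEE"),
                      ("no flag", "")]:
        print(label, check_sync_request(BASE + qs))
```

The version check runs before the length check, so a legacy or placeholder value is reported by its version rather than as a truncated string.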
When TripleLift initiates a user sync, we will provide the TC String as part of the user sync call, as instructed by our sync partner. Per the IAB TCF specs, the information will be passed as URL parameters as described in the introduction of this document.
Here is an example of a TripleLift-initiated User Sync call to a partner:
https://{partner-sync-endpoint}&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT}
Note: The "&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT}" macros are populated by TripleLift before it calls the partner sync endpoint.