GDPR IAB support

This guide outlines the steps required to support the GDPR IAB TCF v2 message as part of the UMP SDK. It is intended to be paired with Get started which gives an overview of how to get your app running with the UMP SDK and the basics of setting up your message. The following guidance is specific to the GDPR IAB TCF v2 message.

Prerequisites

Delay app measurement

By default, the Google Mobile Ads SDK initializes app measurement and begins sending user-level event data to Google immediately when the app starts. This initialization behavior ensures that you can enable Ad Manager user metrics without making additional code changes.

However, if your app requires user consent before these events can be sent, you can delay app measurement until you explicitly initialize the Mobile Ads SDK or load an ad.

To delay app measurement, add the GADDelayAppMeasurementInit key with a boolean value of YES to your app's Info.plist. You can make this change programmatically:

<key>GADDelayAppMeasurementInit</key>
<true/>

GDPR requires consent revocation to allow users to withdraw their consent choices at any time. See Privacy options to implement a way for users to withdraw their consent choices.

Set tagForUnderAgeOfConsent (TFUA) to indicate whether a user is under the age of consent. Consent is not requested from the user when TFUA is set to true. Mixed audience apps should set this parameter for child users to ensure consent is not requested.

Swift

// Create a UMPRequestParameters object.
let parameters = UMPRequestParameters()
// Indicate the user is under age of consent.
parameters.tagForUnderAgeOfConsent = true

// Request an update for the consent information.
UMPConsentInformation.sharedInstance.requestConsentInfoUpdate(with: parameters) {
  [weak self] requestConsentError in
  guard let self else { return }

  // ...
}

Objective-C

// Create a UMPRequestParameters object.
UMPRequestParameters *parameters = [[UMPRequestParameters alloc] init];
// Indicate the user is under age of consent.
parameters.tagForUnderAgeOfConsent = YES;

// Request an update for the consent information.
[UMPConsentInformation.sharedInstance
    requestConsentInfoUpdateWithParameters:parameters
        completionHandler:^(NSError *_Nullable requestConsentError) {
          // ...
        }];

Mediation

Follow the steps in Add ad partners to published GDPR messages to add your mediation partners to the ad partners list. Failure to do so can lead to partners failing to serve ads on your app.

Mediation partners might also have additional tools to help with GDPR compliance. See a specific partner's integration guide for more details.

After GDPR consent has been collected, you can read consent choices from local storage following the TCF v2 spec. The IABTCF_PurposeConsents key indicates consent for each of the TCF purposes.

The following code snippet shows how to check consent for Purpose 1:

Swift

// Example value: "1111111111"
let purposeConsents = UserDefaults.standard.string(forKey: "IABTCF_PurposeConsents")
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
let hasConsentForPurposeOne = purposeConsents?.first == "1"

Objective-C

// Example value: "1111111111"
NSString *purposeConsents = [NSUserDefaults.standardUserDefaults
                             stringForKey:@"IABTCF_PurposeConsents"];
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
BOOL hasConsentForPurposeOne = [purposeConsents hasPrefix:@"1"];

Frequently asked questions

What happens if I take no action to meet the Consent Management Platform Requirements for serving ads in the EEA and UK?

Beginning January 16, 2024, if a partner doesn't adopt a Google-certified CMP, only Limited Ads will be eligible to serve on EEA and UK traffic.

Enforcement will begin January 16, 2024 on a small percentage of EEA and UK traffic and will ramp up until Google enforces across all EEA and UK traffic by the end of February 2024. Have a certified CMP in place by January 16, 2024 to ensure your monetization is not impacted.

What happens if I implement a CMP and users don't consent?

Limited Ads serving applies if there is no consent for IAB TCF Purpose 1 in accordance with the EU user consent policy.

See Ad serving modes for more information.

How can I check if the user consented?

Consent is not represented by a single bit, but rather a set of purposes and vendors as defined in the IAB TCF specification. See Consent Policies: Personalized & Non-Personalized Ads for Google Ads personalization criteria.

Additionally, ad techs on Google's Ad technology providers (ATP) list that are not registered in the TCF vendor list use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv.

To debug an individual ad request, use the Advanced ad unit debugging feature in ad inspector to export an ad request string. Then look for the following query parameters:

Query parameter Meaning
gdpr Whether GDPR applies for this ad request.
gdpr_consent The TC String. The IAB provides a web tool where you can manually decode the value.
addtl_consent The AC string from Google's Additional Consent technical specification.

To read consent choices programmatically, see How to read consent choices for more information.

Do I need to use Google's UMP SDK to meet the CMP requirement?

No, you can use any CMP from the List Google-certified CMP to serve ads.

How can I show the consent form again using the UMP SDK even if the user has already consented?

If a user has already made a consent decision, Google's consent management solution won't request to gather new consent until the TC string is expired or otherwise becomes invalid.

GDPR requires consent modification to allow users to withdraw their consent choices at any time. See privacy options to implement a way for users to withdraw their consent choices. To show a consent form again, call presentPrivacyOptionsFormFromViewController:completionHandler:.

Does the consent form populate the user's previous selection?

The consent message visually displays the default consent choices and selections every time the message is displayed. However, the user's consent choices are saved to local storage after the user makes a consent decision.

I integrated a Google-certified CMP, but I'm not seeing any ad requests get made to mediation partners even from users who consented. Why is this happening?

Under TCF, Google checks that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall. Navigate to the mediation section for more information.

Some mediation partners in Google's Ad Tech Providers (ATP) list are not registered in the TCF vendor list. These partners instead use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv

The UMP SDK supports storing the ACString, enabling you to Add ad partners to published GDPR messages without needing to understand whether partners are TCF-registered. When using a third-party CMP, you should do the following:

  1. Confirm that the third-party CMP supports storing the ACString.
  2. Include each mediation partner in the list of ad technology providers that the third-party CMP uses to gather consent.
Can I change how my app functions if users don't consent? Is this allowed by policy?

Publishers can read the IAB TCF string in their apps. See How to read consent choices for information on reading consent choices programmatically. Publishers should review their obligations under relevant regulations with legal counsel.

When I select Manage Options and consent to all purposes, I'm not seeing any ads? Why is this happening?

In addition to collecting purposes consent you also need to collect vendor consent. Both purposes consent and vendor consent are required for any vendor, such as Google, to serve appropriate ads.

What is the best practice for showing both the iOS ATT alert and GDPR consent to the same user?

We recommend showing the GDPR consent message first and the iOS ATT alert second if the user consented to GDPR. This is already handled by the UMP SDK if you configure both messages in the Ad Manager UI. See Which message your users will see for more information.

If you are not showing the ATT alert using the UMP SDK, we recommend you read consent choices once GDPR consent is collected to determine whether to show the iOS ATT alert.

How does AC String version 2 impact waterfall mediation for EEA and UK traffic?

We check that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall.

Changes for Additional Consent v2 include an update to support vendors disclosed in the CMP. Disclosed vendors are eligible to participate in the mediation waterfall.

How do I implement the AC String version 2 for users who already consented to version 1?

Check the IABTCF_AddtlConsent key in local storage per Google's Additional Consent technical specification to determine whether a user has consented to AC String version 2 and if you need to show the consent form again.

Swift

// Example value: "2~1.35.41.101~dv.9.21.81"
let additionalConsent = UserDefaults.standard.string(forKey: "IABTCF_AddtlConsent")
// Index 0 contains information about the specification version number.
let isACVersion2 = additionalConsent?.first == "2"

Objective-C

// Example value: "2~1.35.41.101~dv.9.21.81"
NSString *additionalConsent = [NSUserDefaults.standardUserDefaults
                        stringForKey:@"IABTCF_AddtlConsent"];
// Index 0 contains information about the specification version number.
BOOL isACVersion2 = [additionalConsent hasPrefix:@"2"];
What is the ad serving behavior for a user who sees the consent form in the EEA and UK, and then travels outside the EEA and UK?

The Google Mobile Ads SDK respects the user's consent decision to apply the appropriate ad serving mode even once they leave the EEA and UK.

How do I resolve TCF error 7.8?

TCF error 7.8 indicates that ad requests were made with an invalid TC string version.

When using the UMP SDK, make sure to request consent information on every app launch. The UMP SDK detects invalid consent strings and updates the consent state to "required," prompting your app to gather new consent.

If you use a third-party Google-certified CMP, reach out to that CMP when troubleshooting the invalid consent string.

How do I fix the error "The TC string last updated date was more than 13 months ago"?

Consent must be reobtained from the user. You should call requestConsentInfoUpdateWithParameters:completionHandler: at the start of every app session. If the TC string is expired, the UMP SDK indicates that consent must be reobtained by setting UMPConsentInformation.consentStatus to UMPConsentStatus.required. If you haven't already, implement a request to load and present a new UMP form in your app.

It's possible for the TC string to expire mid-session, resulting in a small amount of 3.3 errors. And if on the next app session you start loading ads at the same time as you check requestConsentInfoUpdateWithParameters:completionHandler:, those requests could also give 3.3 errors until requestConsentInfoUpdateWithParameters:completionHandler: completes; however, this should be a tiny fraction of overall 3.3 errors (less than 0.1%). that are expected.