Consent Management for Site Tracking

Solveiga
Solveiga
  • Updated

Consent as the Default Legal Basis for Site Tracking and Personalized Advertising

Through our Data Processing Agreements and platform requirements, Adform requires clients and partners to ensure that users are provided with appropriate transparency and that valid consent is obtained before Adform cookies are set or information is otherwise stored on or accessed from a user's device.

For cookie placement, device ID access, and similar storage or access activities, consent is the default legal basis. In IAB TCF 2.3 terms, this corresponds to Purpose 1: storing and/or accessing information on a device.

Where Site Tracking data is used for personalized advertising, including the creation or use of advertising profiles, consent is also the default legal basis for the related processing of personal data. In IAB TCF 2.3 terms, this corresponds in particular to Purpose 3, creating a personalized ads profile, and Purpose 4, selecting personalized ads.

Adform therefore relies on the consent signal made available by the client, publisher, CMP, or other relevant partner before placing or accessing cookies and before processing personal data for personalized advertising purposes.

Adform may process personal data on other legal bases only where this is specifically applicable to a separate purpose, is supported by the relevant contractual framework, and is permitted under applicable data protection, including GDPR and ePrivacy laws.

When Active Consent is Required

However, if you ask users for explicit consent for Adform to set cookies and/or process data AND a user rejects it, then setting cookies and/or processing the related data would violate the existing ePrivacy directive.

While Adform doesn't ask each user for consent, you can inform us about the current status of the user consent. For that, there are two key parameters: a "flag" (a parameter that indicates "true" or "false") in case the user is in the GDPR-affected area, and an IAB consent framework string:

  • gdpr: this parameter tells vendors if a user is in the GDPR-affected area. Expected values are 1 (meaning "yes/true") or 0 (meaning "no/false").

  • gdpr_consent: this parameter provides consent cookie value containing all information for all purposes and for vendors to understand if a user has given consent for them to operate.

In all cases, the information is delivered via URL parameters. The method of adding these parameters depends on the type of tag.

Asynchronous Tracking Points

For asynchronous tags, append the gdpr or gdpr_consent parameters to the Adform tracking tag as in the example below:

<!-- Adform Tracking Code BEGIN -->
<script type="text/javascript">
    window._adftrack = Array.isArray(window._adftrack) ? window._adftrack : (window._adftrack ? [window._adftrack] : []);
    window._adftrack.push({
        pm: <trackingID>,
        divider: encodeURIComponent('|'),
        pagename: encodeURIComponent('<Tracking Point Name>'),
        gdpr: <true/false>,
        gdpr_consent: '<IAB_consent_string_value>'
    });
    (function () { var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = 'https://track.adform.net/serving/scripts/trackpoint/async/'; var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x); })();
 
</script>

This code is only needed when a user is in the GDPR-affected area and all other users can be left untouched.

Note

Remember to replace the consent string macro. You can find it in the CMP tool implemented on your website (see below).

Synchronous Tracking Points

Add this code right after the synchronous tracking library and before the tracking function:

<script type="text/javascript" src="https://track.adform.net/serving/scripts/trackpoint/"></script>
<script type="text/javascript">
adf.Gdpr = true;
adf.GdprConsent = 'IAB_consent_string_value';
adf.Params.PageName = encodeURIComponent('<Tracking Point Name>');
adf.Params.Divider = encodeURIComponent('|');
adf.track(<trackingID>); </script>

An alternative solution is to switch to asynchronous tags and follow the instructions in the section above.

Synchronous Non-JavaScript Tracking Points

Add the URL parameters (gdpr and gdpr_consent) manually.

The required URL parameters are &amp;gdpr=1&amp;gdpr_consent=IAB_consent_string_value.

Example:

<iframe src="https://track.adform.net/Serving/TrackPoint/?pm={trackingID}&ADFPageName={TrackingPointName}&ADFdivider=|&ADFtpmode=4&gdpr=1&gdpr_consent={IAB_consent_string_value}" style="display:none;"></iframe>

Note

Remember to replace the consent string macro. You can find it in the CMP tool implemented on your website (see below).

How to Retrieve Consent Information from a Cookie

The simplest way to retrieve the consent information is to use dedicated CMP functions. Refer to your CMP tool documentation for details.

Below is an example of one CMP that outputs consent information into the console as a JSON object.

<script type="text/javascript">
  const callback = (tcData, success) => {
    if(success && tcData.eventStatus === 'tcloaded') {
      // do something with tcData.tcString
    } else {
      // do something else
    }
  }
  __tcfapi('addEventListener', 2, callback);
</script>

Output:

{gdprApplies: true, hasGlobalScope: false, consentData: "BONKsyAONyggoABABAENAS-AAAAKh_______________9uT4Kp-KDVZwiA"}

As the example shows, the CMP provides information about whether the GDPR is applicable and the consentData string that should be passed.

function(result) { console.log(result) } should be replaced to the callback of your native function that would handle consent information before initiating ad tags.

Verify if the GDPR Consent is Sent

  1. Right-click anywhere on the page.

  2. Click on Inspect.

  3. Go to the Network tab.

  4. In the search bar, type in rp=

  5. Refresh the page.

  6. Click on one of the new lines that will show on the Network tab.

  7. In the Header tab, scroll down to the Query String Parameters section.

  8. If you see the lines gdpr: true and gdpr_consent with a long string of encrypted code, that means that the GDPR consent is sent.

Verify if the User ID is Sent

  1. On the publisher website, open the developer tools.

  2. Refresh the page.

  3. In the Network tab, use adx.adform.net as domain filter.

    Note

    The parameter rp=3 is visible for usual display placements, while parameter rp=4 is visible for Header Bidding requests.

  4. Click on the request to see the parameters of the query string.

  5. Scroll down to the Query String Parameters section.

    If the user ID is sent, there will be an additional parameter (eids). That parameter contains the user ID.

Custom Consent Versus IAB Consent Framework

Please note that following the recommendation from IAB, TCF v.1.1 signals or any other custom consent signals will not be supported, they will be treated as if no consent is given and will be processed as cookieless.

Passing Consent Information to Container Tag

Given that Adform tracking point receives consent information from the advertiser's website (with gdpr=1 and gdpr_consent="value"), it is possible to pass the consent information to container pixels with macros __ADFGDPRCONSENT__ and __ADFGDPR__ to inform vendors whether a user is in the GDPR-affected area.

Important

As of August 15, 2020, following the recommendation from IAB, TCF, only version 2.0 consent signals and higher are accepted. If you are using an earlier version, it will be treated as if no consent is given and will be processed without cookies.

Was this article helpful?

/
How we can make it better?

Thank you for your feedback!