Google's new requirements for serving ads in the EEA and UK

[SG214]

Google has recently annnounced that,

...we will require partners using our publisher products — Google AdSense, Ad Manager, or AdMob — to use a Google-certified CMP that integrates with IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK.

This is a concerning development for any publishers using Google's ad platforms, since it appears (on the face of it) that you will be required to use one of their pre-approved Consent Management Platforms in order to show ads in GDPR countries.

I'm just not clear what their definition of a CMP is, would it include self-hosted scripts like CookieConsent?

And if not, why not? Surely this is a very worrying concern if they will now absolutely require you to use a 3rd party service, and I just can't imagine many sites using in-house solutions such as CookieConsent will be very happy about this.

(more details)

To ensure a smooth transition, publishers currently working with a CMP should proactively talk with their provider about the certification process.

I am hoping Google will get some significant pushback on this, or it will at least become clearer what our options are.

I really don't like the direction they're going here in terms of absolutely mandating an IAB solution to the GDPR requirements (and moreso potentially forcing the use of a 3rd party platform), there are significant problems here - not least the fact that IAB have tended to give the impression of bad faith actors in terms of compliance up until recently (although having said that, this whole area appears to be significantly complex).

Would appreciate any thoughts on this.

[orestbida]

AFAIK, a true CMP (consent management platform) is made of 2 main components:

1. cookie banner (client side)
2. platform to store/manage consent records (user's preferences)

Therefore, this plugin is not a CMP.

To be a valid, registered CMP, you also have to pay about €1.500 every year. The IAB-tcf framework can only be implemented if the solution is a valid CMP.

A CMP + IAB-TCF compliant solution is expensive to build and maintain, and this plugin will very likely never become one. I would also assume that google's compliant/certified solutions will not be free.

All users who rely on one of the listed ad-related products will have to switch, whether they like it or not.

[SG214]

Thanks for the clarification.
That's... rather frustrating.

Anyway, let's see where it goes.

[orestbida]

Based on this discussion, it's unlikely that a solution with a permissive license — e.g. MIT, GPL or Apache — could ever implement the TCF framework as it has specific rules regarding the appearance/behavior/options of a CMP. These strict rules simply cannot be ensured if anyone is allowed to modify the plugin freely.

[kzimny]

Is self-hosted solution like CookieConsent also a CMP? It's basically self-hosted and per definition not a provider. Or is the main problem that anyone can modify the plugin freely? Does it means that CookieConsent cannot be used for Google AdSense, Ad Manager, or AdMob?

[orestbida]

You can consider this plugin as a simple cookie banner, a client only consent management tool. It's not a CMP, just one part of it.

Even if you were to build your own custom CMP on top of this plugin, you still wouldn't be able to use Google ads related products as they require a "certified" CMP which must also implement the IAB TCF Framework.

[celius]

I'm not quite sure I understand this.

I belive it's so that if I would run Google AdSense on my site to SHOW Ads to my users, I would be in need of a verified CMP like you say.

But what about when I'm using Google Ads to market to users, and the users on my site will only load the conversion tag from Google Ads. This will not be affected, or am I missing something here? For these cases I belive this script would still work.

So for all businesses wanting to load Google Analytics tracking with GTM consent mode, along with custom conversion pixels from various places there is no issue. Do I understand it correctly?

I've read this:
_"The current Consent Mode parameter tags analytics_storage and ad_storage were related to data collection only, while these new Consent Mode v2 tags relate to how data is used and shared.

Google presented two types of consent mode implementation- basic and advanced, which you have to choose based on legal requirements and your desired output. Google focuses on modeling within Google Ads conversions. Google Ads Conversions modeling is enabled across both basic and advanced types of consent mode modeling."_

Source: https://cookie-script.com/blog/google-consent-mode-v2

[orestbida]

@celius, i think this explains it very clearly:

Beginning January 16, 2024: Publishers and developers using Google AdSense, Ad Manager, or AdMob will be required to use a Google-certified TCF CMP when serving ads to EEA and UK users. We will follow up with more details regarding timings.

If you don't use any of the above 3 products, you're fine, at least for now.

[mateusz-zadorozny]

So for all businesses wanting to load Google Analytics tracking with GTM consent mode, along with custom conversion pixels from various places there is no issue. Do I understand it correctly?

I've read this: _"The current Consent Mode parameter tags analytics_storage and ad_storage were related to data collection only, while these new Consent Mode v2 tags relate to how data is used and shared.

From my research if you use Google Ads or Analytics as customer (you pay Google for traffic) - there is no need to use certified CMP (as this applies to publishers) - but you should properly set consent to use all functions like remarketing, audiences etc.:

https://developers.google.com/tag-platform/security/guides/consent

gtag('consent', 'default', { 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'analytics_storage': 'denied' });

Then update like:

function consentGrantedAdStorage() { gtag('consent', 'update', { 'ad_storage': 'granted' }); }

But I am not 100% sure about that - so if anyone could confirm it - that would be great 😄

[ricardodolnl]

Link itself (not the text) isn't working/wrong destination, but thnx for the tip. Thought i'd mention it.

[mateusz-zadorozny]

Should be working now! :)

[celius]

That's my take on it as well @orestbida and @mateusz-zadorozny.

So on https://playground.cookieconsent.orestbida.com/ where it says "New Google requirements. Google Ads products will no longer work with CookieConsent!", this is not true. It will work as long as you use Consent Mode in GTM?

Further, as I understand it when you set ad_storage (marketing) this applies to ad_user_data and ad_personalization as well. Is that true?

[antonijo01]

Implementing the Google Consent Mode v2 is a must if you want to continue using Google Ads seamlessly.

https://universem.com/blog/google-ads-2024-compulsory-google-consent-mode/

https://www.simoahava.com/analytics/consent-mode-v2-google-tags/

[tommi-siik]

I'm not GTM professional by any means but I'm going to give it a try if it's possible to grant these permissions through GTM. From what I read there might be a way to trigger these new types from there.

Otherwise if that doesn't work I'll have to migrate from this to registered CMP.

[mateusz-zadorozny]

@tommi-siik Just FYI:

Registered CMP is not required. This is from my site that uses plugin which is not on the list, but enforces right consent at start and updates it. You can do it with GTM for sure as well.

[tommi-siik]

@mateusz-zadorozny What kind of data you are collecting? Only anonymous data? Or were you able to collect anonymous and registered user data through that?

[therohitdas]

I managed to find a free CMP but it is from an AD company. It has TCF 2.0 too.
I am not sure if it is good enough tho.
https://www.ezoic.com/gatekeeper/

[ricardodolnl]

So looking at https://developers.google.com/tag-platform/security/guides/consent?consentmode=advanced#implementation_example I worked out the following code for react (nextjs). Would this work the way it should or am I missing something?

'use client';

import {useEffect, useState} from "react";

import "vanilla-cookieconsent/dist/cookieconsent.css";
import * as CookieConsent from "vanilla-cookieconsent";
import Script from "next/script";

declare const window: Window & { dataLayer: Record<string, unknown>[]; };

const updateCookieConsent = () => {
  CookieConsent.showPreferences();
};

const resetCookieConsent = () => {
  CookieConsent.reset(true);
};

const listenForConsent = (state: any) => {
  if (window._ccRun) return;

  window.dataLayer = window.dataLayer || [];
  function gtag(){window.dataLayer.push(arguments);}

  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied',
    'functionality_storage': 'denied',
    'personalization_storage': 'denied',
    'security_storage': 'granted',
  });

  state.setLoadScript(true);

  gtag('js', new Date());
  gtag('config', process.env.NEXT_PUBLIC_GOOGLE_ANALYTICS);

  const updateGtagConsent = () => {
    gtag('consent', 'update', {
      'ad_storage': CookieConsent.acceptedCategory('advertisement') ? 'granted' : 'denied',
      'ad_user_data': CookieConsent.acceptedCategory('advertisement') ? 'granted' : 'denied',
      'ad_personalization': CookieConsent.acceptedCategory('advertisement') ? 'granted' : 'denied',
      'analytics_storage': CookieConsent.acceptedCategory('analytics') ? 'granted' : 'denied',
      'functionality_storage': CookieConsent.acceptedCategory('functional') ? 'granted' : 'denied',
      'personalization_storage': CookieConsent.acceptedCategory('functional') ? 'granted' : 'denied',
      'security_storage': 'granted', //necessary
    });
  };

  window.addEventListener('cc:onConsent', () => {
    updateGtagConsent();
  });

  window.addEventListener('cc:onChange', () => {
    updateGtagConsent();
  });
};

const CookieConsentComponent = () => {
  const [loadScript, setLoadScript] = useState(false);

  useEffect(() => {
    /**
     * All config. options available here:
     * https://cookieconsent.orestbida.com/reference/configuration-reference.html
     */
    listenForConsent({setLoadScript});
    CookieConsent.run({
      guiOptions: {
        consentModal: {
          layout: 'cloud inline',
          position: 'bottom center',
          equalWeightButtons: true,
          flipButtons: false
        },
      },
      categories: {
        necessary: {
          enabled: true,
          readOnly: true
        },
        functional: {},
        analytics: {},
        // performance: {},
        advertisement: {}
      },
      language: {
        default: 'en',
        translations: {
          en: {
            consentModal: {
              title: 'We use cookies',
              description: 'Hello, this website uses essential cookies to ensure its proper functioning and tracking cookies to understand how you interact with it. The latter is only set after permission.',
              acceptAllBtn: 'Accept all',
              acceptNecessaryBtn: 'Reject all',
              showPreferencesBtn: 'Manage Individual preferences',
            },
            preferencesModal: {
              title: 'Manage cookie preferences',
              acceptAllBtn: 'Accept all',
              acceptNecessaryBtn: 'Reject all',
              savePreferencesBtn: 'Accept current selection',
              closeIconLabel: 'Close modal',
              serviceCounterLabel: 'Service|Services',
              sections: [
                {
                  title: 'Your Privacy Choices',
                  description: `We use cookies to ensure basic website functionality and to improve your online experience. You can choose to opt in or out of each category whenever you want.`,
                },
                {
                  title: 'Necessary',
                  description: 'Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.',
                  linkedCategory: 'necessary'
                },
                {
                  title: 'Functional',
                  description: 'Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.',
                  linkedCategory: 'functional',
                },
                {
                  title: 'Analytics',
                  description: 'Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.',
                  linkedCategory: 'analytics',
                },
                // {
                //   title: 'Performance',
                //   description: 'Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.',
                //   linkedCategory: 'performance',
                // },
                {
                  title: 'Advertisement',
                  description: 'Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.',
                  linkedCategory: 'advertisement',
                },
                {
                  title: 'More information',
                  // description: 'For any queries in relation to our policy on cookies and your choices, please <a href="/contact">contact us</a>.',
                  description: 'For any queries in relation to our policy on cookies and your choices, please contact us.'
                }
              ]
            }
          }
        }
      }
    });
  }, []);

  return (
      <>
        {loadScript && (<Script async strategy="lazyOnload" src={`https://www.googletagmanager.com/gtag/js?id=${process.env.NEXT_PUBLIC_GOOGLE_ANALYTICS}`} />)}
      </>
  )
}

export { updateCookieConsent, resetCookieConsent, CookieConsentComponent }

[ricardodolnl]

Since I've added this I see two green checkmarks at my google analytics stream details. And if I understand correctly you can also activate google signals now when you've implemented google consent v2 correctly.

[polly3d]

Hi bud, How long does it take to become green checkmarks? Does I need to do any other settings on GTM platform?

[vonsch76]

It is 2 days, though you see the result in about an hour as the red error mark turns orange.

[polly3d]

@vonsch76 Thank you so much. It takes 4 days to become green checkmarks.

[ricardodolnl]

Ow by the way if you're going to use the code I posted. Make sure to also use window.removeEventlistener(), because of the tow window.addEventListener(). Otherwise you'll get memory leaks.

[vonsch76]

has anybody managed to find the triggers for the next google requirement?

In theory it is ad_personalization and ad_user_data, but that is also handled by Consent Mode.

[ricardodolnl]

I think that one just stays as an info icon. It's as far as I know just settings on what kinds of google services can receive the consented data.

[hual7]

I had the problem that the consent settings were not triggered in GTM. It is important to push an event when updating the consent.

function sendPreferences() {
	const analyticsStatus = CookieConsent.acceptedCategory('analytics') ? 'granted' : 'denied';
	const functionalStatus = CookieConsent.acceptedCategory('functional') ? 'granted' : 'denied';
	const personalizationStatus = CookieConsent.acceptedCategory('personalization') ? 'granted' : 'denied';
	const necessaryStatus = CookieConsent.acceptedCategory('necessary') ? 'granted' : 'denied';
	const advertisementStatus = CookieConsent.acceptedCategory('advertisement') ? 'granted' : 'denied';
	const analyticsGoogleAnalytics = CookieConsent.acceptedService('googleanalytics', 'analytics') ? 'granted' : 'denied';
	const advertisementFacebookPixel = CookieConsent.acceptedService('facebookpixel', 'advertisement') ? 'granted' : 'denied';
	const consentUpdate = {
		'analytics_storage': analyticsStatus,
		'functionality_storage': functionalStatus,
		'personalization_storage': personalizationStatus,
		'security_storage': necessaryStatus,
		'ad_storage': advertisementStatus,
		'ad_user_data': advertisementStatus,
		'ad_personalization': advertisementStatus,
		'analytics_googleanalytics': analyticsGoogleAnalytics,
		'advertisement_facebookpixel': advertisementFacebookPixel,
	};

	gtag('consent', 'update', consentUpdate);

	dataLayer.push({
		'event': 'cookie_consent_update',
	});
}

Now add a trigger configuration to fire Google Tag in reference with the consent settings.

[panfanky]

[edit, found the answer]
If I setup the Google Consent correctly and want to use Cookieconsent, still without having a "certified CMP", the new rules say I can't use Googles'
AdSense = ads on my website
Ad Manager = ads on my website from "my demand sources"
AdMob = ads in my mobile app

This article is useful: https://www.adbutler.com/blog/article/Google-Ad-Manager-vs-Google-Ads-Google-AdSense-Ecosystem-FAQ
it says e.g.:

"Google Ad Manager and Google AdSense are both platforms that publishers can use to monetize their web content online for free. Meanwhile, Google Ads is a platform that allows advertisers to purchase ad inventory from Google’s search and display networks."

"Google AdSense is a platform that allows publishers to monetize web content through advertising demand that comes directly from Google, while Google Ad Manager is an SSP and ad serving solution that publishers can use to connect to their own demand sources."

[jkapron]

Google is one of the main reasons why those privacy regulations are necessary today and are being implemented by more and more governments around the world, and now they (Google) are shamelessly mandating what CMP solutions you are allowed to use and monetizing on it as well. This is very very wrong. Google should not be allowed to do that. Companies, websites, developers should be able to use their own homegrown CMP systems, as well as be free to choose who they want to use. Let's do something about it!