Manage Vendor Purposes and Restrictions (GDPR TCF v2)
GDPR TCF v2 introduced the ability for publishers to allow or set restrictions on how vendors may process end-user data. Your organization can manage restrictions on vendors by selecting the legal basis for a given purpose. This allows your organization to indicate your preferences that take precedence over a vendor’s preference, where applicable.
Your organization should review the purpose and legal basis settings for the vendors they work with in the vendor list. This article will describe how a publisher can grant consent or set restrictions on a vendor and how to check both in the TC string.
Your organization can establish its own legal basis for IAB purposes when processing user data. More information can be found here.

Set purpose consent or restrictions for IAB vendors

The vendor list displays all vendors your organization works with and their legal basis for each IAB and custom purpose. The legal basis can be:
  • User Consent
  • Legitimate Interest (for some vendors)
  • Not Allowed
Legal Basis and description:
  • User Consent: Confirms that the vendor can process end-user data for a specific purpose only if the end-user has provided explicit consent.
  • Legitimate Interest (for some vendors): Allows the vendor to process end-user data for a specific purpose without collecting explicit consent. Note: the end-user can still reject the processing of their data.
  • Not Allowed: Your organization is restricting a vendor from processing end-user data for a specific purpose.
When a new IAB vendor is added to the list, the vendor's preferred legal basis is set for each purpose.
In order to override or set the preferred legal basis for an individual vendor, click the legal basis field inline with the vendor underneath the purpose column.
Click Save in the upper right-hand corner to confirm your changes.
The TC string will be updated and the vendor will be informed whether they are permitted to process user data for this purpose.

Check consent or restrictions in the TC string

There are two methods to check the legal basis and restrictions on a vendor encoded in the TC string. One method is using the TCFv2 API in the browser's console window and examining the response. The second method described here is to decode the TC string using a service provided by the IAB.
Click here for more information on how to obtain the TC string for your CMP implementation.
The TC string from the TCFv2 API is an encoded text that contains all the information in the TCFv2 API response.
//Example TC string
Copy the tcString value and remove the quotation marks ("). Open the IAB webpage and enter the tcString into the query box to decode.
The page will show the complete results and a section on Publisher Restrictions will appear. The section will display the purpose id, the vendor id and if the vendor is allowed to process user data for that purpose (Type 1) or not allowed (Type 0).
In the example below, a vendor with id 174 is not permitted to process data for IAB purpose 2 ("Select Basic ads") and purpose 7 ("Measure ad performance").
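The following is an added example, not part of the original article or the IAB's tooling: a minimal JavaScript reader for the Publisher Restrictions section of a TC string's core segment, following the bit layout in the IAB TCF v2 specification. `SAMPLE` is a constructed string encoding the vendor 174 case described above, and the restriction type labels are the specification's (0 not allowed, 1 require consent, 2 require legitimate interest).

```javascript
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
// Restriction type labels as defined in the IAB TCF v2 specification.
const TYPES = ['not allowed', 'require consent', 'require legitimate interest'];
// Constructed sample (all other fields zeroed): vendor 174 restricted for purposes 2 and 7.
const SAMPLE = 'C' + 'A'.repeat(41) + 'BBAAIArhwAEAVw';

function bitReader(segment) {
  const bits = [...segment].map((c) => {
    const v = B64URL.indexOf(c);
    if (v < 0) throw new Error('invalid base64url character');
    return v.toString(2).padStart(6, '0');
  }).join('');
  let pos = 0;
  const take = (n) => {
    if (pos + n > bits.length) throw new RangeError('TC string truncated');
    pos += n;
    return bits.slice(pos - n, pos);
  };
  return { skip: take, int: (n) => parseInt(take(n), 2) };
}
// Vendor consent and vendor legitimate-interest sections share one layout.
function skipVendorSection(r) {
  const maxVendorId = r.int(16);
  if (r.int(1) === 0) return r.skip(maxVendorId);                 // plain bitfield
  for (let n = r.int(12); n > 0; n--) r.skip(r.int(1) ? 32 : 16); // range entries
}
// Returns one record per restriction entry: { purposeId, type, start, end }.
function publisherRestrictions(tcString) {
  const r = bitReader(tcString.split('.')[0]);   // core segment only
  if (r.int(6) !== 2) throw new Error('not a TCF v2 string');
  r.skip(207);                                   // fixed-width fields up to PublisherCC
  skipVendorSection(r); skipVendorSection(r);
  const out = [];
  for (let n = r.int(12); n > 0; n--) {          // NumPubRestrictions
    const purposeId = r.int(6), type = r.int(2);
    for (let e = r.int(12); e > 0; e--) {        // vendor ids, single or ranged
      const isRange = r.int(1), start = r.int(16);
      out.push({ purposeId, type, start, end: isRange ? r.int(16) : start });
    }
  }
  return out;
}
function restrictionFor(tcString, vendorId, purposeId) {
  const hit = publisherRestrictions(tcString).find(
    (x) => x.purposeId === purposeId && vendorId >= x.start && vendorId <= x.end);
  return hit ? (TYPES[hit.type] ?? 'undefined') : 'no restriction';
}
console.log(publisherRestrictions(SAMPLE), restrictionFor(SAMPLE, 174, 2));
```

A truncated or malformed string raises an error instead of returning a partial result, so a failed decode is never mistaken for "no restrictions".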