GDPR compliance, cookies and consent
The GDPR (General Data Protection Regulation) is a regulation in European Union (EU) on data protection and privacy for all individuals within the EU and the European Economic Area (EEA) that was designed to harmonize data privacy laws across Europe. If you collect personal information from any EU citizen (within or outside the EU), you must first obtain explicit and unambiguous consent.
Ad Inserter Cookies
Ad Inserter itself does not use cookies except for debugging to store enabled debugging functions and for ad blocking detection when you use delayed action to store pageviews and action settings.
Debugging cookie is only created for administrator using debugging functions or for the user using remote debugging functions via url.
When ad blocking detection is enabled and delayed actions used, 3 cookies may be created for every visitor: aiADB
, aiADB_PV
and aiADB_PR
. However, no personal data is stored in the cookies, only pageviews and action settings.
PRO Ad Inserter Pro also creates and uses cookie aiBLOCKS
which stores client-side information about impression and click limitations (if configured).
The ads you may insert with the plugin may use own cookies – please check with ad networks for details.
How to display a GDPR compliant cookie message?
You can use any WordPress plugin for GDPR compliance / cookie consent, for example:
Cookie Notice for GDPR
Cookie Consent
CookieYes | GDPR Cookie Consent & Compliance Notice
Complianz | GDPR/CCPA Cookie Consent
Pressidium Cookie Consent
Borlabs Cookie (paid)
Real Cookie Banner PRO (paid, supports IAB TCF v2)
Quantcast Choice (supports IAB TCF v2)
Any plugin or consent solution using IAB TCF v2 framework
Installing GDPR plugin alone does not make your site GDPR compliant. Since ads you insert may use various cookies, you may need to make sure you have necessary configurations in place.
How to show ads based on visitors’ consent?
The settings described here apply to normal (non AMP) pages. For settings for AMP pages please go to section How to show AMP ads based on visitors’ consent on AMP pages.
Ad Inserter supports inserting (showing) ads based on cookies or cookie values. If you have used a plugin for cookie consent you can define cookie condition to insert or show ads by black/white-listing Cookies.
If you are using one of the following plugins for cookie consent you need to white-list (✔) the following cookie value in the Cookies list (button Lists):
Cookie consent plugin | List value |
CookieYes | GDPR Cookie Consent & Compliance Notice | cookielawinfo-checkbox-advertisement=yes – for ads |
CookieYes | GDPR Cookie Consent & Compliance Notice | cookielawinfo-checkbox-analytics=yes – for analytics |
Cookie Notice for GDPR | cookie_notice_accepted=true |
Cookie Consent | catAccCookies=1 |
CookieYes | cookieyes-advertisement=yes |
Complianz GDPR/CCPA Cookie Consent | cmplz_marketing=allow |
GDPR Cookie Compliance (CCPA ready) | moove_gdpr_popup[thirdparty]=1 |
Pressidium Cookie Consent | pressidium_cookie_consent[categories][*]=targeting |
Settings listed above are for plugins where the only check is the presence of the right value (string) in the cookie which is created after the consent is given. Some plugins offer more settings where you can configure consents for different purposes. Below we list settings for plugins that have separate consent for Google AdSense ads. Please note that the actual values in the cookie depend also on the consent plugin settings.
Cookie consent plugin | List value |
|
|
TCF v2 compatible (for example Quantcast Choice) | tcf-google, tcf-no-gdpr |
tcf-google
is a shortcut for tcf-v2[vendor][consents][755]=true && tcf-v2[purpose][consents][1]=true
which is the actual check performed. Please check section IAB TCF v2 below for details.
The plugin previously used euconsent-v2
cookie name for TCF v2 checks. This was now changed to tcf-v2
but the old name will continue to work.
Vendor ID 755 means Google Advertising Products – use vendor ID according to your needs i.e. block ads. See below for detailed description of TCF v2 framework which is used by Quantcast Choice. Google requires also consent for “Purpose 1 – Store and/or access information on a device”. The same settings can be used also for any other consent solution using IAB TCF v2 framework.
The actual cookie name may differ form tcf-v2
– this is only a general name for TCF v2 checks. You need to use this name when checking the IAB TCF v2 compatible consent as the plugin does not check the cookie directly, it uses TCF v2 API to get the tcData
object which is then checked.
For visitors where GDPR does not apply the consent is not needed – those cases are enabled by the second item tcf-no-gdpr
which is a shortcut for the actual check tcf-v2[gdprApplies]=false
.
Make sure you have Dynamic blocks set to client-side insert – TCF v2 based cookie needs to be checked client-side (in the browser).
If you are using caching (very likely) you also need to set Dynamic blocks to Client-side insert (tab ⚙ / tab General) in order to check cookies in visitor’s browser and not when the page is generated.
Example for GDPR Cookie Consent plugin:
In case you don’t see the block inserted or it is inserted when it should not be, you can use debugging functions to diagnose insertions. Debugging function Label Blocks will mark all the blocks with lables showing block status, for example:
GDPR and ad blocking detection
When you enable ad blocking detection the plugin will use some external scripts for additional checks. However, those scripts may create cookies and/or track visitors which is not allowed when you need to comply with the GDPR rules. To be compliant with GDPR you need to uncheck Use external scripts (tab ⚙ / tab Ad Blocking) and insert the scripts only after the consent is given – use the shortcode [ADINSERTER adb="external-scripts"]
in a block configured for consent cookie check as described here for blocks with ad codes. Set block Insertion to Footer and Alignment to No wrapping.
Use external scripts is by default enabled:
How insert arbitrary code based on visitors’ consent?
The same approach can be used to insert any (javascript) code anywhere on the page (including into header or footer) only after the consent is given, for example Google Analytics code, code for AdSense Auto ads, etc.
- Configure one block with the code you need to insert only after the consent is given
- Set insertion position (for example Footer)
- Set Alignment to No wrapping (we don’t need any wrapping div for the block alignment or margins)
- Set Cookies list with cookie conditions as described above – whitelist the block for consent conditions according to the consent plugin used
How to insert into header
Header code window will insert the code into page header (code in the <head></head>
section) on all pages unconditionally. However, you can configure any block to insert header code according to your needs. Normally, position for automatic insertion into Header does not exist and needs to be created.
To create position for automatic insertion into the page header (code in the <head></head>
section) go to tab ⚙ / tab Hooks and create and enable a hook with name Header and action wp_head
. After you save settings you’ll get Header position for automatic insertion for each code block.
Please note that this Header position for automatic insertion has nothing to do with the header of your theme. This is HTML page header – code in the invisible <head></head>
section.
IAB Transparency and Consent Framework 2
The IAB Europe Transparency and Consent Framework (TCF) is a GDPR consent solution built by the industry for the industry, creating a true industry-standard approach. The TCF creates an environment where website publishers can tell visitors what data is being collected and how their website and the companies they partner with intend to use it. The TCF gives the publishing and advertising industries a common language (API) with which to communicate consumer consent for the delivery of relevant online advertising and content. One example of consent manager solution using TCF 2 is Quantcast Choice – Consent & Compliance Management.
Ad Inserter supports IAB TCF 2. Since the consent information in the cookie is stored as encoded object with multiple values it is not possible to simply check the cookie value. The plugin uses TCF v2 API to get the consent data and then checks the tcData
javascript object where individual properties can be checked with the array syntax.
An example of the tcData
object decoded from the IAB TCF 2 cookie:
{
"cmpId": 10,
"cmpVersion": 7,
"gdprApplies": true,
"tcfPolicyVersion": 2,
"eventStatus": "tcloaded",
"cmpStatus": "loaded",
"listenerId": 0,
"tcString": "CO333bBO333bBAKAHAENAyCsAP_AAH_AACRAGStV_T9fb2vj-_5999t0eY1f9_63t-wjhgeMs-8NyZ-X_J4Wr2MyvB34JqQKGRgEunLBAQdlHGHcTQgAwIkViTLMYk2MizNKJrJEilMbM2dYGG1Pn8XTuZCY70-sP__zv3-_-33_4GSEEmCpfAQJCWMBJNmlUKIEIVxIVAOASghGEg0sNCRwU7I4CPUACABAYAIQIAQAgohJBAAIAAElEQAgAwIBEARAIAAQAjQEIACJAEFgBIGAQACoGhYARRBKBIQYHBUcogQFSLRQTwAA.f_gAH_gAAAAA",
"isServiceSpecific": true,
"useNonStandardStacks": false,
"purposeOneTreatment": false,
"publisherCC": "SI",
"outOfBand": {
"allowedVendors": {},
"disclosedVendors": {}
},
"purpose": {
"consents": {
"1": true,
"2": true,
...
"9": true,
"10": true
},
"legitimateInterests": {
"1": false,
"2": true,
...
"9": true,
"10": true
}
},
"vendor": {
"consents": {
"1": true,
"2": true,
"3": false,
...
"803": true,
"804": true,
"805": true
},
"legitimateInterests": {
"1": false,
"2": true,
"3": false,
...
"802": true,
"803": true,
"804": true
}
},
"specialFeatureOptins": {
"1": true,
"2": true
},
"publisher": {
"consents": {
"1": true,
"2": true,
...
"9": true,
"10": true
},
"legitimateInterests": {
"1": true,
"2": true,
...
"9": true,
"10": true
},
"customPurpose": {
"consents": {},
"legitimateInterests": {}
},
"restrictions": {}
}
}
The plugin previously used euconsent-v2
cookie name for TCF v2 checks. This was now changed to tcf-v2
but the old name will continue to work.
You can check individual object properties in the TCF v2 cookie like in other cookie objects, for example, you can whitelist ads with the following cookie property (set in the cookies list):
tcf-v2[vendor][consents][755]=true
This would check IAB TCF 2 cookie whether vendor -> consents [755]
value is true. Vendor ID 755 means Google Advertising Products – use vendor ID according to your needs i.e. block ads.
The actual cookie name may differ form tcf-v2
– you still need to use this name when checking the IAB TCF v2 compatible consent as the plugin does not check the cookie directly, it uses TCF v2 API to get the tcData
object which is then checked.
Google requires also consent for “Purpose 1 – Store and/or access information on a device” – tcf-v2[purpose][consents][1]=true
For visitors where GDPR does not apply the consent is not needed – those cases can be enabled enabled with tcf-v2[gdprApplies]=false
.
So the final check for Google ads is:
tcf-v2[vendor][consents][755]=true && tcf-v2[purpose][consents][1]=true, tcf-v2[gdprApplies]=false
However, for common advertisers and checks you can use the following shortcuts:
TCF v2 cookie check shortcut | The actual check |
tcf-google |
tcf-v2[vendor][consents][755]=true && tcf-v2[purpose][consents][1]=true |
tcf-no-google |
!!tcf-v2[vendor][consents][755] |
tcf-media.net |
tcf-v2[vendor][consents][142]=true && tcf-v2[purpose][consents][1]=true |
tcf-no-media.net |
!!tcf-v2[vendor][consents][142] |
tcf-amazon |
tcf-v2[vendor][consents][793]=true && tcf-v2[purpose][consents][1]=true |
tcf-no-amazon |
!!tcf-v2[vendor][consents][793] |
tcf-ezoic |
tcf-v2[vendor][consents][347]=true && tcf-v2[purpose][consents][1]=true |
tcf-no-ezoic |
!!tcf-v2[vendor][consents][347] |
tcf-gdpr |
tcf-v2[gdprApplies]=true |
tcf-no-gdpr |
tcf-v2[gdprApplies]=false |
Now the final check for Google ads using the shortcuts is tcf-google, tcf-no-gdpr
:
Make sure you have Dynamic blocks set to client-side insert.
To check only the presence of some property (regardless of its value) simply specify it without the value. For example, to check for the presence of publisher -> consents [1]
property use in the list only
tcf-v2[publisher][consents][1]
Inverse consent check
In some cases you may need to check for cases where the user rejected some TCF consent (and the consent is needed – GDPR applies). Use the following approach for cookie check – example for Google:
Consent for Google: tcf-google, tcf-no-gdpr
(user gave consent for Google or GDPR does not apply)
No consent for Google: tcf-no-google && tcf-gdpr
(user did not give consent for Google and GDRP does apply)
IAB TCF Troubleshooting
Diagnosing IAB TCF issues is not simple and requires some experience with Javascript code and the console in the browser. Ad Inserter already supports many debugging functions that can be used to label blocks and diagnose insertions. Additionally, to see the status of the IAB TCF consent API (used also by Quantcast Choice), Ad Inserter shows an additional IAB TCF debugging bar on the top of the page. This bar is present only when at least one block is configured for TCF v2 cookie check:
Initially, when the TCF API (Javascript function __tcfapi
) is detected, the bar is gray. When the consent pop-up window is shown or when the cookie is already present and consent data loaded, the bar becomes green showing that the API function works. If there is an issue the bar becomes red showing the error message.
PRO How to display ads as soon as the consent is given?
Normally, when you configure the plugin as described above, the ads will be loaded with the next page load after the consent is given. However, with Ad Inserter Pro it is possible to immediately display the ads as Ad Inserter Pro supports manual loading. Manual loading means that the code block (ad) is not loaded (inserted) until you call a Javascript function for loading.
If your consent plugin supports custom action when the consent is given (or changed), you need to set Manual loading to Auto and Dynamic blocks to Client-side insert. The block will be processed according to the settings. If Cookies list fails, the block will be marked for manual loading. To check again for cookies and load the block if the conditions (cookies present) are met, the Javascript function ai_load_blocks ([block])
needs to be called. The block number parameter is optional, if it is not provided all blocks enabled for manual loading (and not loaded yet) will be loaded. Of course, the code for the ads needs to support asynchronous loading (loading after the page is created).
For some plugins like Quantcast Choice and Complianz Cookie Consent Ad Inserter Pro will automatically perform necessary actions and insert ad codes as soon as the consent is given (assuming you configured the plugin for cookie consent checks as described above you only need to set Manual loading to Auto for every block that needs to be inserted).
Please note that the settings described here will only insert ad codes immediately after the consent will be given. In most cases the code will display ads, however, this may not happen in all the cases as the ads are displayed by the ad code and the ad code decides what to display and when.
Please not that the code for the ads needs to support asynchronous loading (loading after the page is created).
How to show AMP ads based on visitors’ consent on AMP pages?
You need to first implement the consent solution for AMP pages, for example using Quantcast Choice for AMP. Then you need to add an attribute to the AMP ad codes.
The AMP Project has provided an attribute to block components unless the user has consented. To take advantage of this feature, add the data-block-on-consent
attribute to the AMP ad code or AMP component. In effect, this means that all behaviors of the element (e.g. sending analytics pings for <amp-analytics>
or the loading of an <amp-ad>
) are delayed until the relevant consent instance is accepted.
Individual components may override this behavior to provide more specialized handling. Please refer to each component’s documentation for details. An example of an AMP ad code using this attribute:
<amp-ad
<span data-slate-fragment="JTdCJTIyb2JqZWN0JTIyJTNBJTIyZG9jdW1lbnQlMjIlMkMlMjJkYXRhJTIyJTNBJTdCJTdEJTJDJTIybm9kZXMlMjIlM0ElNUIlN0IlMjJvYmplY3QlMjIlM0ElMjJibG9jayUyMiUyQyUyMnR5cGUlMjIlM0ElMjJjb2RlJTIyJTJDJTIyaXNWb2lkJTIyJTNBZmFsc2UlMkMlMjJkYXRhJTIyJTNBJTdCJTIyc3ludGF4JTIyJTNBJTIydGV4dCUyMiU3RCUyQyUyMm5vZGVzJTIyJTNBJTVCJTdCJTIyb2JqZWN0JTIyJTNBJTIyYmxvY2slMjIlMkMlMjJ0eXBlJTIyJTNBJTIyY29kZS1saW5lJTIyJTJDJTIyaXNWb2lkJTIyJTNBZmFsc2UlMkMlMjJkYXRhJTIyJTNBJTdCJTdEJTJDJTIybm9kZXMlMjIlM0ElNUIlN0IlMjJvYmplY3QlMjIlM0ElMjJ0ZXh0JTIyJTJDJTIybGVhdmVzJTIyJTNBJTVCJTdCJTIyb2JqZWN0JTIyJTNBJTIybGVhZiUyMiUyQyUyMnRleHQlMjIlM0ElMjJkYXRhLWJsb2NrLW9uLWNvbnNlbnQlMjIlMkMlMjJtYXJrcyUyMiUzQSU1QiU1RCU3RCU1RCU3RCU1RCU3RCU1RCU3RCU1RCU3RA=="> data-block-on-consent</span>
width="300"
height="250"
type="medianet"
data-tagtype="cm"
data-cid="8CU5NCA3L"
data-crid="754216422"
>
</amp-ad>