Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feat]: Become a Google Certified CMP #562

Open
karptonite opened this issue Aug 25, 2023 · 25 comments
Open

[Feat]: Become a Google Certified CMP #562

karptonite opened this issue Aug 25, 2023 · 25 comments
Labels
💬 discussion enhancement New feature or request good first issue Good for newcomers

Comments

@karptonite
Copy link

Description

Google will require users of adsense/ad manager to user a Google Certified Consent Management Platform as of January 2024. It would be great if Cookie Consent could be certified!

It is explained in detail here.
https://support.google.com/adsense/answer/13554020?hl=en&ref_topic=10924967&sjid=11075614997312658217-NA
https://support.google.com/adsense/answer/13554116?hl=en#zippy=%2Cgoogle-certified-cmps

Proposed solution

The solution would be to go through the certification process--there is a url on the first page linked to the form to initiate that. Of course, first Cookie Consent would have to make sure it is complaint with the requirements, which I'm not sure it is yet.

Additional details

No response

@karptonite karptonite added the enhancement New feature or request label Aug 25, 2023
@github-actions github-actions bot added the triage yet to be reviewed label Aug 25, 2023
@orestbida orestbida added 💬 discussion and removed enhancement New feature or request triage yet to be reviewed labels Aug 25, 2023
@orestbida
Copy link
Owner

#289 #523

AFAIK, for this plugin to be a Google Certified CMP it must first be a IAB certified CMP. To register as IAB certified CMP and implement the TCF framework you need to pay ~$1500 yearly.

A TCF compliant CMP also has strict rules on how the CMP should behave and look like which is just not possible to guarantee with a FOSS/MIT project, where anyone can tweak it based on their needs.

@karptonite
Copy link
Author

Hmm... The yearly fee seems like something that could be overcome--I imagine that there are enough companies using this that we could raise this. I can't promise anything, but I might be able to get my company to foot the bill, if that were the only impediment. As for the strict rules, I wonder if it would be sufficient to the defaults be compliant. I mean, anyone can tweak just about and CMP using css, open source or not.

I'm afraid that once Google's new system goes through, there will be no open source way for anyone to verify cookie consent while using ad manager. That would be a real shame, because this is a good package you have created.

@orestbida orestbida added the good first issue Good for newcomers label Aug 25, 2023
@orestbida
Copy link
Owner

Sadly that looks to be the case.

I know a few people who incorporate ads into their websites but yield minimal returns, and the subscribtion to a certified CMP on a monthly basis would significantly impact their already modest earnings. Hopefully there are (or will be) free CMP-TCF verified solutions.

@karptonite
Copy link
Author

It looks like Google may have a version that is free for users of Ad Manager? https://support.google.com/adsense/answer/10924669?sjid=972469827319613161-NA#settings It isn't totally clear to me, what it is, or how flexible it is.

It is true that AdSense doesn't have the best returns, but we use Ad Manager to serve our own ads, and for that, it is useful.

@MyWay
Copy link

MyWay commented Sep 7, 2023

+1 for this, it would be useful

@cyberbeat
Copy link

Google should not be allowed to force people using only solutions they choose, legally other solutions like this one would be also ok.

@orestbida orestbida pinned this issue Sep 15, 2023
@stale
Copy link

stale bot commented Oct 10, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 10, 2023
@orestbida orestbida added enhancement New feature or request and removed stale labels Oct 11, 2023
@torgeirbeyer
Copy link

Is there any news on this? Will this package be certified by Google any time soon? Unfortunaltely our client demands that we use a certified CMP, so if not we have to change to another solution.

@jpkeisala
Copy link

jpkeisala commented Jan 31, 2024

As I am not so familiar with Google product names like adsense/ad manager/admob. I was first lead to understand first that CMP is required if I use Google Ad's but it seems this is not the case. It is only required if I run Google Ad's on the website/app. So, if I just have Google Analytics and Google Ads this cookieconsent is sufficient.

@tehartos
Copy link

tehartos commented Mar 4, 2024

As I am not so familiar with Google product names like adsense/ad manager/admob. I was first lead to understand first that CMP is required if I use Google Ad's but it seems this is not the case. It is only required if I run Google Ad's on the website/app. So, if I just have Google Analytics and Google Ads this cookieconsent is sufficient.

Are you sure?

image

@jpkeisala
Copy link

Of course not. I am just a developer who has strong opinions in complex legal matters without any kind of legal degree. But with my non-native English skill I read your screenshot above "when serving ads to users in the European...." I still understand it applies about running ads in my website not if they come to my site from an ad.

@tehartos
Copy link

tehartos commented Mar 5, 2024

Im also non native, my understanding is different tho. "Publisher" as stated in the screenshot are e.g websites that display ads on their website. Serving ads doesnt equal running ads in my opinion, I think its more of a "displaying" ads. I wish I would be wrong tho. Does someone has tried it out? @orestbida Do you maybe have some insight?

@amitsarkerr
Copy link

If I own a website and want to run Google ads for the website, should I bind CMP-authorized cookie consent, or can I use this awesome open source solution?

Screenshot 2024-05-23 at 10 51 44

From my understanding, CMP is needed for websites that use AdSense.
@orestbida, do you have any clarifications?

@jpkeisala
Copy link

The new Google consent management requirements for serving ads are indeed targeted towards publishers using Google's ad serving products, not advertisers simply running Google Ads campaigns.

@gvigroux
Copy link

Why not using the same technique as: https://github.com/brainsum/cookieconsent ?
It seems it's enough to pass some GTAG values to be compatible with Consent Mode V2

@StayFrosty54
Copy link

I'm sorry but I really really need someone to ELI5 this whole thing. We're doing conversion tracking from ads that point to our website and are using this cookie consent plugin. We're now gettings emails from google that we'll be required to use Consent Mode v2 starting from july. Can we extend this functionality into the plugin like for example described here: #669

Or do we absolutely have to use a CPM certified solution?

@jpkeisala
Copy link

jpkeisala commented Jun 24, 2024

See article here https://uninterrupted.tech/blog/manage-user-cookie-consent-with-google-tag-manager-adapting-to-cookie-consent-v3/

CMP is not required unless you decide to show ads in your own website.

@karptonite
Copy link
Author

karptonite commented Jul 16, 2024

I opened this, and I'm not going to close it because people still seem interested, but I don't think that becoming a certified CMP is in the cards. This is because, as I now think I understand, this package is a consent plugin, but not a consent management platform. A consent management platform also deals with consent data on the backend--google cares about how that data is handled. That is outside the scope of this project. Again, if I understand this correctly.

@johnwbaxter
Copy link

I'm just going to add a little extra insight here. We have been talking to a google account ads account manager about our implementation using this great plugin recently. At no point did they demand we use an off the shelf CMP, just that we handle consent mode properly.

You need to deny consent initially and then when the user accepts the cookies in question, you then grant consent in the GTM datalayer. On top of that, you need to configure your GTM tags to work with consent that is given by your site.

You can do all of this with this plugin, you don't need a paid CMP.

Also, this has events that you can tap into that lets you pump off any data you need to log consent into a database, so ok, natively, it doesn't do the backend functionality, obviously, but it gives you the tools you need to implement it.

@ecjep24
Copy link

ecjep24 commented Aug 15, 2024

@johnwbaxter let's accept the this challenge

@alxndr-w
Copy link

alxndr-w commented Aug 29, 2024

Also, this has events that you can tap into that lets you pump off any data you need to log consent into a database, so ok, natively, it doesn't do the backend functionality, obviously, but it gives you the tools you need to implement it.

And it's not that difficult. I've implemented this into my favorite CMS (REDAXO).

onFirstConsent: () => {
    logConsent();
},

onChange: () => {
    logConsent();
}

[...]

function logConsent() {

	const cookie = cc.getCookie();
	const preferences = cc.getUserPreferences();

	let formData = new FormData();
	formData.append('consentId', cookie.consentId);
	formData.append('acceptType', preferences.acceptType);
	formData.append('acceptedCategories', preferences.acceptedCategories);
	formData.append('rejectedCategories', preferences.rejectedCategories);
	formData.append('acceptedServices', preferences.acceptedServices);
	formData.append('rejectedServices', preferences.rejectedServices);

	fetch('/?api-call=cc&action=log', {
		method: 'POST',
		body: formData
	});
}

And the basic backend stuff for that is just as easy, put all form data into a database table with - you guessed it - consentId, acceptType, etc. and a datestamp.

edit: Advanced stuff, but maybe useful, would be tracking revisions (content as well as logging the revision number. Didn't implement that yet)

edit2: original source

@johnwbaxter
Copy link

Nice comment @alxndr-w !! That will be useful for people doing this :)

@mwendell
Copy link

mwendell commented Nov 8, 2024

@alxndr-w wouldn't it be preferable to record the user's cookie consent in a cookie? If you need to cookie the user anyway, to attach their preferences to your database entry, can't you simply include that preference data in the identification cookie itself?

I could be completely wrong, so I'm curious what you think or what I'm missing in my understanding here.

@alxndr-w
Copy link

alxndr-w commented Nov 8, 2024

@mwendell it's not about saving the user preference for the user – it's to have the user consent in a log for the website's operator.

Use case, as far as I know: the user can't remember that he gave consent, calls his lawyer and sues the operator.

As an operator, you can ask for his consent id and can prove that he gave consent.

--

Another usecase could be websites with login to save the preferences and attach them to the user.

@rkaw92
Copy link

rkaw92 commented Dec 19, 2024

Hi, a developer working in AdTech here. The organization I develop software for is an IAB Europe member, and also a member of Prebid.org, the self-hosted, open-source header bidding solution. Hoping I can offer a bit of insight about CMPs, TCF and the IAB.

Over the past few years, more and more ad vendors have been demanding IAB TCF-compliant consent strings. It's not just Google, it's an industry-wide consensus. This means: if you want ads on your publication (website, app, etc.), you have to convey the user's privacy preferences in one particular format. Today, this format is the TCFv2.2 consent string, and no other format will do. This is an official policy, and e.g. Microsoft (yes, they deal in ads, too) had been sending e-mail newsletters about it being mandatory well in advance.

What happens is this string is passed verbatim through a Byzantine network of intermediaries and ad providers (SSPs and DSPs we call them). Each recipient must verify whether consent was given explicitly for them by making a lookup based on their ID from the Global Vendor List and for the purposes they use. No consent => cease processing of all personal data.

A compliant CMP must: include all vendors from the GVL (hundreds of vendors), provide a means to automatically stay in sync with the latest version of the GVL, and produce a TCFv2.2 string. This is the tech side of things - I don't manage a CMP myself, and are not familiar with the organizational requirements (other than registering with the IAB and paying the annual fee).

One thing to note is that commercial CMP vendors like UserCentrics often offer 2 modes of operation: GDPR or TCF. The resulting pop-up will differ greatly. The first option is quite like what this repo does: there's processing purposes, specific purposes, etc. But, it does not include the GVL, and in fact is not TCF-compliant and has nothing to do with the IAB, though it can cover GDPR compliance for own processing and for when you have data processing contracts (e.g. when you host on AWS so you need to tell the user their data would be stored on AWS).

The second mode is the one that typically comes with a price tag 😛

I think this distinction is a useful one, and should help the project leaders decide: do you want to help users achieve GDPR compliance for their own and delegated data processing, or do you want to become a CMP to enable users to monetize their publications?

One final note is that compliant CMPs are supposed to expose a client-side JS API - probably a minor thing to implement once all the other hurdles are cleared, but this is how the ad scripts interact with the CMP to retrieve the consent string and forward it to the mothership along with the ad request: https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
💬 discussion enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests