Written by 
Beginning January 16, 2024, Google will require all publishers serving ads to EEA and UK users to use a Google-certified Consent Management Platform (CMP). It rolls out the new standards for managing user consent and data on Google partner websites.
It’s important that all users everywhere stay up to date regarding these changes. Thus, we’ve made an article chronicling all the new changes you’ll need to keep in mind.
Highlights
- By the latter half of 2023, advertisers utilizing publisher products will be required to adopt a CMP that is certified by Google.
- This alteration is in response to the finalized TCF V2.2 by IAB Europe, which aims to establish a standardized and cohesive user experience in terms of obtaining consent for online advertising.
List Of EEA Countries
| Austria | Czech Republic | Germany | Italy | Malta | Romania |
| Belgium | Denmark | Greece | Latvia | Netherlands | Slovakia |
| Bulgaria | Estonia | Hungary | Liechtenstein | Norway | Slovenia |
| Croatia | Finland | Iceland | Lithuania | Poland | Spain |
| Cyprus | France | Ireland | Luxembourg | Portugal | Sweden |
The United Kingdom ceased its participation in the European Economic Area (EEA) when it formally exited the European Union on January 31st, 2020.
Although Iceland, Liechtenstein, and Norway remain EEA members, they are not affiliated with the EU.
Switzerland, on the other hand, maintains a distinct status as it is neither an EU nor an EEA member. Nevertheless, Swiss citizens enjoy certain rights akin to those of individuals from EEA countries.
A Guide to the Terms in This Article
We’ll be using a lot of technical terms and shortened names in this article. If you’re unfamiliar with these terms, worry not, we’ve got you.
Below, you’ll find a table that explains most, if not all the important terms you’ll find in this article. For those of you not on the tech-savvy end of website management, this should help you navigate things a little better.
| Term | Meaning |
| CMP | A Consent Management Platform is a software tool or service that helps website owners and publishers manage user consent for data collection and processing activities, particularly in relation to online advertising and tracking technologies. |
| TCF | The Transparency and Consent Framework is an industry-standard framework developed by the Interactive Advertising Bureau (IAB) Europe. It provides guidelines and tools to facilitate compliance with data protection regulations, specifically the General Data Protection Regulation (GDPR) in the European Union. |
| IAB | The Interactive Advertising Bureau is an industry trade group that represents various stakeholders in the digital advertising and marketing industry. The IAB’s mission is to support the growth and development of the digital advertising ecosystem by providing standards, research, guidelines, and educational resources. |
| GDPR | The General Data Protection Regulation is a comprehensive data protection and privacy regulation implemented by the European Union and the European Economic Area. It’s meant to strengthen the protection of individuals’ personal data and to harmonize data protection laws across the EU member states. |
| ePrivacy Directive or Cookie Directive | The ePrivacy or Cookie Directive is a piece of legislation implemented by the European Union to address privacy concerns related to electronic communications, including the use of cookies and similar technologies. It focuses on ensuring the protection of individual privacy and confidentiality in electronic communications. |
| EEA | European Economic Area |
With this, we should have most of the necessary terms you’ll need to understand this article. Now, we can begin getting into the changes Google is making in regard to privacy and consent, as well as the implementation of CMPs and why they’re important.
When you’re done with this article, you should be familiar with these changes, as well as the steps you’ll need to take for your website.
Google Consent Management Requirements Quick Rundown
Google will begin requiring partner sites that use their services (AdSense, Ad Manager, AdMob) to use Google-certified CMPs starting later this year. The goal of this shift is to create a transparent platform for users and sites and standardize the user experience for collecting user consent.
Google also wants to ensure that Google’s ad technology properly integrates with the CMP’s framework through Google Certification.
The importance of these new changes is twofold. The aforementioned reasons above are part of it, trying to bring a degree of standardization to the process. These changes also fall in line with the GDPR and ePrivacy, both European laws that make user consent mandatory. We’ll be taking a deeper dive into why this is, and what the deeper implications are for users further into this article.
The GDPR and ePrivacy Directive
The GDPR is a data protection law put into force in 2018 post-Brexit. In a bid to increase transparency and safety online, the GDPR essentially states that processing a user’s personal data without their express consent is illegal in Europe. On top of this, it also claims users have the right to know who is processing their data and how their data is being used.
Meanwhile, the ePrivacy Directive (also known as the Cookie Directive) has been in effect since 2002. Like the GDPR, the ePrivacy Directive aims to put power and control in the hands of the users by regulating the processing of user data. This extends to the storage and access of data on users’ devices like with browser cookies, hence the name the Cookie Directive.
The enforcement of these laws is an excellent step in protecting users’ rights and increasing transparency. With the implementation of CMPs, users now get to see exactly what they’re sharing and the function of this data on the site. This is why it’s essential that all CMPs used are IAB TCF compliant and certified by Google.
How the IAB TCF Facilitates Compliance with GDPR and ePrivacy
The IAB TCF is an industry-standard framework developed by IAB Europe to facilitate compliance with data protection regulations, particularly the General Data Protection Regulation (GDPR), in the European Union. How the IAB TCF works is through a several-step process, the framework of which allows your site to interface with users, records their choices and suggests ads accordingly.
This framework is made up of 3 major components, each of which streamlines the process of registering and processing user data. First, it uses a Global Vendor List to ad tech vendors to register how they process data. It then interfaces with the CMP, allowing users to physically choose whether they will consent or not. From there, strings of code are used to relay the information through a supply chain.
How this comes across to the user and complies with the GDPR and ePrivacy Directive is through purposes. Purposes are options given to users, who can read what the intended use of the information is, and then choose whether to consent or not to hand over their data. Because of how purposes are broken down into many different options, users can be impressively specific with their consent.
It’s important to note that if a user doesn’t select specific purposes, they will not be given targeted ads. Giving users granular control over their information and better transparency in the purpose of this data is exactly what the GDRP and ePrivacy Directive aim for. Thus, the IAB TCF was built from the ground up to fit both of these laws, while CMPs make interfacing with these options simple and easy.
What Exactly Does a CMP Do for Users?
A CMP, or Consent Management Platform, is a software solution, that allows website owners to organize user consent and information. It records users’ consent preferences, auditing and timestamping any changes. For site owners, CMPs provide a centralized platform for managing and communicating any privacy policy changes for users.
CMPs also integrate with other systems, in this case, advertising platforms. Going back to standardization, using a CMP helps enforce users’ consent preferences across various sites between different data processing activities. Implementing a CMP can enhance user trust, show compliance with data protection regulations, and ensure transparent data handling practices.
What Happens If I Do Not Have a CMP?
Once Google rolls out and enforces these changes, all partners in Europe and the UK with no Google-certified CMP implementation will, unfortunately, be locked to serving limited ads. Limited ads are, as the name implies, not particularly flexible or useful. They’re limited to Ad Manager and AdMob and they miss out on tools like preferred deals, auctions and Programmatic Demand.
While limited ads still give you the ability to serve ads in some capacity, it’s not an optimal solution. Thus, you’ll want to make the switch over to a proper CMP anyway, especially with all the benefits that come with it. Now that Google is rolling out a list of Google-certified CMPs, this makes choosing a CMP even easier for users.
If you’re not a particularly tech-savvy user, then don’t worry, Google has you covered. Google’s own CMP is available for free, and AdSense, AdMob and Ad Manager all automatically prompt you to set up the CMP when you launch them. When it comes to how the consent granting process works on your site, the TCF and Google handle everything, suggesting ads depending on user choices.
To enable the free Google CMP, log into your Adsense account, click on the Privacy Messages tab followed by GDPR.
What Makes a CMP Google-Certified?
Google has a couple of requirements in order for a CMP to be Google-certified. The first is for the CMP to be IAB-certified, which means they need to meet the TCF’s specifications. Once that’s been achieved, the CMP then needs to apply for certification from Google. If Google is satisfied with the CMP, it will be certified by Google. This applies to any CMP, even in-house CMPs built from the ground up.
If you don’t have a CMP or your CMP isn’t Google-certified, then you’re left with a couple of options. The first, if you’re attached to a certain CMP, is to request for the creators to get it Google-certified. If that doesn’t work or you just don’t have one, then you can pick a CMP from Google’s list of certified CMPs. If it complies with Google’s requirements, then it’ll be added during a refresh every six months.
Google’s own CMP is part of the mix, being an excellent choice for users. Not only is it completely free for any AdSense, Ad Manager or AdMob user, but it’s also easy to install. It was built with Google’s standards in mind, avoiding the need to check if your CMP is Google-certified or not.
Can I Use Third-Party CMP?
Yes, you can as long the CMP is certified by Google. We have seen many websites using Quantcast and it works great with Adsense.
Why Should This Matter If I Don’t Have Viewership in Europe?
ven if you do not have many viewers in Europe, it’s still worth it to get a CMP for your website. For starters, with Google’s own CMP being available for completely free, there’s no reason not to get it. It’s incredibly simple to implement, and there’s no downside even if your European viewership is tiny. Investing in a CMP is also a bit of future-proofing in case more places begin reinforcing similar laws.
As internet users slowly become more and more conscious of their internet security, it’s quite likely we’ll see these types of laws applied in other places. When that time comes, it’s good to have a CMP already installed to simplify matters. You’ll also be taking an early step to ensure the safety and security of your visitors, giving them control over their information.
What are the fines for not complying with GDPR?
Failure to comply with GDPR may result in a fine of up to 4% of the annual turnover. It is defined in Article 12 of the Regulation. To get more, please read the GDPR on the EU website.
Internet Security and Consent Moving Forward
With the internet moving towards a security-oriented future, it’s important to take early steps in preparation. While for now using a CMP isn’t all too important outside of Europe, there may come a time when they become a requirement. Google in this case is taking the initiative, introducing changes that may become the standard further down the road.
Thankfully, it’s easier than ever to implement these kinds of sweeping changes nowadays. Between Google developing their very own CMP, to the ease of getting your own CMP Google certified, there’s no reason not to use one. Even users who aren’t tech savvy can make use of the technology, building an internet that’s safer and more secure for users and advertisers alike.