If you monetize with programmatic ads and have any visitors from Europe, consent is not a legal footnote you can bolt on later — it sits directly in the path of your ad requests. A misconfigured consent setup does not just create legal risk; it silently strangles demand, because most bidders will refuse to bid, or bid far lower, when a valid consent signal never reaches them. This guide explains what the law actually requires of publishers, what a Consent Management Platform (CMP) and the IAB Transparency and Consent Framework really do, how the consent signal travels to your SSPs and Prebid bidders, and how to set it up so you stay compliant without needlessly bleeding revenue.

What GDPR and ePrivacy actually require of publishers

Two separate but interlocking rules govern ad consent in the EU. The first is the GDPR (Regulation (EU) 2016/679), in force since May 2018, which governs the processing of personal data of people in the EU and EEA. The second, older rule is the ePrivacy Directive (2002/58/EC, as amended) — the so-called "cookie law" — which requires informed consent before storing or reading information on a user's device, unless that storage is strictly necessary to provide a service the user asked for. Advertising cookies, local storage, and device fingerprinting are never "strictly necessary," so they need consent.

The critical thing publishers underestimate is how broadly personal data is defined in advertising. Under GDPR, an IP address, a cookie ID, a mobile advertising ID, and precise geolocation are all personal data. That means the ordinary mechanics of programmatic — dropping a cookie, passing an ID to an SSP, letting a bidder build an audience segment — are all "processing of personal data" that need a lawful basis.

For personalized advertising, that lawful basis is, in practice, consent. And GDPR sets a high bar for what counts. Valid consent must be:

This is why a bare "By using this site you accept cookies" banner is not compliance — it collects no affirmative action and offers no granular choice or withdrawal path.

What a CMP is, and how the IAB TCF makes consent portable

A Consent Management Platform (CMP) is the software that shows the consent notice, records the user's choices, stores them, and — crucially — broadcasts those choices to every ad partner in your stack. On its own, a consent record on your server is useless to a dozen third-party SSPs who never see it. The industry solved this portability problem with the IAB Transparency and Consent Framework (TCF), maintained by IAB Europe.

The TCF works through three moving parts. First, a standardized list of purposes (store information on a device, create a personalized ad profile, measure ad performance, and so on). Second, the Global Vendor List (GVL) — a registry of ad-tech vendors, each with a numeric ID and a declaration of which purposes they rely on and on what legal basis. Third, the TC String: a compact encoded string that captures exactly which purposes and which vendors the user consented to. Your CMP generates the TC String and exposes it through a standard JavaScript API (__tcfapi) that any vendor's tag can query. That is how a single click on your banner becomes a signal every SSP can read and honor.

The current version is TCF v2.2, which became mandatory in late 2023 and tightened several things: it standardized the plain-language purpose descriptions, required vendors to disclose data-retention periods and the categories of data they collect, made the number of vendors more transparent, and removed "legitimate interest" as an available basis for the advertising and content-personalization purposes — meaning those now require genuine consent. It also reinforced the need for an easy way to withdraw consent after the fact.

If you serve Google demand, this is not optional. Since January 2024, Google requires publishers to use a Google-certified CMP that integrates the IAB TCF v2.2 in order to serve ads to users in the EEA, UK, and Switzerland. Separately, Google's own tags rely on Consent Mode v2, which reads consent state through parameters such as ad_storage, analytics_storage, ad_user_data, and ad_personalization, and adjusts tag behavior accordingly. Most certified CMPs can wire Consent Mode for you.

Worth knowing for context: the TCF has been legally tested. The Belgian Data Protection Authority ruled in 2022 that the TC String itself constitutes personal data and that IAB Europe acts as a data controller for it; on appeal, the Court of Justice of the EU (case C-604/22, decided March 2024) largely agreed that a TC String can be personal data and IAB Europe can be a joint controller. The framework continues to operate and remains the practical standard — but it is a living target, which is one more reason to keep your CMP current rather than "set and forget."

How the consent signal reaches your demand — and where it breaks

Consent only protects you and only preserves revenue if the signal actually arrives at each bidder. In a header-bidding setup, Prebid.js has dedicated consent management modules for GDPR/TCF, US privacy, and GPP. Configured correctly, Prebid waits for the CMP to resolve, reads the TC String via __tcfapi, and forwards it to every bidder in the auction. Individual adapters can be set to skip the auction entirely for a user who has not consented, or to bid without personalization.

The common failure modes are worth memorizing, because each one quietly costs money:

How consent affects fill and revenue

Here is the honest tradeoff. When a user consents, buyers can use identifiers and audience data, so you get access to personalized, higher-value demand. When a user declines, that demand largely disappears; you are left with contextual and non-personalized ads, which typically clear at lower CPMs, and overall fill can drop. This is a structural reality of the market, not a flaw in your setup.

What you can control is two things. First, your consent rate — the share of users who grant consent — which is driven almost entirely by the clarity and design of your CMP flow. A confusing, guilt-trippy, or slow banner depresses consent; a clear, fast, well-worded one does not. (Note that "dark patterns" that manipulate users into consenting are themselves a compliance risk, so the goal is clarity, not coercion.) Second, your configuration hygiene: making sure that when consent is granted, the signal reaches every bidder so you capture the full value. A publisher losing revenue to consent is far more often losing it to a broken signal path than to users declining.

US privacy laws: CCPA/CPRA and the state patchwork

The US model is fundamentally different from the EU's. Where GDPR is opt-in (no consent, no personalized processing), California's CCPA — as amended and strengthened by the CPRA, effective January 2023 — is opt-out. Publishers can generally process data by default, but must give consumers a clear way to opt out of the "sale" or "sharing" of personal information, typically via a "Do Not Sell or Share My Personal Information" link, and must honor the browser-level Global Privacy Control (GPC) signal as a valid opt-out request.

California is no longer alone. A growing set of states — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana, among others — have their own comprehensive privacy laws. Most follow the opt-out pattern for targeted advertising, and several require opt-in consent for sensitive data (precise geolocation, health, and similar categories). The specifics differ by state, but the practical takeaway for a publisher is: you need a mechanism to capture and honor opt-out signals for US traffic, not just an EU consent banner.

The IAB Global Privacy Platform (GPP), briefly

Managing a different opt-out string for every US state — on top of a TC String for Europe — quickly becomes unmanageable. The IAB Global Privacy Platform (GPP) is the answer: a single transport protocol that can carry multiple jurisdictions' privacy signals in one encoded GPP string, exposed through a standard __gpp API. It has "sections" for the EU TCF, for a US national signal, and for individual state signals, and it supersedes the older standalone US Privacy (USP) string. If you operate across both Europe and the US, adopting a CMP that emits GPP is the cleanest way to keep every partner correctly informed with one integration.

A practical setup checklist

  1. Confirm your scope. If you have EEA, UK, or Swiss visitors, you need GDPR/ePrivacy consent. If you have US traffic, you need opt-out handling. Most publishers with any global audience need both.
  2. Choose a Google-certified CMP that supports IAB TCF v2.2, and — if you serve US traffic — GPP. Certification and GVL registration are non-negotiable if you run Google or major SSP demand.
  3. Populate your vendor list. Every SSP, exchange, and Prebid bidder in your stack must be enabled in the CMP, or it will never receive consent.
  4. Wire Google Consent Mode v2 so Google tags respect the same consent state.
  5. Configure Prebid's consent modules (GDPR/TCF, US privacy, and GPP) so the signal is forwarded into every auction.
  6. Fix load order. Initialize the CMP before ad tags fire, and gate ad requests until consent has resolved.
  7. Make choices granular and reversible. Offer per-purpose control, a genuine "reject" option, and a persistent way to withdraw consent later.
  8. Handle US opt-outs. Add a "Do Not Sell or Share" link and honor the Global Privacy Control signal.
  9. Keep records. Store consent logs so you can demonstrate compliance if asked.
  10. Test the signal end to end. Verify a valid TC String (and GPP string) is generated and that vendors actually receive it — do not assume; inspect it.
  11. Keep it updated. The GVL, TCF versions, and state laws change; schedule a periodic review.

Practical takeaways

Consent is where compliance and revenue meet, so treat it as an ad-ops responsibility, not just a legal one. Remember the essentials: personalized ads in the EU need genuine opt-in consent; a Google-certified TCF v2.2 CMP is required for Google demand in Europe; the US works on an opt-out model with GPC and, increasingly, GPP as the unifying signal. Most consent-related revenue loss traces back to a broken signal path — wrong load order, a missing vendor, or unwired Consent Mode — not to users declining, so audit your configuration before you assume the ceiling is legal.

Get the plumbing right once and it largely runs itself. If you would rather not maintain the CMP, Prebid, and multi-jurisdiction wiring yourself, a publisher-first network like WeForAds can handle the consent-aware ad stack so the correct signal reaches every bidder by default. Either way, the goal is the same: stay compliant, respect your users' choices, and make sure that when consent is granted, you capture every bit of the demand it unlocks.