Navigating TCF 2.2 and Google’s consent management platform requirements

We sat down with Google’s Global Product Lead, Sam Morse, to discuss their latest consent management platform (CMP) requirements and transparency and consent framework

Param Gopalasamy
OneTrust Editorial Team, CIPP/E, CIPM
August 11, 2023

Man works on his laptop while reclining on a bench inside an office hallway.

Navigating the intricacies of consent management platform (CMP) requirements ? You're not alone, and we're here to help. In a recent OneTrust webinar featuring Sam Morse, Global Product Lead at Google, we delved deep into the nuts and bolts of Google's new CMP requirements. Unveiled on May 16, 2023, these requirements bring fresh challenges and opportunities for businesses operating in the UK and EU. 

Let’s take a look at key takeaways from the webinar, breaking down the most frequently asked questions into digestible, actionable insights. From upgrades to requirements, mobile application integration, and data privacy protocol, we've got you covered. Let's turn that data privacy puzzle into a complete picture.


What do users need to do to upgrade to the latest Transparency and Consent Framework (TCF) version as per TCF 2.2 requirements?

In response to TCF 2.2 requirements, users will need to make a few changes to upgrade to the latest TCF version. Customers using a CMP to follow these requirements will need to update their CMP by the end of November 2023. The upgrade process can vary across organizations due to unique requirements and generally involves some degree of testing and tweaking.

One crucial step will be getting acquainted with the new, updated TCF v2.2 templates.  Along with the templates, there might be some changes in the OneTrust user interface that users will need to familiarize themselves with. 

Another critical aspect of this upgrade is the vendor list. TCF v2.2 highlights the necessity of managing vendor lists effectively. In this regard, OneTrust is set to aggregate the number of vendors. This list will be pulled from the provided vendor list from IAB, which OneTrust will automatically update after users review them.  

Once these steps are complete, users who are already running the OneTrust on their website can simply republish their script. If you're in the process of altering your vendors or purposes, forcing users to re-consent might be a necessary step. In general, TCF v2.2 encourages transparent and ethical consent management, making this an advisable step.


What are Google’s CMP requirements and how does it tie to TCF v2.2?

Google requires all organizations that run Ads on AdSense, AdMob, and Ad Manager in the UK and the EU to have a Google-certified CMP by the end of November 2023.  This will ensure that companies that run ads in these regions comply with the latest TCF 2.2 requirements which are mainly the following:

  • Legitimate interest no longer counts as a valid legal basis of consent for any type of personalization
  • Third-party vendors now have standardized data retention periods
  • When users want to change their consent and preferences, they must have easy access to the CMP

The easiest way to ensure that companies using Google’s ad services are compliant with these TCF requirements is to require them to use a Google-certified CMP that ensures these requirements are baked in. 


For Google’s purposes, is the UK considered part of the EU?

In the context of Google CMP requirements and General Data Protection Regulation (GDPR), the UK is considered part of the EU. Post-Brexit, the UK incorporated GDPR into its own law, effectively making it an integral part of these requirements. Generally, these stipulations apply to the European Economic Area (EEA), the primary jurisdiction for GDPR and ePrivacy Regulation (EPR). However, legal advice is recommended to fully understand the specificities of your situation.


When is Google enforcing its CMP requirements?

Google hasn't specified an exact date for the enforcement of its CMP requirements. However, it's highly recommended for businesses to have a certified CMP solution prepared by the fourth quarter of 2023, given the TCF v2.2’s date of November 30, 2023. Google's commitment to transparency and data protection is evident in its promise to give at least a 30-day notice before beginning enforcement.


Does OneTrust operate on mobile apps in the context of Google CMP requirements?

Yes, OneTrust caters to the Google CMP requirements by operating on mobile apps. We have native Software Development Kits (SDKs) for iOS, Android, and can even deploy into React Native. OneTrust has tools specifically designed for the app ecosystem, making it omnichannel and capable of delivering services across all platforms. This cross-platform operability ensures we meet Google's CMP requirements, providing a robust and versatile consent management solution for our users.


How will Google monitor the CMP that a company uses?

Google employs a systematic approach to monitor the CMP a company uses, ensuring Google CMP requirements are met. It utilizes the Transparency and Consent (TC) string, a series of encoded data that represents user consent choices. When a user makes consent choices, these choices are encoded into the TC string and passed to Google. Google then references the CMP ID on the TC string against its database to validate that the CMP ID originates from a certified CMP. This systematic process allows Google to efficiently monitor and manage CMP usage according to its requirements.


How does OneTrust signal consent or non-consent to Google in accordance with TCF, fulfilling Google's CMP requirements?

OneTrust takes the lead in signaling consent and non-consent to Google as per the TCF. The process is automated and operates using a TC string. This string holds purpose level information, detailing user consent choices, including instances of given legitimate interest. 

OneTrust encodes this string and broadcasts it in the app or on the page, making it accessible to tools like Google. It can be written into a cookie or retrieved via various API methods. Upon receiving the TC string, Google reads the user's consent choices and passes this information to vendors involved in the ad tech supply chain. The serving of ads is then determined in direct accordance with the user's consent choices, ensuring Google's CMP requirements are met and user preferences are respected. 

Understanding and implementing Google's CMP requirements can seem daunting, but with tools like OneTrust and a clear understanding of the stipulations, you can ensure that your organization is ready to face the future of consent management. To learn more about how OneTrust can help your organization comply with these requirements, watch the webinar on-demand.  

You may also like


Consent & Preferences

Compliant omni-channel automation: How to be a responsible marketer?

Join this webinar and learn how to create a compliant privacy-first marketing program that respects customer consent across multiple channels.

October 12, 2023

Learn more

Resource Kit

Consent & Preferences

The Google CMP requirements toolkit

Master Google's CMP Standards: Stay compliant and excel in the evolving ad landscape. Download our Google CMP Requirements Toolkit now!

September 27, 2023

Learn more


Consent & Preferences

Adobe + OneTrust: How to market responsibly with consent-based experiences

Join Adobe and OneTrust as we discuss best practices for deploying consent-based marketing campaigns and privacy-first experiences.

August 29, 2023

Learn more