Overview

The Transparency & Consent Framework (TCF) is a standardized protocol developed by the IAB Europe to help publishers, advertisers, and vendors comply with the GDPR and ePrivacy Directive when processing personal data and using cookies or other tracking technologies. TCF enables organizations to communicate user consent signals in a structured and interoperable way, using a string-based encoding system that captures a user’s choices about how their data can be used and which vendors are allowed to operate.

This document provides a high-level explanation of how TCF v2.2 works in conjunction with the MetaRouter platform, particularly in environments where customer websites use a Consent Management Platform (CMP) that supports the IAB TCF specification (such as OneTrust).

The goal of this guide is to help customers, especially those operating within Europe under the General Data Protection Regulation (GDPR), understand how TCF-based consent signals are respected and interpreted within MetaRouter’s infrastructure. This guide also provides implementation guidance for MetaRouter’s Customer Success (CS) team when assisting with TCF-related integrations.

❗️

TCF is not designed to replace traditional category-based consent systems, which typically group vendors into high-level categories like analytics, advertising, and functional. Instead, MetaRouter supports a layered approach that allows TCF to work alongside standard consent categories. This ensures maximum compatibility with existing configurations while enabling advanced consent parsing for vendors that participate in the IAB’s Global Vendor List (GVL).

Prerequisites

MetaRouter Features

You must have access to the following MetaRouter features:

• Advanced Consent Enforcement
  • Categories must be implemented 1:1 with integrations/syncs.
    • E.g. Microsoft Ads should be included as a category within your consent configuration. You cannot use a generic category like Advertising which applies to many integrations.
    • Note: This is a temporary limitation and will be corrected in future iterations of TCF support.

TCF + Sync Injector Requirements

Additionally, in order to integrate MetaRouter with IAB TCF v2.2 where the Sync Injector is in use, the following requirements must be met.

• The __tcfapi() interface is correctly implemented on your website
  • Your Consent Management Platform (CMP), whether commercial or homegrown, must expose the standard __tcfapi() function to allow other scripts (like MetaRouter’s Sync Injector) to retrieve consent data.
• Generate and encode a valid TC string
  • A valid TCF v2.2 consent string must be created in compliance with IAB specifications. This string encodes vendor permissions, purpose consents, legitimate interest, and special features.
• Ensure the TC string is available on every page
  • The TC string must be accessible client-side at the time MetaRouter loads. This is typically managed via a cookie or localStorage and exposed through the __tcfapi() interface.
• Your CMP handles updates to user consent
  • Your CMP must include logic to support changing or revoking consent, typically through a “Manage Preferences” UI element that triggers updates to the TC string and re-renders the banner as needed.
• The CMP script is included before (and loaded) before any MetaRouter scripts
  • This will ensure __tcfapi() is accessible to MetaRouter.

Note: If you’re using a CMP like OneTrust or CookieBot, these requirements are usually handled out-of-the-box. If you’re building your own CMP, you are responsible for ensuring compliance with the IAB’s TCF v2.2 technical specification.

How TCF Works With the Sync Injector

The Transparency & Consent Framework (TCF) is designed to provide a standardized way to signal a user’s consent preferences to vendors and platforms operating on a website. MetaRouter uses these signals to determine whether data should be processed, synchronized, or forwarded to specific integrations based on the user’s consent status.

Here’s how the TCF process works in the context of MetaRouter’s platform with Analytics.js:

1. User Arrives on the Website

• When a user lands on your site, your Consent Management Platform (CMP) (e.g. OneTrust, Cookiebot, or your homegrown CMP) displays a banner requesting consent for various purposes and vendors.
• Once the user makes a choice, the CMP generates a TCF v2.2-compliant consent string (TC string) and stores it in the browser.

2. MetaRouter Accesses the TC String

• The MetaRouter Sync Injector looks for the __tcfapi() function exposed by your CMP.
• It uses this interface to retrieve the current TC string via the addEventListener method.
  • This event listener will handle the first time a user makes their consent selection, as well as updated consent selections.

Example call:

__tcfapi('addEventListener', 2, function(tcData, success) {
  // MetaRouter reads the purposes and vendor consent here
});

3. Consent Evaluation Logic

• Once the TC string is retrieved, MetaRouter evaluates:
  • Which vendors have been granted consent or legitimate interest
  • Which purposes are consented to (e.g., Purpose 1: “Store and/or access information”)
  • Which declared purposes, legIntPurposes and specialPurposes are declared by the vendor and if consent has been given for all of them.

‼️ Please note that the following options are currently not supported at this time:

• purposeOneTreatment: true - which auto-opts into consent purpose one.
• specialFeatureOptins - only vendor and purposes are currently referenced for determining a vendor’s consent

Consent Logic Flow

✅ If an Identity Sync is TCF enabled , and:

• __tcfapi is setup property and returns vendors and purposes, and
• Vendor match is found for the Identity Sync, and
• All vendor declared purposes are opted in, then

Consent will be given for the vendor.

❌ If an Identity Sync is TCF enabled, and:

• Vendor consent is not given, or
• A vendor declared purpose consent is not given, or
• No IAB TCF vendor match is found, or
• The __tcfapi is not propertly initialized or responding correctly, then

Consent will NOT be given for that vendor.

If an Identity Sync is not TCF enabled, the consent category will be used to determine consent status.

4. Event Stream Consent Enrichment

MetaRouter will examine the TCF consented vendors and compare to Identity Syncs that are flagged as TCF enabled. Identity Syncs that match a TCF consented vendor will be activated and enrich events.

For events produced by MetaRouter Analytics.js files, MetaRouter will handle TCF consent signal enrichment. For events sent to MetaRouter by other means, such as the HTTP API, refer to the Configuring TCF for Events Sent Via HTTP API section below to understand how to correctly enrich TCF signals into your event stream.

How TCF Works Without the Sync Injector

When Analytics.js or the Sync Injector are not loaded in the browser (e.g., when events originate directly from your backend or mobile apps without a MetaRouter SDK), TCF enforcement in MetaRouter works differently. In this scenario, you must:

• Include a valid TC string in each event payload sent to MetaRouter.
• Set the consent signal to false in the event payload for any integrations you want governed by TCF.

When these conditions are met, events will bypass the platform’s normal compliance filter. MetaRouter will then apply the Pipeline Transformation and Playbook Filters (enabled on our side for your pipelines) to:

• Decode the TC string and populate the consent object correctly within events.
• Enforce TCF rules for integrations that rely on TCF.
• Continue handling non‑TCF integrations with your existing consent mechanisms.

This setup ensures that TCF enforcement works correctly even without the Sync Injector while preserving the correct behavior for other consent frameworks.

Configuring TCF with MetaRouter

When generating your tracking file, please review each identity sync and:

• Select the Consent Type (category)
• For “TCF Enabled” - select “Yes”
  • Note that selecting “No” will continue to use the “Consent Type” only to determine consent.

Configuring TCF for Events Sent via Analytics.js

Events sent through AJS will automatically handle any TCF-enabled Identity Syncs. Ensure your Consent Category is set correctly for both the integration playbook and your consent cookie. If they are incorrectly configured, events will be dropped regardless of TCF enabled Identity Syncs.

Retrieving TCF Consent Signals from an AJS File:

// load and initialize your AJS file first

// get updated consent.optOut and consent.tcf and send to your backend
// consent.tcf will only be set if at least one identity sync is tcf enabled
const updatedContextConsent = await analytics.getTcfContextConsent();

/* Example output

{
    "optOut": {
        "somecategory": false,
        "googleads": true,
        "micosoftads": true,
        // additional categories defined by the customer
    },
    "tcf": undefined || {
        "tcString": "CQYWmsAQYWmsADcABBENB6FAAP_gAEPgACiQIzQAQIzAAAAA.IIzwEwAIAAVAAuABkAEAAPAAjgBbAEEAOcAhACNQF5gL3AX-AyQBxYD_YIzAjOAA",
        "gdprApplies": true,
        "tcfApiStatus": 1
    }
}
*/

Configuring TCF for Events Sent Via HTTP API

When sending events from your own backend using the HTTP API, you will need to take an additional step to make sure your backend has up-to-date context.consent.optOut object and a new context.consent.tcf object.

1. Retrieving TCF Consent Signals from an AJS File

// load and initialize your AJS file first

// get updated consent.optOut and consent.tcf and send to your backend
// consent.tcf will only be set if at least one identity sync is tcf enabled
const updatedContextConsent = await analytics.getTcfContextConsent();

/* Example output

{
    "optOut": {
        "somecategory": false,
        "googleads": true,
        "micosoftads": true,
        // additional categories defined by the customer
    },
    "tcf": undefined || {
        "tcString": "CQYWmsAQYWmsADcABBENB6FAAP_gAEPgACiQIzQAQIzAAAAA.IIzwEwAIAAVAAuABkAEAAPAAjgBbAEEAOcAhACNQF5gL3AX-AyQBxYD_YIzAjOAA",
        "gdprApplies": true,
        "tcfApiStatus": 1
    }
}
*/

/* On your backend

{
  "context": {    
    "consent": {
      // still set this
      "explicit": BOOL
      
      "optOut": {
        // initialize any categories if needed
        "somecategory": BOOL,
        
        // add the updated optOuts from analytics.getTcfContextConsent()
        ...updatedContextConsent.optOut,
      },
      
      // add the tcf object (note it may be undefined)
      "tcf": updatedContextConsent.tcf,
    },
  },
}
*/

1. Retrieving TCF Consent Signals from Standalone Sync Injector Files

// load the stand alone sync injector
const results = syncInjector = await syncInjector('init');

// handle integration results
console.log(result.integrations);

// get updated consent.optOut and consent.tcf and send to your backend
// consent.tcf will only be set if at least one identity sync is tcf enabled
const updatedContextConsent = await syncInjector.getTcfContextConsent();

/* Example output

{
    "optOut": {
        "somecategory": false,
        "googleads": true,
        "micosoftads": true,
        // additional categories defined by the customer
    },
    "tcf": undefined || {
        "tcString": "CQYWmsAQYWmsADcABBENB6FAAP_gAEPgACiQIzQAQIzAAAAA.IIzwEwAIAAVAAuABkAEAAPAAjgBbAEEAOcAhACNQF5gL3AX-AyQBxYD_YIzAjOAA",
        "gdprApplies": true,
        "tcfApiStatus": 1
    }
}
*/

/* On your backend

{
  "context": {    
    "consent": {
      // still set this
      "explicit": BOOL
      
      "optOut": {
        // initialize any categories if needed
        "somecategory": BOOL,
        
        // add the updated optOuts from analytics.getTcfContextConsent()
        ...updatedContextConsent.optOut,
      },
      
      // add the tcf object (note: it may be undefined)
      "tcf": updatedContextConsent.tcf,
    },
  },
}
*/

3. Using the HTTP API (or Mobile) Without AJS or Standalone Sync Injector Files

When sending events directly via the HTTP API (or from mobile apps without a MetaRouter SDK) with a TC string, you must still include consent signals to ensure correct processing.

• Continue sending context.consent.optOut for each relevant integration.
• If optOut is set to true, the event will be filtered before the TC string can be evaluated.
  • Example: context.consent.optOut.googleAdvertisingProducts: true
• Set optOut to false if you want the TC string to be evaluated for that integration.
  • Example: context.consent.optOut.googleAdvertisingProducts: false

Send both the TC string and consent signals in the following format:

/* On your backend

{
  "context": {    
    "consent": {
      // still set this
      "explicit": BOOL
      
      "optOut": {
        // initialize any categories if needed
        "somecategory": BOOL,
        
        // set to false if you want the TC string to be used
        "googleads": BOOL, 
        
        // other categories
      },
      
      // Include the TC String
      "tcf": {
        "tcString": STRING
      }
    },
  },
}
*/

Ensure that appropriate Pipeline Transformations and Playbook Filters are in place. These will decode TC strings, structure consent correctly and ensure events are filtered accordingly.

Handling Non-IAB Vendors

Some vendors MetaRouter integrates with are not registered with the IAB. These vendors cannot be covered by TCF consent signals. Instead, you should continue using your standard consent tooling, including consent categories, to handle consent signals for these integrations.

Additional Information

• Ensure that consent classifications are consistent between integrations added to a given pipeline and those added to related syncs within the Sync Injector settings of your AJS (or Standalone Sync Injector) file builder.
• Take special care when implementing Gtag for Google products. Gtag can generally be classified as either an Analytics tool if used in conjunction with Google Analytics, or as an Advertising tool if used in conjunction with Google Ads, DV360, etc. Consult with the MetaRouter team and your legal team if you are unsure of Gtag’s classification for TCF of general consent purposes.