GDPR IAB support

This guide outlines the steps required to support the GDPR IAB TCF v2 message as part of the UMP SDK. It is intended to be paired with Get started which gives an overview of how to get your app running with the UMP SDK and the basics of setting up your message. The following guidance is specific to the GDPR IAB TCF v2 message.


Delay app measurement

By default, the Google Mobile Ads SDK initializes app measurement and begins sending user-level event data to Google immediately when the app starts. This initialization behavior ensures that you can enable Ad Manager user metrics without making additional code changes.

However, if your app requires user consent before these events can be sent, you can delay app measurement until you explicitly initialize the Mobile Ads SDK or load an ad.

To delay app measurement, add the GADDelayAppMeasurementInit key with a boolean value of YES to your app's Info.plist. You can make this change programmatically:


GDPR requires consent revocation to allow users to withdraw their consent choices at any time. See Privacy options to implement a way for users to withdraw their consent choices.


Follow the steps in Add ad partners to published GDPR messages to add your mediation partners to the ad partners list. Failure to do so can lead to partners failing to serve ads on your app.

Mediation partners might also have additional tools to help with GDPR compliance. See a specific partner's integration guide for more details.

After GDPR consent has been collected, you can read consent choices from local storage following the TCF v2 spec. The IABTCF_PurposeConsents key indicates consent for each of the TCF purposes.

The following code snippet shows how to check consent for Purpose 1:


// Example value: "1111111111"
let purposeConsents = UserDefaults.standard.string(forKey: "IABTCF_PurposeConsents")
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
let hasConsentForPurposeOne = purposeConsents?.first == "1"


// Example value: "1111111111"
NSString *purposeConsents = [NSUserDefaults.standardUserDefaults
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
BOOL hasConsentForPurposeOne = [purposeConsents hasPrefix:@"1"];

Frequently asked questions

What happens if I take no action to meet the Consent Management Platform Requirements for serving ads in the EEA and UK?

Beginning January 16, 2024, if a partner doesn't adopt a Google-certified CMP, only Limited Ads will be eligible to serve on EEA and UK traffic. Per the Limited Ads "Demand Eligibility" section, the initial offering for Limited Ads is just waterfall mediation, meaning no ads are returned from the Ad Manager network.

Enforcement will begin January 16, 2024 on a small percentage of EEA and UK traffic and will ramp up until Google enforces across all EEA and UK traffic by the end of February 2024. Have a certified CMP in place by January 16, 2024 to ensure your monetization is not impacted.

What happens if I implement a CMP and users don't consent?

Limited Ads serving applies if there is no consent for IAB TCF Purpose 1 in accordance with the EU user consent policy. Per the Limited Ads "Demand Eligibility" section, the initial offering in limited ads is just waterfall mediation, meaning no ads are returned from the Ad Manager network.

See Ad serving modes for more information.

How can I check if the user consented?

Consent is not represented by a single bit, but rather a set of purposes and vendors as defined in the IAB TCF specification. See Consent Policies: Personalized & Non-Personalized Ads for criteria for Google Ads personalization.

See How to read consent choices for information on reading consent choices programmatically. The IAB also provides a web tool where you can manually decode the TC String.

Do I need to use Google's UMP SDK to meet the CMP requirement?

No, you can use any CMP from the List Google-certified CMP to serve ads.

I integrated a Google-certified CMP, but I'm not seeing any ad requests get made to mediation partners even from users who consented. Why is this happening?

Under TCF, Google checks that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall. Navigate to the mediation section for more information.

Some mediation partners in Google's Ad Tech Providers (ATP) list are not registered in the TCF vendor list. These partners instead use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location:

The UMP SDK supports storing the ACString, enabling you to Add ad partners to published GDPR messages without needing to understand whether partners are TCF-registered. When using a third-party CMP, you should do the following:

  1. Confirm the third-party CMP supports storing the ACString.
  2. Include each mediation partner in the list of ad technology providers the third-party CMP uses to gather consent.
Can I change how my app functions if users don't consent? Is this allowed by policy?

Publishers can read the IAB TCF string in their apps. See How to read consent choices for information on reading consent choices programmatically. Publishers should review their obligations under relevant regulations with legal counsel.

What is the best practice for showing both the iOS ATT alert and GDPR consent to the same user?

We recommend showing the GDPR consent message first and the iOS ATT alert second if the user consented to GDPR. This is already handled by the UMP SDK if you configure both messages in the Ad Manager UI. See Which message your users will see for more information.

If you are not showing the ATT alert using the UMP SDK, we recommend you read consent choices once GDPR consent is collected to determine whether to show the iOS ATT alert.

How do I fix the error "The TC string last updated date was more than 13 months ago"?

Consent must be reobtained from the user. You should call requestConsentInfoUpdateWithParameters:completionHandler: at the start of every app session. If the TC string is expired, the UMP SDK indicates that consent must be reobtained by setting UMPConsentInformation.consentStatus to UMPConsentStatus.required. If you haven't already, implement a request to load and present a new UMP form in your app.

It's possible for the TC string to expire mid-session, resulting in a small amount of 3.3 errors. And if on the next app session you start loading ads at the same time as you check requestConsentInfoUpdateWithParameters:completionHandler:, those requests could also give 3.3 errors until requestConsentInfoUpdateWithParameters:completionHandler: completes; however, this should be a tiny fraction of overall 3.3 errors (less than 0.1%). that are expected.