A bigger product update from us this week. Three things shipped, and they may change what your ConsentGuard report looks like.
1. We now support IAB TCF
Until now, ConsentGuard could validate Google Consent Mode setups: the gcs and gcd parameters that Google relies on to decide what to track and how.
But some of you are plugged into wider ad networks, where consent gets broadcast a different way. CMPs like CookieBot, Didomi, OneTrust and Sourcepoint emit an IAB TCF TC string, which downstream vendors then read via the gdpr_consent parameter on their requests.
We now validate that flow on Google Ads / DoubleClick: we read the gdpr_consent parameter on those requests and check that what your CMP is broadcasting matches what's actually firing on the page.
Google Ads is the first vendor we've added TCF support for. The plumbing is now in place, so more will follow.
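To make the check above concrete, here is an added example (not ConsentGuard's own code): it reads gdpr_consent from a request URL, decodes the core segment of the TCF v2 TC string and reports which purposes lack consent. The request URL, the CMP id and the list of required purposes are assumptions made for the illustration.

```javascript
// Added example: decode the core segment of an IAB TCF v2 TC string taken
// from a request's gdpr_consent parameter. All sample data is constructed.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// base64url text -> string of '0'/'1' (each character carries 6 bits)
function toBits(segment) {
  return [...segment].map((ch) => {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("not base64url: " + ch);
    return v.toString(2).padStart(6, "0");
  }).join("");
}

// Core segment layout (TCF v2): Version is 6 bits at offset 0, CmpId 12 bits
// at offset 78, PurposesConsent 24 bits at offset 152 (bit i = purpose i+1).
function decodeTcCore(tcString) {
  const bits = toBits(tcString.split(".")[0]); // core is the first segment
  if (bits.length < 176) throw new Error("core segment too short");
  const num = (off, len) => parseInt(bits.slice(off, off + len), 2);
  const purposes = [];
  for (let i = 0; i < 24; i++) if (bits[152 + i] === "1") purposes.push(i + 1);
  return { version: num(0, 6), cmpId: num(78, 12), purposesConsent: purposes };
}

// Compare what a vendor request carries with the purposes it would need.
// requiredPurposes is supplied by the caller (an assumption of this example).
function checkRequest(url, requiredPurposes) {
  const tc = new URL(url).searchParams.get("gdpr_consent");
  if (!tc) return { ok: false, reason: "no gdpr_consent parameter" };
  const core = decodeTcCore(tc);
  const missing = requiredPurposes.filter((p) => !core.purposesConsent.includes(p));
  return { ok: missing.length === 0, missing, core };
}

// Constructed TC string: version 2, CMP id 300 (made up), consent for
// purposes 1 and 3 only, cut off after the PurposesConsent field.
function buildSampleTc() {
  const f = (n, len) => n.toString(2).padStart(len, "0");
  let bits = f(2, 6) + f(0, 72) + f(300, 12) + f(0, 62) + "101" + f(0, 21);
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, "0");
  return bits.match(/.{6}/g).map((b) => B64[parseInt(b, 2)]).join("");
}

// Hypothetical vendor request; ads.example.test is a placeholder host.
const sampleUrl = "https://ads.example.test/collect?gdpr=1&gdpr_consent=" + buildSampleTc();
console.log(checkRequest(sampleUrl, [1, 3, 4])); // purpose 4 is reported missing
```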
2. Fewer false positives
We dug into a stack of reports where we were flagging things that weren't actually violations.
The pattern was the same in most cases: requests that just load a tracking library, or do a harmless lookup, were being treated as tracking requests. They aren't.
A library loading itself isn't tracking you. A lookup that doesn't carry user identifiers isn't tracking you. We were lumping them in with the real tracking calls and flagging them as violations.
We've taught the validator to tell the difference. The fix touches Google Ads, the DoubleClick IDE cookie path, and a handful of other vendors. If your previous report had violations in any of those areas, it's very possible they were noise, and your real score is better than it looked.
3. We catch PII leaking to ad networks
A new violation has joined the report: CRITICAL_PII_LEAK.
We now flag when personal data (email addresses, phone numbers, and similar) is being sent to ad networks, both before consent (which is almost always a serious problem) and after consent (which can still be a problem depending on what was disclosed).
Leaking PII is one of the higher-risk things you can do from a GDPR standpoint, so this one is worth taking seriously when it shows up.
If you got a low score before, please run a new check
Between TCF support and the false positives we removed, there's a real chance your old score doesn't reflect reality anymore.
👉 Run a fresh check. The report should look quite different.
A reminder: Microsoft UET is also supported
In case you missed it back in January, we also validate Microsoft / Bing Ads consent setups. See the Microsoft UET announcement for the details. If you're spending on Microsoft Ads and haven't scanned yet, it's worth a couple of minutes.
Final thoughts
We're still in beta, and your reports are what drive these updates. The false positives in particular wouldn't have surfaced without people running checks on real, weird, in-the-wild setups and telling us when something looked off.
If something doesn't look right in your new check, get in touch. That's how the next round of fixes happens.
— Mihai, Cofounder, ConsentGuard.io