iabtcf-es Vendors without any purposes

Version 1.5.13

Module (core, cmpapi, cli, stub, or testing) Core

Describe with reproduction steps – What is the expected behavior? Hello, wanted to ask about expected behaviour and potentially report a bug. We have for example this vendor (ID: 279), that doesn't have any purposes, but do have special purposes and legitimate interest. LegInt works normally, but when trying to save normal consent for this vendor, it's not being included in TcString. I use function tcModel.vendorConsents.set(), pass this array as value: [279], and get this tcstring: CQCQqgAQCQqgAF-feBENAXEgAAAAAAAAAB5YAAAAAAAA.YAAAAAAAAAAA, by using this function TCString.encode(tcModel);

I saw some people reporting that it's expected behaviour and vendors without purposes should be ignored, but here https://www.uniconsent.com/ and here https://iabtcf.com/#/encode they are being saved into TCstring. So i'm super confused.

So my question is: How should we treat and handle vendors without purposes, but only with special purposes? Should we have toggle for users to opt-in/out? But if so, how could we implement it into TCstring if it's being ignored during encoding?

Jul 24 '24 17:07 jedlikk

The IAB vendor 279 does not have any consent legal basis purposes, so it is not possible to enable or disable this vendor with consent legal basis. It has legitimate interest purposes and in this case the Vendor Legitimate Interest status will work for this vendor, and the vendor will appears in this vector in tcModel. The special purposes is LIs but "No right-to-object to processing under legitimate interests via the Framework." based on IAB TCF Policy and there is not any way to collect / save user choice for special purposes

Jul 24 '24 19:07 sevriugin

The IAB vendor 279 does not have any consent legal basis purposes, so it is not possible to enable or disable this vendor with consent legal basis. It has legitimate interest purposes and in this case the Vendor Legitimate Interest status will work for this vendor, and the vendor will appears in this vector in tcModel. The special purposes is LIs but "No right-to-object to processing under legitimate interests via the Framework." based on IAB TCF Policy and there is not any way to collect / save user choice for special purposes

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

Jul 25 '24 08:07 jedlikk

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA The format of the string is not correct, so it's difficult to say what is inside

Jul 25 '24 08:07 sevriugin

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA The format of the string is not correct, so it's difficult to say what is inside

Sorry, mistake in pasting:

CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-_IwP2ar-N_-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

Jul 25 '24 08:07 jedlikk

Sorry, mistake in pasting:

I think they use tcModel.vendorConsents.set(279); that did not check any constraints and as result the generated sting is not correct from regulation (policy) point of view.

Jul 25 '24 08:07 sevriugin

Sorry, mistake in pasting:

I think they use tcModel.vendorConsents.set(279); that did not check any constraints and as result the generated sting is not correct from regulation (policy) point of view.

I tried it that way and still can't see,

but good to know that's not my mistake and that's just the way it's supposed to be. Thanks for your answers.

Jul 25 '24 08:07 jedlikk

We reviewed this in the TCF compliance team. It is possible for vendors do not declare any purposes but only special purposes. The behavior of the library is correct. The CMP that you list, if it allows to set purposes for vendors that are not exposing purposes, is not compliant with the TCF policy. This would need to be fixed by the CMP.

Aug 23 '24 21:08 HeinzBaumann

How would you propose the UI should be shown for these vendors? A checkbox / toggle does not make sense as storing the enabled status for that vendor in the TCString is not supported and hence will show this vendor as always “not consented” even if “Consent all” has been chosen.

Would not showing a checkbox / toggle make it more transparent for a visitor that this vendor does not request consent?

Additionally, I think the library should not allow to set vendor consent for a vendor without purposes, nor should setAllVendorConsents set consent for vendors without purposes:

const tcModel = new TCModel(gvl);
tcModel.setAllVendorsAllowed();
tcModel.setAllPurposeConsents();
tcModel.setAllPurposeLegitimateInterests();
tcModel.setAllVendorConsents();
tcModel.setAllVendorLegitimateInterests();
tcModel.setAllSpecialFeatureOptins();
tcModel.cmpId = CMP_ID;
tcModel.cmpVersion = 1;
// Should be false, but currently is true
tcModel.vendorConsents.has(279);

Your insights and opinions are highly appreciated.

Jan 14 '25 13:01 morinel

Regarding the UI, I remember the some of the CMPs that I am familiar with don't show vendors w/o any purpose consent declared in their UI. Typically they differentiate in the UI between vendors using consent and vendor using LI. In the case of your example that vendor would not show under vendor using consent but will be listed under vendor using LI. The use can toggle the opt out for LI. That vendor's consent signal will always be 0. Regarding the library I will need to double check this in the debugger. From looking in the code it does have a step to check of no consent and if so to reset the flag to 0.

Jan 14 '25 23:01 HeinzBaumann

@morinel I reviewed the implementation of the TS library as well as your code sample. The library has checks built into the string encoder that will update the settings based on given restrictions like the one that you pointed out. In your code you should call something similar to this: const encodedString = TCString.encode(tcModel); const newModel2 = TCString.decode(encodedString); before you check the values newModel2.vendorConsents.has(279); // now it will return false

Jan 28 '25 19:01 HeinzBaumann

This was addressed with recent TCF 2.3 update.

Sep 03 '25 00:09 HeinzBaumann