GDPR and US State Privacy Laws
Overview
Taboola is committed to complying with data-protection laws and best practices, including:
- GDPR
- US State Privacy Laws
In order to serve personalized recommendations in the EU and US, you need to implement the relevant flows, as described on this page.
Important
If you skip this setup, Taboola may not be able to serve personalized recommendations.
Frameworks
Taboola supports the following frameworks:
- GPP (Global Privacy Platform)
Handles both GDPR and US State Privacy Laws, and is generally preferred.
- TCF 2.2 (Transparency and Consent Framework)
Handles GDPR only.
GDPR
When a request originates from the EU, make sure that the user's preferences are communicated.
2 flows are supported:
- (Preferred) Use a CMP (Consent Management Platform).
- Pass consent directly.
Implement 1 of the above flows (not both).
Flow I: Use a CMP (Preferred)
If your web page integrates with a CMP (Consent Management Platform), Taboola will collect the consent automatically. No further action is required on your part.
Load your CMP script as early as possible (before Taboola content is fetched).
Flow II: Pass consent directly
On each page, pass a cex flag, with a boolean value (as a String). Make sure to pass a new value for each new user session.
By default, the value of the cex flag is 'true', allowing Taboola to make use of the user's data.
If GDPR applies, set the flag accordingly (otherwise, take no action):
- 'true' - end-user consented.
- 'false' - end-user declined.
Example
Add the following line to the page <body>, as early as possible:
window._taboola = window._taboola || [];
_taboola.push({ cex: 'true' }); // User consented
The respective flows for GDPR and US State Privacy Laws use 'true' and 'false' in opposite ways.
US State Privacy Laws
When a request originates from a U.S. state that has a privacy law (such as CCPA in California), make sure that the user's preferences are communicated.
2 flows are supported:
- (Preferred) Use a GPP CMP (Consent Management Platform).
- Pass consent directly.
Implement 1 of the above flows (not both).
Flow I: Use a GPP CMP (Preferred)
If your web page integrates with a GPP-compliant CMP (Consent Management Platform), Taboola will collect the consent automatically. No further action is required on your part.
Guidelines
Load your GPP CMP script as early as possible (before Taboola content is fetched).
Flow II: Pass consent directly
On each page, pass a cdns flag, with a String value. Make sure to pass a new value for each new user session.
You can set the flag with the following values:
- 'true' - US State Privacy Laws apply - and the end-user declined ("Do not sell" is true).
- 'false' - US State Privacy Laws apply - and the end-user consented ("Do not sell" is false).
- 'none' - US State Privacy Laws do not apply (default).
Example
Add the following line to the page <body>, as early as possible:
window._taboola = window._taboola || [];
_taboola.push({ cdns: 'false' }); // User consented
The respective flows for GDPR and US State Privacy Laws use 'true' and 'false' in opposite ways.
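Because cex and cdns use opposite polarity, a single mapping function helps avoid inverting a user's choice when passing consent directly (Flow II). The following is an added example, not part of Taboola's documentation: the state object, its field names and both function names are hypothetical, and treating an unknown choice as "declined" is an assumption of this example rather than a documented Taboola behavior.

```javascript
// Added example: maps a site's own consent record to the Flow II flags.
// Only `cex`, `cdns` and their string values come from the page; the `state`
// shape (gdprApplies, gdprConsent, usPrivacyApplies, doNotSell) is hypothetical.
function buildTaboolaPrivacyFlags(state) {
  const flags = {};

  // GDPR: cex is 'true' when the end-user CONSENTED.
  // When GDPR does not apply, the flag is omitted ("take no action").
  if (state.gdprApplies) {
    // Assumption: anything other than an explicit `true` counts as declined.
    flags.cex = state.gdprConsent === true ? 'true' : 'false';
  }

  // US State Privacy Laws: cdns is 'true' when the end-user DECLINED
  // ("Do not sell" is true), the reverse of cex.
  if (state.usPrivacyApplies) {
    // Assumption: anything other than an explicit `false` counts as opt-out.
    flags.cdns = state.doNotSell === false ? 'false' : 'true';
  } else {
    flags.cdns = 'none'; // laws do not apply (the documented default)
  }
  return flags;
}

// Pushes the flags onto a _taboola-style queue and returns what was pushed,
// so the values can be logged or audited. All values are Strings, not booleans.
function pushTaboolaPrivacyFlags(queue, state) {
  const flags = buildTaboolaPrivacyFlags(state);
  queue.push(flags);
  return flags;
}

// Browser usage: run early in <body>, recomputed for each new user session.
if (typeof window !== 'undefined') {
  window._taboola = window._taboola || [];
  pushTaboolaPrivacyFlags(window._taboola, {
    gdprApplies: true, gdprConsent: false, // constructed sample state
    usPrivacyApplies: false,
  });
}
```

Use this only with Flow II; if a CMP is integrated (Flow I), do not also push these flags.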