Understand GDPR, CCPA, TCF 2.2, and Notice frameworks in CookieFrame for global privacy compliance.

Compliance Frameworks

CookieFrame supports multiple privacy compliance frameworks to help you meet legal requirements worldwide. Each framework has different consent requirements, default behaviors, and user interface elements.

Overview

Framework	Regions	Consent Model	Default State
GDPR	EU/EEA + 27 countries	Opt-in	All non-necessary OFF
CCPA	US states (CA, VA, CO, etc.)	Opt-out	All ON
TCF 2.2	EU/EEA (ad tech)	Granular opt-in	Per-purpose defaults
Notice	Rest of world	Acknowledgment	All ON

Geo-Detection

CookieFrame automatically determines which framework to apply based on the user's location.

How It Works

User visits your site
CookieFrame reads geo headers from your CDN (Vercel, Cloudflare, AWS)
Country code maps to the appropriate framework
Correct consent UI and defaults are applied

Supported Headers

x-vercel-ip-country
cf-ipcountry (Cloudflare)
cloudfront-viewer-country (AWS)

If no geo header is detected, CookieFrame falls back to the Notice framework. You can configure a different default in Settings → Compliance.

Disabling Geo-Detection

If you prefer to use a single framework for all visitors:

Go to Settings → Compliance
Disable Geo-targeting
Select your preferred framework

This is useful for region-specific sites where all visitors are from the same jurisdiction.

The General Data Protection Regulation applies to users in the European Union, European Economic Area, and 27 additional countries with similar privacy laws.

Key Requirements

Explicit consent before setting non-essential cookies
Granular control over cookie categories
Easy withdrawal of consent at any time
Clear information about what cookies do and why

Covered Regions

EU member states, EEA countries (Norway, Iceland, Liechtenstein), plus:

United Kingdom
Switzerland
Brazil (LGPD)
Japan
South Korea
And others with adequacy decisions

Category	Default
Necessary	ON (always)
Analytics	OFF
Marketing	OFF
Preferences	OFF

Banner blocks non-essential scripts until consent
Users must explicitly accept or configure preferences
"Reject All" option must be equally prominent as "Accept All"

[SCREENSHOT PLACEHOLDER: GDPR consent banner example]

CCPA

The California Consumer Privacy Act (and similar US state laws) follows an opt-out model where cookies are allowed by default.

Key Requirements

Opt-out option for sale/sharing of personal information
"Do Not Sell or Share" link in footer
Notice at collection about data practices
Equal service regardless of opt-out choice

Covered Regions

California (CCPA/CPRA)
Virginia (VCDPA)
Colorado (CPA)
Connecticut (CTDPA)
Utah (UCPA)
And other US states with privacy laws

Category	Default
Necessary	ON
Analytics	ON
Marketing	ON
Preferences	ON

All cookies active by default
Banner serves as notice, not consent gate
Users can opt-out via preferences or "Do Not Sell" link

Do Not Sell Link

CCPA requires a "Do Not Sell or Share My Personal Information" link. Add it using:

<a href="#" data-cookieframe="do-not-sell">Do Not Sell or Share My Personal Information</a>

Or via JavaScript:

window.CookieFrame.doNotSell();

California users must be able to opt-out without creating an account. The Do Not Sell link must be easily accessible, typically in the footer.

TCF 2.2

The IAB Transparency and Consent Framework version 2.2 provides granular consent management for advertising technology.

When to Use TCF

Enable TCF if you:

Serve programmatic ads in the EU/EEA
Work with ad tech vendors requiring TCF strings
Need vendor-level consent tracking

Key Concepts

Term	Description
Purpose	A reason for processing data (11 defined purposes)
Special Feature	Processing requiring explicit opt-in (2 features)
Vendor	Company processing data under TCF (from Global Vendor List)
TC String	Encoded consent state transmitted to vendors

TCF Purposes

#	Purpose	Description
1	Store/access information	Use cookies and device identifiers
2	Basic ads	Select and deliver ads
3	Personalized ads profile	Build a profile for ad targeting
4	Personalized ads	Use profile to select ads
5	Personalized content profile	Build a profile for content
6	Personalized content	Use profile to select content
7	Ad performance	Measure ad effectiveness
8	Content performance	Measure content effectiveness
9	Market research	Generate audience insights
10	Product development	Improve products and services
11	Special purpose: Security	Ensure security and prevent fraud

Special Features

#	Feature	Description
1	Precise geolocation	Use GPS or precise location
2	Device scanning	Identify device via fingerprinting

Special features require explicit opt-in consent and cannot be set by default, even under legitimate interest.

CMP API

When TCF is enabled, CookieFrame exposes the standard __tcfapi interface:

__tcfapi('getTCData', 2, (tcData, success) => {
  if (success) {
    console.log('TC String:', tcData.tcString);
    console.log('GDPR applies:', tcData.gdprApplies);
  }
});

TCF consent is stored in localStorage:

Key	Description
`cf_tcf_string`	Encoded TC String
`cf_tcf_consent`	Parsed consent object

For detailed TCF configuration, see TCF Vendors.

Notice

The Notice framework is a simple acknowledgment mode for regions without specific consent requirements.

When Notice Applies

Countries without cookie consent laws
Internal tools or authenticated applications
When you only use strictly necessary cookies

Category	Default
Necessary	ON
Analytics	ON
Marketing	ON
Preferences	ON

Single "I Understand" or "Got It" button
No blocking of scripts
Serves as notification only

[SCREENSHOT PLACEHOLDER: Notice banner example]

Framework Comparison

Feature	GDPR	CCPA	TCF	Notice
Model	Opt-in	Opt-out	Granular opt-in	Acknowledge
Blocks scripts	Yes	No	Yes	No
Category control	Yes	Yes	Purpose-level	No
Vendor consent	No	No	Yes	No
TC String	No	No	Yes	No
Default analytics	OFF	ON	Per-purpose	ON
Default marketing	OFF	ON	Per-purpose	ON

Configuration

Enable Frameworks

Go to Settings → Compliance
Enable the frameworks you need
Configure region assignments (if using geo-detection)

Framework Priority

When geo-detection is enabled, frameworks apply in this order:

TCF - If enabled and user is in TCF region
GDPR - If enabled and user is in GDPR region
CCPA - If enabled and user is in US state with privacy law
Notice - Fallback for all other regions

Custom Region Mapping

Override default region assignments:

Go to Settings → Compliance → Regions
Select a country
Choose which framework applies

This is useful for applying GDPR-style consent in countries without specific laws.

CookieFrame automatically integrates with Google Consent Mode v2, mapping frameworks to Google's consent signals:

Framework	`analytics_storage`	`ad_storage`	`ad_user_data`	`ad_personalization`
GDPR	denied → granted	denied → granted	denied → granted	denied → granted
CCPA	granted	granted → denied	granted → denied	granted → denied
TCF	Per purpose 7	Per purpose 2-4	Per purpose 1	Per purpose 3-4
Notice	granted	granted	granted	granted

For setup instructions, see Google Tag Manager Integration.

Best Practices

Enable geo-detection for global sites to show appropriate consent UI
Use TCF only if you work with IAB-registered ad tech vendors
Test each framework using VPN or browser location spoofing
Review defaults to ensure they match your legal requirements
Consult legal counsel for jurisdiction-specific questions

Next Steps

Consent Banner Design - Customize your banner appearance
Cookie Scanning - Detect cookies on your site
TCF Vendors - Configure IAB vendor consent
Integrations - Install CookieFrame on your site

Compliance Frameworks

Compliance Frameworks

Overview

Geo-Detection

How It Works

Supported Headers

Disabling Geo-Detection

Key Requirements

Covered Regions

Banner Behavior

CCPA

Key Requirements

Covered Regions

Banner Behavior

Do Not Sell Link

TCF 2.2

When to Use TCF

Key Concepts

TCF Purposes

Special Features

CMP API

Notice

When Notice Applies

Banner Behavior

Framework Comparison

Configuration

Enable Frameworks

Framework Priority

Custom Region Mapping

Best Practices

Next Steps

On this page