Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Quantcast Choice is one of the most widely deployed Consent Management Platforms in Europe, certified as an IAB Europe TCF v2.2 CMP. It serves a consent banner, stores the user's choices in the euconsent-v2 cookie, and exposes the __tcfapi() interface so that downstream advertising and analytics vendors can read the consent signal. Site operators must configure it correctly to meet CNIL, ICO and Garante guidance, and must distinguish between the CMP itself and Quantcast's separate Measure measurement product.
Quantcast Choice is a free Consent Management Platform (CMP) operated by Quantcast Inc. It was one of the first CMPs to support the IAB Europe Transparency and Consent Framework (TCF) and remains certified for TCF v2.2. The platform delivers a customisable consent banner, captures the user''s choices for each TCF purpose and vendor, encodes them into the IAB consent string, and stores that string on the device so it can be replayed to every downstream tag. Quantcast Choice is widely used by publishers, brands and agencies in Europe because of its free tier and TCF certification, although users should distinguish it from Quantcast Measure, the separate audience and measurement product offered by the same company.
The CMP writes the euconsent-v2 cookie (default 12 month lifetime) containing the TCF v2.2 consent string: a base64 encoded structure that records the visitor''s purpose level consent, vendor level consent, special features and publisher restrictions. It also writes a consentUUID identifier and stores a mirror copy of the consent string in browser local storage. The Quantcast servers receive the IP address of every page that loads the CMP banner, plus the consent decisions for audit purposes. When integrated with Google Consent Mode v2, Quantcast Choice also sets the gtag default consent and updates it after the user choice.
Recital 30 of the ePrivacy Directive accepts that storing the user''s consent record is itself necessary processing, so the CMP can load before consent. However, the design of the banner must meet GDPR and EDPB guidance: equal visual prominence between accept and reject options, no pre ticked boxes, no nudging through colour, no obstruction of content, a clearly accessible withdrawal link, and granular control per purpose and vendor. The February 2022 Belgian APD ruling against IAB Europe found that the TCF as originally designed did not meet GDPR standards, citing problems with vendor legitimate interest claims, the legal status of IAB Europe itself, and the integrity of the consent record. IAB Europe has since updated the framework to v2.2 with mandatory action items, but operators using TCF based CMPs remain responsible for downstream vendor compliance.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Choice exposes the standard __tcfapi() global, which downstream vendors call to retrieve the consent string before firing any cookies or pixels. Operators must wire each non TCF vendor (custom tags, non IAB SDKs) to the same consent state via tag manager rules or server side gating. Vendor lists in the banner must reflect the real downstream vendors, and a complete vendor table is required on the cookie policy page. The CMP supports the Google Additional Consent string for Google vendors that are not part of the IAB TCF list, but operators must explicitly enable this and inform users in the cookie policy.
Quantcast Inc. is a US company, with EU operations through Quantcast International Ltd in Ireland. The CMP banner can be served from EU edge nodes, but the consent record audit log is pooled with Quantcast US infrastructure under SCCs and the EU US Data Privacy Framework. Operators using Quantcast Measure or audience targeting alongside Choice should treat those as separate processing activities, each with its own legal basis, and disclose Quantcast as a vendor in the privacy notice. The TCF vendor ID for Quantcast is 11.
Configure the banner with a reject all button at first layer, equal prominence with accept all, granular controls one tap away, and no dark patterns. Set the consent lifetime to no more than 13 months as per CNIL guidance, and require fresh consent when the vendor list materially changes. Maintain a real time vendor table on the cookie policy page, listing each TCF vendor with the purposes claimed under legitimate interest or consent. Integrate with Google Consent Mode v2 so that ad_storage, analytics_storage, ad_user_data and ad_personalization map to the corresponding TCF purposes. Run regular cookie scans to verify that downstream tags actually honour the consent string.
Websites using Quantcast Choice must obtain user consent under GDPR regulations.
DPIA considerations
Quantcast Choice writes the euconsent-v2 cookie (12 month default lifetime) containing the IAB TCF v2.2 consent string, plus its own consentUUID identifier for cross device consent sync. DPIA considerations: (1) the consent string itself qualifies as personal data because it is linked to an IP address and a persistent identifier, so its processing falls under the GDPR; (2) the Belgian APD ruled in February 2022 that the IAB Europe TCF framework breached the GDPR, with corrective measures completed in 2023 but the underlying architecture still relies on broad legitimate interest claims by hundreds of downstream vendors; (3) bundling the CMP with Quantcast Measure adds behavioural tracking that requires its own consent flow; (4) the CMP itself can be loaded before consent under recital 30 of the ePrivacy Directive (consent management is necessary processing), but any analytics or A/B testing of banner variants requires a separate basis; (5) UI design must comply with CNIL guidance, equal prominence of accept and reject, no pre ticked boxes, no nudging colours, and a clear withdrawal mechanism. A DPIA is recommended whenever the CMP is bundled with Quantcast Measure or audience syncing features.
Sample consent text
We use Quantcast Choice as our Consent Management Platform. It stores your cookie and tracking preferences in a small cookie called euconsent-v2 on your device, valid for 12 months, and shares your choices with the advertising and analytics partners listed in our vendor table under the IAB Europe Transparency and Consent Framework v2.2. You can change or withdraw your consent at any time via the cookie settings link in the footer.
Third-party domains contacted
quantcast.mgr.consensu.orgcmp.quantcast.comquantcount.comstatic.quantcast.mgr.consensu.orgquantcast.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| euconsent-v2 | Strictly Necessary / Consent | 12 months | Set by Quantcast Choice. Stores the IAB Europe TCF v2.2 consent string, encoding the visitor's purpose level and vendor level consent. Read by every downstream TCF compliant tag through the __tcfapi() interface. |
| consentUUID | Strictly Necessary / Consent | 12 months | Set by Quantcast Choice. A unique identifier used to reconcile the same visitor's consent across subdomains and to deduplicate audit log entries on the Quantcast servers. |
| addtl_consent | Strictly Necessary / Consent | 12 months | Set by Quantcast Choice when Google Additional Consent is enabled. Stores consent for Google vendors that are not part of the IAB TCF Global Vendor List, formatted per Google's Additional Consent specification. |
| eupubconsent-v2 | Strictly Necessary / Consent | 12 months | Set by Quantcast Choice when publisher restrictions are configured. Stores the publisher specific consent string separately from the global TCF string, allowing the operator to enforce stricter purpose limitations than those declared by downstream vendors. |
| __cmpcvc | Strictly Necessary / Consent | 12 months | Set by Quantcast Choice. Stores the version of the consent vendor list shown when the visitor made their choice, so that a new consent request is triggered if the vendor list materially changes. |
Quantcast Choice is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Quantcast Choice writes the euconsent-v2 cookie (12 month default lifetime) holding the IAB TCF v2.2 consent string, a consentUUID identifier used to reconcile consents across subdomains, and an addtl_consent string when Google Additional Consent is enabled. A mirror copy of the consent string is also kept in browser local storage. These cookies are first party but the consent record is synchronised to Quantcast servers.
Recital 30 of the ePrivacy Directive accepts that storing the user's consent record is necessary processing, so the CMP can fire before consent. However the banner must not perform any other processing beyond capturing and storing the choice: no analytics on banner interactions without consent, no A/B testing of accept versus reject layouts unless a separate basis applies, no third party fonts or scripts unless they are strictly required to render the banner.
The EDPB and CNIL accept that storing the consent decision rests on legitimate interest under GDPR Art. 6(1)(f), or alternatively on legal obligation under Art. 6(1)(c) since GDPR Art. 7(1) requires the controller to demonstrate consent. The IP address and timestamp recorded for proof of consent are also stored under this basis. Any other Quantcast processing (Measure, audience) requires its own basis, generally consent.
Yes for the consent audit log, which is centralised on Quantcast US infrastructure. Quantcast self certifies under the EU US Data Privacy Framework and uses Standard Contractual Clauses for transfers outside the DPF. The banner itself can be served from EU edges. Operators must declare Quantcast as a vendor in their privacy notice and reference the transfer mechanism.
A DPIA is generally not required for the CMP alone, since it processes minimal personal data and falls under the consent record legitimate interest. A DPIA is recommended where Choice is bundled with Quantcast Measure or audience syncing, or where the site combines TCF based consent with extensive third party tracking. The Belgian APD ruling against IAB Europe and the ongoing scrutiny of the TCF framework should be reflected in the DPIA when it applies.
Configure equal prominence between accept and reject at first layer with the same visual weight, no pre ticked boxes, granular controls accessible in one click, vendor list reflecting actual downstream vendors. Set consent lifetime to no more than 13 months. Integrate Google Consent Mode v2 mapping ad_storage and analytics_storage to TCF purposes. Maintain a vendor table on the cookie policy page. Test downstream tags with __tcfapi() to confirm they honour the consent string.
IAB TCF v2.2 certified CMPs include Didomi (France), Sourcepoint, OneTrust, Cookiebot, Usercentrics (Germany), Sirdata (France), Axeptio (France) and CookieFirst. Non TCF CMPs such as Klaro, Cookie Information and Consent Manager focus on simple non programmatic sites. For publishers monetising through programmatic ads, TCF support is generally required by SSP partners. For non programmatic sites, lighter non TCF CMPs may be sufficient.
List euconsent-v2, consentUUID and addtl_consent under strictly necessary cookies, with their purposes and durations. Maintain a real time vendor table showing each TCF vendor with its purposes and bases (legitimate interest or consent). Reference the Belgian APD ruling against IAB Europe if you want to be transparent about the framework history. Provide a working withdrawal link in the footer that reopens the Choice banner.