Consent Manager 2.0.1

Version 2.0.1 — March 30, 2026

New Features

• IP Anonymization — New setting to control how visitor IP addresses are stored in consent logs. Options: Anonymized (last octet removed, default), Hashed (SHA-256, irreversible), Do not store, or Full IP. Recommended setting for GDPR compliance: Anonymized.
• Privacy Notice on /consent page — Automatic privacy notice explaining what data is collected, how the IP is handled (adapts to the selected setting), and how long data is retained. References GDPR Art. 7(1).
• Setup Guide — New admin page with step-by-step instructions for setting up Google Funding Choices via AdSense or Ad Manager, and configuring the Revenue Dashboard via OAuth2. Includes direct links to Google Cloud Console, API Library and OAuth credential pages. Shows your dynamic callback URI with a copy button. Available in 8 languages (EN, DE, ES, FR, IT, NL, PL, PT).
• Publishing status reminder — Setup guide now includes a step to change the OAuth consent screen from testing to production, preventing token expiration after 7 days.

Bug Fixes

• Fixed: Database migration now ensures all required columns exist regardless of which version you upgrade from (device_type, country_code, referrer, adblock_detected)
• Fixed: Fresh installations now include all columns in the initial table creation
• Fixed: Cookie declaration page (/consent) crashed on fresh installations due to a reference to the removed Vendor repository
• Fixed: OAuth scope for Ad Manager was incorrect (admanager.report does not exist, corrected to admanager)
• Fixed: number_currency template function does not exist in XenForo, replaced with number
• Fixed: Cookie scanner now detects XenForo style_variation cookie (set without prefix)
• Fixed: Reopen consent button on /consent page now uses Google FC API (googlefc.showRevocationMessage) instead of removed custom banner JS
• Fixed: Removed reference to non-existent deb_consent_cmp.js on the /consent page

Translation System

• All 8 languages (EN, DE, ES, FR, IT, NL, PL, PT) are now automatically imported and compiled on every install and upgrade
• Translations are guaranteed to work regardless of upgrade path or version history
• Templates are automatically recompiled after phrase import to ensure correct language display

• Fixed: Cookie declaration page (/consent) crashed on fresh installations due to a reference to the removed Vendor repository

• Fixed: Database migration now ensures all required columns exist regardless of which version you upgrade from (device_type, country_code, referrer, adblock_detected)
• Fixed: Fresh installations now include all columns in the initial table creation

Why this major update?
Version 1.x included a custom-built IAB TCF 2.2 consent banner with full TC String encoding, cross-frame TCF API, Google Consent Mode v2 integration and vendor management. While technically compliant and validated by external tools (Kukie.io, Consentik, IAB TCF Decoder), real-world testing revealed a significant problem: Google's ad systems (AdSense, Ad Manager, GPT) consistently delivered lower bidding rates and served more non-personalized ads (npa=1) when consent came from a third-party CMP — even with an identical TC String. This isn't a bug. It's how Google's ecosystem works. Google trusts its own CMP (Google Funding Choices, CMP ID 300) more than any third-party implementation. Rather than fighting this, v2.0.0 embraces it: Google handles the banner, we handle everything else.

What's new

• Google Funding Choices as consent provider — Google FC displays the banner and manages consent. No more custom banner.
• Analytics Dashboard — 5 KPI cards (Impressions, Accept Rate, Reject Rate, Custom Rate, Ad Blocker Rate), 30-day trend chart with week-over-week alerts, consent distribution donut chart, per-purpose acceptance rates, device breakdown, top 10 referrer sources
• Google Ad Manager Revenue Dashboard — OAuth2 integration with Google AdSense API v2. Revenue overview (Today / 7 Days / 30 Days) with page views, clicks and RPM directly in your XenForo admin panel
• Revenue Forecast — Estimated monthly revenue at your current consent rate, at 80%, 90% and 100%
• Consent Rate by Device & Country — Pulled from Google Ad Manager reporting API
• Ad Blocker Detection — Client-side detection of blocked ad scripts with daily tracking and dashboard percentage
• Cookie Scanner — Hybrid scan (server-side HTTP headers + client-side JavaScript cookies) with integrated Open Cookie Database (2200+ known cookies) and automatic XenForo cookie prefix detection
• Consent Rate Email Alerts — Automatic daily check against a configurable threshold. Get notified when your accept rate drops below target
• GDPR Compliance Report — CSV export of all consent data for audits (30-day report with daily breakdown)
• 9-Point Configuration Validator — Checks GCM defaults, tracking script, footer link, TC String format, API connection and more
• Scheduled Re-Consent — Configurable interval to automatically re-trigger the consent banner (GDPR recommends every 12 months)
• Manual API Sync — Instant data refresh button in the dashboard, plus automatic cron sync with configurable cache TTL
• Bot Filtering — Intelligent exclusion of Googlebot, Bingbot, crawlers, API clients and headless browsers from all tracking

What changed

• Google Consent Mode v2 defaults are now injected automatically in <head> before any Google tag
• Google Publisher Tag (GPT) auto-loads for Ad Manager users
• Consent tracking now uses Google's native __tcfapi and googlefc.callbackQueue APIs
• User and page criteria now control Google FC via googlefc.controlledMessagingFunction
• Footer link triggers googlefc.showRevocationMessage() for re-consent
• Settings simplified from 7 tabs to 4 (General, Google API, User Criteria, Page Criteria)

What was removed

• Custom DEBtech consent banner (3-layer system, colors, logo, position, animations)
• Built-in TC String encoder/decoder
• Built-in __tcfapi JavaScript stub
• Banner design settings (colors, position, custom CSS)
• Purposes configuration tab (Google FC manages this)
• Google Consent Mode mapping tab (Google FC handles this automatically)
• Vendor management UI (GVL import, AC import, vendor activation)

Changelog v1.0.4​

New Features — Google Revenue Fix​

• Google Additional Consent (AC) Spec: addtlConsent cookie is now set alongside euconsent-v2 — 199 Google AC vendors (Google #229, Xandr #80, Index Exchange #126, Criteo #154, Amazon #7, LiveRamp #12 etc.) can now bid in auctions
• GVL Import: Now also fetches Google's commonly-used-providers.json and stores google_ac_id per vendor — fully automatic, no manual setup
• __tcfapiLocator iframe: IAB-required cross-frame locator so iframed ad scripts (Prebid, Google GPT, etc.) can discover the CMP
• postMessage handler: Full cross-frame TCF API — ad iframes can query consent via postMessage (both in head stub and CMP JS)
• ping command in stub: Head stub now responds to ping immediately (before CMP loads) with cmpStatus: 'stub'

New Features — Dashboard​

• Re-request Consent: Dashboard button to invalidate all existing consents — increases consent version, all visitors see the banner again on next visit
• Reset Statistics: Dashboard button to delete all consent stats and logs with one click
• Consent version display: Shows current consent version in the dashboard Consent Management section

New Features — Validator​

Validator extended from 8 to 12 checks with 4 new Google integration tests:

• __tcfapiLocator iframe present
• Cross-frame postMessage handler active
• Google Additional Consent (AC) cookie support
• Active Google AC vendors count

Bug Fixes​

• Fixed 4 missing phrase definitions (deb_consent_vendor_special_purposes, _explain, deb_consent_vendor_features, _explain) — previously showed raw phrase keys in vendor edit form
• Fixed __tcfapi getTCData response now includes addtlConsent field for programmatic access

Technical​

• New DB column: google_ac_id (UINT, nullable) on xf_deb_consent_vendor
• New config key: consent_version in xf_deb_consent_config
• Head stub rewritten: TCF API stub with ping, __tcfapiLocator iframe, postMessage handler
• CMP JS: restoreConsent() now checks cmpVersion against consentVersion for re-consent
• CMP JS: persistConsent() encodes current consentVersion as cmpVersion in TC string
• New Repository method: Vendor::findByAcId()

---

Update Guide: v1.0.3 → v1.0.4​

v1.0.4 fixes a revenue problem: Many important ad bidders (Google, Xandr, Criteo, Index Exchange, Amazon, etc.) were not bidding even though the TCF string was correctly set.

Root causes & fixes:

1. Google Additional Consent (AC): The addtlConsent cookie was missing — ~199 vendors from Google's "commonly used providers" list require this cookie in addition to euconsent-v2
2. Cross-Frame TCF: The __tcfapiLocator iframe and postMessage handler were missing — ad scripts in iframes (Google GPT, Prebid, etc.) could not discover the CMP
3. Re-Consent: After the update, all existing users must re-consent so the new addtlConsent cookie gets set

---

Step 1: Upload ZIP & install​

Code:

Admin Panel → Setup → Add-ons → Install/upgrade add-on → Upload DEB-ConsentManager-1.0.4.zip

The upgrade automatically creates:

• New DB column google_ac_id in the vendor table
• Updated head stub template modification (with __tcfapiLocator + postMessage)
• New phrases (EN + DE)

Step 2: Import GVL (load Google AC IDs)​

Code:

Admin Panel → Consent Manager → Dashboard → "GVL Import" → Click "Start Import"

This imports:

• IAB Global Vendor List (updates vendor data)
• NEW: Google's commonly-used-providers.json → sets google_ac_id for ~199 vendors

Verification: After import, check the vendor list → the "AC" column should show green ID badges for many vendors.

Step 3: Activate vendors​

Code:

Admin Panel → Consent Manager → Vendors → "Activate All"

Step 4: Re-request consent (IMPORTANT!)​

IMPORTANT: Existing users have the old cookie WITHOUT addtlConsent. To set the new cookie, all users must re-consent.

Code:

Admin Panel → Consent Manager → Dashboard → Scroll to "Consent Management" → Click "Re-request Consent"

This increases the consent version. On the next page load, every visitor will see the consent banner again.

Step 5: Run validator​

Code:

Admin Panel → Consent Manager → Dashboard → "Run Validation"

Expected result: 12/12 checks passed, including:

• __tcfapiLocator iframe
• Cross-Frame postMessage
• Google Additional Consent (AC)
• Google AC Vendors (199 active)

Step 6: Browser verification​

1. Clear cookies (or use incognito window)
2. Open your site → Banner must appear
3. Click "Accept"
4. DevTools → Application → Cookies— check:
   • euconsent-v2 = set
   • addtlConsent = 2~7.11.12.15...229...
5. DevTools → Console — enter:
   
   Code:

   window.__tcfapi('getTCData', 2, function(d, s) { console.log('addtlConsent:', d.addtlConsent); });

   → Must output the AC string

---

Optional: Reset statistics​

To start with fresh numbers after the update:

Code:

Admin Panel → Consent Manager → Dashboard → "Consent Management" → "Reset Statistics"

Deletes all consent logs and statistics.

---

Troubleshooting​

Banner does not appear after re-consent:

• Check consent version (Dashboard → "Current consent version: 2")
• Clear browser cache (Ctrl+Shift+R)
• Check addon is enabled (Settings → "Enable Consent Manager")

addtlConsent cookie missing:

• Run GVL import (Vendor list → AC column)
• Activate vendors
• Clear browser cache and re-consent

Validator shows less than 12/12:

• __tcfapiLocator missing: Recompile templates or reinstall add-on
• AC Vendors = 0: Run GVL import
• postMessage missing: Check head stub template modification

---

Technical comparison​

Component	v1.0.3	v1.0.4
Cookies	euconsent-v2	euconsent-v2 + addtlConsent
Head Stub	Simple queue	+ __tcfapiLocator + postMessage + ping
Validator	8 checks	12 checks (+ Google integration)
Vendor DB	iab_vendor_id	+ google_ac_id
Dashboard	KPIs + Charts + Logs	+ Re-Consent + Stats Reset
CMP JS	No version check	cmpVersion ↔ consentVersion comparison

Bug Fixes:

• Fixed vendor edit form not pre-selecting checkboxes for Consent Purposes, Legitimate Interest Purposes, and Special Features when editing existing vendors
• Fixed purpose labels showing generic "Purpose 1", "Purpose 2" etc. instead of proper TCF purpose names in vendor edit form
• Fixed vendor list table not using full available width in admin panel

Improvements:

• GVL import now uses privacy URL as vendor URL fallback (GVL does not provide a separate website URL)
• Vendor edit form uses phrase-based purpose labels consistent with settings page (supports all installed languages)
• Vendor list table columns optimized for better readability at full width

Bug Fixes:
- Fixed consent toggle states not restored when reopening the consent dialog (e.g. "Select basic ads"
showing OFF even though it was saved as ON)
- Fixed public JavaScript file (js/addons/) not being updated during build - only the source copy
(src/addons/) was updated, causing the live server to serve the old version

Deleted cookie → Banner appears
Clicked "Customize" → Layer 2 opens
Enabled Purpose 2 "Select basic ads" → Toggle ON
Clicked "Save Selection" → Banner closes
Navigated to /consent/ → Clicked "Change Cookie Settings"
Dialog reopens → P1: ON, P2: ON, rest OFF

Note for Cloudflare users:
If you use Cloudflare, please purge your Cloudflare cache after installing this update
(Dashboard > Caching > Purge Everything). Clearing only the browser cache is not sufficient
as Cloudflare caches JavaScript files independently. Without purging, your visitors may
still receive the old JavaScript file.

Bug Fixes:

• Fixed Google Consent Mode script loading AFTER AdSense/gtag.js (moved to top of <head>)
• Fixed returning visitors seeing 'denied' consent until page fully loaded (cookie check now in <head>)
• Fixed Global Scope toggle breaking all banner JavaScript when disabled (XF renders false as empty string)
• Fixed missing XenForo cookie consent page phrases (third-party group and euconsent-v2 description)

New Features:

• Search/filter field in admin vendor list (filter by name, IAB ID, purposes, status)
• Search/filter field in admin consent logs (filter by user, IP, action, date)

Improvements:

• Google Consent Mode defaults + cookie check now injected at top of <head> before any Google script
• Changed German phrase "Cookie-Einstellungen ändern" to "Cookie-Einstellungen zurücksetzen"
• isServiceSpecific uses <xf:if> instead of JS negation (prevents broken JS when value is false)

Bug Fixes:

• Fixed "Function datetime is unknown" error on dashboard and logs (changed to date_time)
• Fixed banner not closing after Accept/Reject/Save when CMP JavaScript throws an error

Improvements:

• Banner buttons now hide wrapper before CMP call with try/catch error handling
• Banner always closes reliably regardless of JavaScript errors

Bug Fixes:

• Fixed ads not showing after consent was given (Google Consent Mode remained 'denied' on page load)
• Fixed Layer 2 Accept/Save/Reject buttons not working when reopened via "Change Cookie Settings"
• Fixed footer cookie settings link not clickable on mobile browsers (touch target too small)
• Fixed admin permission not auto-assigned to super admins on fresh install
• Fixed Layer 3 (Vendor Details) showing empty list
• Fixed Cookie Declaration link using button color instead of text color
• Fixed vendor privacy links using button color instead of text color
• Fixed duplicate font-size declaration in button CSS
• Fixed Dark Mode using wrong selectors root/.xfDark instead of XF 2.3 data-color-scheme)
• Fixed banner description text using opacity hack instead of proper secondary color
• Fixed purpose names showing raw phrase keys (deb_consent_purpose_{$purposeId}_name) in banner Layer 2
• Fixed IP address not displayed in dashboard and consent logs (missing Entity getter)
• Fixed date without time in log entries (date() changed to datetime())
• Fixed purpose settings having no effect on banner, consent page or vendor list

New Features:

• Vendor list in Layer 3 with search field and pagination (50 per page)
• IP address column in dashboard recent logs and consent log page
• Full datetime (date + time) in all log views
• Purpose settings now fully functional: disabled purposes are hidden from banner, consent page and vendor list
• Vendor list filtered by enabled purposes (vendors with only disabled purposes are removed)
• Vendor purpose badges filtered to show only enabled purposes

Improvements:

• All links use text color with underline on hover only
• Footer link has 44px min-height on mobile for reliable touch targets
• Google Consent Mode signals restored to 'granted' on every page load when cookie exists
• Banner event listeners always attached regardless of consent state for re-consent flow
• Dynamic purpose rendering via xf:foreach instead of hardcoded HTML
• Purpose names and descriptions resolved via XF phrases for proper translations
• Improved mobile responsive: smaller title, reduced modal padding, vendors stack vertically
• Dark Mode uses correct XF 2.3 selector [data-color-scheme="dark"]