Consent Manager 2.0.0 Patch 3

• Fixed: Cookie declaration page (/consent) crashed on fresh installations due to a reference to the removed Vendor repository

• Fixed: Database migration now ensures all required columns exist regardless of which version you upgrade from (device_type, country_code, referrer, adblock_detected)
• Fixed: Fresh installations now include all columns in the initial table creation

Why this major update?
Version 1.x included a custom-built IAB TCF 2.2 consent banner with full TC String encoding, cross-frame TCF API, Google Consent Mode v2 integration and vendor management. While technically compliant and validated by external tools (Kukie.io, Consentik, IAB TCF Decoder), real-world testing revealed a significant problem: Google's ad systems (AdSense, Ad Manager, GPT) consistently delivered lower bidding rates and served more non-personalized ads (npa=1) when consent came from a third-party CMP — even with an identical TC String. This isn't a bug. It's how Google's ecosystem works. Google trusts its own CMP (Google Funding Choices, CMP ID 300) more than any third-party implementation. Rather than fighting this, v2.0.0 embraces it: Google handles the banner, we handle everything else.

What's new

• Google Funding Choices as consent provider — Google FC displays the banner and manages consent. No more custom banner.
• Analytics Dashboard — 5 KPI cards (Impressions, Accept Rate, Reject Rate, Custom Rate, Ad Blocker Rate), 30-day trend chart with week-over-week alerts, consent distribution donut chart, per-purpose acceptance rates, device breakdown, top 10 referrer sources
• Google Ad Manager Revenue Dashboard — OAuth2 integration with Google AdSense API v2. Revenue overview (Today / 7 Days / 30 Days) with page views, clicks and RPM directly in your XenForo admin panel
• Revenue Forecast — Estimated monthly revenue at your current consent rate, at 80%, 90% and 100%
• Consent Rate by Device & Country — Pulled from Google Ad Manager reporting API
• Ad Blocker Detection — Client-side detection of blocked ad scripts with daily tracking and dashboard percentage
• Cookie Scanner — Hybrid scan (server-side HTTP headers + client-side JavaScript cookies) with integrated Open Cookie Database (2200+ known cookies) and automatic XenForo cookie prefix detection
• Consent Rate Email Alerts — Automatic daily check against a configurable threshold. Get notified when your accept rate drops below target
• GDPR Compliance Report — CSV export of all consent data for audits (30-day report with daily breakdown)
• 9-Point Configuration Validator — Checks GCM defaults, tracking script, footer link, TC String format, API connection and more
• Scheduled Re-Consent — Configurable interval to automatically re-trigger the consent banner (GDPR recommends every 12 months)
• Manual API Sync — Instant data refresh button in the dashboard, plus automatic cron sync with configurable cache TTL
• Bot Filtering — Intelligent exclusion of Googlebot, Bingbot, crawlers, API clients and headless browsers from all tracking

What changed

• Google Consent Mode v2 defaults are now injected automatically in <head> before any Google tag
• Google Publisher Tag (GPT) auto-loads for Ad Manager users
• Consent tracking now uses Google's native __tcfapi and googlefc.callbackQueue APIs
• User and page criteria now control Google FC via googlefc.controlledMessagingFunction
• Footer link triggers googlefc.showRevocationMessage() for re-consent
• Settings simplified from 7 tabs to 4 (General, Google API, User Criteria, Page Criteria)

What was removed

• Custom DEBtech consent banner (3-layer system, colors, logo, position, animations)
• Built-in TC String encoder/decoder
• Built-in __tcfapi JavaScript stub
• Banner design settings (colors, position, custom CSS)
• Purposes configuration tab (Google FC manages this)
• Google Consent Mode mapping tab (Google FC handles this automatically)
• Vendor management UI (GVL import, AC import, vendor activation)

Changelog v1.0.4​

New Features — Google Revenue Fix​

• Google Additional Consent (AC) Spec: addtlConsent cookie is now set alongside euconsent-v2 — 199 Google AC vendors (Google #229, Xandr #80, Index Exchange #126, Criteo #154, Amazon #7, LiveRamp #12 etc.) can now bid in auctions
• GVL Import: Now also fetches Google's commonly-used-providers.json and stores google_ac_id per vendor — fully automatic, no manual setup
• __tcfapiLocator iframe: IAB-required cross-frame locator so iframed ad scripts (Prebid, Google GPT, etc.) can discover the CMP
• postMessage handler: Full cross-frame TCF API — ad iframes can query consent via postMessage (both in head stub and CMP JS)
• ping command in stub: Head stub now responds to ping immediately (before CMP loads) with cmpStatus: 'stub'

New Features — Dashboard​

• Re-request Consent: Dashboard button to invalidate all existing consents — increases consent version, all visitors see the banner again on next visit
• Reset Statistics: Dashboard button to delete all consent stats and logs with one click
• Consent version display: Shows current consent version in the dashboard Consent Management section

New Features — Validator​

Validator extended from 8 to 12 checks with 4 new Google integration tests:

• __tcfapiLocator iframe present
• Cross-frame postMessage handler active
• Google Additional Consent (AC) cookie support
• Active Google AC vendors count

Bug Fixes​

• Fixed 4 missing phrase definitions (deb_consent_vendor_special_purposes, _explain, deb_consent_vendor_features, _explain) — previously showed raw phrase keys in vendor edit form
• Fixed __tcfapi getTCData response now includes addtlConsent field for programmatic access

Technical​

• New DB column: google_ac_id (UINT, nullable) on xf_deb_consent_vendor
• New config key: consent_version in xf_deb_consent_config
• Head stub rewritten: TCF API stub with ping, __tcfapiLocator iframe, postMessage handler
• CMP JS: restoreConsent() now checks cmpVersion against consentVersion for re-consent
• CMP JS: persistConsent() encodes current consentVersion as cmpVersion in TC string
• New Repository method: Vendor::findByAcId()

---

Update Guide: v1.0.3 → v1.0.4​

v1.0.4 fixes a revenue problem: Many important ad bidders (Google, Xandr, Criteo, Index Exchange, Amazon, etc.) were not bidding even though the TCF string was correctly set.

Root causes & fixes:

1. Google Additional Consent (AC): The addtlConsent cookie was missing — ~199 vendors from Google's "commonly used providers" list require this cookie in addition to euconsent-v2
2. Cross-Frame TCF: The __tcfapiLocator iframe and postMessage handler were missing — ad scripts in iframes (Google GPT, Prebid, etc.) could not discover the CMP
3. Re-Consent: After the update, all existing users must re-consent so the new addtlConsent cookie gets set

---

Step 1: Upload ZIP & install​

Code:

Admin Panel → Setup → Add-ons → Install/upgrade add-on → Upload DEB-ConsentManager-1.0.4.zip

The upgrade automatically creates:

• New DB column google_ac_id in the vendor table
• Updated head stub template modification (with __tcfapiLocator + postMessage)
• New phrases (EN + DE)

Step 2: Import GVL (load Google AC IDs)​

Code:

Admin Panel → Consent Manager → Dashboard → "GVL Import" → Click "Start Import"

This imports:

• IAB Global Vendor List (updates vendor data)
• NEW: Google's commonly-used-providers.json → sets google_ac_id for ~199 vendors

Verification: After import, check the vendor list → the "AC" column should show green ID badges for many vendors.

Step 3: Activate vendors​

Code:

Admin Panel → Consent Manager → Vendors → "Activate All"

Step 4: Re-request consent (IMPORTANT!)​

IMPORTANT: Existing users have the old cookie WITHOUT addtlConsent. To set the new cookie, all users must re-consent.

Code:

Admin Panel → Consent Manager → Dashboard → Scroll to "Consent Management" → Click "Re-request Consent"

This increases the consent version. On the next page load, every visitor will see the consent banner again.

Step 5: Run validator​

Code:

Admin Panel → Consent Manager → Dashboard → "Run Validation"

Expected result: 12/12 checks passed, including:

• __tcfapiLocator iframe
• Cross-Frame postMessage
• Google Additional Consent (AC)
• Google AC Vendors (199 active)

Step 6: Browser verification​

1. Clear cookies (or use incognito window)
2. Open your site → Banner must appear
3. Click "Accept"
4. DevTools → Application → Cookies— check:
   • euconsent-v2 = set
   • addtlConsent = 2~7.11.12.15...229...
5. DevTools → Console — enter:
   
   Code:

   window.__tcfapi('getTCData', 2, function(d, s) { console.log('addtlConsent:', d.addtlConsent); });

   → Must output the AC string

---

Optional: Reset statistics​

To start with fresh numbers after the update:

Code:

Admin Panel → Consent Manager → Dashboard → "Consent Management" → "Reset Statistics"

Deletes all consent logs and statistics.

---

Troubleshooting​

Banner does not appear after re-consent:

• Check consent version (Dashboard → "Current consent version: 2")
• Clear browser cache (Ctrl+Shift+R)
• Check addon is enabled (Settings → "Enable Consent Manager")

addtlConsent cookie missing:

• Run GVL import (Vendor list → AC column)
• Activate vendors
• Clear browser cache and re-consent

Validator shows less than 12/12:

• __tcfapiLocator missing: Recompile templates or reinstall add-on
• AC Vendors = 0: Run GVL import
• postMessage missing: Check head stub template modification

---

Technical comparison​

Component	v1.0.3	v1.0.4
Cookies	euconsent-v2	euconsent-v2 + addtlConsent
Head Stub	Simple queue	+ __tcfapiLocator + postMessage + ping
Validator	8 checks	12 checks (+ Google integration)
Vendor DB	iab_vendor_id	+ google_ac_id
Dashboard	KPIs + Charts + Logs	+ Re-Consent + Stats Reset
CMP JS	No version check	cmpVersion ↔ consentVersion comparison

Bug Fixes:

• Fixed vendor edit form not pre-selecting checkboxes for Consent Purposes, Legitimate Interest Purposes, and Special Features when editing existing vendors
• Fixed purpose labels showing generic "Purpose 1", "Purpose 2" etc. instead of proper TCF purpose names in vendor edit form
• Fixed vendor list table not using full available width in admin panel

Improvements:

• GVL import now uses privacy URL as vendor URL fallback (GVL does not provide a separate website URL)
• Vendor edit form uses phrase-based purpose labels consistent with settings page (supports all installed languages)
• Vendor list table columns optimized for better readability at full width

Bug Fixes:
- Fixed consent toggle states not restored when reopening the consent dialog (e.g. "Select basic ads"
showing OFF even though it was saved as ON)
- Fixed public JavaScript file (js/addons/) not being updated during build - only the source copy
(src/addons/) was updated, causing the live server to serve the old version

Deleted cookie → Banner appears
Clicked "Customize" → Layer 2 opens
Enabled Purpose 2 "Select basic ads" → Toggle ON
Clicked "Save Selection" → Banner closes
Navigated to /consent/ → Clicked "Change Cookie Settings"
Dialog reopens → P1: ON, P2: ON, rest OFF

Note for Cloudflare users:
If you use Cloudflare, please purge your Cloudflare cache after installing this update
(Dashboard > Caching > Purge Everything). Clearing only the browser cache is not sufficient
as Cloudflare caches JavaScript files independently. Without purging, your visitors may
still receive the old JavaScript file.

Bug Fixes:

• Fixed Google Consent Mode script loading AFTER AdSense/gtag.js (moved to top of <head>)
• Fixed returning visitors seeing 'denied' consent until page fully loaded (cookie check now in <head>)
• Fixed Global Scope toggle breaking all banner JavaScript when disabled (XF renders false as empty string)
• Fixed missing XenForo cookie consent page phrases (third-party group and euconsent-v2 description)

New Features:

• Search/filter field in admin vendor list (filter by name, IAB ID, purposes, status)
• Search/filter field in admin consent logs (filter by user, IP, action, date)

Improvements:

• Google Consent Mode defaults + cookie check now injected at top of <head> before any Google script
• Changed German phrase "Cookie-Einstellungen ändern" to "Cookie-Einstellungen zurücksetzen"
• isServiceSpecific uses <xf:if> instead of JS negation (prevents broken JS when value is false)

Bug Fixes:

• Fixed "Function datetime is unknown" error on dashboard and logs (changed to date_time)
• Fixed banner not closing after Accept/Reject/Save when CMP JavaScript throws an error

Improvements:

• Banner buttons now hide wrapper before CMP call with try/catch error handling
• Banner always closes reliably regardless of JavaScript errors

Bug Fixes:

• Fixed ads not showing after consent was given (Google Consent Mode remained 'denied' on page load)
• Fixed Layer 2 Accept/Save/Reject buttons not working when reopened via "Change Cookie Settings"
• Fixed footer cookie settings link not clickable on mobile browsers (touch target too small)
• Fixed admin permission not auto-assigned to super admins on fresh install
• Fixed Layer 3 (Vendor Details) showing empty list
• Fixed Cookie Declaration link using button color instead of text color
• Fixed vendor privacy links using button color instead of text color
• Fixed duplicate font-size declaration in button CSS
• Fixed Dark Mode using wrong selectors root/.xfDark instead of XF 2.3 data-color-scheme)
• Fixed banner description text using opacity hack instead of proper secondary color
• Fixed purpose names showing raw phrase keys (deb_consent_purpose_{$purposeId}_name) in banner Layer 2
• Fixed IP address not displayed in dashboard and consent logs (missing Entity getter)
• Fixed date without time in log entries (date() changed to datetime())
• Fixed purpose settings having no effect on banner, consent page or vendor list

New Features:

• Vendor list in Layer 3 with search field and pagination (50 per page)
• IP address column in dashboard recent logs and consent log page
• Full datetime (date + time) in all log views
• Purpose settings now fully functional: disabled purposes are hidden from banner, consent page and vendor list
• Vendor list filtered by enabled purposes (vendors with only disabled purposes are removed)
• Vendor purpose badges filtered to show only enabled purposes

Improvements:

• All links use text color with underline on hover only
• Footer link has 44px min-height on mobile for reliable touch targets
• Google Consent Mode signals restored to 'granted' on every page load when cookie exists
• Banner event listeners always attached regardless of consent state for re-consent flow
• Dynamic purpose rendering via xf:foreach instead of hardcoded HTML
• Purpose names and descriptions resolved via XF phrases for proper translations
• Improved mobile responsive: smaller title, reduced modal padding, vendors stack vertically
• Dark Mode uses correct XF 2.3 selector [data-color-scheme="dark"]

Bug Fixes

• Fixed purpose acceptance rates chart showing empty (per-purpose stats were not recorded during consent actions)
• Fixed "Change Cookie Settings" button on /consent page not opening purpose selection layer
• Fixed settings not persisting after save due to entity cache not being cleared
• Fixed leading comma in purpose badges on logs, dashboard, vendors and consent page (XF foreach $i is 1-based)
• Fixed purpose chart labels showing only numeric IDs instead of readable names

Improvements

• Cookie settings button now opens Layer 2 (purpose selection) instead of revoking consent
• Added retry logic for deferred CMP JavaScript loading on consent page
• Purpose chart shows labeled bars (e.g. "P1: Store/access info")