The main consent frameworks: GCM, UET, IAB TCF, and Meta CAPI

Four consent frameworks dominate the web: Google Consent Mode, Microsoft UET Consent Mode, IAB TCF, and Meta Conversions API. They are not alternatives to each other. Most sites operating in the EU or UK need more than one - the frameworks serve different advertising ecosystems, and those ecosystems frequently run on the same page at the same time.

Understanding what each framework actually does (and what it does not do) is the starting point for building a consent implementation that holds up.

At a glance

Framework	Who needs it	What it controls	Compliance scope
Google Consent Mode (GCM)	Anyone using GA4, Google Ads, or GTM	How Google tags behave when consent is denied	EU/UK required; global best practice
Microsoft UET Consent Mode	Microsoft Advertising users	How the UET tag behaves when consent is denied	EU/UK required; growing global relevance
IAB TCF	Publishers with programmatic ad inventory	How ad-tech vendors receive and act on consent across the supply chain	EU/UK programmatic advertising
Meta Conversions API (CAPI)	Facebook/Instagram advertisers	Server-side conversion sending, with consent flags	EU/UK required for compliant tracking

Google Consent Mode (GCM)

GCM is the framework with the broadest reach. If a site uses Google Analytics 4 or any Google Ads product, GCM is effectively mandatory in the EU and UK.

The core mechanic is a set of four parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization) that Google tags read before deciding how to behave. In Advanced mode, tags still fire when consent is denied - but without writing or reading identifiers. Google uses these "cookieless pings" to model the traffic it cannot directly measure.

Basic mode (blocking tags until consent) is easier to implement but sacrifices measurement accuracy entirely. Most serious implementations use Advanced mode.

The most common failure mode is not absence of GCM but misconfiguration: a default consent state of 'granted' rather than 'denied', meaning the framework is present but provides no actual protection.

Read the full GCM guide →

Microsoft UET Consent Mode

UET (Universal Event Tracking) is Microsoft Advertising's site tag. If you run Bing Ads campaigns, UET is almost certainly on your site.

Microsoft's consent mode works similarly to GCM: the UET tag reads a consent signal and adjusts its behaviour accordingly. When consent is denied, the tag can operate without writing or reading marketing identifiers. The practical benefit - like GCM Advanced - is preserving some level of measurement signal without non-compliant tracking.

Sites often implement GCM but overlook UET consent mode. The regulatory risk is the same: if the UET tag writes cookies before consent, that is a breach regardless of whether GCM is correctly configured.

Read the full UET guide →

IAB Transparency and Consent Framework (TCF)

The IAB TCF operates at a different level from GCM or UET. Where those frameworks govern individual vendor tags, the TCF governs the supply chain - it is the mechanism by which a publisher's consent choices propagate across dozens or hundreds of ad-tech vendors simultaneously.

The key artefact is the TC String: a base64-encoded record of which vendors a user has consented to and for which purposes. The string is stored in a cookie (euconsent-v2) and passed in programmatic bid requests, allowing ad exchanges and DSPs to decide in milliseconds whether they are permitted to serve a personalised ad to that user.

The TCF matters primarily for publishers with programmatic ad revenue. If you monetise via Google AdSense or Ad Manager in the EU, TCF compliance is a requirement for accessing personalised demand. Sites without programmatic advertising typically do not need the TCF.

Read the full IAB TCF guide →

Meta Conversions API (CAPI)

Meta CAPI is different in character from the other three. Rather than adjusting the behaviour of a browser-side tag, CAPI sends conversion events server-to-server - directly from your infrastructure to Meta's - bypassing browser tracking restrictions entirely.

The consent angle is handled via event parameters: when sending a conversion, you include a flag indicating whether the associated user has consented to data sharing for advertising. This allows Meta to apply the conversion appropriately in campaign measurement while respecting the user's choice.

CAPI is particularly valuable for e-commerce and lead-generation sites where browser-based tracking (the Meta Pixel) is increasingly unreliable due to third-party cookie restrictions and ad blockers. It improves attribution accuracy while providing a path to compliant tracking.

How they fit together

For a typical UK or EU e-commerce site running Google, Microsoft, and Meta advertising:

1. GCM Advanced handles GA4 and Google Ads consent signalling.
2. UET Consent Mode handles Microsoft Advertising.
3. Meta CAPI replaces or supplements the browser pixel with server-side conversion sending.
4. IAB TCF is only necessary if the site carries programmatic display advertising from external ad networks.

All four frameworks assume a properly configured CMP sits upstream, capturing user consent choices and distributing signals to each integration. The CMP is the single source of truth; the frameworks are the wiring that connects it to each advertising ecosystem.

Where ConsentScout fits

ConsentScout's first-load scan checks whether each framework is present and whether it appears to be operating correctly. Key signals the scanner looks for:

• GCM: gcs parameter in Google requests; absence of GA/Ads cookies before interaction
• UET: consent parameters in Microsoft tag requests; absence of UET-related cookies before interaction
• TCF: presence of the __tcfapi API; euconsent-v2 cookie set only after interaction

A site can have all four frameworks technically present and still fail the scan - the most common scenario is GCM Advanced with a granted default, or TCF configured but cookies set before the string is written. Framework presence is necessary but not sufficient. Configuration is where compliance actually happens.