@noidme/consent-standards
v0.1.0-beta.0
Published
IAB standards CMP surfaces — TCF v2 (__tcfapi) + GPP (__gpp) — driven by a purpose-based consent map. Refuses to impersonate a loaded CMP until you register (cmpStatus:error until then, so vendors fall back to no-consent, safely). Framework-agnostic, zero
Maintainers
Readme
@noidme/consent-standards
IAB standards CMP surfaces — TCF v2 (__tcfapi) + GPP (__gpp) — from a purpose-based consent map.
Framework-agnostic, zero-dependency. A noidme.js plugin, usable
standalone.
import { createTcfApi, createGppApi } from '@noidme/consent-standards';
const getConsent = () => ({ advertising: false, analytics: true }); // e.g. from @noidme/consent
// IAB TCF v2 — installs a __tcfapi vendors can call.
const tcf = createTcfApi({ getConsent, cmpId: 0 /* your registered CMP id */, registered: false });
(window as any).__tcfapi = tcf.api;
tcf.notify(); // call on every consent change → fires TCF event listeners
// IAB GPP (US Privacy) — installs a __gpp.
const gpp = createGppApi({ getConsent, registered: false });
(window as any).__gpp = gpp.api;
gpp.notify();Safety first (please read)
Until you are a registered IAB CMP (a real cmpId + registered: true), both APIs report
cmpStatus: 'error' and a stub TC/GPP string. That is deliberate: a compliant vendor then falls back
to no consent (the safe default) rather than trusting a fake "loaded CMP". Do not set
registered: true until you are actually listed — impersonating a loaded CMP with a bogus TC string is
both non-compliant and dangerous (vendors would act on it).
- TCF v2:
ping,getTCData,addEventListener/removeEventListener; purpose consents (1–11) mapped from your purposes viapurposeMap. - GPP:
ping,getGPPData, listeners; US-national section by default, withparsedSectionssurfacing the opt-out so consumers can react without decoding the string.
Install
npm i @noidme/consent-standardsLicense
MIT.
