Google Additional Consent (GAC) is a technical specification created by Google to obtain consent for advertising partners that are not registered in the IAB Europe Transparency & Consent Framework (TCF). In this article, you will learn what Google Additional Consent specifically defines, how the standard can be implemented in practice on WordPress websites, and what data protection risks it poses. We will compare it to the TCF to provide a better understanding of its advantages and disadvantages.
Finally, we will provide recommendations for operators of WordPress websites and users of Real Cookie Banner who are considering using Google Additional Consent.
What is Google Additional Consent?
Google Additional Consent (GAC) is an addition to the classic TCF consent string that publishers can use to provide Google with consent to process personal data and set/read cookies and similar technologies for Google’s Ad Tech Providers (ATP) that are not listed in the Global Vendor List (GVL) of the TCF standards and are not certified by IAB Europe.
The aim of GAC is to expand the circle of permissible advertising partners and thus allow a larger number of bidders to participate in the auction process in Google AdSense, Ad Manager, or AdMob, for example. This potentially means more revenue for publishers (website operators) through advertising on their websites, but they must ensure that each ATP is only included in the AC string (technical definition of consent collected) if legally effective consent has been obtained. By transmitting the AC string, you as the website operator certify to Google that you have obtained consent correctly, enabling Google to fulfill its obligation to provide proof in accordance with, among other regulations, the Digital Market Act.
Although Google Additional Consent is transmitted together with the TCF string, Google does not define any requirements for the design of the consent dialog (cookie banner), information obligations, or consent modalities — this responsibility remains entirely with the website operators, with the support of their consent management platform (CMP) if necessary.
How does Google Additional Consent differ from the Transparency & Consent Framework (TCF) of IAB Europe?
TCF is a comprehensive legal and technical framework that contains binding rules for all parties involved (vendors, publishers, CMPs) and has already been extensively reviewed by data protection supervisory authorities such as the Belgian APD (DOS-2019-01377). The framework ensures that all vendors listed in the GVL provide uniformly structured information to fulfill the information requirements of the GDPR and ePrivacy Directive.
Google Additional Consent, on the other hand, is only a technical specification for encoding consent in the form of AC strings. Participating advertising networks, Google’s Ad Tech Providers, can register on the ATP list. There are no binding requirements as to how publishers (website operators) must inform their website visitors or what scope the consent must have. Google expressly points out that publishers are solely responsible for obtaining and documenting consent in accordance with the law.
Comparison of the information in the ATP and GVL
Both the Ad Tech Provider List (ATP) for GAC and the Global Vendor List (GVL) for TCF serve as a database for website operators to fulfill their information obligations in accordance with Art. 13 f. GDPR and the ePrivacy Directive. However, the two lists differ significantly in the depth and scope of the information provided.
Contents of the Global Vendor List (GVL) for Transparency & Consent Framework
The GVL contains comprehensive information on each registered vendor (advertising partner). This includes, in particular, the legal identity, the breakdown of processing purposes and legitimate interests, details on storage periods and cookies and similar technologies used, as well as links to privacy policies in all supported languages. Vendors also undergo a certification process by IAB Europe, which serves, among other things, to ensure the quality of the information provided. This structured database covers a large part of the information obligations that website operators must fulfill for each vendor as required by the GDPR and the ePrivacy Directive.
Download: GVL v3 from Transparency & Consent Framework
Contents of the ATP for Google Additional Consent
In contrast, the ATP list for Google Additional Consent only provides basic data on advertising partners that do not participate in the IAB Europe’s TCF. The ATP list only contains the product or brand name (but not the legal identity of the advertising partner), a non-localized URL to the privacy policy, and the domains associated with the advertising platform. All further information – such as the specific processing purposes, legal bases, or cookies and similar technologies – must be researched and documented by the publisher itself if it wishes to comply with the information requirements of the GDPR and ePrivacy Directive.
The ATP is a dynamically growing list with around 600 advertising companies as of April 2025.
Download: ATP v2 from Google Additional Consent
Data protection criticism of Google Additional Consent
Google Additional Consent shifts the entire responsibility for legally compliant consent to publishers without providing a reliable database in the form of a list containing complete information about the participating advertising partners. The ATP list is published as a regularly updated CSV file, but only contains basic information on several hundred advertising partners, without the essential details required to fulfill the information obligations under the GDPR.
Apart from the enormous amount of manual research this entails, there is a risk that data subjects will not be sufficiently informed about which advertising partners they are giving their consent to due to Google’s undefined framework for obtaining consent from a legal perspective. The lack of clear information on storage periods or specific processing purposes may lead to violations of the GDPR and Google’s own EU User Consent Policy by the website operator.
In comparison, IAB Europe, with the GVL at the heart of TCF, demonstrates how a structured vendor database can look. As long as Google does not offer comparable transparency for ATP, we consider the use of GAC to be a compliance risk that is unmanageable for most website operators.
Technical functionality of Google Additional Consent
To use GAC on your website, your cookie banner must download the ATP list and display the advertising partners with information provided by you as the website operator (see previous section) so that your visitors can give informed consent to each advertising partner. Only when you provide transparency about which ATPs are available for voluntary selection and your website visitors have been comprehensively informed in advance in accordance with Art. 13 para. 1 GDPR about the processing of their personal data, can you obtain effective, informed consent.
Technically, the additional consent string (technically called addtlConsent; verbally AC string) is generated in parallel to the TC string by TCF. Your cookie banner stores the AC string either as a cookie in cookie-like technologies. You then transmit it to Google, for example via OpenRTB bid requests or as a URL parameter to Google endpoints. If integrated correctly, this happens automatically when, for example, advertising is integrated into your Google AdSense. Google evaluates the AC string to check which ATPs are allowed to participate in the auction.
Recommended actions for website operators
If you are a website operator and are considering using Google Additional Consent (GAC) in addition to TCF, you should carry out a careful risk assessment. Although GAC promises potentially higher advertising revenues through an expanded partner network, it is practically nearly impossible to fulfill your information obligations. In our legal opinion, the ATP list on which GAC is based does not provide sufficient information about the advertising partners to enable you to fully comply with your information obligations under the GDPR. There is a lack of structured information on the identity and contact details of the advertising partners, processing purposes, legal bases, and storage periods. We consider it practically impossible for you, as a website operator, to maintain these details manually for hundreds of advertisers on a case-by-case basis.
Real Cookie Banner therefore deliberately does not support Google Additional Consent.
We recommend that you rely exclusively on the TCF from IAB Europe instead. This will ensure that you obtain consent for advertisements on your website in the most legally compliant and transparent manner possible. How to set up Real Cookie TCF in general or set up TCF explicitly for Google Ads is explained in separate articles. The full implementation of TCF in Real Cookie Banner has been certified by IAB Europe.