Custom Purposes: Managing Consent Beyond Standard Privacy Frameworks

UniConsent

The IAB Transparency and Consent Framework (TCF) and IAB Global Privacy Platform (GPP) cover a broad range of advertising and data processing scenarios. But many websites collect and process data for purposes that don't fit into these frameworks at all — newsletter tracking, A/B testing, session recordings, chatbot interactions, or industry-specific regulatory requirements.

UniConsent Custom Purposes let you define your own consent categories, display them in the consent banner alongside standard purposes, and manage them through the same JavaScript API and tag loading tools you already use.

Why Standard Purposes Don't Cover Everything

IAB TCF defines purposes like:

  • Purpose 1: Store and/or access information on a device
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 7: Measure advertising performance
  • Purpose 10: Develop and improve services

These work well for advertising — ad targeting, measurement, content personalization. But if your website runs A/B tests, records user sessions with Hotjar, sends newsletters with open-rate tracking, or operates in a regulated industry like gambling or healthcare, none of those activities map to a TCF purpose.

The same gap exists on the US side. The IAB GPP framework handles opt-out signals for state privacy laws like CCPA, but it doesn't provide a mechanism for collecting opt-in consent for sensitive data categories that many state laws now require.

Custom Purposes fill that gap.

E-Commerce: Recommendations, A/B Testing, and Dynamic Pricing

Most e-commerce websites go well beyond basic advertising. They build shopping profiles from browsing history and purchase patterns to drive product recommendations. They run A/B tests across checkout flows, landing pages, and pricing. Some use dynamic pricing based on location, device, or browsing behavior.

None of this maps to a TCF purpose. Product recommendation profiling is more granular than TCF's content personalization. A/B testing tracks sessions across experimental variants for conversion optimization, not advertising. Dynamic pricing uses personal data to adjust what individual visitors see — a practice that increasingly draws regulatory attention across the EU.

Example custom purposes for an e-commerce site:

  • product_recommendations — Building shopping profiles to personalize suggestions
  • ab_testing — Tracking sessions across website optimization experiments
  • dynamic_pricing — Using browsing data to personalize pricing and offers
  • post_purchase_tracking — Analyzing return patterns and review behavior

Media and Publishing: Paywalls, Newsletters, and Reader Profiling

European publishers operating consent-or-pay models — common since CNIL's 2020 cookie guidelines in France — need consent management that goes beyond advertising. They track reading habits to personalize editorial content, monitor user journeys from free articles through paywall conversion, share reader data across titles within a media group, and track newsletter engagement with open rates and click data.

TCF Purpose 6 (use profiles to select personalised content) is scoped to the TCF vendor ecosystem. It doesn't cover first-party editorial personalization, subscription analytics, or cross-site reader profiles within a media group.

Example custom purposes for a publishing site:

  • editorial_personalization — Tracking reading habits to personalize editorial content
  • subscription_analytics — Analyzing paywall conversion and subscription behavior
  • cross_site_sharing — Sharing reader profiles across websites in the media group
  • newsletter_tracking — Tracking engagement within email newsletters

SaaS Platforms: Session Recordings, Chatbots, and Product Analytics

SaaS platforms and web applications process interaction data that has nothing to do with advertising. Tools like Hotjar, FullStory, and Microsoft Clarity capture mouse movements, clicks, and page interactions. AI-powered chatbots store and analyze conversation data. Product teams track feature adoption, workflow completion, and engagement patterns.

All of this falls outside IAB TCF. A session recording is product analytics, not ad measurement. A chatbot conversation log is customer support data, not an advertising profile.

Example custom purposes for a SaaS platform:

  • session_recording — Recording and analyzing user interactions on the website
  • ai_chatbot — Storing and analyzing chatbot conversation data
  • product_analytics — Tracking feature usage and interaction patterns
  • user_feedback — Collecting and linking in-app survey and feedback data

Online Gambling: Player Profiling Beyond Responsible Gaming

Gambling websites in regulated markets like the Netherlands face a split between mandatory and optional data processing. The Dutch Gaming Authority (Kansspelautoriteit, or KSA) requires operators to perform age verification, monitor player behavior for responsible gaming, and report to regulators. These are legal obligations — operators don't need consent for them.

But gambling sites also do things that go beyond those obligations: personalized game recommendations based on play history, cross-product profiling across casino, sports betting, and poker, sharing player data with affiliate and marketing partners, and running behavioral analytics for business intelligence. These optional activities require consent, and none of them fit into TCF.

Example custom purposes for a gambling site:

  • gaming_recommendations — Using play history to personalize game and promotion suggestions
  • cross_platform_profiling — Combining player data across gaming products
  • marketing_data_sharing — Sharing player data with marketing and affiliate partners
  • enhanced_analytics — Behavioral analysis beyond mandatory responsible gaming

Health and Wellness: Sensitive Data Outside HIPAA

In the US, HIPAA covers hospitals and their business associates, but many health information websites, wellness portals, and telehealth platforms fall outside its scope. The FTC has taken action against health websites that shared browsing data with advertising platforms — the BetterHelp settlement in 2023 is a notable example.

Health websites that track symptom searches, condition page views, or wellness quiz results often share that data with analytics platforms. Some build audience segments based on health-related browsing for advertising. Others share anonymized browsing patterns with pharmaceutical companies or research institutions. All of these require clear consent, and standard advertising frameworks don't address them.

Example custom purposes for a health website:

  • health_analytics — Processing health-related browsing data with third-party analytics
  • health_interest_ads — Using health-related browsing data for advertising
  • health_profile — Building a health interest profile across connected web properties
  • research_sharing — Sharing anonymized health browsing data with research partners

US State Privacy Laws: Sensitive Data That Requires Opt-In

The growing list of US state privacy laws — CCPA in California, CPA in Colorado, CTDPA in Connecticut, VCDPA in Virginia, TDPSA in Texas, and others — defines sensitive data categories that require opt-in consent before processing. The IAB GPP framework handles opt-out signals but doesn't provide a mechanism for these opt-in requirements.

Sensitive categories that websites commonly encounter include precise geolocation (GPS-level data, defined as within 1,750 feet under many state laws), biometric identifiers like facial recognition or fingerprint login, data from visitors under 16 (or 13 in some states), and inferred sensitive characteristics like health conditions or religious beliefs derived from browsing patterns.

States like Illinois (BIPA), Texas, and Washington have separate biometric-specific consent requirements on top of their general privacy laws.

Example custom purposes for a US website:

  • precise_geolocation — Collecting GPS-level location data for personalization and analytics
  • biometric_data — Collecting and processing biometric identifiers
  • minor_data_processing — Processing data of visitors under 16
  • sensitive_inference — Processing that may infer sensitive personal characteristics

EdTech: Student Data Beyond Core Education

Online learning platforms sit at the intersection of multiple privacy regulations. In the US, FERPA and COPPA set the baseline, but states like California (SOPIPA) and New York (Education Law 2-d) add specific student data privacy requirements. In the EU, processing student data for purposes beyond education delivery requires separate consent.

EdTech websites often analyze student behavior — time on task, click patterns, course completion rates — to build engagement profiles that go beyond what's needed to deliver the course. They run AI-driven personalization to adjust learning pathways. They track email and notification engagement for marketing. And they share student interaction data with third-party content providers, assessment tools, or tutoring services.

Example custom purposes for an EdTech website:

  • student_analytics — Analyzing student behavior beyond core educational delivery
  • ai_personalization — AI-driven personalization of learning content and pathways
  • communication_tracking — Monitoring engagement with platform communications
  • third_party_content — Sharing interaction data with educational content partners

How It Works

Custom Purposes work alongside your existing consent setup — they don't replace TCF or any other framework. Consent is stored separately from the TCF consent string, so your TCF compliance stays intact. Custom purposes appear in the same consent banner, respond to "Agree All" and "Reject All" actions, and users can toggle each one individually.

They work across all law frameworks UniConsent supports: GDPR, TCF Canada, CCPA, US State Privacy, LGPD, PIPL, POPIA, and Simple Mode. On the technical side, custom purposes integrate with the JavaScript API, Google Tag Manager dataLayer, and UnicScript conditional tag loading.

For setup instructions and technical details, see the Custom Purposes documentation.

Wrapping Up

Standard privacy frameworks cover advertising well, but most websites do more than serve ads. If your site runs A/B tests, records sessions, tracks newsletter engagement, processes sensitive data, or operates in a regulated industry, you likely have consent requirements that TCF and GPP weren't built to handle.

Custom Purposes give you a way to manage those requirements within the same consent infrastructure — no separate popups, no custom-built solutions, full compatibility with every major privacy framework.
