What are cookies and what do they do?
A cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Cookies are used to tell the server that users have returned to a particular website.
Cookies can have different functions and serve different purposes.
Authentication cookies are used to authenticate that a user is logged in, and with which account they are logged in. Without the cookie, users would need to authenticate themselves by logging in every time they visit a page containing sensitive information that they wish to access.
Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories — a potential privacy concern.
Why must cookie consent be obtained?
Cookies can identify people and store their personal information which can be shared with third parties and are a privacy concern.
The EU GDPR made it a legal requirement to solicit cookie consent. Quoting from GDPR's Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
⚠️ Important: The GDPR imposes heavy fines on instances of non-compliance, among other serious consequences.
Given that cookies are a privacy concern, it's essential that you gather candidates' consent for cookies through a cookie policy on Full Fabric.
See the next article on how to set up a cookie policy.
How Full Fabric collects consent on your behalf Updated
Full Fabric is a registered Consent Management Platform (CMP). This means we handle the full consent flow directly within your portal — collecting, recording, and communicating your applicants' cookie preferences to any third-party vendors you have configured.
Our CMP is built to the IAB Europe Transparency & Consent Framework (TCF) v2.3 standard. When an applicant makes their choices, we encode those preferences into a TC string — a standardised, machine-readable token that downstream vendors use to determine what data processing the user has and has not agreed to.
The consent banner (first layer)
When a user visits your portal for the first time, Full Fabric shows a consent banner. To meet TCF v2.3 requirements, it always includes:
A statement that information is stored or accessed on their device.
A description of personal data processing, with at least one concrete example (e.g. "unique identifiers, browsing data").
The number of third-party vendors configured on your portal, with a link to view them all.
The Purposes and Special Features for which consent is being requested, using the standard TCF names.
The scope of consent — whether it applies to your portal only, or to a group of services.
Clear instructions on withdrawing consent at any time, with a link to reopen the consent UI.
Granular controls (second layer)
Applicants can click through to a detailed view to make more granular choices. Full Fabric surfaces all controls required by TCF v2.3:
Individual toggles per Purpose and per vendor for consent-based processing.
Separate opt-in controls for each Special Feature.
Clear labelling of vendors that rely on legitimate interest rather than consent, with the ability to object per Purpose and per vendor individually.
Full vendor information: privacy policy link, data retention period, data categories processed, and a legitimate interest explanation link where applicable.
Vendor counts per Purpose, for both consent and legitimate interest bases.
Any non-IAB-registered vendors shown in a clearly separate section from TCF-registered vendors.
ℹ️ Always up to date: All Purpose and vendor names shown in the consent UI are pulled live from the IAB Global Vendor List (GVL), never hardcoded. Full Fabric automatically refreshes the GVL within the required 7-day window so the information your applicants see is always current.
Withdrawing or updating consent
Applicants can reopen the consent UI at any time via the link on the initial banner or through the cookie settings link on your portal. When they change their preferences, Full Fabric generates a new TC string and updates their consent record. Any processing that relied on withdrawn consent stops immediately.
What you need to configure New
Full Fabric manages the consent mechanics, but you are responsible for configuring the CMP correctly for your institution. The consent your applicants give is only as accurate as the vendor list you set up.
Enable only the vendors you actually use. Including vendors you don't use adds unnecessary friction for applicants and creates compliance risk.
Keep your vendor list up to date. Whenever you add or remove a third-party tool from your portal, update your CMP configuration to match.
Flag non-TCF vendors correctly. Any tool not registered with the IAB must be listed and will be displayed separately from registered vendors in the consent UI.
Set the correct consent scope. If your institution operates across multiple brands or campuses under group consent, configure the group information page link in your settings.
See Setting up a cookie policy in Full Fabric for step-by-step configuration instructions.