IAB Europe Launches New TCF Vendor Compliance Programme
As the managing organisation of the Transparency & Consent Framework (TCF), IAB Europe constantly strives to protect the integrity of the Framework and ensure that organisations who have signed up to the TCF comply with their commitments under the Framework Policies.
IAB Europe has been operating a Consent Management Platform (CMP) Compliance programme for CMPs registered for TCF since 2019. The CMP compliance programme comprises a pre-implementation validation stage and a post-implementation enforcement stage, which enables IAB Europe to monitor live CMP implementations for compliance with the TCF Policies. The CMP enforcement process can result in the suspension of the participating CMP from the Framework for non-resolved breaches of TCF Policies.
IAB Europe is now expanding the Compliance programme to Vendors registered for the TCF. The aim is to identify and enforce against instances of non-compliant Vendor implementations, which may reduce consumer protection, expose Publishers and Vendors to legal risks, and undermine the reputation of the TCF in the eyes of both regulators and users.
Scope of the Vendor Compliance Programme
In this first iteration of the TCF Vendor Compliance Programme, IAB Europe will audit live installations of Vendor technologies as integrated on Publisher properties and focus on assessing compliance with the following TCF policies:
Chapter III 16 (1) “A Vendor must not store information or access information on a user’s device without consent, unless the law exempts such storage of information or accessing of information on a user’s device from an obligation to obtain consent.”
Chapter III 16 (2bis) “A Vendor shall indicate on the GVL the maximum duration of information stored on a user’s device, including whether such duration may be refreshed.”
Chapter III 13 (6) “A Vendor must not create Signals where no CMP has communicated a Signal, and shall only transmit Signals communicated by a CMP or received from a Vendor who forwarded a Signal originating from a CMP without extension, modification, or supplementation, except as expressly allowed for in the Policies and/or Specifications.”
Chapter III 16 (17) “A Vendor must not transmit personal data to another Vendor unless the Framework’s Signals show that the receiving Vendor has a Legal Basis for the processing of the personal data. For the avoidance of doubt, a Vendor may in addition choose not to transmit any data to another Vendor for any reason”.
Chapter III 16 (20) “If a Vendor receives a user’s personal data without having a Legal Basis for the processing of that data, the Vendor must quickly cease processing the personal data and must not further transmit the personal data to any other party, even if that party has a Legal Basis for processing the personal data in question”.
Over time, IAB Europe will aim to expand its automated audit capabilities to enable it to carry out more comprehensive and efficient assessments of Vendor compliance. Needless to say that, while the policies above constitute the focus of this initial phase of the TCF Programme, IAB Europe will continue to monitor compliance with all TCF Policies and adopt enforcement measures where non-compliance is identified, in line with its prerogatives under the TCF Policies and Terms and Conditions.
From the 1st of September 2021, the enforcement process will be as follows:
- IAB Europe will regularly monitor top websites in key markets.
- IAB Europe may also act on TCF community reports of non-compliance.
- Where a live Vendor installation is found to be in breach of the policies, the following process applies:
- If this is the first, second or third time a breach has been identified, in each instance, the Vendor will be given 28 calendar days to remedy the issues. If, following the expiration of the 28 day period, the issues have not been resolved, the Vendor will be suspended from the Framework and removed from the Global Vendor List until all compliance failures have been remedied;
- If this is the fourth time within a twelve-month period that a breach has been identified, the Vendor will be suspended from the Global Vendor List with immediate effect for a minimum of 14 days and until all compliance failures have been remedied.
What is the TCF?
The IAB Europe Transparency and Consent Framework (TCF) was created to help companies that serve, measure and manage digital and personalised advertising content comply with certain obligations of the European General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) when processing personal data or accessing and/or storing information on a user’s device. It consists of Technical Specifications and Policies that assist all companies in the digital advertising supply chain to meet transparency and user choice requirements.
The TCF enables publishers, through the means of a CMP, to inform and allow their users to exercise their choices on data processing pursued by them and/or the technology providers operating on their services (vendors). User choices are then recorded by the CMP in the form of signals (TC strings) to be transmitted and respected by the latter.
To ensure all parties can rely confidently on TC strings to determine their ability to process data, the TCF policies and technical specifications layout specific obligations and provisions for each category of participants (publishers, vendors and CMPs). IAB Europe supports participants in the application of their respective requirements through its compliance programmes.
For more information on the TCF or should you have any further questions on the TCF Vendor Compliance Programme, please do not hesitate to contact us at: email@example.com