The Final Sprint for TCF v2.0 Compliance is On!
When IAB Europe launched TCF v2.0 in August 2019, it was a huge achievement for the whole industry. It also felt like the finish line of a long marathon in which all body parts had been called to contribute intensely. Yet this was also the beginning of a new race.
Vendors and Consent Management Platforms (CMPs) then needed to appreciate the complexity of TCF v2 and figure out how to implement it and take full advantage of all its benefits in comparison to TCF v1, while maintaining their revenue streams. The main benefits of TCF v2 include 1) better adherence to GDPR requirements, 2) more transparency & control for users, 3) more control for publishers in their choice of vendors, and 4) additional legal bases flexibility for vendors.
Now CMPs are rushing to the finish line to get TCF v2.0 compliant and contribute to improving the level of GDPR compliance across the digital advertising ecosystem.
All new CMPs looking to participate in the TCF should register and submit their TCF v2 implementation demo as soon as possible. All new CMPs should indeed be validated before they can receive their sub-domain and their CMP ID. In parallel, all existing CMPs should request TCF v2 participation and submit their TCF v2 implementation. On 30 June, TCF v1 will be deprecated.
When CMPs are certified as compliant, they are published on a dedicated list here before they can be published in the TCF v2 JSON file here. IAB Europe also provides compliant CMPs with a seal as one of the tools they can use to communicate their compliance effort to stakeholders.
Now, just a few days after the 31 March deadline, there are already TCF v2 compliant CMPs. More have submitted their implementation and are working on updates.
On CMP compliance, the TCF Steering Group has adopted, as of 7 April, two “hotfixes” to the TCF v2.0 policies, aimed at improving CMP flexibility and their ability to deliver a user-friendly experience in the first layer of v2 user interfaces. These include the introduction of five new Stacks for CMPs to choose from (Stacks 38-42) and the removal of the requirement to disclose Special Purposes and Features in the 1st UI layer.
Please note that the latest version of the TCF Policy document is now Version 2020-04-08.3a. The amended TCF Policies are available here. Furthermore, a few compliance failures have caught our attention, so below we’ve provided some additional guidance to help CMPs.
CMP Compliance Guidance 101
Policy Check 2: Can users review the standard legal text?
The UI is required to include the standard legal text of all Purposes, Special purposes, Features and Special Features. The standard legal text does not necessarily need to be featured in the first layer.
Policy Check 10: Does the 1st layer of the UI provide an example of personal data processed?
It is required that the first layer of the UI includes an example of personal data processed. The sole mention of “cookies” does not qualify as an example.
Policy Check 12: Does the 1st layer of the UI provide information about the Purposes and/or Stacks, and Special Features used by third parties? (Updated on 7 April 2020)
Many CMPs are concerned about how much information should appear on the first layer and about not overwhelming their users. This was also a major concern for TCF v2 contributors when they drafted the TCF v2 Policies and its Data Processing purposes. This is how the concept of “Stacks” emerged. “Stacks” are a combination of purposes allowing CMPs to provide information about TCF v2 purposes in the first layer in a user-friendly way. Also note that, while in TCF v1 it was possible to use tooltips or expansion options to show this information, TCF v2 is more stringent in that the information must be immediately visible, so it is no longer possible to use these approaches in TCF v2. As of 7 April, it is no longer required to include Special purposes and Features in the first layer of the User Interface.
Policy Check 14: Does the 1st layer of the UI provide information about the scope of the consent choice, i.e. global consent, service-specific consent, or group-specific consent?
CMPs need to send two sets of test results, one for a service-specific configuration and one for a global configuration.
Policy Check 17: Does the 1st layer of the UI advise the user of their right to object to their personal data being processed on the basis of legitimate interest (if any)?
Most CMPs mention the legitimate interest legal basis in the first layer but they fail to properly advise users of their right to “object” per se. Other ways of formulating users’ “right to object” will not be reviewed as compliant.
Many CMPs provide a list of the vendors but they fail to provide the list of purposes that the vendors process data for and its corresponding legal basis in the UI.
Policy Check 23: If legitimate interest is used by any Vendors as a legal basis, does the 2nd layer allow users to object to the processing of their personal data, per Purpose and per Vendor?
Most CMPs use separate toggles for the consent legal basis and for the legitimate interest legal basis, per vendor and per purpose (where applicable). This is what IAB Europe recommends. In case CMPs want to use the same toggle for legitimate interest and for consent, the toggle must be ‘off’ by default and as such, both the consent signals and legitimate interest signals need to be ‘off’ by default.
TCF v2 compliance is of crucial importance and we want to thank all CMPs, vendors and publishers for their efforts in the roll-out of TCF v2 to the market. For more information about registration, please contact firstname.lastname@example.org. To submit your TCF v2 implementation demo, please contact email@example.com.
Colombe Michaud, Project Lead, Data Protection & Privacy, IAB Europe.