The Transparency and Consent Framework (TCF) was created to help companies that serve, measure and manage digital and personalised advertising content comply with certain obligations of the European General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) when processing personal data or accessing and/or storing information on a user’s device. It consists of Technical Specifications and Policies for the digital sector that assist companies to meet transparency and user choice requirements. In the first of this blog series, we seek to dispel some of the myths around what the TCF Policies actually require.
The TCF is not more restrictive than European privacy and data protection law : TCF v2.0 Policies have been carefully drafted by the TCF Working Groups in a way that balances the need for stability within the standard with updated interpretations of requirements directly drawn from the GDPR and the ePrivacy Directive (2009/136/EC). The TCF instances take individual DPA guidance into account to the extent that synergies and common interpretations of EU-level requirements emerge, and refrain from adopting or updating Policies where such interpretations diverge. In this way, while it seeks to establish minimum requirements enabling participants to effectively collaborate across European borders, the TCF provides sufficient flexibility allowing it to be implemented in all European markets and adapt to national DPAs different guidelines where necessary.
TCF Policies require CMPs to implement a “reject all” button in their initial UI layer
Not true. According to TCF v2.0 Policies, the initial layer of TCF UIs must, at the very least, include a call to action for the user to express their consent (for example “Accept”, “Okay”, “Approve”, etc.) and a call to action for the user to customise their choices (for example “Advanced Settings”, “Customise Choices”, etc.). The TCF Policies most definitely do not require CMPs to include a call to action for the user to refuse consent on the initial layer of the UI, while not preventing CMPs from doing so if they wish, at the request of the Publisher, or if more stringent local requirements apply.
TCF Policies require CMPs to provide granular consent choices in their initial UI layer
Not true. Although TCF v2.0 Policies require the inclusion of the list of standard purposes or standard Stacks for which third party vendors are processing data in the initial layer of the UI, there is currently no requirement for CMPs to provide granular consent choices. CMPs remain, however, free to do so if they wish, at the request of the Publisher or if more stringent local requirements apply.
TCF Policies prohibit “scrolling” consent
Not true. TCF does not define the notion of "affirmative" / "unambiguous" in terms of gathering valid consent and hence does not have policies preventing organisations from implementing "scrolling consent", if they consider this practice acceptable. Note that a European definition of this concept appears to be emerging, since the EDPB has clearly flagged that it considers this illegal in the most recent update to its Guidelines on Consent in May 2020 (see para. 86) and that DPAs which have previously considered this practice acceptable will likely align their approach with the EDPB in the near future.
Please visit https://stg-iabeurope-iabeuropeold.kinsta.cloud/tcf-2-0/ for information on TCF v2.0 Policies, Technical Specifications, Implementation Guidelines, FAQ and more.
For more information, please contact Filip Sedefov, Director, Legal at IAB Europe (email@example.com) and Ninon Vagner, Privacy & Compliance Manager at IAB Europe (firstname.lastname@example.org).