Interactive Advertising Bureau

IAB Europe Transparency & Consent Framework Policies

IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Through its membership of national IABs and media, technology and marketing companies, its mission is to lead political representation and promote industry collaboration to deliver frameworks, standards and industry programmes that enable business to thrive in the European market
Version 2023-05-15.4.0.a
  • This document lays out the Policies applicable to participants in the IAB Europe Transparency & Consent Framework.
  • Participants may include publishers, advertisers, vendors, and/or CMPs. Each category of participant has specific obligations and requirements which are included in these Policies.
  • Participants must adhere to these Policies to maintain their participation in the Framework.
  • Participants must not amend, supplement, or modify their implementation of the Framework unless expressly provided for in the Policies or Specifications.
  • Participants must follow applicable privacy and data protection laws. In the event of a conflict between applicable law and the Policies, the law prevails.

Preamble

i. The Transparency and Consent Framework consists of a set of technical specifications and policies to which publishers, advertisers, technology providers, and others for whom the Framework is of interest may voluntarily choose to adhere.

ii. The goal of the Framework is to help players in the online ecosystem meet certain requirements of the ePrivacy Directive (and by extension its successor, the upcoming ePrivacy Regulation), and General Data Protection Regulation by providing a way of informing users about inter alia the storing and/or accessing of information on their devices, the fact that their personal data is processed, the purposes for which their personal data is processed, the companies that are seeking to process their personal data for these purposes, providing users with choice about the same, and signalling to third parties inter alia which information has been disclosed to users and what users’ choices are. For the avoidance of doubt, the Framework also serves to help meet requirements of the UK’s General Data Protection Regulation and the UK’s Privacy and Electronic Communications Regulations, to the extent that the relevant provisions in the former remain identical to those of the EU’s General Data Protection Regulation, and that the relevant provisions in the latter remain consistent with an implementation of the EU’s ePrivacy Directive.

iii. Achieving the goals of the Framework requires standardisation of technology, for example of how information is disclosed and how user choices are stored and signalled to participants. It also requires standardising certain information provided to users, choices given to users, and behaviours that participants engage in when interacting with users or responding to requests between participants.

iv. The Framework is not intended, nor has it been designed, to facilitate the lawful processing of special categories of personal data or data relating to criminal convictions, or for engaging in certain more strictly regulated processing activities, such as transferring personal data outside of the EU, or taking automated decisions, including profiling, that produce legal or similarly significant effects, for which the law requires meeting additional requirements such as obtaining explicit consent.

v. While participation in the Framework may be a useful, indeed essential building block for the online ecosystem’s compliance with EU privacy and data protection law it is not a substitute for individual participants taking responsibility for their obligations under the law.

vi. The Framework is intended to be updated over time as legislation is updated (e.g. with the upcoming ePrivacy Regulation replacing the ePrivacy Directive), and legal requirements, regulatory practice, business practices, business needs and other relevant factors change.

1. Definitions

Chapter I: Definitions

1. “Transparency and Consent Framework” (the “Framework”, or the “TCF”) means the Framework comprising the various parts defined under these Policies. It has the objective to help all parties in the digital environment to comply with the EU’s General Data Protection Regulation (“GDPR”) and ePrivacy Directive (“ePD”) when processing personal data and/or accessing and/or storing information on a user’s device.

2. “Interactive Advertising Bureau Europe aisbl” (“IAB Europe”, the “Managing Organization”, or the “MO”) means the entity that manages and governs the Framework, including the Policies, Specifications, and the GVL. IAB Europe may update these Policies from time to time as it reasonably determines is necessary to ensure the ongoing success of the Framework.

3. “Framework Policies” (the “Policies”) means this or any other official policy documentation disseminated by IAB Europe and updated from time to time, that defines the requirements for compliant participation in, and use of, the Framework, including, but not limited to, Appendix A and Appendix B of these Policies, and any associated policy guidance, or publicly communicated, enforcement actions.

4. “Framework Specifications” (the “Specifications”) means any official technical documentation disseminated by IAB Europe in concert with IAB Tech Lab or future designated technical body, and updated from time to time, that defines the technical implementation of the Framework, including, but not limited to, the Transparency and Consent String with Global Vendor List Format specification, the Consent Management Platform API specification, and any associated implementation guidance.

5. “Global Vendor List” (the “GVL”, or the “Vendor List”) means the list of Vendors who have registered with IAB Europe for participating in the Framework. The list is managed and maintained by IAB Europe, and is referenced by CMPs, Publishers and individual Vendors. Its structure and content shall be defined by the Specifications.

6. “Transparency and Consent Management Platform” (“Consent Management Platform”, or “CMP”) means the company or organisation that centralises and manages transparency for, and consent and objections of the end user. The CMP can read and update the Legal Basis status of Vendors on the GVL, and acts as an intermediary between a Publisher, an end user, and Vendors to provide transparency, help Vendors and Publishers establish Legal Bases for processing, acquire user consent as needed and manage user objections, and communicate Legal Basis, consent or and/or objection status to the ecosystem. A CMP may be the party that surfaces, usually on behalf of the publisher, the UI to a user, though that may also be another party. CMPs may be private or commercial. A private CMP means a Publisher that implements its own CMP for its own purposes. A commercial CMP offers CMP services to other parties. Unless specifically noted otherwise, these policies apply to both private and commercial CMPs.

7. “Vendor” means a company that participates in the delivery of digital advertising or other online activities within a Publisher’s website, app, or other digital content, to the extent that company is not acting as a Publisher or CMP, and that either accesses an end user’s device or processes personal data about end users visiting the Publisher’s content and adheres to the Policies. A Vendor may be considered under the GDPR to be a Controller, a Processor, or both, depending on specific circumstances.

8. “Publisher” means an operator of a Digital Property and who is primarily responsible for ensuring the Framework UI is presented to users and that Legal Bases, including consent, are established with respect to Vendors that may process personal data based on users’ visits to the Publisher’s content.

9. “Digital Property” means a website, app, or other content or service delivery mechanism where digital ads and/or content are displayed, or information is collected and/or used for any Purpose or Special Purpose.

10. “Framework UI” (“UI”) means the user interface or user experience defined by the Specifications for presentation to a user in order to establish Legal Bases for GVL Vendors as part of their compliance with European privacy and data protection laws. The Policies and Specifications define requirements for the UI along with aspects that are configurable by Publishers.

11. “Initial Layer” refers to information that must be made visible to the user in the UI prior to the user being able to give his or her consent. For the avoidance of doubt, the use of the term “visible” should not be understood as excluding other forms of information presentation used, for example, for assisted internet access, or on devices with non-visual user interfaces.

12. “Purpose” means one of the defined purposes for processing of data, including users’ personal data, by participants in the Framework that are defined in the Policies or the Specifications for which Vendors declare a Legal Basis in the GVL and for which the user is given choice, i.e. to consent or to object depending on the Legal Basis for the processing, by a CMP.

13. “Special Purpose” means one of the defined purposes for processing of data, including users’ personal data, by participants in the Framework that are defined in the Policies or the Specifications for which Vendors declare a Legal Basis in the GVL and for which the user is not given choice by a CMP.

14. “Feature” means one of the features of processing personal data used by participants in the Framework that are defined in the Policies or the Specifications used in pursuit of one or several Purposes for which the user is not given choice separately to the choice afforded regarding the Purposes for which they are used.

15. “Special Feature” means one of the features of processing personal data used by participants in the Framework that are defined in the Policies or the Specifications used in pursuit of one or several Purposes for which the user is given the choice to opt-in separately from the choice afforded regarding the Purposes which they support.

16. “Stack” means one of the combinations of Purposes and/or Special Features of processing personal data used by participants in the Framework that may be used to substitute or supplement more granular Purpose and/or Special Feature descriptions in the Initial Layer of a UI.

17. “Category of data” means one of the categories of data collected and processed by Framework participants in pursuit of one or several Purposes and that are defined in the Policies or the Specifications.

18. “Signal” means any signal defined by the Policies or Specifications sent by a CMP, usually on behalf of a Publisher, to Vendors that includes, amongst others, information about the transparency, consent, and/or objection status of a Vendor and/or Purpose, the opt-in status of a Special Feature, and Publisher restrictions.

19. “Precise Geolocation Data” means information about a user’s geographic location accurate to up to 500 metres and/or latitude and longitude data beyond two decimal points.

20. “Legal Basis” means a lawful ground for processing defined in Article 6 GDPR and supported by the Framework, which are consent in accordance with Article 6(1)(a) GDPR and legitimate interests in accordance with Article 6(1)(f) GDPR. Legal Bases in the Framework can be established with

(a) Service-specific scope, which means a Legal Basis is applicable only on the service, for example a Publisher website or app, on which the Legal Basis is obtained and managed;

or

(b) Group-specific scope, which means a Legal Basis is applicable only on a pre-defined group of services, for example a number of Digital Properties of one or more Publishers that implement CMPs with their group’s scope, each of which allows users to manage their choices regarding Legal Bases established for the group across all the services of the group.

21. “Device” means electronic equipment, such as a computer, tablet, phone, TV, watch, that is capable of accessing the internet, including any software run on the electronic equipment to connect to the internet, such as a browser or app.

Chapter II: Policies for CMPs

2. Applying and Registering

1. CMPs must apply to IAB Europe for participation in the Framework. IAB Europe shall take reasonable steps to vet and approve a CMP’s application according to procedures adopted, and updated from time to time, by the MO.

2. CMPs must provide all information requested by IAB Europe that is required to fulfil IAB Europe’s CMP application and approval procedures.

3. IAB Europe shall not approve a CMP’s application unless or until IAB Europe can verify to its satisfaction the identity of the party or parties controlling the CMP, as well as the CMP’s ability to maintain its service and adhere to the Policies and Specifications.

3. Adherence to Framework Policies

1. A CMP must adhere to all Policies applicable to CMPs that are disseminated by the MO in the Policies or in documentation that implements the Policies, such as in operating policies and procedures, guidance, and enforcement decisions.

2. A CMP must make a public attestation of compliance with the Policies in a prominent disclosure, such as in a privacy policy. This attestation must at minimum include: (i) an affirmation of the CMP’s participation in the IAB Europe Transparency & Consent Framework; (ii) an affirmation of its compliance with the Policies and Specifications of the Transparency & Consent Framework; (ii) the IAB Europe-assigned ID of the CMP. Example:

<Organisation> participates in the IAB Europe Transparency & Consent Framework and complies with its Specifications and Policies. <Organisation> operates Consent Management Platform with the identification number <CMP ID>.

4. Adherence to the Specifications

1. In addition to implementing the Framework according to the Specifications, a CMP must support the full Specifications, unless the Specifications expressly state that a feature is optional, in which case a CMP may choose to implement the optional feature but need not to do so.

2. A private CMP need only implement the Specifications to the extent necessary to support the needs of the Vendors, Purposes, and Special Features selected by its Publisher owner.

3. A CMP must disclose Vendors’ GVL information, including Legal Bases, as declared, and update Vendors’ GVL information, including Legal Bases status in the Framework, wherever stored, according to the Specifications, without extension, modification, or supplementation, except as expressly allowed for in the Specifications.

4. A CMP must not read, write, or communicate any Vendor’s Legal Bases except according to and as provided for under the Specifications.

5. Managing Purposes and Legal Bases

1. A CMP will remind the user of their right to withdraw consent and/or right to object to processing with respect to any Vendor or Purpose in accordance with the requirements laid down by the relevant Authorities.

2. A CMP must resolve conflicts in Signals or merge Signals before transmitting it in accordance with the Policies and Specifications.

3. A CMP must only generate a positive consent Signal on the basis of a clear affirmative action taken by a user that unambiguously signifies that user’s agreement on the basis of appropriate information in accordance with the law.

4. A CMP must only generate a positive legitimate interest Signal on the basis of the provision of transparency by the CMP about processing on the basis of a legitimate interest and must always generate a negative legitimate interest Signal if the user has indicated an objection to such processing on the basis of a legitimate interest.

5. A CMP must only generate a positive opt-in Signal for Special Features on the basis of a clear affirmative action taken by a user that unambiguously signifies that user’s agreement on the basis of appropriate information.

6. A CMP will establish Legal Bases only in accordance with the declarations made by Vendors in the GVL and using the definitions of the Purposes and/or their translations found in the GVL, without extension, modification, or supplementation, except as expressly allowed for in the Policies.

7. A CMP must resurface the Framework UI if the MO indicates, in accordance with the Policies and Specifications, that changes to the Policies are of such a nature as to require re-establishing Legal Bases.

8. A CMP may be instructed by its Publisher which Purposes, Special Features, and/or Vendors to disclose. If a Publisher instructs a CMP not to disclose a Purpose, Special Feature, and/or a Vendor, the Signals the CMP generates must appropriately reflect in the Signal that no Legal Bases and/or opt-ins have been established for the respective Purposes, Special Features, and/or Vendors. For the avoidance of doubt: Special Purposes, and Features must always be disclosed if at least one of the Vendors disclosed has declared itself using them.

9. A CMP must implement any Publisher restrictions, such as a restriction of Purposes per Vendors, by making appropriate changes in the User Interface to reflect such restrictions, and by creating the appropriate Signals containing the Publisher restrictions in accordance with the Policies and Specifications.

11. A CMP may be instructed by its Publisher to establish, record and transmit information about Legal Bases applicable to data processing performed by the Publisher, including Legal Bases for purposes that are not standardised by the Framework.

6. Working with Vendors

1. If a CMP works with Vendors who are not participating in the Framework and published on the GVL, the CMP must make it possible for users to distinguish between those Vendors who are participating in the Framework, on the one hand, and those who are not, on the other. CMPs must not misrepresent Vendors who are not registered with IAB Europe as participating in the Framework and published on the GVL.

2. If a Publisher or Vendor operates a CMP, the Policies for CMPs shall apply only to the extent of that party’s CMP operation. For example, if a Publisher operates a CMP, the prohibition against a CMP discriminating against Vendors shall apply to the Publisher’s CMP only, while the Publisher remains free to make choices with respect to Vendors appearing on its sites or apps.

3. In any interaction with the Framework, a CMP may not exclude, discriminate against, or give preferential treatment to a Vendor except pursuant to explicit instructions from the Publisher involved in that interaction and in accordance with the Specifications and the Policies. A commercial CMP shall allow the Publisher using its CMP to make choices with respect to each Vendor appearing on its sites or apps and may not impose a list of Vendors. Additionally, it should inform the Publisher of the legal risk described in Chapter IV (20)(1). For the avoidance of doubt, nothing in this paragraph prevents a private CMP from fully implementing instructions from its Publisher owner.

4. If a Vendor also operates a CMP, it may require a Publisher to whom it provides the CMP service to work with its Vendor-owner and Vendor-partners as part of the terms and conditions of using the CMP. Such a requirement shall not constitute preferential treatment in the meaning of Policy 6(3).

5. If a CMP reasonably believes that a Vendor is not in compliance with the Specifications and/or the Policies, it must promptly notify IAB Europe according to MO procedures and may, as provided for by MO procedures, pause working with the Vendor while the matter is addressed.

7. Working with Publishers

1. A CMP shall only work with Publishers within the Framework that are in full compliance with the Policies, including but not limited to the requirement to make an attestation of compliance in a prominent location, such as a privacy policy.

2. A CMP is responsible for ensuring that its UIs and Signals comply with the Policies and Specifications. Where a commercial CMP is not able to ensure such compliance, for example because it offers Publishers the option to customise aspects that may impact compliance, the Publisher using such customisation options must assume responsibility for compliance with the Policies for CMPs, register a private CMP within the Framework, and use the commercial CMPs offering in association with the Publisher’s assigned private CMP ID.

3. If a CMP reasonably believes that a Publisher using its CMP is not in compliance with the Specifications and/or the Policies, it must promptly notify IAB Europe according to MO procedures and may, as provided for by MO procedures, pause working with the Publisher while the matter is addressed. For the avoidance of doubt, where a commercial CMP receives an instruction from a Publisher that is in violation of these Policies, the CMP shall not act on the instruction.

4. The MO may prevent a Publisher from participation in the Framework for violations of Framework Policies that are willful and/or severe according to MO procedures. The MO may enact a suspension or block of a Publisher by notifying CMPs that the Publisher is not in full compliance.

8. Accountability

1. IAB Europe shall take reasonable steps to periodically review and verify a CMP’s compliance with the Policies and/or the Specifications according to procedures adopted, and updated from time to time, by the MO. A CMP will provide, without undue delay, any information reasonably requested by IAB Europe to verify compliance (which, for the avoidance of doubt, does not include information that might be related to users).

2. IAB Europe may suspend a CMP from participation in the Framework for any failure to comply with the Policies and/or the Specifications until the CMP comes into full compliance and demonstrates its intention and ability to remain so to the MO’s satisfaction. The MO may expel a CMP from participation in the Framework for violations of Policies that are willful and/or severe.

3. Additionally, IAB Europe may, at its discretion and according to MO procedures, take additional actions in response to a CMP’s non-compliance, including publicly communicating the CMP’s non-compliance and reporting the non-compliance to data protection authorities.

Chapter III: Policies for Vendors

9. Applying and Registering

1. Vendors must apply to IAB Europe for participation in the Framework. IAB Europe shall take reasonable steps to vet and approve a Vendor’s application according to procedures adopted, and updated from time to time, by the MO.

2. Vendors must provide all information requested by the MO that is reasonably required to fulfil the MO’s application and approval procedures.

3. Vendors must have all legally-required disclosures in a prominent, public-facing privacy policy on their websites.

4. The MO will not approve a Vendor’s application unless or until the MO can verify to its satisfaction the identity of the party or parties controlling the Vendor, as well as the Vendor’s ability to maintain its service and adhere to the Framework policies.

5. A Vendor will provide to the MO, and maintain as complete and accurate, all information required for inclusion in the GVL, according to the GVL Specifications. This includes the Purposes and Special Purposes for which it collects and processes personal data, the Legal Bases it relies on for processing personal data for each Purpose and Special Purpose and, where applicable, a link to an explanation of its legitimate interest(s) at stake, the retention period of data processed for each Purpose and Special Purpose, the Features and Special Features it relies on in pursuit of such Purposes and Special Purposes, the categories of data it collects and processes in pursuit of the Purposes and Special Purposes it has declared, and its requirements regarding storing and/or accessing information on users’ devices. It will ensure its Purposes, Legal Bases, and access to a user’s device, are completely and accurately included in the GVL. It will notify the MO of any changes in a timely manner.

10. Adherence to Framework Policies

1. A Vendor must adhere to all policies applicable to Vendors that are disseminated by the MO in this document or in documentation that implements the Policies, such as in operating policies and procedures, guidance, and enforcement decisions. See Accountability below regarding enforcement.

2. A Vendor must make a public attestation of compliance with the Policies in a prominent disclosure, such as in a privacy policy. This language must at a minimum include: (i) participation in the IAB Europe Transparency & Consent Framework; (ii) compliance with the Policies and Specifications with the Transparency & Consent Framework; (ii) the IAB Europe assigned ID that the Vendor uses. Example:

<Organisation> participates in the IAB Europe Transparency & Consent Framework and complies with its Specifications and Policies. <Organisation>’s identification number within the framework is <Vendor ID>.

11. Adherence to the Specifications

1. In addition to implementing the Framework only according to the Specifications, a Vendor must support the full Specifications, including being able to retrieve and/or pass on Signals in the technical formats required by the Specifications and in accordance with Policies, when available.

12. Working with CMPs

1. A Vendor shall work with a CMP within the Framework only if the CMP is in full compliance with the Policies, including but not limited to the requirements to register with IAB Europe, and to make a public attestation of compliance.

2. If a Vendor reasonably believes that a CMP is not in compliance with the Specifications and/or the Policies, it must promptly notify IAB Europe according to MO procedures and may, as provided for by MO procedures, pause working with the CMP while the matter is addressed.

3. A Vendor must respect Signals communicated by a CMP or received from a Vendor who forwarded the Signal originating from a CMP in accordance with the Specifications and Policies, and act accordingly. A Vendor must respect Signals on an individual basis in real-time and must not rely on a stored version of a previously received Signal to store and/or access information on a device, or to process personal data for any Purpose and/or use any Special Feature where a more recent Signal has been received by that Vendor.

4. If a Vendor is unable to read or process the contents of a received Signal, the Vendor must assume that it does not have permission to store and/or access information on a device, or to process personal data for any Purpose and/or Special Purpose.

5. If a Vendor is unable to act in accordance with the contents of a received Signal, the Vendor must not store and/or access information on a device, or process personal data for any Purpose and/or Special Purpose.

6. A Vendor must not create Signals where no CMP has communicated a Signal, and shall only transmit Signals communicated by a CMP or received from a Vendor who forwarded a Signal originating from a CMP without extension, modification, or supplementation, except as expressly allowed for in the Policies and/or Specifications.

7. A Vendor must not obtain a Signal from a CMP except according to and as provided for under the Specifications and, where applicable, using the API provided by a CMP according to the Specifications. For the avoidance of doubt, this shall not preclude receiving a Signal that has been properly obtained using the API provided by a CMP in accordance with the Specifications.

13. Working with Publishers

1. A Vendor shall work with a Publisher within the Framework only if the Publisher is in full compliance with the Policies, including but not limited to the requirement to make a public attestation of compliance.

2. If a Vendor reasonably believes that a Publisher is not in compliance with the Specifications and/or the Policies, it must promptly notify IAB Europe according to MO procedures and may, as provided for by MO procedures, pause working with the Publisher while the matter is addressed.

3. For the avoidance of doubt, contractual obligations that a Vendor is subject to with respect to the use of data override more permissive Signals for that Vendor about permissions to that data.

4. A Vendor must update its software for use by its Publisher- and Vendor-partners, such as scripts and tags that result in personal data processing or the storing and/or accessing of information on user devices, to ensure compliance with the Specifications, and/or the Policies. In particular, the requirement to not process personal data prior to verifiably establishing a Legal Basis for processing personal data as communicated by the appropriate Signal in accordance with the Policies and Specifications, and not storing and/or accessing information on a user’s device that is not exempted from the obligation to obtain consent, prior to verifiably having obtained consent as communicated by the appropriate Signal in accord with the Policies and Specifications.

5. A Vendor shall update software provided by its Vendor-partners present on its services, such as scripts and tags that result in personal data processing or the storing and/or accessing of information on user devices, if the Vendor-partner has provided updated software for the purpose of complying with the Specifications and/or the Policies.

6. Where applicable, a Vendor must forward the Signal communicated by a CMP or received from a Vendor who forwarded a Signal originating from a CMP, in accordance with the Specifications and Policies to its Vendor-partners present on its services.

14. Purposes, Special Purposes and Legal Bases, Special Features and Opt-Ins

1. A Vendor must not store information or access information on a user’s device without consent, unless the law exempts such storage of information or accessing of information on a user’s device from an obligation to obtain consent.

2. A Vendor shall indicate on the global vendor list if it seeks consent for storing information or accessing information on a user’s device where such consent is necessary. A Vendor must not store information or access information on a user’s device without consent where such consent is necessary.

2bis. A Vendor shall indicate on the GVL the maximum duration of information stored on a user’s device, including whether such duration may be refreshed. A Vendor must, in addition, provide more detailed and purpose-specific storage and access information in accordance with the Specifications.

3. A Vendor must not process personal data relating to a user without a Legal Basis to do so.

4. A Vendor shall indicate on the Global Vendor List:

(a) that it seeks to establish one of the Legal Bases available under the Framework for processing toward a Purpose;

(b) the Legal Basis or Legal Bases it seeks to establish for processing toward a Purpose, specifically whether it wishes to rely on:

i. consent as its sole legal base
ii. legitimate interest as its sole legal base
iii. consent or legitimate interest as its Legal Bases, selected in accordance with the Policy and Specifications

(c) the default Legal Basis to be used by CMPs where the Vendor declares two possible Legal Bases under Policy 4(b)(iii).

5. A Vendor shall indicate on the Global Vendor List that it seeks to establish a legitimate interest for processing for a Special Purpose.

6. A Vendor shall indicate on the Global Vendor List the Features it relies on in support of one or more Purposes and/or Special Purposes.

7. A Vendor shall indicate on the Global Vendor List the Special Features it relies on in support of one or more Purposes and/or Special Purposes.

8. Where a situation falls within the Framework, in addition to complying with relevant data protection laws, a Vendor wishing to rely on the user’s consent for the processing of his or her personal data will only do so if it can verify by way of the appropriate Signal in accord with the Specifications and Policies that the user has given his or her appropriate consent for the storing and/or accessing of information on a user’s device and/or processing of his or her personal data before any information is stored and/or accessed on the user’s device or any personal data is processed.

9. Where a situation falls within the Framework, in addition to complying with relevant data protection laws, a Vendor wishing to rely on its legitimate interest for the processing of personal data will only do so if:

(a) it can verify by way of the appropriate Signal in accordance with the Specifications and Policies that the appropriate information has been provided to the user at the time that the processing of his or her personal data starts.

(b) the user has not exercised his or her right to object to such processing as indicated in the appropriate Signal in accord with the Policies and the Specifications.

10. Where a situation falls within the Framework, in addition to complying with relevant data protection laws, a Vendor wishing to make use of a Feature will only do so if it has indicated on the Global Vendor List its use of the Features it wishes to rely on in support of one or more Purposes and/or Special Purposes.

11. By way of derogation of Policy 14(10), a Vendor may identify devices based on information transmitted automatically without having indicated on the Global Vendor List its use of the Feature to identify devices based on information transmitted automatically to:

(a) process the identifiers based on information transmitted automatically for the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors provided that

(i) the Vendor complies with relevant data protection law;
(ii) the Vendor has conducted a data protection impact assessment for the processing of identifiers based on information transmitted automatically collected and/or processed under this derogation;
(iii) the Vendor actively minimises collection and/or processing of identifiers based on information transmitted automatically collected and/or processed under this derogation;
(iv) the Vendor puts in place reasonable retention periods for the identifiers based on information transmitted automatically collected and/or processed under this derogation;
(v) the Vendor only retains the identifiers based on information transmitted automatically collected and/or processed under this derogation in an identifiable state for as long as is necessary to fulfil the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors;
(vi) the Vendor erases the data associated with identifiers based on information transmitted automatically collected and/or processed under this derogation as soon as possible; and
(vii) the data associated with identifiers based on information transmitted automatically collected and/or processed under this derogation is never used for any other Purposes and/or Special Purposes. The prohibition of change of purpose of the processing of data associated with identifiers based on information transmitted automatically under this derogation does not preclude a Vendor from indicating on the Global Vendor List its use of the Feature to identify devices based on information transmitted automatically at a later time and associating data with such identifiers for other Purposes and/or Special Purposes after having made the indication. However, the prohibition does not permit using any data associated with the identifier for the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors that has occurred under this derogation for any other Purposes and/or Special Purposes and, for example, also precludes changing Purpose with the explicit consent of the user.

12. Where a situation falls within the Framework, in addition to complying with relevant data protection laws, a Vendor wishing to make use of a Special Feature will only do so with the opt-in of the user and if it can verify by way of the appropriate Signal in accord with the Specifications and Policies that the user has given his or her opt-in for the use of the Special Feature before any Special Feature is used by the Vendor, unless expressly provided for by, and subject to, the Policies and/or Specifications.

13. By way of derogation of Policy 14(12), a Vendor may process Precise Geolocation Data without the opt-in of the user to the Special Feature of using Precise Geolocation Data to:

(b) immediately render the Precise Geolocation Data into a non-precise state, for example by truncating decimals of latitude and longitude data, without processing the Precise Geolocation Data in its precise state in any other way;
(c) process the Precise Geolocation Data for the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors, provided that

(i) the Vendor complies with relevant data protection law;
(ii) the Vendor has conducted a data protection impact assessment for the processing of Precise Geolocation Data collected and/or processed under this derogation;
(iii) the Vendor actively minimises collection and/or processing of Precise Geolocation Data collected and/or processed under this derogation;
(iv) the Vendor puts in place reasonable retention periods for the Precise Geolocation Data collected and/or processed under this derogation;
(v) only retains the Precise Geolocation Data collected and/or processed under this derogation in an identifiable and/or precise state for as long as is necessary to fulfil the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors;
(ivi) erases the Precise Geolocation Data collected and/or processed under this derogation as soon as possible; and
(vii) the Precise Geolocation Data collected and/or processed under this derogation is never used for any other Purposes and/or Special Purposes. The prohibition of change of purpose of the processing of Precise Geolocation Data collected under this derogation is absolute, and, for example, also precludes changing Purpose with the explicit consent of the user.

14. By way of derogation of Policy 14(12), a Vendor may actively scan device characteristics for identification without the opt-in of the user to the Special Feature of actively scanning device characteristics for identification to:

(a) process the identifiers obtained through actively scanning device characteristics for identification for the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors provided that

(i) the Vendor complies with relevant data protection law;
(ii) the Vendor has conducted a data protection impact assessment for the processing of identifiers obtained through actively scanning device characteristics for identification collected and/or processed under this derogation;
(iii) the Vendor actively minimises collection and/or processing of identifiers obtained through actively scanning device characteristics for identification collected and/or processed under this derogation;
(iv) the Vendor puts in place reasonable retention periods for the identifiers obtained through actively scanning device characteristics for identification collected and/or processed under this derogation;
(v) only retains the identifiers obtained through actively scanning device characteristics for identification collected and/or processed under this derogation in an identifiable state for as long as is necessary to fulfil the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors;
(vi) the Vendor erases the data associated with identifiers obtained through actively scanning device characteristics for identification collected and/or processed under this derogation as soon as possible;
(vii) the Vendor identifiers obtained through actively scanning device characteristics for identification collected and/or processed and any data associated with this identifier under this derogation are never used for any other Purposes and/or Special Purposes. The prohibition of change of purpose of the processing of identifiers obtained through actively scanning device characteristics for identification and data associated with this identifier under this derogation does not preclude obtaining an opt-in for actively scanning device characteristics for identification at a later time and associating data with such identifiers for other Purposes and/or Special Purposes after having obtained such an opt-in. However, the prohibition does not permit using any data associated with the identifier for the Special Purpose of ensuring security, preventing and detecting fraud, and fixing errors that has occurred under this derogation for any other Purposes and/or Special Purposes and, for example, also precludes changing purpose with the explicit consent of the user.

15. A Vendor must not transmit personal data to another Vendor unless the Framework’s Signals show that the receiving Vendor has a Legal Basis for the processing of the personal data. For the avoidance of doubt, a Vendor may in addition choose not to transmit any data to another Vendor for any reason.

16. A Vendor must not transmit a user’s personal data to an entity outside of the Framework unless it has a justified basis for relying on that entity’s having a Legal Basis for processing the personal data in question.

17. If a Vendor receives a user’s personal data without having a Legal Basis for the processing of that data, the Vendor must quickly cease processing the personal data and must not further transmit the personal data to any other party, even if that party has a Legal Basis for processing the personal data in question.

18. If a Vendor is unable to receive and respect Signals in real-time, it must put in place reasonable measures to regularly verify the validity of the Signal it relies upon and put in place a limited retention period to mechanically cease processing of user’s personal data when the Signal cannot be verified.

15. Accountability

1. The MO may adopt procedures for periodically reviewing and verifying a Vendor’s compliance with the Policies. A Vendor will provide, without undue delay, any information reasonably requested by the MO to verify compliance (which, for the avoidance of doubt, does not include information that might be related to users).

2. The MO may suspend a Vendor from participation in the Framework for its failure to comply with the Policies until the Vendor comes into full compliance and demonstrates its intention and ability to remain so. The MO may expel a Vendor from participation in the Framework for violations of the Policies that are willful and/or severe.

3. Additionally, the MO may, at its discretion and according to MO procedures, take additional actions in response to a Vendor’s non-compliance, including publicly communicating the Vendor’s non-compliance and reporting the non-compliance to data protection authorities.

Chapter IV: Policies for Publishers

16. Participation

1. A Publisher may adopt and use the Framework in association with its content as long as it adheres to the Policies and the Specifications.

2. Publishers must have and maintain all legally-required disclosures in a public-facing privacy policy prominently linked to from the content in association with which they are using the Framework.

17. Adherence to Framework Policies

1. In addition to implementing the Framework only according to the Specifications, a Publisher must adhere to all policies applicable to Publishers that are disseminated by the MO in this document or in documentation that implements the Policies, such as in operating policies and procedures, guidance, and enforcement decisions. See Accountability below regarding enforcement.

2. A Publisher must make a public attestation of compliance with the Policies in a prominent disclosure, such as in a privacy policy. This language must at a minimum include: (i) an affirmation of its participation in the IAB Europe Transparency & Consent Framework; (ii) an affirmation of its compliance with the Policies and Specifications with the Transparency & Consent Framework; (ii) the IAB Europe assigned ID of the CMP that the publisher uses. Example:

<Organisation> participates in the IAB Europe Transparency & Consent Framework and complies with its Specifications and Policies. <Organisation> [operates|uses] the Consent Management Platform with the identification number <CMP ID>.

18. Adherence to the Specifications

1. A Publisher must support and adhere to the full Specifications, without extension, modification, or supplementation except as expressly allowed for in the Specifications.

19. Working with CMPs

1. A Publisher will work with a CMP within the Framework only if the CMP is in full compliance with the Policies and the Specifications, including but not limited to the requirement for the CMP to register with the MO.

2. If a Publisher reasonably believes that a CMP is not in compliance with the Specifications and/or the Policies, it must promptly notify the MO according to MO procedures and may, as provided for by MO procedures, pause working with the CMP while the matter is addressed.

3. A Publisher may operate a private CMP. A Publisher’s private CMP is subject to the Policies for CMPs just as a commercial CMP is, unless expressly stated otherwise in the Framework Policies or the Specifications.

20. Working with Vendors

1. A Publisher may choose the Vendors for which it wishes to provide transparency and help establish Legal Bases within the Framework. A Publisher may further specify the individual Purposes for which it wishes to help establish Legal Bases for each Vendor. The Publisher communicates, or instructs its CMP to communicate, its preferences to Vendors in accordance with the Specifications and Policies

WARNING: Publishers should consider the number of Vendors they work with, and put in place a selection process (Publishers may use the Additional Vendor Information List to facilitate such selection). Providing transparency and helping to establish Legal Bases within the Framework for an unjustifiably large number of Vendors may impact users’ ability to make informed choices and increase Publisher and Vendor legal risk.

2. A Publisher will, in accordance with the Specifications and Policies, and considering and respecting each Vendor’s declarations on the GVL, signal, or instruct to Vendors which Legal Basis it has established on behalf of each Vendor.

3. For the avoidance of doubt, contractual obligations that a Publisher is subject to with respect to the permissions of a Vendor to use of data must be reflected by Signals to align with those contractual obligations.

4. A Publisher may work with Vendors that are not in the GVL but must be careful not to confuse or mislead users as to which Vendors are operating within the Policies

5. For the avoidance of doubt, contractual obligations that a Vendor is subject to with respect to the use of data override more permissive Signals for that Vendor about permissions to that data.

6. If a Publisher reasonably believes that a Vendor is not in compliance with the Specifications and/or the Policies, it must promptly notify the MO according to MO procedures and may, as provided for by those procedures, pause working with the Vendor while the matter is addressed.

7. A Publisher will undertake to update software present on its services of its Vendor-partners, such as scripts and tags that result in personal data processing or the storing and/or accessing of information on user devices, if the Vendor has provided updated software for the purpose of complying with the Specifications and/or the Policies.

8. Where applicable, a Publisher must forward the Signal communicated by a CMP in accordance with the Specifications and Policies to its Vendor-partners present on its services.

21. Managing Purposes and Legal Bases

1. The Framework does not dictate how Publishers respond to a user’s acceptance or rejection of Purposes, Special Features, and/or Vendors.

2. A Publisher using the Framework is required to help establish transparency, Legal Bases and/or opt-ins for the specific Purposes, Special Purposes, Features, and Special Features that Vendors claim, in accord with the Policies and Specifications.

3. A Publisher may choose which Purposes, Special Features, and/or Vendors to disclose. If a Publisher chooses not to disclose a Purpose, Special Feature, and/or a Vendor, the Signals must appropriately reflect in the Signal that no Legal Bases and/or opt-ins have been established for the respective Purposes, Special Features, and/or Vendors. For the avoidance of doubt: Special Purposes, and Features must always be disclosed if at least one of the Vendors disclosed has declared to be using them.

4. A Publisher may restrict certain Purposes for specific Vendors, these restrictions must be implemented by the CMP, which shall reflect Publisher restrictions in both the User Interface and the Signals in accordance with the Policies and Specifications.

5. A Publisher must not modify, or instruct its CMP to modify the Purpose, Special Purpose, Feature, or Special Feature names, definitions and/or their translations, or Stack names or their translations.

6. A Publisher must not modify, or instruct its CMP to modify, Stack descriptions and/or their translations unless:

(a) the Publisher has registered a private CMP with the Framework, or its commercial CMP is using a CMP ID assigned to the Publisher for use with a private CMP;
(b) the modified Stack descriptions cover the substance of standard Stack descriptions, such as accurately and fully covering all Purposes that form part of the Stack;
(c) Vendors are alerted to the fact of a Publisher using custom Stack descriptions through the appropriate Signal in accordance with the Specification.

7. A publisher must not modify or supplement, or instruct its CMP to modify or supplement, standard illustrations and/or their translations unless:

(a) the Publisher follows any guidance that may be disseminated or updated by the MO so that the modified or additional illustrations provide accurate examples of data processing operations performed by Vendors under the Purposes;
(b) the Publisher can modify only one of the two standard illustrations presented for each Purpose. Modifying the standard illustrations for Special Purposes and Purpose 1 (store and/or access information on a device) is not permitted;
(c) Vendors are alerted to the fact of a Publisher using custom illustrations through the appropriate Signal in accordance with the Specification.

WARNING: Publishers should consider carefully the consequences of modifying and/or supplementing stacks descriptions or standard illustrations, even when permitted. Unfaithful, inaccurate or incomplete representations of data processing activities carried out by Vendors may impact users' ability to make informed choices and increase Publisher and Vendor legal risk. It may therefore result in Vendors refusing to work with Publishers using the permissions described in Chapter IV (21)(6) and Chapter IV (21)(7).

8. If a Vendor that was not included in a prior use of the Framework UI is added by the Publisher, the Publisher must resurface or instruct its CMP to resurface the Framework UI to establish that Vendor’s Legal Bases before signalling that the Vendor’s Legal Bases have been established. It also means resurfacing the UI, for example, when a previously surfaced Vendor claims a previously undisclosed Purpose or changes its declared Legal Basis for a previously disclosed Purpose before signalling that the Vendor’s Legal Bases have been established.

9. Publishers should remind users, or instruct their CMPs to do so, of their right to object to processing or withdraw consent, as applicable, in accordance with the requirements laid down by relevant authorities.

10. A Publisher will not be required to resurface the Framework UI, or instruct its CMP to do so, if it has established a Vendor’s Purposes and Legal Bases in accordance with the Policies prior to a Vendor joining the GVL.

11. A Publisher must resurface the Framework UI, or instruct its CMP to do so, if the MO notifies participants that changes to the Framework are of such a nature as to require re-establishing Legal Bases.

12. A Publisher may use the Specification to manage and store, or instruct its CMP to do so, its own Legal Bases in conjunction with its own processing or for processing conducted on its behalf by a Vendor who is acting as its processor under the law, including Legal Bases for purposes that are not standardised by the Framework.

22. Accountability

1. The MO may adopt procedures for periodically reviewing and verifying a Publisher’s compliance with Framework Policies. A Publisher will provide, without undue delay, any information reasonably requested by the MO to verify compliance (which, for the avoidance of doubt, does not include information that might be related to users).

2. The MO may suspend a Publisher from participation in the Framework for its failure to comply with Framework Policies until the Publisher comes into full compliance and demonstrates its intention and ability to remain so. The MO may block a Publisher from participation in the Framework for violations of Framework Policies that are wilful and/or severe. The MO may enact a suspension or block of a Publisher by notifying CMPs that the Publisher is not in full compliance.

3. Additionally, the MO may, at its discretion and according to MO procedures, take additional actions in response to a Publisher’s non-compliance, including publicly communicating the Publisher’s non-compliance and reporting the non-compliance to data protection authorities.

Chapter V: Interacting with Users

1. Chapter II (Policies for CMPs), Chapter IV (Policies for Publishers), Appendix A (Purposes and Features Definitions), and Appendix B (User Interface Requirements) set out requirements for interacting with users. CMPs and/or Publishers are responsible for interacting with users in accordance with these Policies and the Specifications.

Appendix A: Definitions Of Purposes, Features And Categories Of Data

A. Purposes

Purpose 1
Store and/or access information on a device
Number
1
User-friendly text
Cookies, device or similar online identifiers (e.g. login-based identifiers, randomly assigned identifiers, network based identifiers) together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here.
Illustration(s)
Most purposes explained in this notice rely on the storage or accessing of information from your device when you use an app or visit a website. For example, a vendor or publisher might need to store a cookie on your device during your first visit on a website, to be able to recognise your device during your next visits (by accessing this cookie each time).
Vendor guidance
  • Allowable Lawful Basis: Consent.
  • Purpose 1 is meant to signal whether the condition for lawful storing and/or accessing information on a user’s device is met where this is required. It is not a purpose for personal data processing in itself, unlike all other Purposes the Framework covers. Purpose 1 corresponds to the obligation of Article 5(3) of the ePrivacy Directive. While Purpose 1 is not a data processing purpose, it is technically treated the same way for signalling purposes.
  • Purpose 1 does not apply to processing identifiers or client information, etc. that is not accessed on a user device. For example, reading a device’s IDFA falls within Purpose 1, however processing an IDFA outside of reading it from a device, e.g. when receiving it as part of information sent through an ad request is not covered by Purpose 1.
  • If information stored or accessed falls within the information covered by Special Feature 2 or Feature 3, Vendors must make sure to adhere to the opt in requirement of Special Feature 2 and the disclosure requirement of Feature 3 respectively in addition to the consent requirement of Purpose 1.
  • Controllers may register for Purpose 1 only in conjunction with another Purpose, Feature, Special Purpose, and/or Special Feature. Any personal data stored and/or accessed via Purpose 1 still requires another Purpose to actually be processed. For example, reading a user identifier from a stored cookie cannot be used to create a personalised ads profile without having obtained consent for Purpose 3.
  • Personal data stored and/or accessed via Purpose 1 may not require another Purpose to be processed where a Vendor is acting as a data processor for purposes for which the data controller responsible for the processing has established a legal basis. In such cases, Vendors acting as data processors should only process data in accordance with the legal bases established by their controller.
Purpose 2
Use limited data to select advertising
Number
2
User-friendly text
Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).
Illustration(s)
A car manufacturer wants to promote its electric vehicles to environmentally conscious users living in the city after office hours. The advertising is presented on a page with related content (such as an article on climate change actions) after 6:30 p.m. to users whose non-precise location suggests that they are in an urban zone.
A large producer of watercolour paints wants to carry out an online advertising campaign for its latest watercolour range, diversifying its audience to reach as many amateur and professional artists as possible and avoiding showing the ad next to mismatched content (for instance, articles about how to paint your house). The number of times that the ad has been presented to you is detected and limited, to avoid presenting it too often.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • This purpose is intended to enable processing activities such as:
    • Selection and delivery of an ad based on real-time data (e.g. information about the page content, app type, non-precise geolocation data etc.)
    • Real time data, as referenced above, may be used for positive or negative targeting e.g. to serve an ad adapted to the online context or prevent an ad from serving in an unsuitable (brand-unsafe) context
    • Control the frequency of ads shown to a user Sequence the order in which ads are shown to a user Note: This purpose allows processing of non-precise geolocation data to select and deliver an ad. However, processing precise geolocation data for this purpose requires the user’s opt-in to Special Feature 1 in addition to having obtained consent or met requirements for processing under a legitimate interest for this Purpose.
    • [with Feature 1] Combine data obtained offline with data available in the moment, about the user, to select an ad
    • [with Feature 2] Link different devices in order to select an ad
    • [with Feature 3] Identify a device by receiving and using automatically sent device characteristics in order to select an ad in the moment
    • [with opt-in for Special Feature 1] Use precise geolocation data to select and deliver an ad in the moment, without storing it
    • [with opt-in for Special Feature 2] Identify a device by actively scanning device characteristics in order to select an ad in the moment
  • This purpose does not cover processing activities such as:
    • Create an advertising profile about a user (including a user’s prior activity, interests, visits to sites or apps, location, or demographic information) without having obtained consent for Purpose 3
    • Use an advertising profile to select future ads about a user (including a user’s prior activity, interests, visits to sites or apps, location, or demographic information) without having obtained consent for Purpose 4
Purpose 3
Create profiles for personalised advertising
Number
3
User-friendly text
Information about your activity on this service (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information from your previous activity on this service and other websites or apps) or similar users. This is then used to build or improve a profile about you (that might include possible interests and personal aspects). Your profile can be used (also later) to present advertising that appears more relevant based on your possible interests by this and other entities.
Illustration(s)
If you read several articles about the best bike accessories to buy, this information could be used to create a profile about your interest in bike accessories. Such a profile may be used or improved later on, on the same or a different website or app to present you with advertising for a particular bike accessory brand. If you also look at a configurator for a vehicle on a luxury car manufacturer website, this information could be combined with your interest in bikes to refine your profile and make an assumption that you are interested in luxury cycling gear.
An apparel company wishes to promote its new line of high-end baby clothes. It gets in touch with an agency that has a network of clients with high income customers (such as high-end supermarkets) and asks the agency to create profiles of young parents or couples who can be assumed to be wealthy and to have a new child, so that these can later be used to present advertising within partner apps based on those profiles.
Vendor guidance
  • Allowable Lawful Basis: Consent
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis.
    • This purpose is intended to enable processing activities such as:
    • Associate data collected, including information about the content and the device, such as: device type and capabilities, user agent, URL, IP address with a new or existing ad profile based on user interests or personal aspect of the user
    • Establish retargeting criteria
    • Establish positive or negative targeting criteria
    • [with Feature 1] Associate data obtained offline with an online user to create or edit a user profile for use in advertising, provided that a legal basis was established offline at the point of data collection
    • [with Feature 2] Collecting data for deterministic cross-device mapping (e.g. if a user logs into an account on one device and then on another)
    • [with Feature 3] Associate an identifier obtained by receiving and using automatically sent device characteristics, with a profile for use in advertising
    • [with opt-in for Special Feature 1] Select a personalised ad, based on a personalised ads profile, by processing precise geolocation previously stored or made available in the moment
    • [with opt-in for Special Feature 2] Associate an identifier obtained by actively scanning device characteristics with a profile for use in advertising
  • This purpose does not cover processing activities such as:
    • Keep track of ad frequency and ad sequence which can be done on the basis of Purpose 2, and do not require Purpose 3
    • Create a shared profile for both personalised ads and content, the vendor should only create and/or update that profile with the appropriate established legal basis for both Purpose 3 and 5
    • Measure ad performance which can be done on the basis of Purpose 7
Purpose 4
Use profiles to select personalised advertising
Number
4
User-friendly text
Advertising presented to you on this service can be based on your advertising profiles, which can reflect your activity on this service or other websites or apps (like the forms you submit, content you look at), possible interests and personal aspects.
Illustration(s)
An online retailer wants to advertise a limited sale on running shoes. It wants to target advertising to users who previously looked at running shoes on its mobile app. Tracking technologies might be used to recognise that you have previously used the mobile app to consult running shoes, in order to present you with the corresponding advertisement on the app.
A profile created for personalised advertising in relation to a person having searched for bike accessories on a website can be used to present the relevant advertisement for bike accessories on a mobile app of another organisation.
Vendor guidance
  • Allowable Lawful Basis: Consent
  • Requires having obtained consent or met requirements for processing under a legitimate interest for Purpose 2 (Use limited data to select advertising) to be used
  • This purpose is intended to enable processing activities such as:
    • Select ads based on a personalised ads profile
    • Select an ad based on retargeting criteria
    • Select an ad based on positive or negative targeting criteria tied to a profile
    • Select dynamic creative based on an ad profile, or other historical information
    • [with Feature 1] Select a personalised ad, based on a personalised ads profile, by matching and combining data obtained offline with the data stored in an online profile
    • [with Feature 2] Select a personalised ad, based on a personalised ads profile, by linking different devices
    • [with Feature 3] Select an ad based on a personalised profile associated with an identifier obtained by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Select an ad based on precise geolocation previously stored
    • [with opt-in for Special Feature 2] Select an ad based on a personalised profile associated with an identifier obtained by actively scanning device characteristics
  • This purpose does not cover processing activities such as:
    • Select ads based on ad frequency and ad sequence which can be done on the basis of Purpose 2, and do not require Purpose 4
    • Use a shared profile to select both personalised ads and content, the vendor should only use that profile with the appropriate established legal bases for both Purpose 4 and 6
Purpose 5
Create profiles to personalise content
Number
5
User-friendly text
Information about your activity on this service (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on this service or other websites or apps) or similar users. This is then used to build or improve a profile about you (which might for example include possible interests and personal aspects). Your profile can be used (also later) to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests.
Illustration(s)
You read several articles on how to build a treehouse on a social media platform. This information might be added to a profile to mark your interest in content related to outdoors as well as do-it-yourself guides (with the objective of allowing the personalisation of content, so that for example you are presented with more blog posts and articles on treehouses and wood cabins in the future).
You have viewed three videos on space exploration across different TV apps. An unrelated news platform with which you have had no contact builds a profile based on that viewing behaviour, marking space exploration as a topic of possible interest for other videos.
Vendor guidance
  • Allowable Lawful Basis: Consent
  • Content refers to elements of the service (e.g. products for an e-commerce service; articles and videos for a media company) and not advertising as such. Creating a profile for advertising personalisation, such as paid cross-site content promotion and native advertising is not included in Purpose 5, but the corresponding ad-related Purpose 3.
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis.
  • This purpose is intended to enable processing activities such as:
    • Associate data collected, including information about the content and the device, such as: device type and capabilities, user agent, URL, IP address with a new or existing content profile based on user interests or personal characteristics of the user
    • Establish positive or negative targeting criteria
    • [with Feature 1] Associate offline data with an online user to create or edit a user profile for use in content personalisation provided that a legal basis was established offline at the point of data collection
    • [with Feature 2] Collecting data for deterministic cross-device mapping (e.g. if a user logs into an account on one device and then on another)
    • [with Feature 3] Associate an identifier obtained by receiving and using automatically sent device characteristics, with a profile for use in content personalisation
    • [with opt-in for Special Feature 1] Store precise geolocation data in a profile for use in content personalisation.
    • [with opt-in for Special Feature 2] Associate an identifier obtained by actively scanning device characteristics with a profile for use in content personalisation
  • This purpose does not cover processing activities such as:
    • Create a shared profile for both personalised ads and content, the vendor should only create and/or update that profile with the appropriate established legal basis for both Purpose 3 and 5
    • Measure content performance which can be done on the basis of Purpose 8
Purpose 6
Use profiles to select personalised content
Number
6
User-friendly text
Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests.
Illustration(s)
You read articles on vegetarian food on a social media platform and then use the cooking app of an unrelated company. The profile built about you on the social media platform will be used to present you vegetarian recipes on the welcome screen of the cooking app.
You have viewed three videos about rowing across different websites. An unrelated video sharing platform will recommend five other videos on rowing that may be of interest to you when you use your TV app, based on a profile built about you when you visited those different websites to watch online videos.
Vendor guidance
  • Allowable Lawful Basis: Consent
  • Content refers to elements of the service (e.g. products for an e-commerce service; articles and videos for a media company) and not advertising as such. Personalising advertising content, such as paid cross-site content promotion and native advertising is not included in Purpose 6, but the corresponding ad-related Purpose 4.
  • This purpose is intended to enable processing activities such as:
    • Select content based on a personalised content profile
    • [with Feature 1] Select personalised content, based on a personalised content profile, by matching and combining data obtained offline with the data stored in an online profile
    • [with Feature 2] Select personalised content, based on a personalised content profile, by linking different devices
    • [with Feature 3] Select personalised content based on a personalised profile associated with an identifier obtained by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Select personalised content, based on a content profile, by processing precise geolocation previously stored or made available in the moment
    • [with opt-in for Special Feature 2] Select personalised content, based on a personalised content profile by using an identifier obtained by actively scanning device characteristics
  • This purpose does not cover processing activities such as: Use a shared profile to select both personalised ads and content, the vendor should only use that profile with the appropriate established legal bases for both Purpose 4 and 6
Purpose 7
Measure advertising performance
Number
7
User-friendly text
Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns.
Illustration(s)
You have clicked on an advertisement about a “black Friday” discount by an online shop on the website of a publisher and purchased a product. Your click will be linked to this purchase. Your interaction and that of other users will be measured to know how many clicks on the ad led to a purchase.
You are one of very few to have clicked on an advertisement about an “international appreciation day” discount by an online gift shop within the app of a publisher. The publisher wants to have reports to understand how often a specific ad placement within the app, and notably the “international appreciation day” ad, has been viewed or clicked by you and other users, in order to help the publisher and its partners (such as agencies) optimise ad placements.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis.
  • This purpose is intended to enable processing activities such as:
    • Measure how brand suitable or safe the content of the digital property where the ad was served was
    • Measure the percentage of the ad that had the opportunity to be seen and for how long
    • Measure how many users engaged with an ad, for how long and what was the nature of that engagement (click, tap, hover, scroll etc.)
    • Determine how many unique users or devices an ad was served to
      • Measure the time when users saw the ad
      • Measure/ analyse the characteristics of the device the ad was served to (non-precise location, type of device, screen size, language of the device, operating system/browser, mobile carrier)
      • Measure ad attribution, conversions, sales lift
      • Report on an individual and aggregate level
    • [with Feature 1] Measure ad performance by matching and combining data obtained offline with the data obtained online
    • [with Feature 2] Measure ad performance by linking different devices
    • [with Feature 3] Measure ad performance by using an identifier obtained by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Measure ad performance by processing precise geolocation previously stored or made available in the moment
    • [with opt-in for Special Feature 2] Measure ad performance by using an identifier obtained by actively scanning device characteristics
  • This purpose does not cover processing activities such as:apply panel-derived demographic information to the measurement data unless the user has also granted the appropriate legal basis for Purpose 9.
  • improve individual profile or segment data for other purposes
Purpose 8
Measure content performance
Number
8
User-friendly text
Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on this service and the web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you.
Illustration(s)
You have read a blog post about hiking on a mobile app of a publisher and followed a link to a recommended and related post. Your interactions will be recorded as showing that the initial hiking post was useful to you and that it was successful in interesting you in the related post. This will be measured to know whether to produce more posts on hiking in the future and where to place them on the home screen of the mobile app. You were presented a video on fashion trends, but you and several other users stopped watching after 30 seconds. This information is then used to evaluate the right length of future videos on fashion trends.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • Content refers to elements of the service (e.g. products for an e-commerce service; articles and videos for a media company) and not advertising as such. Advertising performance measurement of paid cross-site content promotion and native advertising is not included in Purpose 8, but should be conducted under Purpose 7.
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis without an appropriate legal basis for these purposes.
  • This purpose is intended to enable processing activities such as:
    • Measure how many users engaged with content, for how long and what was the nature of that engagement (click, tap, hover, scroll etc.)
    • Determine how many unique users or devices content was served to
      • Measure the time when users saw content
      • Measure/ analyse the characteristics of the device content was served to (non-precise location, type of device, screen size, language of the device, operating system/browser, mobile carrier)
      • Measure user referrals
    • [with Feature 1] Measure content performance by matching and combining data obtained offline with the data obtained online
    • [with Feature 2] Measure content performance by linking different devices
    • [with Feature 3] Measure content performance by using an identifier obtained by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Measure content performance by processing precise geolocation previously stored or made available in the moment
    • [with opt-in for Special Feature 2] Measure content performance by using an identifier obtained by actively scanning device characteristics
  • This purpose does not cover processing activities such as:
    • apply panel-derived demographic information to the measurement data unless the user has also granted the appropriate legal basis for Purpose 9
    • improve individual profile or segment data for other purposes
Purpose 9
Understand audiences through statistics or combinations of data from different sources
Number
9
User-friendly text
Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents).
Illustration(s)
The owner of an online bookstore wants commercial reporting showing the proportion of visitors who consulted and left its site without buying, or consulted and bought the last celebrity autobiography of the month, as well as the average age and the male/female distribution of each category. Data relating to your navigation on its site and to your personal characteristics is then used and combined with other such data to produce these statistics.
An advertiser wants to better understand the type of audience interacting with its adverts. It calls upon a research institute to compare the characteristics of users who interacted with the ad with typical attributes of users of similar platforms, across different devices. This comparison reveals to the advertiser that its ad audience is mainly accessing the adverts through mobile devices and is likely in the 45-60 age range.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis.
  • This purpose is intended to enable processing activities such as:
    • Provide aggregate reporting to advertisers, publishers or their representatives about the unique reach of online services and/or the audiences of their ads, through panel-based and similarly derived insights (e.g. to model demographic attributes of audience segments):
      • Website/Apps KPIs across ads and contents
      • usually panel-derived:
      • Age
      • Gender
      • interests / affinity / in-market categories: what else are users interested in
    • Create market research aggregate reporting (e.g. Syndicated data from JICs, Ad Audience certifications, etc.)
    • [with Feature 1] This purpose serves to match offline obtained data (panel data) to online obtained data (through Purpose 7 or 8)
    • [with Feature 2] Apply market research to generate audience insights by linking different devices
    • [with Feature 3] Use identifiers generated by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Use precise geolocation data to apply market research data in order to generate audience insights
    • [with opt-in for Special Feature 2] Use identifiers generated by actively scanning device characteristics to apply market research data in order to generate audience data
  • This purpose does not cover processing activities such as:
    • improve individual profile or segment data for other purposes
    • report about the audiences using methods covered in Purposes 7 and 8
    • apply measurement data to the panel-derived demographic information unless the user has also granted the appropriate legal basis for Purpose 7 and/or 8
Purpose 10
Develop and improve services
Number
10
User-friendly text
Information about your activity on this service, such as your interaction with ads or content, can be very helpful to improve products and services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers.
Illustration(s)
A technology platform working with a social media provider notices a growth in mobile app users, and sees based on their profiles that many of them are connecting through mobile connections. It uses a new technology to deliver ads that are formatted for mobile devices and that are low-bandwidth, to improve their performance.
An advertiser is looking for a way to display ads on a new type of consumer device. It collects information regarding the way users interact with this new kind of device to determine whether it can build a new mechanism for displaying advertising on this type of device.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • When combining information collected under this purpose with other information previously collected, the latter must have been collected with an appropriate legal basis.
  • This purpose is intended to enable processing activities such as:
    • product improvement or new product development
    • creation of new models and algorithms through machine learning
    • [with Feature 1] Develop and improve products by matching and combining data obtained offline with the data obtained online
    • [with Feature 2] Develop and improve products by linking different devices
    • [with Feature 3] Develop and improve products by using an identifier obtained by receiving and using automatically sent device characteristics
    • [with opt-in for Special Feature 1] Develop and improve products by processing precise geolocation previously stored or made available in the moment
    • [with opt-in for Special Feature 2] Develop and improve products by using an identifier obtained by actively scanning device characteristics
  • This purpose does not cover processing activities such as:
    • improve individual profile or segment data for other purposes (or e.g. creating a new identity graph)
Purpose 11
Use limited data to select content
Number
11
User-friendly text
Content presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you).
Illustration(s)
A travel magazine has published an article on its website about the new online courses proposed by a language school, to improve travelling experiences abroad. The school’s blog posts are inserted directly at the bottom of the page, and selected on the basis of your non-precise location (for instance, blog posts explaining the course curriculum for different languages than the language of the country you are situated in). A sports news mobile app has started a new section of articles covering the most recent football games. Each article includes videos hosted by a separate streaming platform showcasing the highlights of each match. If you fast-forward a video, this information may be used to select a shorter video to play next.
Vendor guidance
  • Allowable Lawful Bases: Consent, Legitimate Interests
  • Content refers to elements of the service (e.g. products for an e-commerce service; articles and videos for a media company) and not advertising as such. Selecting advertising content, such as paid cross-site content promotion and native advertising is not included in Purpose 11, but the corresponding ad-related Purpose 2.
  • This purpose is intended to enable processing activities such as:
    • Selection and delivery of content based on real-time data (e.g. information about the page content or content embedded within the page, app type, non-precise geolocation data etc.)
    • Real time data, as referenced above, may be used for positive or negative targeting e.g. to select content adapted to the online context or prevent an content from serving in an unsuitable (brand-unsafe) context
    • Control the frequency of content shown to a user
    • Sequence the order in which content are shown to a user
    • Note: This purpose allows processing of non-precise geolocation data to select and deliver content. However, processing precise geolocation data for this purpose requires the user’s opt-in to Special Feature 1 in addition to having obtained consent or met requirements for processing under a legitimate interest for this Purpose.
    • [with Feature 1] Combine data obtained offline with data available in the moment, about the user, to select content.
    • [with Feature 2] Link different devices in order to select content
    • [with Feature 3] Identify a device by receiving and using automatically sent device characteristics in order to select content in the moment
    • [with opt-in for Special Feature 1] Use precise geolocation data to select and deliver content in the moment, without storing it
    • [with opt-in for Special Feature 2] Identify a device by actively scanning device characteristics in order to select content in the moment
  • This purpose does not cover processing activities such as:
    • Create a content profile about a user (including a user’s prior activity, interests, visits to sites or apps, location, or demographic information) without having obtained consent for Purpose 5
    • Use a content profile to select future content about a user (including a user’s prior activity, interests, visits to sites or apps, location, or demographic information) without having obtained consent for Purpose 6

B. Special Purposes

Special Purpose 1
Ensure security, prevent and detect fraud, and fix errors
Number
1
User-friendly text
Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you, the publisher or the advertiser may encounter in the delivery of content and ads and in your interaction with them.
Illustration(s)
An advertising intermediary delivers ads from various advertisers to its network of partnering websites. It notices a large increase in clicks on ads relating to one advertiser, and uses data regarding the source of the clicks to determine that 80% of the clicks come from bots rather than humans.
Vendor guidance
  • Special Purpose: No right-to-object to processing under legitimate interests via the Framework.
  • Allowable Lawful Bases: Legitimate Interests
  • This purpose is to be used by 3rd parties operating on digital property, and it does not affect publishers’ ability to run fraud checks outside of the TCF and independently.
  • This purpose is intended to enable processing activities such as:
    • Monitoring, preventing ex and post ante:
      • General Invalid Traffic Detection and Blocking
      • Sophisticated Invalid Traffic Detection and Blocking
        • Automated Browsing, Dedicated Device
        • Automated Browsing, Non-Dedicated Device
        • Incentivized Human Activity
        • Manipulated Human activity
        • Falsified Measurement Events
        • Domain Misrepresentation
        • Hidden Ads
        • Advertising Spam
    • Process of identifying product errors - making products work (not improving them)
    • Ensuring operability of the system/platform
Special Purpose 2
Deliver and present advertising and content
Number
2
User-friendly text
Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device.
Illustration(s)
Clicking on a link in an article might normally send you to another page or part of the article. To achieve this, 1°) your browser sends a request to a server linked to the website, 2°) the server answers back (“here is the article you asked for”), using technical information automatically included in the request sent by your device, to properly display the information / images that are part of the article you asked for. Technically, such exchange of information is necessary to deliver the content that appears on your screen.
Vendor guidance
  • Special Purpose: No right-to-object to processing under legitimate interests via the Framework.
  • Allowable Lawful Bases: Legitimate Interests
  • This purpose covers both ads and content
  • This purpose is intended to enable processing activities such as:
    • Receiving and responding to ad or content requests
    • Delivering of ad-files or content files to an IP address
    • Using information received automatically to deliver compatible ads or content, such as:
      • User Agent type
      • Supported language
      • Connection type
      • Size and type of the ad or content requested 
    • Respond to a user’s interaction with ad or content by sending the user to a landing page
    • Logging that an ad was delivered, without recording any personal data about the user
    • Logging that content was delivered, without recording any personal data about the user

C. Features

Feature 1
Match and combine data from other data sources
Number
1
User-friendly text
Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey), in support of the purposes explained in this notice.
Vendor guidance
  • Data from various sources refers to data originating from other services than the digital property on which legal bases are obtained and managed (e.g. activity on other digital properties or services, loyalty cards, in-store purchase histories, data obtained from events or direct emailing campaigns).
  • This feature is intended to enable means of processing such as:
    • Combine and match data originating from various sources for one or more Purposes or Special Purposes, for which you have established appropriate legal bases
  • Data previously or separately collected and combined under this feature must have been collected with an appropriate legal basis.
Feature 2
Link different devices
Number
2
User-friendly text
In support of the purposes explained in this notice, your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).
Vendor guidance
  • This feature is intended to enable means of processing such as:
    • Establish (deterministically or probabilistically) that two or more devices belong to the same user or household for one or more Purposes or Special Purposes, for which you have established appropriate legal bases
    • [with opt-in for Special Feature 2] link different devices by using an identifier obtained by actively scanning device characteristics
Feature 3
Identify devices based on information transmitted automatically
Number
3
User-friendly text
Your device might be distinguished from other devices based on information it automatically sends when accessing the Internet (for instance, the IP address of your Internet connection or the type of browser you are using) in support of the purposes exposed in this notice.
Vendor guidance
  • This feature is intended to enable means of processing such as:
    • Create an identifier using data collected automatically from a device for specific characteristics, e.g. IP address, user-agent string
    • Use such an identifier to attempt to re-identify a device
  • This feature does not allow the creation and use of an identifier based on data collected actively retrieved from the device via JavaScript or API (e.g. installed font or screen resolution). This operation is separately covered by Special Feature 2.
  • Use of this data for security or fraud prevention is separately covered by Special Purpose 1 and does not require separate declaration of this feature.

D. Special Features

Special Feature 1
Use precise geolocation data
Number
1
User-friendly text
With your acceptance, your precise location (within a radius of less than 500 metres) may be used in support of the purposes explained in this notice.
Vendor guidance
  • Users must opt IN to this feature before vendors may use it.
  • This special feature is intended to enable means of processing such as:
    • Use geolocation data with an accuracy of up to 500 metres and/or latitude and longitude data with more than two decimals for one or more Purposes or Special Purposes, for which you have established appropriate legal bases
  • Any uses of precise geolocation for security & fraud fall under that purpose and do NOT require this feature.
  • The use of the special feature will depend on the purpose for which precise geolocation data is used in support of (e.g. precise geolocation data can be used only in the moment to select an ad in the context of Purpose 4 - Selection of personalised ads).
Special Feature 2
Actively scan device characteristics for identification
Number
2
User-friendly text
With your acceptance, certain characteristics specific to your device might be requested and used to distinguish it from other devices (such as the installed fonts or plugins, the resolution of your screen) in support of the purposes explained in this notice.
Vendor guidance
  • Special feature: Users must opt IN to this feature before vendors may use it.
  • This special feature is intended to enable means of processing such as:
    • Collect data about a user’s browser or device to create an identifier and distinguish the user from other users across visits, using a combination of information accessed via JavaScript or APIs such as time zone, system fonts, screen resolution, and installed plugins
  • This feature does not cover the creation and use of an identifier based on data collected automatically received from the device (IP addresses, user agent string or other information not actively retrieved from the device. This operation is separately covered by Feature 3.
  • Any uses of active device characteristic scanning for security & fraud fall under that purpose and do NOT require this feature.

E. Stacks

Stacks may be used to substitute Initial Layer information about two or more Purposes and/or Special Features (also see Appendix B). Stacks may be used on a secondary layer allowing users to make consent choices or object to the processing of their personal data with respect to each stack, so long as granular and specific controls with respect to each Purpose and/or Special Feature are provided elsewhere in additional layers for users who are interested in it in accordance with Appendix B (C) and (D) and without prejudice to the derogation laid down in Appendix B (C) (h).

Purposes must not be included in more than one Stack, and must not be presented as part of a Stack and outside of Stacks at the same time. Conversely, any Stacks used must not include the same Purpose more than once, nor include Purposes presented separately from Stacks.

Stack 1
Precise geolocation data, and identification through device scanning
Number
1
Description
Precise geolocation and information about device characteristics can be used.
Special Features included
  • Special Feature 1: Use precise geolocation data
  • Special Feature 2: Actively scan device characteristics for identification
Stack 2
Advertising based on limited data and advertising measurement
Number
2
Description
Advertising can be presented based on limited data. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 7: Measure advertising performance
Stack 3
Personalised advertising
Number
3
Description
Advertising can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
Stack 4
Advertising based on limited data, advertising measurement, and audience research
Number
4
Description
Advertising based on limited data, advertising measurement, and understanding of the audiences
Purposes included
  • Purpose2: Uselimited data to select advertising
  • Purpose7: Measure advertising performance
Stack 5
Advertising based on limited data, advertising measurement, and audience research
Number
5
Description
Advertising can be presented based on limited data. Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 7: Measure advertising performance
Stack 6
Selection of personalised advertising and advertising measurement
Number
6
Description
Advertising can be personalised based on your profile. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
Stack 7
Selection of personalised advertising, advertising measurement, and audience research
Number
7
Description
Advertising can be personalised based on your profile. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
Stack 8
Personalised advertising and advertising measurement
Number
8
Description
Advertising can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
Stack 9
Personalised advertising, advertising measurement, and audience research
Number
9
Description
Advertising can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance 
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
Stack 10
Personalised advertising
Number
10
Description
Advertising can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising.
Purposes included
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
Stack 11
Personalised content
Number
11
Description
Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content.
Purposes included
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
Stack 12
Selection of personalised content and content measurement
Number
12
Description
Content can be personalised based on your profile. Content performance can be measured.
Purposes included
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 11: Use limited data to select content
Stack 13
Selection of personalised content, content measurement and audience research
Number
13
Description
Selection of personalised content, content measurement and audience research
Purposes included
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 14
Personalised content and content measurement
Number
14
Description
Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Content performance can be measured.
Purposes included
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Measure content performance
  • Purpose 8: Measure content performance
  • Purpose 11: Use limited data to select content
Stack 15
Personalised content, content measurement and audience research
Number
15
Description
Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 16
Personalised content, content measurement, audience research, and services development
Number
16
Description
Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources 
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 17
Advertising and content measurement, and audience research
Number
17
Description
Advertising and content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
Stack 18
Advertising and content measurement
Number
18
Description
Advertising and content performance can be measured.
Purposes included
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
Stack 19
Advertising measurement and audience research
Number
19
Description
Advertising can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 7: Measure advertising performance 
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
Stack 20
Advertising and content measurement, audience research, and services development
Number
20
Description
Advertising and content performance can be measured. Your activity on this service can help develop and improve products and services. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
Stack 21
Content measurement, audience research, and services development
Number
21
Description
Content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
Stack 22
Content measurement, audience research, and services development
Number
22
Description
Content performance can be measured. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 8: Measure content performance
  • Purpose 10: Develop and improve services
Stack 23
Selection of personalised advertising and content, advertising and content measurement
Number
23
Description
Advertising and content can be personalised based on your profile. Advertising and content performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 11: Use limited data to select content
Stack 24
Selection of personalised advertising and content, advertising and content measurement, and audience research
Number
24
Description
Advertising and content can be personalised based on your profile. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Data can be used to build or improve user experience, systems, and software.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 25
Personalised advertising and content, advertising and content measurement
Number
25
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising or content. Advertising and content performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 11: Use limited data to select content
Stack 26
Personalised advertising and content, advertising and content measurement, and audience research
Number
26
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising or content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 27
Personalised advertising and content profile
Number
27
Description
Your activity on this service can be used to build or improve a profile about you for personalised advertising or content.
Purposes included
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 5: Create profiles to personalise content
Stack 28
Selection of personalised advertising and content
Number
28
Description
Advertising and content can be personalised based on your profile.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 6: Use profiles to select personalised content
  • Purpose 11: Use limited data to select content
Stack 29
Advertising based on limited data, advertising and content measurement, and audience research
Number
29
Description
Advertising can be presented based on limited data. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
Stack 30
Selection of personalised advertising, personalised content, advertising and content measurement, and audience research
Number
30
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising or content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 31
Selection of personalised advertising, personalised content, advertising and content measurement, audience research, and services development
Number
31
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 32
Advertising based on limited data, personalised content, advertising and content measurement, and audience research
Number
32
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 33
Advertising based on limited data, personalised content, advertising and content measurement, audience research, and services development
Number
33
Description
Advertising can be presented based on limited data. Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 34
Advertising based on limited data, personalised content, content measurement, and audience research
Number
34
Description
Advertising can be presented based on limited data. Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 11: Use limited data to select content
Stack 35
Advertising based on limited data, personalised content, content measurement, audience research and services development
Number
35
Description
Advertising can be presented based on limited data. Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 36
Advertising based on limited data, personalised content, and advertising measurement
Number
36
Description
Advertising can be presented based on limited data. Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising performance can be measured.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 11: Use limited data to select content
Stack 37
Advertising based on limited data, personalised content, advertising measurement, and services development
Number
37
Description
Advertising can be presented based on limited data. Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content. Advertising performance can be measured. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 5: Create profiles to personalise content
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance 
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 38
Personalised advertising, advertising measurement, and services development
Number
38
Description
Advertising can be personalised based on your profile.Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising performance can be measured. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
  • Purpose 10: Develop and improve services
Stack 39
Personalised advertising, advertising measurement, audience research and services development
Number
39
Description
Advertising can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
Stack 40
Personalised advertising, advertising and content measurement, audience research and services development
Number
40
Description
Advertising can be personalised based on your profile.Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
Stack 41
Personalised advertising, selection of personalised content, advertising and content measurement, audience research and services development
Number
41
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services
  • Purpose 11: Use limited data to select content
Stack 42
Personalised advertising and content, advertising and content measurement, audience research and services development
Number
42
Description
Advertising and content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised advertising and content. Advertising and content performance can be measured. Reports can be generated based on your activity and those of others. Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 3: Create profiles for personalised advertising
  • Purpose 4: Use profiles to select personalised advertising
  • Purpose 5: Create profiles to personalise content 
  • Purpose 6: Use profiles to select personalised content
  • Purpose 7: Measure advertising performance
  • Purpose 8: Measure content performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services 
  • Purpose 11: Use limited data to select content
Stack 43
Content based on limited data and content measurement
Number
43
Description
Content can be selected based on limited data. Content performance can be measured.
Purposes included
  • Purpose 8: Measure content performance
  • Purpose 11: Use limited data to select content
Stack 44
Personalised content
Number
44
Description
Content can be personalised based on your profile. Your activity on this service can be used to build or improve a profile about you for personalised content.
Purposes included
  • Purpose 5: Create a personalised content profile
  • Purpose 6: Use profiles to select personalised content
  • Purpose 11: Use limited data to select content
Stack 45
Advertising based on limited data, advertising measurement, audience research and services development
Number
45
Description
Advertising can be presented based on limited data. Advertising performance can be measured. Reports can be generated based on your activity and those of others.Your activity on this service can help develop and improve products and services.
Purposes included
  • Purpose 2: Use limited data to select advertising
  • Purpose 7: Measure advertising performance
  • Purpose 9: Understand audiences through statistics or combinations of data from different sources
  • Purpose 10: Develop and improve services

F. Example Stack Combinations

Example Stack Combination 1

  • Purpose 1: Store and/or access information on a device
  • Special Feature 1: Use precise geolocation data
  • Stack 3: Personalised advertising
    • Purpose 2: Use limited data to select advertising
    • Purpose 3: Create profiles for personalised advertising
    • Purpose 4: Use profiles to select personalised advertising
  • Stack 11: Personalised content
    • Purpose 5: Create a personalised content profile
    • Purpose 6: Use profiles to select personalised content
  • Stack 17: Advertising and content measurement, and audience research
    • Purpose 7: Measure advertising performance
    • Purpose 8: Measure content performance
    • Purpose 9: Understand audiences through statistics or combinations of data from different sources
    • Purpose 10: Develop and improve services

Example Stack Combination 2

  • Purpose 1: Store and/or access information on a device
  • Special Feature 1: Use precise geolocation data
  • Stack 8: Personalised advertising and advertising measurement
    • Purpose 2: Use limited data to select advertising
    • Purpose 3: Create profiles for personalised advertising
    • Purpose 4: Use profiles to select personalised advertising
    • Purpose 7: Measure advertising performance
  • Stack 14: Personalised content, and content measurement
    • Purpose 5: Create profiles to personalise content
    • Purpose 6: Use profiles to select personalised content
    • Purpose 8: Measure content performance
    • Purpose 9: Understand audiences through statistics or combinations of data from different sources
    • Purpose 10: Develop and improve services

Example Stack Combination 3 (Advertisers)

  • Purpose 1: Store and/or access information on a device
  • Special Feature 1: Use precise geolocation data
  • Stack 3: Personalised advertising
    • Purpose 2: Use limited data to select advertising
    • Purpose 3: Create profiles for personalised advertising
    • Purpose 4: Use profiles to select personalised advertising
  • Stack 19: Advertising measurement and audience research
    • Purpose 7: Measure advertising performance
    • Purpose 9: Understand audiences through statistics or combinations of data from different sources
    • Purpose 10: Develop and improve services

Example Stack Combination 4

  • Purpose 1: Store and/or access information on a device
  • Special Feature 1: Use precise geolocation data
  • Stack 2: Advertising based on limited data and advertising measurement
    • Purpose 2
    • Purpose 7
  • Stack 3: Personalised advertising
    • Purpose 3: Create profiles for personalised advertising
    • Purpose 4: Use profiles to select personalised advertising
  •  Stack 15: Advertising measurement and audience research
      • Purpose 5
      • Purpose 6
      • Purpose 8
      • Purpose 9
      • Purpose 11
  • Purpose 10: Develop and improve services

G. Categories of data

1
IP addresses
Number
1
User-friendly text
Your IP address is a number assigned by your Internet Service Provider to any Internet connection. It is not always specific to your device and is not always a stable identifier. It is used to route information on the Internet and display online content (including ads) on your connected device.
Vendor guidance
A Vendor’s servers may receive users’ public IP addresses to route traffic across the internet, e.g. to deliver an ad through http requests. Vendors should declare this category of data even if they process the IP address on the fly without storing it.
2
Device characteristics
Number
2
User-friendly text
Technical characteristics about the device you are using that are not unique to you, such as the language, the time zone or the operating system.
Vendor guidance
A Vendor may process characteristics about the device, language, timezone, the operating system, software and applications related to the device.
3
Device identifiers
Number
3
User-friendly text
A device identifier is a unique string of characters assigned to your device or browser by means of a cookie or other storage technologies. It may be created or accessed to recognise your device e.g. across web pages from the same site or across multiple sites or apps.
Vendor guidance
A Vendor may write and access unique identifiers on users’ devices, such as identifiers managed/created by the Vendor or publisher, the Vendor’s partners or identifiers provided by operating systems (such as IDFAs, IDFVs or GAIDs).
4
Probabilistic identifiers
Number
3
User-friendly text
A probabilistic identifier can be created by combining characteristics associated with your device (the type of browser or operating system used) and the IP address of the Internet connection. If you give your agreement, additional characteristics (e.g. the installed font or screen resolution) can also be combined to improve precision of the probabilistic identifier. Such an identifier is considered "probabilistic" because several devices can share the same characteristics and Internet connection. It may be used to recognise your device across e.g. web pages from the same site or across multiple sites or apps.
Vendor guidance
A Vendor may create identifiers using data collected automatically from devices for specific characteristics, e.g. IP address, user-agent string Vendors creating this type of identifiers should declare Feature 3 (Receive and use automatically-sent device characteristics for identification). A Vendor may also create identifiers using data collected via actively scanning a device for specific characteristics, e.g. installed fonts or screen resolution. Vendors creating this type of identifiers should declare Special Feature 2, to which users must opt-in.
5
Authentication-derived identifiers
Number
5
User-friendly text
Where an identifier is created on the basis of authentication data, such as contact details associated with online accounts you have created on websites or apps (e.g. e-mail address, phone number) or customer identifiers (e.g. identifier provided by your telecom operator), that identifier may be used to recognise you across websites, apps and devices when you are logged-in with the same contact details.
Vendor guidance
A Vendor may create identifiers based on users’ authentication information (e.g. their email addresses or phone number). Examples of such identifiers include identifiers derived from users’ email addresses or phone numbers through hash function (SHA-256, MD5, SHA-1…) and other non-reversible forms of encryption, and unique identifiers mapped with users’ authentication information.
6
Browsing and interaction data
Number
6
User-friendly text
Your online activity such as the websites you visit, apps you are using, the content you search for on this service, or your interactions with content or ads, such as the number of times you have seen a specific content or ad or whether you clicked on it.
Vendor guidance
A Vendor may process information such as accessed web pages, viewed contents, interactions with a website, apps, or an ad, and researches done by the user.
7
User-provided data
Number
7
User-friendly text
The information you may have provided by way of declaration via a form (e.g. feedback, a comment) or when creating an account (e.g. your age, your occupation).
Vendor guidance
A Vendor may process users’ declarative information communicated by way of declaration via a form or when creating an account, such as the age range or the occupation
8
Non-precise location data
Number
8
User-friendly text
An approximation of your location, expressed as an area with a radius of at least 500 metres. Your approximate location can be deduced from e.g. the IP address of your connection.
Vendor guidance
A Vendor may process geographic location with latitude and longitude coordinates with two or fewer decimals and/or within an area of a circle with a radius of at least 500 metres.
9
Precise location data
Number
8
User-friendly text
Your precise location within a radius of less than 500 metres based on your GPS coordinates. It may be used only with your acceptance.
Vendor guidance
A Vendor may process geographic location with latitude and longitude coordinates beyond two decimals and/or within an area of a circle with a radius of less than 500 metres.
10
Users’ profiles
Number
10
User-friendly text
Certain characteristics (e.g. your possible interests, your purchase intentions, your consumer profile) may be inferred or modelled from your previous online activity (e.g. the content you viewed or the service you used, your time spent on various online content and services) or the information you have provided (e.g. your age, your occupation).
Vendor guidance
A Vendor may process information regarding the fact that a user is assigned (by the Vendor or otherwise) to a user interest group(s)/cohort(s) that share common characteristics such as demographic characteristics, preferences, interest or purchase intent.
11
Privacy choices
Number
11
User-friendly text
Your preferences regarding the processing of your data, based on the information you have received.
Vendor guidance
A Vendor may process users’ signals or part of it as defined by the Policies or Specifications sent by a CMP, usually on behalf of a Publisher, to Vendors that includes, amongst others, information about the transparency, consent, and/or objection status of a Vendor and/or Purpose, the opt-in status of a Special Feature, and Publisher restrictions.

Appendix B: User Interface Requirements

A. Scope

a. This Appendix applies to any party deploying a user interface in connection with the Framework (“Framework UI”). Typically this is the first party in the interaction with the user, such as a Publisher operating its own private CMP, or relying on the services of a commercial CMP. Both the Publisher and the CMP are responsible to ensure that these requirements are met. Appendix B should be read in conjunction with Chapter II (Policies for CMPs), Chapter IV (Policies for Publishers), and Chapter V (Policies for Interacting with Users).

b. A Publisher and/or CMP is responsible for determining when the Framework UI will be shown in accord with the Framework Policies and the Specifications, consistent with legal requirements to support the transparent and lawful storing and/or accessing of information on user devices and/or processing of users’ personal data by Vendors. The Framework UI may be used to support the Publisher’s own transparent and lawful storing and/or accessing of information on user devices and/or processing of users’ personal data.

c. The Framework Policies and the Specifications establish minimum requirements for language, design, and other elements in the Framework UI. These minimum requirements are intended to align with legal requirements of EU privacy and data protection law. In the event of a conflict between applicable EU law and Appendix B, the law prevails. Unless stated otherwise, nothing in Appendix B is intended to prevent the creation of Framework UIs that go beyond these minimum requirements.

B. General Rules and Requirements for Framework UIs

a. When providing transparency and/or consent choices to users, the Framework UI may make use of a so-called layered approach that provides key information immediately in an Initial Layer and makes more detailed information available elsewhere in additional layers for those users who are interested in it. Appendix B provides minimum requirements for certain layers, in particular the Initial Layer, where the Framework UI makes use of a layered approach.

b. When providing transparency about Purposes and Features, the Framework UI must do so only on the basis of the standard Purpose, Special Purpose, Feature, and Special Feature names and definitions of Appendix A as they are published on the Global Vendor List or using Stacks in accordance with the Policies and Specifications. UIs must make available the standard user-friendly text, and where applicable the standard illustrations, for each Purpose, Special Purpose, Feature, Special Feature and Category of data of Appendix A.

c. Where the Framework UI uses a language other than English, the Framework UI must do so only on the basis of official translations of the standard Purpose, Special Purpose, Feature, Special Feature and Category of data names and definitions of Appendix A as they are published on the Global Vendor List.

d. When providing transparency about Vendors, the Framework UI must do so only on the basis of the information provided, and declarations made by Vendors as they are published on the Global Vendor List.

e. For the avoidance of doubt, Framework UIs may be used to also provide transparency, and request consent, for purposes and/or vendors, that are not covered by the Framework. However, users must not be misled to believe that any non-Framework purpose and/or vendor are part of the Framework or subject to its Policies. If the Framework UI includes non-Framework purposes and/or vendors the Framework UI must make it possible for users to distinguish between Vendors registered with the Framework, and Purposes defined by the Framework, and those who are not.

f. The Framework UI must inform users that their Vendor choices are limited to Purposes and Special Features and that it does not enable them to object to disclosed Vendors processing personal data for Special Purposes and that Special Features may be used for Special Purpose 1 (Ensure security, prevent and detect fraud, and fix errors ) regardless of the user’s choice about Special Features.

C. Specific Requirements for Framework UIs in Connection with Requesting a User’s Consent

a. When providing transparency about Purposes, Features and Vendors in connection with requesting a user’s consent for the same, the Framework UI’s must be displayed prominently and separately from other information, such as the general terms and conditions or the privacy policy, in a modal or banner that covers all or substantially all of the content of the website or app.

b. When making use of a so-called layered approach, the Initial Layer of the Framework UI providing transparency and requesting a user’s consent:

I. Must include information about the fact that information is stored on and/or accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data);

II. Must include information about the fact that personal data is processed, and the nature of the personal data processed (e.g. unique identifiers, browsing data);

III. Must include information about the fact that third party Vendors will be storing and/or accessing information from the user’s device and processing their personal data, the number of third party Vendors (which may also include Vendors not participating in the Framework); and a link to the list of named third parties;

IV. Must include the list of the distinct and separate Purposes for which the Vendors are processing data, using at least the standardised names and/or Stack names as defined in Appendix A;

V. Must include information about the Special Features used by the Vendors when processing data;

VI. Should include information about the consequences (if any) of consenting or not consenting (including withdrawing consent);

VII. Must include information about the scope of the consent choice, i.e. service-specific consent, or group-specific consent. If group-specific consent, a link with information about the group;

VIII. Must include information about the fact that the user can withdraw their consent at any time, and how to resurface the Framework UI in order to do so;

IX. Should include information about the fact that some Vendors (if any) are not requesting consent, but processing the user’s data on the basis of their legitimate interest; the fact that the user has a right to object to such processing; and a link to the relevant layer of the Framework UI dealing with processing on the basis of legitimate interests where more information can be found;

X. Must include a call to action for the user to express their consent (for example “Accept”, “Okay”, “Approve”, etc.);

XI. Must include a call to action for the user to customise their choices (for example “Advanced Settings”, “Customise Choices”, etc.).

d. When making use of a so-called layered approach, a secondary layer must be provided that allows the user to: 

I. Review:

      • the list of named Vendors and a link to each Vendor’s privacy policy,
      • their Purposes, Special Purposes, associated Legal Bases and corresponding retention period,
      • their Features and Special Features and
      • the categories of data collected and processed

II. Review the list of Purposes, Special Purposes, Features, and Special Features including their standard name, their full standard user-friendly text and where applicable their illustrations, as defined in Appendix A, the number of Vendors seeking consent for each of the Purposes (which may also include Vendors not participating in the Framework), and have a way to see those Vendors ;

III. Make granular and specific consent choices with respect to each Vendor, and, separately, each Purpose for which the Publisher chooses to obtain consent on behalf of or more Vendors;

IV. Make granular and specific opt-in choices with respect to each Special Feature for which the Publisher chooses to obtain opt-ins on behalf of one or more Vendors;

V. Where applicable and not disclosed in a 1st layer, view information about the fact that some Vendors (if any) are not requesting consent, but processing the user’s data on the basis of their legitimate interest; the fact that the user has a right to object to such processing; and a link to the relevant layer of the Framework UI dealing with processing on the basis of legitimate interests where more information could be found and the right to object exercised;

VI. Where not disclosed in a 1st layer, view information about the consequences (if any) of consenting or not consenting (including withdrawing consent);

VII. Where applicable, review Vendors’ maximum device storage duration and whether Vendors refresh such duration (by stating, for example, that “duration may expire [n] months/days from your last interaction with the property”, where [n] represents the maximum duration for which the Vendor considers the user consent as valid) as well as, where applicable, review any additional purpose specific storage and access information provided by a Vendor in accordance with the Specifications.

e. When a user accesses a layer, which will be a secondary layer when using a layered approach, allowing them to make granular and specific consent choices with respect to each Purpose, under Policy C(c)(III), and/or to make granular and specific opt-in choices with respect to each Special Feature under Policy C(c)(IV) the default choice must be “no consent”, “no opt-in” or “off”.

f. If a UI displays Vendors who are not registered with IAB Europe for participation in the Framework, the UI must make it possible for users to distinguish between Vendors registered with the Framework, and those who are not. The UI must not mislead others as to the Framework participation of any of the Vendors who are not registered with the MO.

g. A user must be able to resurface the Framework UI from an easily accessible link or call to action, such as a floating icon or a footer link available on each webpage of the Publisher’s website, or from the top-level settings of the Publisher’s app as to allow them to withdraw their consent as easily as it was to give it. If a call to action for the user to express their consent for all Purposes and Vendors was provided in the Initial Layer of the Framework UIs used to request the user’s consent (for example “Consent to all”), an equivalent call to action for the user to withdraw their consent for all Purposes and Vendors must be provided in the Framework UI that the user resurfaces (for example “Withdraw consent to all”).

h. Calls to action in a Framework UI must not be invisible, illegible, or appear disabled. While calls to action do not need to be identical, to ensure they are clearly visible, they must have matching text treatment (font, font size, font style) and, for the text of each, a minimum contrast ratio of 5 to 1. To the extent that an Initial Layer has more than two calls to action, this policy only applies to the two primary calls to action.

i. By way of derogation from Appendix B, Policies C(c)(iii) and (iv) and C(d), a Publisher shall not be required to allow a user to make granular and specific consent or opt-in choices if the Publisher implements a way for the user to access its content without consenting through other means, for example by offering paid access that does not require consenting to any Purposes. For the avoidance of doubt, all other Policies remain applicable.

D. Specific Requirements for Framework UIs in Connection with Legitimate Interests

a. When providing transparency about Purposes, Special Purposes, Features, Special Features, and Vendors in connection with a legitimate interest for the same, transparency must be provided at least through an easily accessible link to the relevant layer of the Framework UI dealing with processing on the basis of legitimate interests.

b. When providing transparency about Purposes, Special Purposes, Features, Special Features, and Vendors in connection with both requesting a user’s consent for the same and a legitimate interest, Policy C(a) applies, and the easily accessible link to the relevant layer of the Framework UI dealing with processing on the basis of legitimate interests required under Policy D(a) must be included in the Initial Layer of the Framework UI presented in line with Policy C(a).

c. When providing transparency about Purposes, Special Purposes, Features, Special Features and Vendors in connection with a legitimate interest for the same, a single secondary layer must be provided that allows the user to:

I. see information about the fact that personal data is processed, and the nature of the personal data processed (e.g. unique identifiers, browsing data);

II. see information about the scope of the legitimate interest processing and scope of any objection to such processing, i.e. service-specific scope, or group-specific scope. If group-specific scope, a link with information about the group.

III. access controls within the Framework UI to object to processing of their personal data on the basis of a legitimate interest;

IV. review the list of Purposes and Special Purposes including their standard name and their full standard user-friendly text and where applicable their illustrations, as defined in Appendix A, the number of Vendors processing their data for each of the Purposes on the basis of legitimate interest (which may also include Vendors not participating in the Framework), and have a way to see those Vendors. V. exercise their right to object with respect to processing under a legitimate interest for each Vendor, and, separately, each Purpose for which the Publisher chooses to help establish Vendors transparency;

VI. review:

  • the list of named Vendors and a link to each Vendor’s privacy policy,
  • their Purposes, Special Purposes, associated Legal Bases (and a link to each Vendor’s explanation of its legitimate interest(s) at stake) and corresponding retention period,
  • their Features, Special Features and
  • the categories of data collected and processed.

Version History and Changelog

  • Version 2018-04-10.1 – Initial Framework Policies.
  • Version 2018-04-25.2 – Added Purpose and Feature Definitions to Appendix A, and UI/UX Guidelines and Requirements to Appendix B.
  • Version 2018-10-02.2a – Removed a provision stating CMPs must only work with Vendors registered with the MO. Clarified conditions for providing services to Vendors not registered with the MO.
  • Version 2019-08-21.3 – Framework Policies for Version 2.0. Major changes have been made to the Policies, including Appendix A, and Appendix B.
  • Version 2020-04-06.3a – Added Stacks 38-42. Removed requirement to disclose Special Purposes and Feature in initial UI layer.
  • Version 2020-06-30.3.1 – Added CTA prominence requirement in Appendix B, Policy C and storage duration disclosure requirements in Policy 16(2bis) and Appendix B, Policy C(c)(I).
  • Version 2020-08-24.3.2 – Removed non-essential 1st layer requirements and updated 2nd layer requirements in Appendix B, Policy C. Added Appendix B, Policy C(h) introducing a derogation from Appendix B, Policy C(c)(iii), (iv) and (d) on not providing granular choices in certain situations.
  • Version 2020-11-18.3.2a – Updated Vendor guidance for Purpose 1 to clarify it must be declared in conjunction with another Purpose, Feature, Special Purpose and/or Special Feature except where processors register for Purpose 1. Added new policy 13(7) to clarify that Vendors should verify signals have been obtained using API.
  • Version 2021-02-17.3.2b – Updated Preamble point (ii) to clarify that the Framework is applicable for UK GDPR and PECR.
  • Version 2021-04-19.3.3 – Removed prohibition for Vendors to refresh maximum storage duration (Policy 16(2bis)). Updated UI duration disclosure requirements (new Appendix B, Policy C(c)(vii).
  • Version 2021-06-22.3.4 – Removed global scope policies, added policies on forwarding TCF signals to URL-based services (new Policies 14(6) and 22(8)).
  • Version 2022-06-20.3.5 – Update to indicate the mandatory nature of the provision of a devicestorage.json file by vendors (Chapter III: Policies for Vendors / Policy 16 2bis; Appendix B: User Interface Requirements / C(c)(vii))
  • Version 2023-05-15.4.0 – Framework Policies for Version 2.2. Major changes have been made to the Policies, including Appendix A, and Appendix B.
  • Version 2023-05-15.4.0.a – Clarified conditions for using Stacks and added Stacks 44 and 45. Added example of stack combination. Improvement of user-friendly text for Purpose 6.
IAB Europe
Rond-Point Robert
Schuman 11
1040 Brussels
Belgium
Sign up for our newsletter
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram