The IAB Europe Transparency and Consent Framework (TCF) was created to help companies that serve, measure and manage digital and personalised advertising content comply with certain obligations of the European General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) when processing personal data or accessing and/or storing information on a user’s device. It consists of Technical Specifications and Policies that assist all companies in the digital advertising supply chain to meet transparency and user choice requirements.
The TCF v2.0 has been developed by IAB Europe in collaboration with organisations and professionals in the digital ecosystem, including publishers, advertisers, media agencies and technology providers. Stakeholder feedback has been sought, most notably from the publisher community, to drive the capital improvements introduced in v2.0. TCF v2.0 provides enhanced functionalities and flexibility, allowing it to adapt to stakeholders’ legal requirements, user experience considerations and business interests.
Following on from part 1, the second part of this blog series seeks to dispel some of the myths around what the TCF Policies and Technical Specifications actually require...
Myth: TCF Policies and Technical Specifications require re-consent every time there is a change to the Global Vendor List (GVL)
Not true. Whenever the user interface is surfaced to the user, for example for first-time interactions and updating choices, the TCF v2.0 Policies require that the latest version of the GVL is used. The TCF v2.0 Policies do not mandate that users must review and update their choices every time the GVL is updated. However, users’ transparency and consent strings (TC Strings) should not be updated without re-surfacing the user interface. It is entirely at the discretion of the CMP and/or publisher to determine whether changes in the GVL, compared to a previous version used to set user choices, warrant re-surfacing the user interface. The Policies only require that users be reminded of their right to withdraw consent and/or the right to object to processing at least every 13 months.
Myth: Publishers cannot establish a legal basis for a limited set of vendors and/or purposes
Not true. TCF v2.0 gives greater control and flexibility to publishers by introducing “publisher restrictions” that communicate publisher choices in the Framework. This functionality allows them to determine the legal bases and purposes for which personal data is processed by vendors on their properties on a per-vendor basis. For example, publishers can, in line with their own business and legal considerations, specify custom requirements, such as allowing only consent to be used as a legal basis on their properties or choosing to “whitelist” a limited set of vendors for a given purpose.
Myth: Publishers cannot establish legal bases for their own purposes
Not true. TCF v2.0 Policies allow a publisher to manage or store, or instruct its CMP to do so, its own legal bases for a set of personal data processing purposes, including for purposes that are not supported by the Framework. The “Publisher TC segment” in the transparency and consent string (TC String) represents publisher purposes transparency and consent signals that can be used by the publisher and/or to ensure smooth transmission of the publisher’s legal bases to its data processors.
Myth: Participants cannot work with third parties not registered in the Framework
Not true. Publishers can, or can instruct their CMP to, provide transparency and request consent for purposes and/or third parties that are not covered by the Framework. TCF v2.0 Policies do, however, require that users can clearly distinguish in the UI between vendors registered with the Framework and purposes defined by the Framework, and those that are not.
We hope we’ve managed to dispel any myths you may have had! For further (fact-based) information on TCF v2.0 Policies, Technical Specifications, Implementation Guidelines, FAQs and more, please visit https://stg-iabeurope-iabeuropeold.kinsta.cloud/tcf-2-0/
Filip Sedefov, Director, Legal at IAB Europe (email@example.com)
Ninon Vagner, Privacy & Compliance Manager at IAB Europe (firstname.lastname@example.org).