Are you a vendor and want to know how to implement the TCF? Check Out Our Latest Blog Post Below!
The TCF consists of Policies and Technical Specifications that assist all companies in the digital advertising supply chain to meet transparency and user choice requirements related to data processing. It has been designed to standardise the collection and transmission of user choice and transparency so that the digital advertising supply chain can align with GDPR requirements.
In this blog post, IAB Europe’s Privacy and Compliance Manager, Ninon Vagner, explains how vendors can successfully register and implement the TCF.
Where do I start? You should register here for the TCF and attest compliance with the TCF Policies for the data processing purposes, legal basis and features for which you are acting as a data controller under the GDPR.
What purposes and features should I select? Deciding which purposes and features you will need to register for is dependent on your business and how your business intends to use the data collected on your digital property. Connect with your Data Protection Officer (DPO) and/or policy/legal team to determine the data purposes and match these to the data processing purposes covered in the vendor guidance in Appendix A of the TCF v2.0 Policies.
How do I establish a legal basis with users using the TCF ? The Global Vendor List (GVL) centralises participating vendors in one location, complete with an identification number and information about their purposes, features and legal basis. Consent Management Providers (CMPs) provide user interfaces on digital properties that disclose to users the vendors’ purposes, features and legal basis from the information stored in the GVL. Users interact with CMPs to set their choice of purpose and choice of vendor. These choices are saved in theTransparency & Consent String (TC String), which is then accessible to vendors registered in the TCF.
How do I receive users’ choices ?
Every Consent Management Platform (CMP) installed by a publisher provides a standard API which allows you to access all the user’s choices. For more information, see the CMP API spec here.
If you do not directly interact with the publisher and its CMP you can receive TC strings from other vendors you interact with. In this instance you need to support “parsing” of the TC String - a v2.0 TC string encoder/decoder can be found here.
For openRTB, the OpenRTB GDPR Advisory should be used to pass the TC String. For any non-standard integration, you should clarify with the vendors you work with on how the TC String is passed. Have a look at the TCF v2.0 Implementation Guidelines for more information.
How should I read TCF Signals ? To verify if you have consent or legitimate interest for a purpose, you should check :
Verify if your vendor ID has been restricted for the given purpose : a publisher can restrict vendors for a given purpose, and/or apply consent or legitimate interest overrides. If you have registered that purpose with a flexible legal basis then you can not use the default legal basis if a publisher restriction has been applied.
A signal set to 1 indicates a positive signal. For purpose 1, you should also verify PurposeOneTreatment and the PublisherCC in the core string to check whether the purpose 1 wasn’t disclosed to users when the legal jurisdiction the publisher is under does not require it.
A signal set to 1 indicates a positive signal.
Have a look at the TCF v2.0 Transparency & Consent String with Global Vendor & CMP List Formats for more information.
Should I update my technologies ? The TCF v2.0 Policies requires you to update your software for use by publisher and vendor partners, such as scripts and tags that result in personal data processing or the storing and/or accessing of information on user devices. You are required to verify the signals communicated by the TC Strings prior to storing and/or accessing information on users' devices or processing personal data
What should I do prior to passing personal data to other vendors ? The TCF v2.0 Policies requires that you verify - by reading the TC String - that the receiving vendor has a legal basis for the processing of the personal data. If you receive personal data without a legal basis for the processing of that data, you must cease processing the personal data and must not transmit the personal data to any other parties, even if those parties have a legal basis.
How can I ensure successful implementation of TCF ? You should communicate to publishers and vendors you work with your purposes, legal bases and features. Indicate the purposes you registered with a flexible legal basis, and explain your legal basis requirements for each of your products or services. It will enable publishers you work with to adapt the CMP they use accordingly, and vendors you work with to ensure proper interoperability.
What support and guidance materials are available? To support vendors implementing TCF v2.0, we have prepared marketing materials and collaterals to provide a clear overview of the framework, its mechanism, and what it entails for all stakeholders involved. From videos to handy guides, you will find everything you need below to get more familiar with TCF v2.0 and its latest updates. You can access all materials here.
Top materials we recommend:
Next Steps.. Visit https://stg-iabeurope-iabeuropeold.kinsta.cloud/join-the-tcf/ and register to join hundreds of vendors who are already a part of TCF v2.0. The widespread adoption of TCF v2.0 includes many of the largest Vendors and CMPs in programmatic advertising, including Google, Adobe, Axel Springer, Criteo, GroupM, Integral Ad Science, Mediamath, Oracle, OneTrust, The Ozone Project, The Rubicon Project, The Trade Desk, Quantcast, and Xandr, amongst many others. The full list of companies currently registered for TCF v2.0 can be found here.