TCF Standardisation Principles

Standardisation of the information that should be provided to users about Vendors

Vendors that register with the TCF provide and maintain detailed information that, as a minimum, should be disclosed to users to meet their transparency requirements under the GDPR. This includes their identity, the link to their privacy policies, the duration of the cookies they may rely on, whether they use non-cookie methods for accessing users’ devices (e.g. mobile identifiers), the data processing purposes they pursue and associated legal bases, retention periods and categories of data collected and processed.

TCF seeks to incorporate all commonly pursued purposes and categories of data processed in the online space through harmonised terminologies. Vendors should map the processing activities they already carry out and the types of data they already collect or process to these standard terminologies when they register. Once a Vendor is registered, all the information will be included in the “Global Vendor List” (GVL), a publicly available and machine-readable registry hosted by IAB Europe. The GVL serves as a central and up-to-date information repository available to Publishers and their CMPs when they select the Vendors they work with and then disclose information and provide choices to users about the third-party Vendors they selected.

This is further complemented by dedicated minimum practical requirements for user interfaces that stem from guidelines of Data Protection Authorities and jurisprudence. The practical requirements for user interfaces aim to align with the “layered approach” recommended by the EDPB and define specific requirements for the first layer of the CMP UI (the “cookie banner”) and the secondary layers of the CMP UI (the subsequent pages of the UIs).

Standardisation of how users’ choices should be captured

The TCF standard sets out an open-source binary format for CMPs to capture users’ choices in the form of a “TC String”. This common format enables CMPs to record users’ choices in an auditable, machine-readable string of 1s and 0s representing users’ privacy preferences.

Standardisation of how users’ choices should be communicated and respected

The TCF provides possible mechanisms for Publishers and their CMPs to communicate users’ choices to Vendors. For websites, for example, the TCF includes a specification for CMPs to develop their own proprietary APIs that rely on the same naming conventions (e.g. specific commands or functions that will have the same name). Similar naming conventions can be used in mobile applications. This enables Vendors to use the same code to retrieve TC Strings or parts of TC Strings across multiple websites/apps that use the TCF, rather than develop different code for each website/app.

Again, this is further complemented with minimum practical requirements for technical operations performed by Vendors to ensure users’ choices are respected, such as not setting any cookie when users have refused or withdrawn consent, or not forwarding any personal data to another Vendor that failed to establish a legal basis for its processing.
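As an added illustration of the TC String format and of the Vendor-side requirement above (not code from IAB Europe or from this page), the following check refuses device storage unless the TC String records consent for Purpose 1 and for the Vendor, and fails closed on anything it cannot parse. The bit offsets follow the published TCF v2 core-string layout, which this page does not reproduce, so treat them as assumptions; `mayUseStorage` and `buildSample` are hypothetical names and the sample strings are constructed.

```javascript
// Added example. Offsets are [startBit, length] in the core segment of a
// TCF v2 TC String (assumed from the published spec, not listed on this page).
const FIELDS = { version: [0, 6], purposesConsent: [152, 24], maxVendorId: [213, 16], isRange: [229, 1] };
const VENDOR_BITS_START = 230; // vendor consent bitfield, vendor 1 first

// Base64url core segment -> string of "0"/"1" characters.
function toBits(tcString) {
  const core = tcString.split(".")[0].replace(/-/g, "+").replace(/_/g, "/");
  return [...Buffer.from(core, "base64")].map(b => b.toString(2).padStart(8, "0")).join("");
}

function readInt(bits, [start, len]) {
  const slice = bits.slice(start, start + len);
  if (slice.length !== len) throw new RangeError("TC String truncated");
  return parseInt(slice, 2);
}

// Fail closed: a parse error, an unknown version or an unsupported
// encoding is treated as "no consent".
function mayUseStorage(tcString, vendorId) {
  try {
    const bits = toBits(tcString);
    if (readInt(bits, FIELDS.version) !== 2) return false;
    if (readInt(bits, FIELDS.isRange) === 1) return false; // range encoding not handled here
    if (vendorId < 1 || vendorId > readInt(bits, FIELDS.maxVendorId)) return false;
    const purpose1 = bits[FIELDS.purposesConsent[0]] === "1"; // Purpose 1 is the first bit
    return purpose1 && bits[VENDOR_BITS_START + vendorId - 1] === "1";
  } catch {
    return false;
  }
}

// Builds a constructed sample string with only the fields used above set.
function buildSample({ purposes, vendors, maxVendorId }) {
  const bits = Array(VENDOR_BITS_START + maxVendorId).fill("0");
  const put = (start, len, value) =>
    value.toString(2).padStart(len, "0").split("").forEach((c, i) => (bits[start + i] = c));
  put(...FIELDS.version, 2);
  put(...FIELDS.maxVendorId, maxVendorId);
  purposes.forEach(p => (bits[FIELDS.purposesConsent[0] + p - 1] = "1"));
  vendors.forEach(v => (bits[VENDOR_BITS_START + v - 1] = "1"));
  const padded = bits.join("").padEnd(Math.ceil(bits.length / 8) * 8, "0");
  const bytes = padded.match(/.{8}/g).map(b => parseInt(b, 2));
  return Buffer.from(bytes).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
```

A production integration would also handle range-encoded vendor sections and the other legal-basis fields; this sketch covers only the consent check for storing or accessing information on a device.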

