Dated: 24 June 2023
Important Note: The Implementation deadline of TCF v2.have been moved from September 30th 2023 to November 20th 2023. More information here
In order to respond to the changes and needs of the market, while continuing to help players in the online ecosystem comply with certain requirements of the ePrivacy Directive and the General Data Protection Regulation (“GDPR”), the Transparency and Consent Framework (“TCF”, “Framework”) needs to be updated on a regular basis. In particular, constant evolutions in case law as well as in guidelines of Data Protection Authorities (DPAs) place ever higher demands on market participants in terms of data protection requirements. The TCF instances have therefore drawn inspiration from them to bring new iterations to the Framework. In addition, some changes are related to the Action Plan submitted to and validated by the Belgian Data Protection Authority (more information here).
IAB Europe, in partnership with IAB Tech Lab, is committed to continuous improvement and development of the Framework through industry collaboration to meet the needs of users and regulators. The iterations brought by the TCF v2.2 aim to bring further standardisation of the information and choices that should be provided to users over the processing of their personal data, and to how these choices should be captured, communicated and respected.
TCF v2.2 will be launched mid-May and TCF participants will have until the end of Q3 2023 to make the necessary changes to their respective implementations. All iterations have been developed to avoid breaking changes to the existing v2.1 Technical Specifications and facilitate their adoption in a timely manner by CMPs and Vendors.
To help the market anticipate these upcoming changes, this article provides an overview of the different amendments to the TCF Policies and Technical Specifications. In the run up to the launch of TCF v2.2, IAB Europe is hosting a series of webinars to offer full support and guidance to CMPs, Vendors and Publishers. Recording of previous webinars can be found at the end of this blogpost.
1) Removal of the Legitimate Interest Legal Basis for Advertising & Content Personalisation
The current version of the TCF Policies allows the use of legitimate interest or consent to carry out data processing operations for Purposes 3 (Create a personalised ads profile), 4 (Select personalised ads), 5 (Create a personalised content profile) and 6 (Select personalised content). The TCF Policies will be amended to remove “legitimate interest” as an acceptable legal basis for these Purposes. As a consequence, within the scope of the TCF, Vendors will only be able to select consent as an acceptable legal basis for these Purposes at registration level.
2) Improvements to the Information Currently Provided to Users in CMP UIs
The Purpose names and descriptions will change. CMPs will be required to present improved user-friendly descriptions, replacing the current user-friendly text as well as the (currently) mandatory legal text. CMPs will also be required to make available illustrations based on real-use cases, which aim to explain to users how TCF Participants’ data processing operations relate to the Purposes.
In order to improve transparency over the means of processing used by Vendors in support of the TCF purposes, Vendors will be able to declare additional features at registration level.
3) Standardisation of the Additional Information About Vendors Provided to Users in the Secondary Layers of CMP UIs
To provide greater transparency, Vendors will now be required to provide additional information about their data processing operation at registration level - so that this information can in turn be disclosed by CMP to end-users in secondary layers UIs.
The new TCF Policies will include a standard taxonomy of categories of data, from which a Vendor can select from at registration level. The Policies will include a new UI requirement for CMPs to disclose for each Vendor the categories of data collected and processed.
Vendors will be able to declare, at the time of registration, how long (in days) they keep data for each declared purpose. Accordingly, the new TCF Policies will include a new UI requirement for CMPs to disclose for each Vendor how long they keep data to achieve each declared purpose.
4) Greater Transparency for Users About the Number of Vendors
CMPs will be required to disclose on the first layer of the CMP UI the number of third-party Vendors that are seeking consent or pursue data processing purposes on the basis of their legitimate interests. The TCF Policies do not impose any specific maximum number of Vendors, but Publishers are strongly encouraged to ensure that they only work with Vendors that are (most) relevant to them. The TCF Policies will include a warning that an unjustifiably large number of Vendors may impact users’ ability to make informed choices and increase Publisher and Vendor legal risk.
To assist Publishers in the process of selecting the Vendors for which they establish transparency & consent, an additional Vendor Information List has been published (“B2B GVL”). It contains information that can make it easier for a Publisher to determine which Vendors are relevant for it. Information contained in the B2B GVL can be used by Publishers to, for example, avoid requesting user’s consent for Vendors that operate in technical environments and jurisdictions that are not relevant to their online services, as well as generally better understand each TCF Vendor’s scope of operations and whether it transfers data outside of the EEA.
5) More Specific Requirements to Facilitate Users’ Withdrawal of their Consent
Publishers and their CMPs will be required to ensure that users can re-access the CMP UI easily to manage their choices (e.g. from a floating icon or a footer link available on each webpage, or from the top-level setting of the app).
If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and vendors in one click (such as “Consent to all”), an equivalent call to action should be provided when users re-access the CMP UI to withdraw consent to all purposes and vendors in one click (such as “Withdraw consent to all”).
6) Enhanced TCF Compliance Programmes
Since 2019, IAB Europe has developed Compliance Programmes to verify compliance of TCF Participants with the Policies and Technical Specifications. These programmes will be expanded, with new auditing mechanisms and differentiated enforcement procedures.
All auditing mechanisms and verifications susceptible to be performed in the context of the TCF Compliance Programme will be described and published in a public Control Catalogue, to help TCF participants in assessing and reviewing the compliance of their TCF implementations. In addition to the Control Catalogue, IAB Europe will release a new version of the CMP Validator Chrome Extension that will be publicly available.
IAB Europe will increase the volume of proactive auditing of CMPs and Vendors that will be randomly selected each month, and will also act upon reports of non-compliance from the market or from end-users by making available a dedicated form to submit a complaint.
Vendors and CMPs will be subject to differentiated procedure according to the nature of the non-compliance. In particular, any tampering with or falsification of TC String will result in immediate suspension from the Framework for a minimum of four weeks, and will be notified publicly.
7) Reminder: Revocation of the consensu.org Subdomains
Support for Global-scope was deprecated in June 2021 due to negligible use by Publishers (less than 0,5%) and compliance considerations. The deprecation required CMPs to delete all existing euconsent-v2 cookies associated with the consensu.org domain. IAB Europe will now remove all consensu.org subdomain delegations to CMPs’ nameservers (which had previously been provided upon registration). As a result, CMPs will no longer be able to host their scripts on their consensu.org subdomain, and this in turn technically prevents them from setting and accessing cookies on the consensu.org domain.
CMPs currently hosting their scripts on their consensu.org subdomains will need to host them on a different domain. Their Publisher clients will need to redeploy a new script on their digital properties before July 10th (see notification here).
How Should TCF Participants Prepare ?
Changes to the TCF Technical Specifications
The changes to the TCF technical specifications are open for public comment until May 12th, 2023 and can be found here. Comments may be submitted via email to firstname.lastname@example.org. The technical changes included in TCF v2.2 are also outlined in IAB Tech Lab's blog post here.
Support Workshops for TCF Participants
Hosted in 1 hour-long webinar formats, TCF experts went through everything that is needed to fully implement TCF v2.2. All webinars featured Q&A sessions and have been recorded.
Session 1: Overview of the main differences between the TCF policies 3.5 & 4.0
An overview of the main differences in policies between v2.1 & v2.2. This session is for all TCF stakeholders. Watch the recording here.
Session 2: Overview of the changes to the TCF technical specifications between v2.1 & v2.2
An overview of the changes to the TCF technical specifications between v2.1 & v2.2. This session is to help CMPs and Vendors navigate the different technical resources. Watch the recording here.