Articles
Privacy 101
TCF v2.2 and consent banners: how many vendors should you declare?
Privacy 101
new

TCF v2.2 and consent banners: how many vendors should you declare?

Published  

11/20/2023

by 

Frank Ducret

6
min read

Published  

November 20, 2023

by 

Frank Ducret

10 min read
Summary

With the recent changes to the Transparency and Consent Framework (TCF) and its latest 2.2 iteration, conversations surrounding the ideal number of vendors organizations should declare are once again taking the front stage.

 

How many vendors should you declare in your CMP? Should it equal the number of active vendors? Why declare active vendors on your website? Why does it even matter in the first place?

 

This article provides context and introduces how organizations can address these questions.

Additional reading: To provide transparency and insights to TCF participating organizations, and on the occasion of the TCF v2.2 compliance deadline, we put together a study of our observations on the framework's impact and its adoption so far.



To download the study, click on the image (no e-mail or form required):

Image showing Didomi's whitepaper on TCF v2.2, with the word “Whitepaper" and the title "TCF v2.2: what we've learned so far" along with a "Download" button.

Why does managing your vendor list matter?

We’ve covered how to reduce your vendor list in the past, but it’s important to remember why managing your vendor list matters in the first place. 

 

Ultimately, it comes down to three main reasons:

 

  • Complying with global regulations and industry standards 
  • Optimizing monetization best practices
  • Providing the best possible experience to users
  • Improving your SEO performance

 

Today, over 150 territories have enacted comprehensive data protection laws, from Europe to Japan, India, Brazil, South Korea, and the patchwork of laws in the United States.

 

Many of these regulations require organizations to transparently inform their users about the processing applied to their personal data, including which third parties may process it following their consent.

 

In the EU, IAB Europe’s Transparency and Consent Framework (TCF) v2.2, the leading AdTech framework, now requires organizations to display the number of these vendors in the first layer of the consent banner (more on that below).

 

In addition to compliance concerns, managing the vendor list is important to improve monetization and operative practices and determine whether vendors provide real value to an organization. Further down in the article, we introduce our proposed active vendors vs declared vendors ratio to help publishers optimize their vendor practices.

 

Finally, the last and most often overlooked reason for managing vendors is user experience and how you can relate it to privacy.

 

Consumers are increasingly skeptical about data collection practices; only a third of online users feel their data is being used responsibly

TCF v2.2: changes to the framework and their impact on your organization

Earlier this year, IAB Europe introduced the latest version of its Transparency and Consent Framework (TCF), which all participants are expected to comply with by November 20, 2023.

 

The update to the framework introduces new measures to increase transparency and promote Privacy UX best practices among participating organizations, exemplified by three main changes:

 

  • Simplification of user-facing texts, making consent banners easier to understand
  • Restriction of legitimate interest for several purposes
  • Display of the number of vendors on the first layer of the CMP

 

Essentially, on the first layer of the consent banner, users should now have access to clear, easy-to-digest text about data collection, including the number of vendors to whom they grant rights to process personal data. This represents a massive change in favor of transparency, displaying critical information front-and-center, whereas it was previously often buried under much legal information. 

 

mockup of a consent banner with a zoomed in circle on the section of the text mentioning "100 partners" in bright colors

 

Additionally, in the second layer of the CMP, organizations now are required to: 

 

  • Share legitimate interest for each vendor where applicable 
  • Communicate on the categories of data collected by vendors
  • Provide data retention period in the vendor description 
  • Direct users towards vendors’ privacy policies in their language of choice 

 

To read more about the Transparency and Consent Framework and its latest changes, head to our dedicated guide:

 

{{learn-everything-you-need-to-know-about-the-tcf-v22}}

How many vendors should you declare? Introducing the privacy balance ratio 

Now that we’ve established why the vendor list matters and gone over the changes of the TCF v2.2, particularly regarding the first layer of the CMP, the natural follow-up question is: what is the ideal number of vendors you should declare on your consent banner?

 

Unfortunately, there is no one-size-fits-all answer or magic number of vendors.  

 

Depending on the nature of your organization, digital ecosystem, reliance on advertising channels, and business model, the number of vendors you need to run your business will vary a lot.

 

However, we truly believe that increased transparency will have a number of positive benefits, ranging from a better understanding of the vendors you’re dealing with and their behavior (trackers, third-party, etc) and their contribution to your business.

 

To figure out the perfect number, we introduce the notion of a vendor Balance Ratio (BR) based on the number of declared vendors (displayed in the consent banner) against the number of active vendors.

 

Image of a calculation, explaining that the Vendors Balance Ratio or "BR" is equal to the number of declared vendors divided by the number of active vendors

 

In a perfect world, the ratio should be equal to 1. In practice, it often varies depending on your configuration, with implications on your business model, risks, and benefits

Vendors Balance Ratio > 2

The number of declared vendors is at least twice that of active vendors over a given period.

 

  • Business model: Organizations that derive a critical part of their revenue from audience monetization, specifically with an open set-up such as header bidding.
  • Risks and benefits: This setup presents a high risk of value control loss. It can result in data leakage at scale, high levels of piggybacking, and latency. The ratio reflects a lack of control over the organization's value chain, putting it at high compliance risk. 

Vendors Balance Ratio > 1.5 < 2

The number of declared vendors exceeds the number of active ones over a given period by a coefficient of between 1.5 and 2.

 

  • Business model: Organizations that generate significant revenue from exploiting personal data (advertising, data trading, etc.).
  • Risks and benefits: The risk is relatively low while providing real control over the organization’s digital ecosystem. Specifically, it allows organizations to address seasonal peaks without re-collecting consent from users.

Vendors Balance Ratio < 1

The number of declared vendors is less than the number of active vendors over a given period. 

 

  • Business model: Not a typical business model, and most likely an anomaly to be corrected. The ratio demonstrates either acute (possibly overzealous) privacy practices or a misunderstanding when dealing with vendors on the organization’s part.
  • Risks and benefits: There is no particular risk limitation, given that tracers might be dropped in monetization environments and queries carried out regardless. This translates to a clear loss of monetization, with the loading of requests resulting in a latency in page loading that won’t be compensated for by revenue.

 How Didomi can help with managing your vendor ecosystem

Mockup of a computer running Didomi's Advanced Compliance Monitoring module, highlighting the trust index which runs from Very low to Very high, with inbetween the various levels low, medium, and high.

 

In conclusion, the number of vendors an organization should declare highly depends on its business model, objectives, and the tradeoff it’s willing to make between monetization, compliance, and Privacy UX best practices.

 

The vendor's Balance Ratio is one of the indicators we’re proposing to help organizations build world-class privacy governance practices. Various filters can be applied, ranging from the vendor's country and its categories to other potential risk factors.

 

Didomi’s Advanced Compliance Monitoring (ACM) is the most advanced scanning solution of its kind in the industry, helping organizations stay on top of vendor and tracker activity. It is composed of three main elements with distinct purposes, serving the same compliance goal:

 

  • Compliance scenarios, supporting legal and privacy teams in performing compliance audits by automatically identifying trackers dropped without consent and despite refusal, and issuing a Compliance Report to take corrective measures.
  • Custom frequency, helping Product Owners and DPOs by providing daily frequency to monitor closely and frequently the compliance breaches and impacts of corrective actions.
  • CMP Vendor Sync, assisting project managers in keeping their vendor list up to date by automatically identifying and configuring new active vendors, adding them to the CMP, and republishing the consent banner.

 

To learn more about Advanced Compliance Monitoring and how it could help with your vendor challenges or to discuss your compliance challenges in general, get in touch with our team:

 

{{talk-to-an-expert}}