TCF v2.2: everything publishers need to know

Published 9/1/2023 by Chitra Iyer, 13 min read

Summary

If you are an advertiser, a vendor, or a publisher in Europe, you already know that General Data Protection Regulation (GDPR) requirements, though pioneering and comprehensive, can be intimidating.

 

There are multiple points in the advertising value chain where lapses can occur. The still-evolving regulatory landscape adds to the challenge. To address these concerns and make compliance for all stakeholders as easy and streamlined as possible, the Interactive Advertising Bureau (IAB) Europe stepped up and created the Transparency and Consent Framework (TCF).

 

This year, the TCF evolved to v2.2, and all participants are expected to comply by November 20, 2023.

 

For publishers, the owners of the digital properties where data is collected, compliance with TCF v2.2 is mandatory. Whether you are already entrenched with TCF or are still exploring your next move, this comprehensive guide to TCF v2.2 has you covered! 

 

June 2024 update: In response to the CJEU's reasoning, the Transparency & Consent Framework (TCF) Steering Group approved a new iteration of the IAB TCF Framework, incorporating three new amendments. Learn more in our help center documentation.

 


All about the Transparency and Consent Framework (TCF)

 

This section will help you get up to speed on all things TCF before diving into the TCF v2.2 changes that will most impact publishers. 

 

What is the Transparency and Consent Framework (TCF)? 

The TCF is a voluntary accountability tool created by the IAB to help all digital advertising and publishing stakeholders adhere to GDPR requirements and standardize user data collection and management. 

 

With the TCF, users can make informed consent choices based on transparent information about what data is being collected, for what purpose, by whom, and how it would be used. They can also control, manage, and change their consent and preferences anytime.

 

Why is the TCF needed?

Achieving GDPR goals such as data transparency and user control requires ad industry stakeholders (publishers, vendors, and CMPs) to standardize processes and technology around data management and how they interact with users and each other. 

 

The TCF has evolved as a global cross-industry accountability tool to do just that. It puts all stakeholders of the digital advertising value chain - publishers, advertisers, and third-party vendors - on the same page when it comes to serving ads based on user consent and preferences. 

 

While the TCF is a work in progress that continues to respond to the needs of various stakeholders, including regulators and DPAs of various EU nations, it is still the world’s only true global standard to make user consent as simple, transparent, and effective as possible in the digital advertising and media ecosystem. 

 

Who does the TCF impact?

With TCF in place, websites and apps can show ads to their visitors in a way that respects their privacy and follows the law. Aside from the users (consumers and audiences) themselves, the three industry stakeholder groups that would benefit the most by participating in the TCF are:

 

Publishers: owners or operators of online content or services where personal data is collected and used by third-party companies (vendors) for digital advertising, audience measurement, or content personalization.

 

Vendors: third-party companies that do not ordinarily have direct access to publishers' end-users. They help brands and advertisers plan, execute, and measure ad campaigns. Vendors include ad servers, measurement providers, advertising agencies, DSPs, SSPs, and more.

Consent Management Platforms (CMP): software that helps publishers collect and manage user consent. CMPs are pivotal to the TCF process because they: 

 

  • Show users timely consent notices (e.g. cookie banners) to gather data
  • Capture user consent and preferences about personal data processing
  • Store the captured data in a compliant way
  • Distribute consent status to various systems and vendors to perform tasks and audits

 

An example of a typical TCF scenario


[Figure: TCF scenario]


A publisher (on whose online property ads are placed and data is collected) will work with a Consent Management Platform (CMP - a tech platform) to ensure the transparent collection of consent from users on the publisher’s site. 


TCF-registered vendors will plan, execute, and measure ad campaigns for advertisers across multiple Publisher sites in accordance with agreed compliance requirements based on consent and preference data distributed by the CMP.

 

What are the expected outcomes of TCF implementation? 

There are 5 expected outcomes:


  • Enhanced Transparency: Users have a clearer understanding of how their data is being used. Publishers and vendors are required to provide standardized, transparent information about data collection and processing activities, giving users better insights.
  • Control: Users (audience) will be empowered to make better-informed choices regarding the processing of their personal data in connection with content consumption and ad exposure.
  • Compliance: Publishers, advertisers, and ad tech vendors can accelerate their compliance efforts in connection with collecting data and the delivery of digital advertising and measurement.
  • Accountability: All parties will be more accountable thanks to the due diligence record-keeping requirements of TCF.
  • Protection: TCF ensures the interests of all stakeholders are protected. Neither are users at risk of predatory practices, nor are participants (advertisers, vendors, or publishers) at risk of an inadvertent regulatory violation.
  • Scale: Successful implementation in Europe will set the foundation for industry associations in other countries to adapt the TCF to local regulations and context and make consent management a global standard for consumer privacy protection.

 

How does the TCF work?

The TCF is held up by 4 pillars: 

 

  1. Governing policies and specifications: Policies are a set of documents that define the scope, objectives, principles, requirements, and definitions of key terms in the TCF. Specifications are legal terms and conditions governing participant obligations, rights, liabilities, payment, and dispute resolution mechanisms.
  2. Consent Management Platforms (CMP): CMPs help publishers collect and manage user consent in compliance with the TCF. They display the appropriate consent notice (opt-in banners), and collect, store, and distribute the user’s consent and preference choices as needed.
  3. Transparency and Consent (TC) String: The ‘TC string’ contains data on the specific purposes, features, and vendors a user has consented to or objected to. The CMP stores the TC string in a cookie on the user’s device, and TCF-registered vendors can access the cookie to read the TC string. Alternatively, the CMP can pass the TC string as a URL parameter to TCF-registered vendors that cannot access cookies, such as in-video players or ad servers. 
  4. The Global Vendor List (GVL): Lists all the TCF-registered vendors who have met the requirements, such as declaring their data processing purposes, features, and legal bases. Only registered vendors included in the GVL can receive the consent status from the CMP to serve, manage, and measure ads.

 

TCF timeline: the path leading up to TCF v2.2 2023

 

[Figure: TCF timeline]

 

Why was an updated version of TCF needed?

The critique of TCF v1 and the consequent decision on IAB Europe by the APD (still subject to an appeal) acted as a catalyst for TCF v2.2. This new version of the TCF better addresses stakeholder concerns.

 

Previous critiques called out three areas for improvement:

 

  • Legitimate interest as a legal basis for data processing is unjustified for certain purposes
  • Vendor information provided is insufficient or not user-friendly enough for informed consent
  • Users cannot reasonably give informed consent if the number of vendors is unreasonably high

What’s new for publishers in the TCF v2.2?

 

[Figure: TCF v2.2 checklist]


 

The TCF v2.2 addresses multiple concerns raised in previous versions. The 5 changes that most impact publishers include:

  1. Removal of ‘legitimate interest’ as a legal basis for some purposes
  2. Addition of purpose 11 to enhance user content experience
  3. More descriptive names and explanations of purposes and Features to aid user understanding
  4. Standardization of additional information about vendors to improve transparency: 
    • Mandatory disclosure about the number of vendors in the first layer of the CMP 
    • Mandatory disclosure of additional Vendor information in the second layer of the CMP
  5. Specific requirements to facilitate users’ withdrawal of consent

 

Let’s take a detailed look at these 5 publisher-specific changes.

 

1. Removal of ‘legitimate interest’ as a legal basis to use personal data for 4 specific purposes

Previously, ‘legitimate interest’ could be cited as the legal basis for collecting and using data (without the user’s explicit consent) for certain purposes related to personalization.

 

In TCF v2.2, explicit user consent is the only legal basis for collecting personal data for personalization-related purposes. These are: 

 

  • Purpose 3: create profiles for personalized advertising
  • Purpose 4: use profiles to select personalized advertising
  • Purpose 5: create profiles to personalize content
  • Purpose 6: use profiles to select personalized content

 

Vendors updating their registrations to meet TCF v2.2 requirements will no longer be able to choose ‘legitimate interest’ as the legal basis for these four purposes.

 

Note: Vendors can continue to use ‘legitimate interest’ as a legal basis for purposes other than personalizing ads and content as long as they comply with the TCF v2.2 rules and specifications.

 

These can include purposes 2, 7, 8, 9, and 10, which are:


  • Purpose 2: Select basic ads
  • Purpose 7: Measure ad performance
  • Purpose 8: Apply market research to generate audience insights
  • Purpose 9: Develop and improve products
  • Purpose 10: Ensure security, prevent fraud, and debug

 

However, to do so, publishers must:

 

  • Disclose vendors' use of legitimate interest in their consent notice
  • Allow users to exercise their right to object to legitimate interest via their CMP
  • Honor the user’s objections by not passing their data to vendors who rely on legitimate interest
  • Use Publisher restrictions to request consent for vendors who have registered with flexible/special purpose legal bases
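
The TC string described under "How does the TCF work?" carries the consent and legitimate-interest signals per purpose, so the rule above can be checked directly on a string. The following is an added example, not code from the article or from IAB Europe: it decodes the purpose bitfields of a TC string's core segment and reports any legitimate-interest signal on purposes 3 to 6. The bit offsets are those of the TCF v2 core segment (not given in the article), and the function names and the sample string are constructed for illustration.

```javascript
// Added example: read the purpose bitfields of a TC string core segment.
// Bit offsets follow the TCF v2 core-segment layout; the article does not list them.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const CONSENT_ONLY = [3, 4, 5, 6]; // purposes the article lists as consent-only in v2.2

// base64url text -> string of '0'/'1', six bits per character
function toBits(segment) {
  return [...segment].map((ch) => {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    return v.toString(2).padStart(6, "0");
  }).join("");
}

// 1-based IDs of the bits set in a fixed-width bitfield
function setIds(bits, offset, width) {
  const ids = [];
  for (let i = 0; i < width; i++) if (bits[offset + i] === "1") ids.push(i + 1);
  return ids;
}

function decodeCore(tcString) {
  const bits = toBits(tcString.split(".")[0]); // the core segment comes first
  if (bits.length < 213) throw new Error("core segment too short");
  const num = (off, len) => parseInt(bits.slice(off, off + len), 2);
  return {
    version: num(0, 6),
    cmpId: num(78, 12),
    vendorListVersion: num(120, 12),
    tcfPolicyVersion: num(132, 6),
    purposesConsent: setIds(bits, 152, 24),
    purposesLegInt: setIds(bits, 176, 24), // set bit = LI disclosed and not objected to
  };
}

// Purposes that carry a legitimate-interest signal although they are consent-only
function legIntViolations(core) {
  return core.purposesLegInt.filter((p) => CONSENT_ONLY.includes(p));
}

// Constructed sample: core fields only, no vendor sections, all values invented
function buildSample({ consent, legInt }) {
  const n = (v, len) => v.toString(2).padStart(len, "0");
  const field = (ids) =>
    Array.from({ length: 24 }, (_, i) => (ids.includes(i + 1) ? "1" : "0")).join("");
  let bits = n(2, 6) + n(0, 72) + n(999, 12) + n(1, 12) + n(0, 18) + n(1, 12) + n(4, 6)
    + "10" + n(0, 12) + field(consent) + field(legInt) + "0" + n(0, 12);
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, "0");
  return bits.match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join("");
}

const sample = buildSample({ consent: [1, 3, 4], legInt: [2, 3, 7, 10] });
const core = decodeCore(sample);
console.log(sample, core, "LI set on consent-only purposes:", legIntViolations(core));
```

A string read from a live CMP also contains vendor sections after these fields; the decoder ignores them and reads only the fixed-offset core fields.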

 

As per the TCF v2.2 glossary, a ‘purpose’ is one of the 11 defined purposes for the processing of users' personal data by participants for which vendors have declared a Legal Basis in the GVL, and for which the user is given a choice, i.e. to consent or to object by a CMP.


Get the full list of purposes, features, and corresponding legal bases here

 

2. Addition of Purpose 11

This new purpose is also called “Use limited data to select content,” and it is the ‘content’ equivalent of purpose 2, which relates to basic ads. It covers the following processing activities for publishers:

 

  • The selection and delivery of non-advertising content based on real-time data, such as information about the page content or non-precise geolocation data
  • The control of the frequency or order in which content is presented to a user

 

Note: This purpose does not cover the creation or use of profiles to select personalized content, which is covered by purpose 4.

 

Purpose 11 is intended to allow publishers and vendors to provide users with relevant and diverse content that enhances their online experience, without relying on consent or legitimate interest as legal bases. 

 

3. More user-friendly definitions and descriptions for users in the CMP user interface (UI)

CMPs will replace the current text and mandatory legal text with improved user-friendly names and descriptions of purpose and features. CMPs must also provide end-users with standard illustrations to explain real use cases on a secondary layer of the UI. 

 

The standard illustrations provided can be modified and supplemented if the changes are flagged to vendors in the consent TC string.

 

4. Standardization of additional information about vendors

The TCF v2.2 expands and standardizes information about vendors to improve transparency and informed consent for users. CMPs must make the necessary changes to accommodate this additional information at the initial and secondary layers of the CMP.

 

Mandatory disclosure about the number of vendors in the first layer of CMP

Publishers must disclose the number of third-party Vendors seeking consent or pursuing data processing purposes on the basis of their legitimate interests.

 

While the TCF does not impose a specific limit on vendors, publishers should be mindful of the number of vendors they partner with. An unreasonably high number of vendors listed will invite a warning because it prevents users from making the most informed decision.

 

This information needs to be made available at the first layer of the CMP—i.e., it should be accessible before the user can give consent.

 

Additional mandatory disclosures about vendors in the second layer of the CMP:

The CMP UI must be updated to include new Vendor disclosures at the secondary layer:

 

  • An explanation of the legitimate interests at stake: legitimate interest can be used as a legal basis for vendors to process data for certain purposes. In TCF v2.2, vendors must explain these legitimate interests so that users can make more informed choices.
  • The retention periods on a per-purpose basis: Vendors will have to disclose, at the time of TCF registration, how long (in days) they will keep data to achieve each declared purpose
  • Option to redirect users to the Vendor’s data policy documentation or details on any of the above, in multiple languages, to improve transparency for users at a granular level
  • The categories of data collected and/or already held by Vendors: TCF v2.2 standardizes the taxonomy of data categories that a vendor can collect and hold, which need to be indicated by the Vendor at the time of registration with TCF

 

5. Specific requirements to facilitate users’ withdrawal of their consent

Publishers and their CMPs need to ensure that users can easily manage their consent and preference choices and opt out of any or all permissions at any time while using the site.

 

Users should be able to resurface the CMP at any point in their journey and easily find, manage, and modify their consent and preferences across websites and mobile apps.

Additional reading: To provide transparency and insights to TCF participating organizations, and on the occasion of the TCF v2.2 compliance deadline, we put together a study of our observations on the framework's impact and its adoption so far.


 

Next TCF v2.2 steps for publishers

 

To meet the TCF v2.2 deadline, publishers should consider these immediate next steps: 

 

1. Vendor reviews

  • Review vendor list. While no maximum limit for vendors has been mandated, the TCF v2.2 policy strongly encourages publishers to implement a Vendor selection process and review/refine the subset of vendors based on the nature of their services, their business model, and their contribution to selling their ad inventories. Learn how to reduce your vendor list.
  • Check Vendor compliance with TCF v2.2 and registration on the GVL2.2 list
  • Check with Vendor-partners before using custom illustrations to ensure they are considered adequate and won’t result in vendors refusing to work with them

 

2. Review CMP capabilities

  • Review CMP UI text and pop-up workflows
  • Check how CMPs intend to build the additional disclosures about vendors on the first and secondary layers of the CMP UI
  • Check with CMPs if they will automatically compute the number of vendors to disclose for their publisher clients when they select a subset of Vendors
  • Ask CMPs to provide their users with link(s) to vendors’ privacy documentation in the language of their services (publishers may choose not to work with vendors that do not maintain privacy documentation in the language of their users)

 

3. Internal checks

  • Publishers should put in place a plan to ensure users can easily resurface the CMP (e.g. a link at the bottom of webpages, through floating icons) to withdraw consent in whole or part at any time
  • To avoid fines or penalties, check systems and processes for readiness and compliance and get legal and technical sign-off on the adequacy of all TCF v2.2 compliance measures on websites and mobile apps.

 

How Didomi can help with TCF v2.2 compliance

 

If you’re a Publisher and have either not yet implemented a Consent Management Platform (CMP), or are working with a CMP provider that is not planning to become certified, this new set of requirements is an opportunity for your business to take full advantage of the benefits of a CMP like Didomi.

 

Starting with Didomi is simple, whether it’s a first CMP implementation or you decide to migrate from a different solution. If you decide to do so, you will benefit from:

 

  • Our full compliance with Google Consent Mode as part of the Google CMP partner program
  • Multi-regulation coverage (GDPR, CPRA, Law 25, and more)
  • Complete support and onboarding from our customer-facing teams
  • An optimized user experience, including tailored consent banner personalization

 

To learn how we can help you get ready for the TCF v2.2, book a time with our team.

 

Frequently Asked Questions (FAQ)

 

What is the Transparency and Consent Framework (TCF)?

The Transparency and Consent Framework (TCF) is a voluntary accountability tool designed by IAB Europe to facilitate adherence to GDPR requirements and standardize user data collection and management in the digital advertising and publishing ecosystem. It enables users to make informed choices about data collection, usage, and preferences.

 

Who does the TCF impact, and what are the key stakeholders of the framework?

The TCF impacts publishers, vendors, and Consent Management Platforms (CMPs). Publishers own digital properties where data is collected, vendors execute ad campaigns, and CMPs facilitate consent collection. All stakeholders collaborate to provide transparent data practices and user control.


What changes does TCF v2.2 bring for publishers?

TCF v2.2 introduces several changes for publishers, such as removing 'legitimate interest' as a legal basis for specific purposes, adding Purpose 11 for content selection, improving definitions in the CMP user interface for legibility, standardizing vendor information, and including specific requirements for consent withdrawal.

 

How can Didomi help with TCF v2.2 compliance?

Didomi offers a comprehensive Consent Management Platform (CMP) that meets TCF requirements. It includes support for Google Consent Mode, multi-regulation coverage, personalized consent banners, and customer-facing support for seamless implementation and compliance.

 

What is the status of the legal proceedings between IAB Europe and the Belgian APD over the TCF?

As of 2024, the legal proceedings are still ongoing. Head to our article on the topic for a full breakdown of the situation.