Understanding the Transparency & Consent Framework v2.2 

  Dated: 05 October 2023 Important note: The Implementation deadline of TCF v2. has been moved from September 30th 2023 to […]
Bookmark This Page (0)
Please login to bookmarkClose

 

Dated: 05 October 2023

Important note: The Implementation deadline of TCF v2. has been moved from September 30th 2023 to November 20th 2023. More information here.

In order to respond to the changes and needs of the market, while continuing to help players in the online ecosystem comply with certain requirements of the ePrivacy Directive and the General Data Protection Regulation (“GDPR”), the Transparency and Consent Framework (“TCF”, “Framework”) needs to be updated on a regular basis. In particular, constant evolutions in case law as well as in guidelines of Data Protection Authorities (DPAs) place ever higher demands on market participants in terms of data protection requirements. The TCF instances have therefore drawn inspiration from them to bring new iterations to the Framework. In addition, some changes are related to the Action Plan submitted to and validated by the Belgian Data Protection Authority (more information here).

IAB Europe, in partnership with IAB Tech Lab, is committed to continuous improvement and development of the Framework through industry collaboration to meet the needs of users and regulators. The iterations brought by the TCF v2.2 aim to bring further standardisation of the information and choices that should be provided to users over the processing of their personal data, and to how these choices should be captured, communicated and respected.

TCF v2.2 will be launched mid-May and TCF participants will have until the end of Q3 2023 to make the necessary changes to their respective implementations. All iterations have been developed to avoid breaking changes to the existing v2.1 Technical Specifications and facilitate their adoption in a timely manner by CMPs and Vendors.

To help the market anticipate these upcoming changes, this article provides an overview of the different amendments to the TCF Policies and Technical Specifications. In the run up to the launch of TCF v2.2, IAB Europe is hosting a series of webinars to offer full support and guidance to CMPs, Vendors and Publishers. Recording of previous webinars can be found at the end of this blogpost.  

 

1) Removal of the Legitimate Interest Legal Basis for Advertising & Content Personalisation 

The current version of the TCF Policies allows the use of legitimate interest or consent to carry out data processing operations for Purposes 3 (Create a personalised ads profile), 4 (Select personalised ads), 5 (Create a personalised content profile) and 6 (Select personalised content). The TCF Policies will be amended to remove “legitimate interest” as an acceptable legal basis for these Purposes. As a consequence, within the scope of the TCF, Vendors will only be able to select consent as an acceptable legal basis for these Purposes at registration level. 

 

2) Improvements to the Information Currently Provided to Users in CMP UIs

  • New user-facing standard texts

The Purpose names and descriptions will change. CMPs will be required to present improved user-friendly descriptions, replacing the current user-friendly text as well as the (currently) mandatory legal text. CMPs will also be required to make available illustrations based on real-use cases, which aim to explain to users how TCF Participants’ data processing operations relate to the Purposes.

  • Introduction of new Features of processing to further explain possible means of processing 

In order to improve transparency over the means of processing used by Vendors in support of the TCF purposes, Vendors will be able to declare additional features at registration level. 

3) Standardisation of the Additional Information About Vendors Provided to Users in the Secondary Layers of CMP UIs

To provide greater transparency, Vendors will now be required to provide additional information about their data processing operation at registration level - so that this information can in turn be disclosed by CMP to end-users in secondary layers UIs.

  • Standardisation of the categories of data collected and processed by Vendors 

The new TCF Policies will include a standard taxonomy of categories of data, from which a Vendor can select from at registration level. The Policies will include a new UI requirement for CMPs to disclose for each Vendor the categories of data collected and processed.  

  • Standardisation of Vendors’ data retention periods 

Vendors will be able to declare, at the time of registration, how long (in days) they keep data for each declared purpose. Accordingly, the new TCF Policies will include a new UI requirement for CMPs to disclose for each Vendor how long they keep data to achieve each declared purpose.

  • Legitimate interests at stake

Vendors will be required to declare what their legitimate interests at stake are, by providing at the registration level a dedicated URL where with this information can be found (e.g. a bookmark of their existing privacy policy). The amendment to the Policies will require CMPs to make this information available to users through the secondary layers of their UI. 

  • Possibility to direct users to Vendors’ privacy documentation in multiple languages

Vendors will be able to declare during registration differentiated URLs to their privacy policy or legitimate interest statement for each TCF-supported language, where available. Publishers and their CMPs will have the option as a result to direct users to Vendors’ privacy documentation in the relevant language to improve transparency for users. 

4) Greater Transparency for Users About the Number of Vendors

CMPs will be required to disclose on the first layer of the CMP UI the number of third-party Vendors that are seeking consent or pursue data processing purposes on the basis of their legitimate interests. The TCF Policies do not impose any specific maximum number of Vendors, but Publishers are strongly encouraged to ensure that they only work with Vendors that are (most) relevant to them. The TCF Policies will include a warning that an unjustifiably large number of Vendors may impact users’ ability to make informed choices and increase Publisher and Vendor legal risk. 

To assist Publishers in the process of selecting the Vendors for which they establish transparency & consent, an additional Vendor Information List has been published (“B2B GVL”). It contains information that can make it easier for a Publisher to determine which Vendors are relevant for it. Information contained in the B2B GVL can be used by Publishers to, for example, avoid requesting user’s consent for Vendors that operate in technical environments and jurisdictions that are not relevant to their online services, as well as generally better understand each TCF Vendor’s scope of operations and whether it transfers data outside of the EEA. 

5) More Specific Requirements to Facilitate Users’ Withdrawal of their Consent

Publishers and their CMPs will be required to ensure that users can re-access the CMP UI easily to manage their choices (e.g. from a floating icon or a footer link available on each webpage, or from the top-level setting of the app).

If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and vendors in one click (such as “Consent to all”), an equivalent call to action should be provided when users re-access the CMP UI to withdraw consent to all purposes and vendors in one click (such as “Withdraw consent to all”). 

Additionally, the TCF Technical Specifications will mandate Vendors (rather than only recommending) to use event listeners to ensure that any changes to TC Strings are proactively communicated to them and other Vendors. In the web environment, Vendors with access to Javascript will be required to register an event listener function (addEventListener) instead of using the getTCData command of the TCF API. In the app environment, Vendors must listen to IABTCF_* key updates to retrieve TC Strings from NSUserDefaults (iOS) or SharedPreferences (Android). 

6) Enhanced TCF Compliance Programmes

Since 2019, IAB Europe has developed Compliance Programmes to verify compliance of TCF Participants with the Policies and Technical Specifications. These programmes will be expanded, with new auditing mechanisms and differentiated enforcement procedures. 

All auditing mechanisms and verifications susceptible to be performed in the context of the TCF Compliance Programme will be described and published in a public Control Catalogue, to help TCF participants in assessing and reviewing the compliance of their TCF implementations. In addition to the Control Catalogue, IAB Europe will release a new version of the CMP Validator Chrome Extension that will be publicly available.

IAB Europe will increase the volume of proactive auditing of CMPs and Vendors that will be randomly selected each month, and will also act upon reports of non-compliance from the market or from end-users by making available a dedicated form to submit a complaint.

Vendors and CMPs will be subject to differentiated procedure according to the nature of the non-compliance. In particular, any tampering with or falsification of TC String will result in immediate suspension from the Framework for a minimum of four weeks, and will be notified publicly. 

7) Reminder: Revocation of the consensu.org Subdomains 

Support for Global-scope was deprecated in June 2021 due to negligible use by Publishers (less than 0,5%) and compliance considerations. The deprecation required CMPs to delete all existing euconsent-v2 cookies associated with the consensu.org domain. IAB Europe will now remove all consensu.org subdomain delegations to CMPs’ nameservers (which had previously been provided upon registration). As a result, CMPs will no longer be able to host their scripts on their consensu.org subdomain, and this in turn technically prevents them from setting and accessing cookies on the consensu.org domain.

CMPs currently hosting their scripts on their consensu.org subdomains will need to host them on a different domain. Their Publisher clients will need to redeploy a new script on their digital properties before July 10th (see notification here). 

How Should TCF Participants Prepare ?

  • Vendors will be required to review and update their TCF registration, by providing additional information about their data processing operations covered by their implementation of the Framework. Moreover, they will be required to verify that they have properly implemented the use of the event listeners to retrieve users’ choices in real-time, where applicable. 
  • CMPs will need to read a new version of the Global Vendor List that contains additional information about Vendors, in order to build improved CMP UIs. They will be required to ensure that all the new disclosures are implemented in their live installations. CMPs should also make sure that users can easily withdraw consent when they resurface the CMP UI. 
  • Publishers are strongly encouraged to review the subset of Vendors for which they establish transparency and consent, notably by using the information provided in the B2B GVL. They also need to ensure that the CMP deployed on their properties can be easily resurfaced by users (e.g. at the bottom of webpages, through floating icons). 

 

Changes to the TCF Technical Specifications

The changes to the TCF technical specifications are open for public comment until May 12th, 2023 and can be found here. Comments may be submitted via email to transparencyframework@iabtechlab.com. The technical changes included in TCF v2.2 are also outlined in IAB Tech Lab's blog post here.

Support Workshops for TCF Participants

Hosted in 1 hour-long webinar formats, TCF experts went through everything that is needed to fully implement TCF v2.2. All webinars featured Q&A sessions and have been recorded.

 

[Video Recordings]

Session 1: Overview of the main differences between the TCF policies 3.5 & 4.0

An overview of the main differences in policies between v2.1 & v2.2. This session is for all TCF stakeholders. Watch the recording here. 

 

Session 2: Overview of the changes to the TCF technical specifications between v2.1 & v2.2

An overview of the changes to the TCF technical specifications between v2.1 & v2.2. This session is to help CMPs and Vendors navigate the different technical resources. Watch the recording here. 

 

Vendors

Webinar recording to give an overview of the changes for Vendors implementing the TCF can be watched here and the presentation deck can be downloaded here

 

CMPs

Webinar recording to give an overview of the changes for CMPs implementing the TCF can be watched here and the presentation deck can be downloaded here

 

Publishers

Webinar recording to give an overview of the changes for Publishers implementing the TCF can be watched here and the presentation deck can be downloaded here.

 

 


Twitter Facebook Email Linkedin

Assine a nossa newsletter

"*" indicates required fields

Nome*
Privacy*
This field is for validation purposes and should be left unchanged.
phone linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram