The GDPR turned the ad tech industry upside down. It placed a lot of responsibilities on the shoulders of publishers as well as other ad tech companies. For instance, it requires publishers to ask users for consent to track them, and that consent has to be respected. Even before asking for consent, the publisher has to provide a lot of information to the user (who is collecting the data, why it is being collected, etc.). The data provided by the user has to be secured, and countless other similar requirements have to be fulfilled to comply with the GDPR.
The theory of the law was just one aspect; the real problem was the practical implementation of technology to fulfill the requirements. So the inception of the Transparency and Consent Framework took place with the release of the GDPR itself. The IAB Tech Lab launched the framework to help publishers and the ad tech industry comply with the newly launched laws. It provided a GDPR-compliant standard mechanism for requesting, storing, and sharing user consent in the ad tech supply chain.
Table of Contents:
- What is TCF?
- How does TCF Work?
- How did the TCF help publishers?
- Why TCF 2.0?
- What’s new with TCF 2.0?
- TCF 2.0 and Google’s requirements
- What do publishers need to do about TCF 2.0?
- What’s Next?
What is TCF?
The Transparency and Consent Framework is an initiative taken by the Interactive Advertising Bureau to standardize the process of gaining user consent for the collection and use of personal data. The IAB has collaborated with the publishers, advertisers, and other parties in the ad tech industry for the initiative.
With the help of TCF, the publishers can inform their visitors about what kind of user data is being collected, which are the parties that are accessing the data, and how the publisher and the partners would be using it. It gives a common language to all the parties in the ad tech ecosystem so that everyone can understand the state of the visitor’s consent and deliver relevant ads and content accordingly.
The main components of the framework are:
- TCF Policy: The policies that apply to publishers, advertisers, vendors, CMPs, and all the other participants involved with the framework. The participants have to abide by the policies to maintain their membership in the initiative. You can find the TCF policy document here.
- TCF Terms & Conditions: All the important terms and conditions like the requirements for registration, the process of registration, your obligations, membership payment terms, your rights and liabilities in the framework, etc. You can access this document here.
- Transparency and Consent String with Global Vendor List Format: Information in the form of 0’s and 1’s to convey the consent of the user to the parties involved in data collection. Read our dedicated blog on the Consent String here.
- The Consent Management Platform API: The API that’ll be used to identify consent status.
The framework is open-source and non-commercial, and hence all the technical specifications for its implementation can be found on GitHub.
Participants in TCF
There are three types of players involved in the TCF: Vendors, Publishers, and CMPs.
Vendors: It includes all the third parties working with the publisher to deliver content to the user, where that work involves either the collection of personal data or access to the user’s device for setting cookies.
Publishers: It includes all the publishers in the TCF that monetize their content with third-party advertisers.
CMPs: It includes the consent management platforms that can read or set the status of the user’s consent for the vendors working with the publishers.
How Does TCF Work?
The IAB maintains a list of vendors that have signed in and been approved to work with the Transparency and Consent Framework. This list is called the Global Vendor List. Publishers can choose vendors only from this list to work under TCF. Here’s what the process looks like:
- The publisher selects its partner vendors from the Global Vendor List with the help of a CMP.
- The user arrives on the publisher’s site.
- The user is asked to choose the vendors with whom the publisher can share the user data.
- After the user has chosen the vendors, the publisher can share the user’s data with them.
Please remember that only the vendors from the Global Vendor List would be able to receive the user’s preferences in TCF format. It won’t be possible for your CMP to send TCF standard signals to non-IAB vendors.
The user’s consent is passed through a binary consent string that includes the purposes as well as the vendors that the user has consented to share the data with. The information in the binary form is compressed before it is sent with bid requests and ad requests to the vendors.
How TCF Helps Publishers?
For publishers, TCF provided a lot of help in complying with the GDPR as well as other privacy laws. It provided clarity on how the system should work so that relevant ads can be served while respecting the user’s privacy. The publishers also became more transparent to their audience. They had more control over how the data from their audience will be used. Even the audience of the publisher was able to control the use of its data.
But when the first version of the Transparency and Consent Framework was launched, it was not only frowned upon by the Information Commissioner’s Office (ICO); the publishers disliked it too. The ICO believed that the industry’s implementations for GDPR were not good enough, whereas publishers complained that the framework was biased towards ad tech vendors. So what’s the solution? A revamped TCF Version 2.0!
Why TCF 2.0?
As we mentioned above, the solutions provided by the initial version of TCF were not satisfactory for the ICO and publishers. Here are some of the issues raised by the ICO:
- Special Category Data
- Non-Special Category Data
- Data Supply Chain
- Data Protection Impact Assessments
– Special Category Data: The special category data was being processed either directly or by inference in the bidding process. The special category data involves sensitive information such as the user’s racial or ethnic origin. Processing such data is prohibited unless explicit consent is given by the subject. The TCF did not have measures to acquire explicit consent for collecting such data.
– Non-Special Category Data: Many TCF participants were relying on legitimate interests to set cookies. ‘Legitimate Interest’ is one of the six legal bases in GDPR that allow personal data processing. Also, the bid requests for non-special category data do not require explicit consent. Based on these rules, many vendors and other participants were collecting and processing data without the user’s consent.
But there is another European privacy law called Privacy and Electronic Communications Regulations (PECR) which says:
“(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
So, to follow PECR, consent has to be sought for non-special category data as well, because the publishers and vendors are storing information on users’ devices in the form of cookies. This raises the question of whether Legitimate Interest should be a legal basis for data collection and processing.
– Data Supply Chain: Multiple bidders receive the user’s data during the bidding process, but ultimately that data is used only by the winner of the auction. No one can ensure that the data received by the other parties will not be processed after the bidding. The industry relies only on contractual controls for the safety of this data. But contracts are not enough; technical and organizational controls are required in the data supply chain to keep the data from being misused.
– Data Protection Impact Assessments (DPIAs): DPIAs are the tools used to identify and minimize the risk in data protection. The ICO has given a list of circumstances that require DPIAs in Article 35 of the GDPR. This list includes examples such as large-scale profiling, invisible processing, geolocation tracking, use of personal data of children, etc. The organizations involved in the RTB in such circumstances are legally bound to perform DPIAs. The ICO says that not all participants in the industry are fulfilling the DPIA requirements.
The publishers complained that the GDPR puts a lot of liability on them for handling user data, but the TCF doesn’t give them enough control to abide by it.
“The IAB solution envisions that publishers will get global consent for the entire ecosystem, store it in a cookie [and] share it with a third-party consent server,……….the use of aggregated cookie data and consent across sites and apps “doesn’t meet the letter or spirit of the GDPR, and it could expose publishers to liability.”
– Jason Kint, CEO, Digital Content Next
What’s New with TCF 2.0?
TCF 2.0 has brought more to the industry,
Here is how TCF 2.0 has contributed to each of the factors mentioned above:
Choice: The purposes for data collection have been increased from 5 to 10 to help the users make an informed choice while allowing vendors to process their data. The publishers can also present the purposes in stacks so that the users who are not looking for too much granularity can provide or withhold their consent for similar purposes.
Transparency: Now there are more specific purposes under ‘Legitimate Interest’ so that the vendors can precisely select the legal basis for processing the data. Since the vendors will receive an explicit signal when their ‘legitimate interest’ legal basis is acknowledged, they will be more accountable. The publisher also has more granular control over what kind of data the vendors can access. The user can now exercise the right to object, something which was not possible with the earlier version of TCF.
Control: With TCF 2.0, publishers can restrict the purposes for which the data of their users is being collected by the ad tech vendors on a per vendor basis. In this way, publishers have more control over their audiences.
Compliance: With increased investment from IAB Europe and its resources, the users of the framework will receive better support for GDPR compliance.
TCF 2.0 and Google’s requirements
Google will serve personalized or non-personalized ads only when consent for some purposes is given. But first, let us see which purposes are available under TCF 2.0.
Purpose 1: Store and/or access information on a device
Purpose 2: Select basic ads
Purpose 3: Create a personalized ad profile
Purpose 4: Select personalized ads
Purpose 5: Create a personalized content profile
Purpose 6: Select personalized content
Purpose 7: Measure ad performance
Purpose 8: Measure content performance
Purpose 9: Apply market research to generate audience insights
Purpose 10: Develop and improve products
Special Purpose 1: Ensure security, prevent fraud, and debug
Special Purpose 2: Technically deliver ads or content
Google has given all the criteria that need to be fulfilled for it to serve personalized ads. Google will serve personalized ads when the user grants consent for Purpose 1, 3, and 4; which are:
- Purpose 1: Store and/or access information on a device
- Purpose 3: Create a personalized ads profile
- Purpose 4: Select personalized ads
Additionally, “Legitimate Interest” should be established for Google for Purpose 2, 7, 9, and 10; which are:
- Purpose 2: Select basic ads
- Purpose 7: Measure ad performance
- Purpose 9: Apply market research to generate audience insights
- Purpose 10: Develop and improve products
When the above criteria are not met, Google will serve non-personalized ads, and only when consent for Purpose 1 is given and “Legitimate Interest” for Purpose 2, 7, 9, and 10 is established.
Ads will not be served if neither of the above requirements is met.
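The following added example, which is not code from the original article, Google, or the IAB, reads the purpose-consent and legitimate-interest bits from a TC string’s core segment and applies the purpose conditions listed above. The bit offsets are taken from the IAB TCF v2 string layout; buildSample and the strings it produces are constructed for the demonstration.

```javascript
// Added example, not from the original article. Field offsets follow the
// IAB TCF v2 TC string core segment; the sample strings are constructed.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const CONSENT_OFFSET = 152; // PurposesConsent: 24 bits, bit i = Purpose i+1
const LI_OFFSET = 176;      // PurposesLITransparency: 24 bits, same order

// Core segment (text before the first ".") -> string of 0s and 1s, 6 bits per char.
function coreBits(tcString) {
  return [...tcString.split(".")[0]].map((ch) => {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character: " + ch);
    return v.toString(2).padStart(6, "0");
  }).join("");
}

// Purpose numbers (1-based) whose bit is set in the 24-bit field at `offset`.
function purposes(bits, offset) {
  const set = new Set();
  for (let i = 0; i < 24; i++) if (bits[offset + i] === "1") set.add(i + 1);
  return set;
}

// Apply the purpose conditions listed above; reject anything that is not a v2 string.
function googleAdMode(tcString) {
  const bits = coreBits(tcString);
  if (bits.length < LI_OFFSET + 24) throw new Error("core segment too short");
  if (parseInt(bits.slice(0, 6), 2) !== 2) throw new Error("not a TCF v2 string");
  const consent = purposes(bits, CONSENT_OFFSET);
  const li = purposes(bits, LI_OFFSET);
  if (!consent.has(1) || ![2, 7, 9, 10].every((p) => li.has(p))) return "no-ads";
  return consent.has(3) && consent.has(4) ? "personalized" : "non-personalized";
}

// Constructed sample: version 2, every other field zero, cut off after the
// legitimate-interest field (a real string carries vendor sections after it).
function buildSample(consent, li) {
  const bits = Array(204).fill("0"); // 200 bits used, padded to a multiple of 6
  bits[4] = "1"; // 6-bit Version field = 000010
  consent.forEach((p) => { bits[CONSENT_OFFSET + p - 1] = "1"; });
  li.forEach((p) => { bits[LI_OFFSET + p - 1] = "1"; });
  return bits.join("").match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join("");
}

console.log(googleAdMode(buildSample([1, 3, 4], [2, 7, 9, 10])));
console.log(googleAdMode(buildSample([1], [2, 7, 9, 10])));
console.log(googleAdMode(buildSample([3, 4], [2, 7, 9, 10])));
```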
What Publishers Need to Do About TCF 2.0?
Publishers using third-party CMP vendors do not have much to worry about. The CMPs will do most of the heavy lifting concerning the implementation process. Publishers only need to make sure that all the vendors that they are working with are TCF 2.0 compliant. To find out whether your third-party CMP provider is TCF 2.0 compliant or not, you can look into the CMP list provided by IAB Europe.
For publishers who are managing consent in-house, IAB Europe has gathered all the required resources on its site. Such publishers need to register as a CMP in the TCF. We recommend going through the webinars conducted by IAB for complete guidance on the transformation from version 1 to version 2.
Online privacy laws are one of the rising concerns for publishers. If you’re curious to know more about how you can deal with different upcoming and existing privacy laws, we have made a guide for you!
The TCF v1.1 was deprecated on August 15. Its consent strings will be invalid after 30th September 2020. All publishers should make sure that they are following the new framework. Check whether your CMP has adopted the new framework, contact your SSPs, and check whether they are receiving the new consent signals properly from your site. Any publisher who is not updating to the new system should be ready to witness a huge fall in revenue. Keep in mind that TCF 2.0 is not backward compatible.