Navigating the GDPR and ad tech world can feel like a rollercoaster ride, but hang in there! Whether you’re new to the IAB’s Transparency and Consent Framework or eager to learn about TCF 2.0, we’re here to unravel the mysteries for you.
When GDPR burst onto the scene, it shook the ad tech industry to its core. Publishers and ad tech companies found themselves grappling with a slew of new responsibilities. For example, they had to ask users for consent to track them, provide detailed information about data collection, and ensure data security. And that’s just the tip of the GDPR iceberg!
Implementing these changes in practice proved to be a major challenge.
Enter the Transparency and Consent Framework, which was introduced alongside GDPR. The IAB Tech Lab created this framework to help publishers and the ad tech industry comply with the new regulations. It established a GDPR-compliant standard mechanism for requesting, storing, and sharing user consent throughout the ad tech supply chain.
What Is TCF?
The Transparency and Consent Framework is an initiative the Interactive Advertising Bureau took to standardize the process of gaining user consent for collecting and using personal data. The IAB has collaborated with publishers, advertisers, and other parties in the ad tech industry for the initiative.
With the help of TCF, the publishers can inform their visitors about what kind of user data is being collected, which parties are accessing the data, and how the publisher and the partners would be using it.
It gives a common language to all the parties in the ad tech ecosystem so that everyone can understand the state of the visitor’s consent and deliver relevant ads and content accordingly.
The main components of the framework are:
- TCF Policy: The policies apply to publishers, advertisers, vendors, Consent Management Platforms (CMPs), and all the other participants involved with the framework. The participants must abide by the policies to maintain their membership in the initiative. You can find the TCF policy document here.
- TCF Terms & Conditions: All the important terms and conditions like the requirements for registration, the process of registration, your obligations, membership payment terms, your rights and liabilities in the framework, etc. You can access this document here.
- Transparency and Consent String with Global Vendor List Format: Information in the form of 0’s and 1’s to convey the user’s consent to the parties involved in data collection.
- The Consent Management Platform API: The API that’ll be used to identify consent status.
The framework is open-source and non-commercial; hence, all the technical specifications for its implementation can be found on GitHub.
Participants in TCF
Three types of players are involved in the TCF: Vendors, Publishers, and CMPs.
Vendors: All the third parties that work with the publisher to deliver content to the user, where that work involves either collecting personal data or accessing the user’s device to set cookies.
Publishers: All the publishers in the TCF that monetize their content with third-party advertisers.
CMPs: Consent management platforms can read or set the status of the user’s consent for the vendors working with the publishers.
How Does TCF Work?
In the Transparency and Consent Framework, the IAB maintains the Global Vendor List, which includes approved vendors that have agreed to work within the TCF. Publishers must select vendors from this list when operating under the TCF. The process involves the following steps:
- Using a Consent Management Platform (CMP), the publisher selects partner vendors from the Global Vendor List.
- When users visit the publisher’s site, they are prompted to choose which vendors they can share their data with.
- Once the user has made their selections, the publisher can share the user’s data with the chosen vendors.
Remember that only vendors from the Global Vendor List can receive user preferences in TCF format. CMPs cannot send TCF standard signals to non-IAB vendors.
User consent is communicated via a binary consent string listing the purposes and vendors with which users have agreed to share their data. This binary information is compressed and sent to vendors with bid and ad requests.
How Does TCF Help Publishers?
For publishers, TCF provided much help in complying with the GDPR and other privacy laws. It clarified how the system should work to serve relevant ads while respecting the user’s privacy.
The publishers also became more transparent to their audience. They had more control over how the data from their audience will be used. Even the publisher’s audience could control the use of its data.
But when the first version of the Transparency and Consent Framework was launched, it was not only frowned upon by the Information Commissioner’s Office (ICO); publishers disliked it too. The ICO believed that the industry’s implementations for GDPR were not good enough, whereas publishers complained that the framework was biased towards ad tech vendors. So what’s the solution? A revamped TCF Version 2.0!
Why TCF 2.0?
As we mentioned above, the solutions provided by the initial version of TCF were not satisfactory for the ICO and publishers. Here are some of the issues raised by the ICO:
- Special category data
- Non-special category data
- Data supply chain
- Data protection impact assessments
Special Category Data: The special category data was processed directly or by inference in the bidding process. The special category data involves sensitive information such as the user’s racial or ethnic origin.
Processing such data is prohibited unless the subject gives explicit consent. The TCF did not have measures to acquire explicit consent for collecting such data.
Non-Special Category Data: Many TCF participants used legitimate interests to set cookies. ‘Legitimate Interest’ is one of the six legal bases in GDPR that allow personal data processing.
Also, the bid requests for non-special category data do not require explicit consent. Based on these rules, many vendors and other participants collected and processed data without the user’s consent.
But there is another European privacy law called Privacy and Electronic Communications Regulations (PECR), which says:
“(1) … a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
So, to follow PECR, consent has to be sought for non-special category data as well because the publishers and vendors are storing information in users’ devices in the form of cookies. In this way, the question arises whether Legitimate Interest should be a legal basis for data collection and processing.
Data Supply Chain: Multiple bidders receive the user’s data during the bidding process, but ultimately that data is used only by the auction winner. No one can ensure that the other parties will not process the data they received once the bidding is over.
The industry relies only on contractual controls for the safety of this data. But contracts are not enough. The data supply chain requires technical and organizational controls to prevent misuse of data.
Data Protection Impact Assessments (DPIAs): DPIAs are the tools used to identify and minimize the risk in data protection. The ICO has given a list of circumstances that require DPIAs in Article 35 of the GDPR.
This list includes examples such as large-scale profiling, invisible processing, geolocation tracking, use of personal data of children, etc.
In such circumstances, the organizations involved in the RTB are legally bound to perform DPIAs. The ICO says that not all participants in the industry are fulfilling the DPIA requirements.
The publishers complained that the GDPR puts a lot of liability on them for handling the user data, but the TCF doesn’t provide enough control to comply.
“The IAB solution envisions that publishers will get global consent for the entire ecosystem, store it in a cookie [and] share it with a third-party consent server,” … the use of aggregated cookie data and consent across sites and apps “doesn’t meet the letter or spirit of the GDPR, and it could expose publishers to liability.”
What’s New with TCF 2.0?
TCF 2.0 has brought more choice, transparency, control, and compliance to the industry.
Here is how TCF 2.0 contributes to each of these factors:
Choice: The purposes for data collection have been increased from 5 to 10 to help the users make an informed choice while allowing vendors to process their data.
The publishers can also present the purposes in stacks so that the users who are not looking for too much granularity can provide or withhold their consent for similar purposes.
Transparency: Now, more specific purposes are under ‘Legitimate Interest’ so that the vendors can precisely select the legal basis for data processing.
Since the vendors will receive an explicit signal when their ‘legitimate interest’ legal basis is acknowledged, they will be more accountable.
The publisher also has more granular control over what kind of data the vendors can access. The user can now exercise the right to object, something impossible with the earlier version of TCF.
Control: With TCF 2.0, publishers can restrict the purposes for which the ad tech vendors collect their users’ data on a per-vendor basis. In this way, publishers have more control over their audiences.
Compliance: With an increased investment by IAB Europe and its resources, the framework users will receive better support for GDPR compliance.
TCF 2.0 and Google’s requirements
Google will serve personalized or non-personalized ads only when consent for some purposes is given. But first, let us look at the purposes available under TCF 2.0.
Purpose 1: Store and/or access information on a device
Purpose 2: Select basic ads
Purpose 3: Create a personalized ads profile
Purpose 4: Select personalized ads
Purpose 5: Create a personalized content profile
Purpose 6: Select personalized content
Purpose 7: Measure ad performance
Purpose 8: Measure content performance
Purpose 9: Apply market research to generate audience insights
Purpose 10: Develop and improve products
Special Purpose 1: Ensure security, prevent fraud, and debug
Special Purpose 2: Technically deliver ads or content
Google has given all the criteria that need to be fulfilled to serve personalized ads. Google will serve personalized ads when the user grants consent for Purposes 1, 3, and 4, which are:
- Purpose 1: Store and/or access information on a device
- Purpose 3: Create a personalized ads profile
- Purpose 4: Select personalized ads
Additionally, “Legitimate Interest” should be established for Google for Purposes 2, 7, 9, and 10, which are:
- Purpose 2: Select basic ads
- Purpose 7: Measure ad performance
- Purpose 9: Apply market research to generate audience insights
- Purpose 10: Develop and improve products
When the above criteria are not met, Google will serve non-personalized ads, but only when consent for Purpose 1 is given and “Legitimate Interest” is established for Purposes 2, 7, 9, and 10.
Ads will not be served if neither of the above requirements is met.
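The binary consent string described under "How Does TCF Work?" and the Google rule above can be checked together in code. The following is an added example, not code from IAB or Google: decodeCore, googleAdMode and encodeCore are hypothetical names, the field widths come from the IAB TCF v2 specification rather than from this article, and the sample string is constructed.

```javascript
// Added example. Bit widths of the TC string core segment, up to the purpose
// bitfields, taken from the IAB TCF v2 spec (this article does not list them).
const CORE_FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardStacks", 1], ["specialFeatureOptIns", 12],
  ["purposesConsent", 24], ["purposesLITransparency", 24],
];
const isBitfield = (name) => name.startsWith("purposes");

// Decode the first dot-separated segment: base64url -> bit string -> fields.
function decodeCore(tcString) {
  const bytes = Buffer.from(tcString.split(".")[0], "base64"); // accepts base64url too
  const bits = [...bytes].map((b) => b.toString(2).padStart(8, "0")).join("");
  const out = {};
  let pos = 0;
  for (const [name, width] of CORE_FIELDS) {
    const field = bits.slice(pos, (pos += width));
    if (field.length < width) throw new Error(`TC string truncated at ${name}`);
    // Purpose bitfields: bit i (1-based) set means purpose i is granted.
    out[name] = isBitfield(name)
      ? [...field].flatMap((b, i) => (b === "1" ? [i + 1] : []))
      : parseInt(field, 2);
  }
  if (out.version !== 2) throw new Error("not a TCF v2 string");
  return out;
}

// The Google rule exactly as this article states it (vendor-level bits not checked).
function googleAdMode({ purposesConsent: c, purposesLITransparency: li }) {
  const liOk = [2, 7, 9, 10].every((p) => li.includes(p));
  if (!c.includes(1) || !liOk) return "no ads";
  return c.includes(3) && c.includes(4) ? "personalized" : "non-personalized";
}

// Constructed sample builder (hypothetical helper, not a CMP): packs values into a core segment.
function encodeCore(values) {
  const bits = CORE_FIELDS.map(([name, width]) => isBitfield(name)
    ? Array.from({ length: width }, (_, i) => +(values[name] || []).includes(i + 1)).join("")
    : (values[name] || 0).toString(2).padStart(width, "0")).join("");
  const bytes = bits.padEnd(Math.ceil(bits.length / 8) * 8, "0").match(/.{8}/g);
  return Buffer.from(bytes.map((b) => parseInt(b, 2))).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const sample = encodeCore({ version: 2, cmpId: 10, purposesConsent: [1, 3, 4],
  purposesLITransparency: [2, 7, 9, 10] });
console.log(sample, googleAdMode(decodeCore(sample)));
```

A string produced by a real CMP carries further fields and segments after these 200 bits (publisher country, vendor consents, publisher restrictions); the decoder reads only the leading fields and ignores the rest.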
What Publishers Need to Do About TCF 2.0?
Publishers using third-party CMP vendors do not have much to worry about. The CMPs will do most of the heavy lifting concerning the implementation process. Publishers only need to ensure that all the vendors they work with are TCF 2.0 compliant. To determine whether your third-party CMP provider is TCF 2.0 compliant, you can look into the CMP list provided by IAB Europe.
For publishers who are managing consent in-house, IAB Europe has gathered all the required resources on its site. Such publishers need to register as a CMP in the TCF. We recommend going through the webinars conducted by IAB for complete guidance on the transformation from version 1 to version 2.
The TCF v1.1 was deprecated on August 15. Its consent strings will be invalid after 30th September 2020. All publishers should make sure that they are following the new framework.
Check whether your CMP has adopted the new framework, contact your SSPs, and check whether they receive the new consent signals properly from your site. Any publisher not updating to the new system should be ready to witness a huge fall in revenue. Keep in mind that TCF 2.0 is not backward compatible.
What is TCF Consent?
TCF Consent, or Transparency and Consent Framework Consent, is an industry-standard mechanism developed by the Interactive Advertising Bureau (IAB) to help publishers and ad tech companies obtain, store, and share user consent in compliance with GDPR and other privacy regulations.
The TCF aims to create a standardized approach for requesting and managing user consent across the entire ad tech supply chain, ensuring that user data is collected, processed, and shared in a transparent and privacy-compliant manner.
What is TCFv2 compliant?
TCFv2 compliant refers to adherence to the updated version (2.0) of the Transparency and Consent Framework (TCF) by publishers, advertisers, vendors, and Consent Management Platforms (CMPs).
TCF 2.0 builds upon the original framework by providing greater choice, transparency, and control for users, and more granular control for publishers.
It indicates that a company has adopted the required measures for TCF 2.0, ensuring the proper handling of user consent and data privacy in line with the updated framework.