TCF 2.0 FAQ - Publishers, GDPR & IAB's New Transparency and Consent Framework

Recent updates and related FAQs:

• TCF 2.2 FAQ: IAB has updated the TCF with key changes necessary to meet EU regulations.
• Global Privacy Platform: IAB has launched the GPP to provide a framework that can manage US privacy requirements on a national level. 
•  CCPA and CPRA FAQ
• Google requires publishers to use a Google-approved CMP.

TCF 2.0 FAQ - Table of Contents:

• When was the deadline to implement TCF 2.0?
• What is the Transparency Consent Framework (TCF)?
• What is the Interactive Advertising Bureau (IAB) Europe?
• Why was GDPR revised to TCF 2.0?
• Who contributed to the revision of TCF 2.0?
• What are the features of TCF 2.0?
• What are the three legal basis for data processing under TCF 2.0?
• What changes in TCF 2.0 benefit users?
• What changes in TCF 2.0 benefit publishers?
• What changes in TCF 2.0 benefit vendors?
• What is the Global Vendor List (GVL)?
• How should publishers prepare for TCF 2.0?
• What are the TCF 2.0 Purposes?
• What are the TCF Special Purposes?
• What is a CMP?
• What is legitimate interest?
• What is a TCF consent string?
• What are TCF Stacks?
• What are the scopes of a consent string?

Looking for a Google-approved, GDPR and GPP compliant CMP?

Let's talk. Request a demo today:

When was the deadline to implement TCF 2.0?

TCF 1.1 will no longer be supported after June 2020. TCF 2.0 is not backward compatible, and publishers need to take action to remain in compliance with GDPR requirements.

Google now fully supports TCF v2.0.

To integrate with the IAB TCF v2.0 a publisher must implement a TCF v2.0 registered CMP on their site or app. The CMP creates and sends the TC (Transparency & Consent) string. Then, Google’s ad tags and SDKs consume the TC string they receive from the CMP.

What is the Transparency Consent Framework (TCF)?

The IAB Transparency and Consent Framework is the Interactive Advertising Bureau's solution to help publishers with GDPR compliance. The framework provides guidelines to tell visitors what data is being collected, how they and their vendors plan to use it, which vendors are using it, and how users can give or withhold consent. The framework helps publishers and tech vendors comply with the EU’s GDPR and ePrivacy Directive requirements.

TCF provides technical specifications and policies to help companies that use cookies or other tracking technologies, maintain user profiles, conduct ad or content measurement, or deliver ads or content over the internet.

What is the Interactive Advertising Bureau (IAB) Europe?

IAB Europe is an industry organization that develops industry standards, conducts research, and provides legal support for the online advertising industry. IAB Europe is a coalition of 27 national IABs across Europe, and over 500 companies.

IAB Europe is the Managing Organization for the Transparency and Consent Framework and worked in coordination with the IAB Tech Lab and TCF Steering Group to develop the specifications and policies.

Interested in the relationship between Visitor Consent and CMP rates?
Check out: Publisher CPM Rates Higher for Visitors Providing Consent

Why was GDPR revised to TCF 2.0?

Publishers had many concerns with TCF 1.1, and felt it was too biased toward ad tech vendors. Based on industry feedback, there was a need for increased publisher control over which purposes vendors can use to justify the basis for their data processing activities.

There were gaps and grey areas in TCF 1.1 that needed to be clarified, and opportunities to improve comprehension and transparency for end users. Technical and Policy changes made in TCF 2.0 also reflect almost two years of additional collaboration and clarifications made between IAB Europe and EU regulators.

Who contributed to the revision of TCF 2.0?

TCF stakeholders include publishers, technology providers, and advertising and media agencies, including 10 National IABs, and 55 organizations. IAB Europe is the Managing Organisation of the TCF; they established a TCF Steering Group for coordination and communication and worked with the IAB Tech Lab for technical specifications

Features of TCF 2.0

IAB Europe claims the changes in TCF 2.0 provide users and publishers with more Transparency, Choice, Accountability, Control, and Compliance.

TCF 2.0 has added language for publisher restrictions, better right-to-object options, use of consent strings, expansion of and addressing legitimate interests legal basis, and expanded the number of purposes declarations for data processing.

What are the three legal bases for data processing under TCF 2.0?

1. Consent - the data owner has given consent for data to be processed
2. Legitimate Interest - There is an overriding purpose or need for processing the data. (i.e. fraud prevention).
3. Flexible - A combination of both consent and legitimate interest to allow vendors to operate in different markets under different legal basis.

What changes in TCF 2.0 benefit users?

• Users can make more granular choices on how their data is processed
• Improvements to present users with a better comprehension of their options
• The “right to object” directly through a TCF Consent Management Platform (CMP)
• More control over how vendors use their data.

What changes in TCF 2.0 benefit publishers?

• Publishers can specify “publisher restrictions” to restrict how vendors process personal data per-vendor and per-legal basis..
• Better handling of processing on the basis of legitimate interests
• Publishers can provide more transparency to users about how their personal data will be processed

What changes in TCF 2.0 benefit vendors?

• Use of consent strings and checksum validation to improve transparency and compliance between publishers and vendors
• Data processing purposes was expanded to 10, plus two Special Purposes, to allow more flexibility for vendors and granular choices by data subjects.

What is the Global Vendor List (GVL)?

A registry of vendors enabled for participation in the TCF. Applications to be a part of the GVL is open to all vendors used on a publisher’s site including Sell Side Platforms (SSPs), Demand Side Platforms (DSPs), ad servers and data management platforms.
IAB Europe GVL approval ensures that vendors will be able to work with publishers under GDPR rules. They also post their global TCF 2.0 CMP list.

How should publishers prepare for TCF 2.0?

• Publishers must choose a Consent Management Platform (CMP) that is registered with the IAB. If you created your own CMP you must register it. Unregistered CMP will no longer be acceptable in TCF 2.0, by the end of June 2020.
• Communicate with your vendors on your implementation timeline. TCF 2.0 is not “backwards compatible”, which means that TCF 1.0 will not automatically update to TCF 2.0. If your vendors are using TCF 1.0, while you implemented TCF 2.0, you could potentially “cut off” these vendors. Publishers should be communicating with their demand partners to verify that their most critical vendors are ready.
• Determine which purposes of data processing you will allow, and for what reasons (legitimate interest, consent, flexible).

What are the TCF 2.0 Purposes?

1. Purpose 1 = Store and/or access information on a device
2. Purpose 2 = Select basic ads
3. Purpose 3 = create a personalized ad profile
4. Purpose 4 = Select personalized ads
5. Purpose 5 = Create a personalized content profile
6. Purpose 6 = Select personalized content
7. Purpose 7 = Measure ad performance
8. Purpose 8 = Measure content performance
9. Purpose 9 = Apply market research to generate audience insights
10. Purpose 10 = Develop and improve products

What are the TCF Special Purposes?

1. Special Purpose 1 = Ensure security, prevent fraud, and debug
2. Special Purpose 2 = Technically deliver ads or content

What is a CMP?

A Consent Management Platform (CMP) is a mechanism for online publishers to request, receive, and store visitors’ consent to use and store personal data. It also provides a list of vendors that collect user data, and for what purpose. The CMP helps publishers automate the process to more seamlessly comply with privacy regulations such as GDPR or CCPA.

See also: FAQ for Privacy Consent Management

What is legitimate interest?

Legitimate interest is a legal basis for using personal data without obtaining consent. A legitimate interest is based on an overriding benefit to a particular company or society as a whole, and intended to give controllers flexibility for situations where there is no undue impact on data subjects.

Under GDPR, companies must balance legitimate interests with the interests or fundamental rights and freedoms of the data subject, and show that its interest is favored in such a balancing test.

What is a TCF consent string?

A consent string, also referred to as a “daisybit” or TC string, is a series of compressed binary numbers added to an ad bid request and flows through the advertising ecosystem per OpenRTB specification. The consent string is generated by the publishers CMP, and identifies who the vendor is, whether they have consent to process user data or not, and for what purposes the data can be used.

When a vendor registers for the Global Vendor List, IAB Europe will issue them an ID which is dropped into the consent string.

What are TCF Stacks?

Stacks are preset bundles that make it easier for data subjects to give or withhold consent to several related data processing purposes at once.

What are the scopes of a consent string?

A TC string can be set up with either a global or service-specific scope. If the scope is global, then the cookie vendors rely on is stored on a 3rd party domain that vendors can rely on across websites, and it would not contain publisher restrictions or a publisher TC segment. If the scope is service-specific, the TC string would only be used by the site or app upon which it is running. Server-specific strings may contain publisher restrictions, a publisher TC segment, as well as an allowed-vendors segment.

Looking for a Google-approved, GDPR, and GPP-compliant CMP?

Admiral Consent is the first blocker-aware CMP and one of the few available designed under the IAB's Transparency and Consent Framework that can manage both IAB and non-IAB vendors alike.  Additionally, Admiral is an easy install as part of Admiral's Visitor Relationship Management (VRM) platform, tying together key data points and insights across the visitor journey.

• One CMP to handle both IAB and non-IAB vendors
• Single tag installation, with built-in blocker monitoring
• Configurable messaging and consent types to maximize transparency and conversion
• Targeting and segmentation including location-based and site-specific traffic
• Reporting to help monitor conversion tracking and GDPR revenue impacts
• Cross-platform support including mobile web
• Flexible pricing options with real live experts to speed network rollouts

Request a demo of Admiral Consent Management today.