Sign in

TCF 2.0 FAQ - Publishers, GDPR & IAB's New Transparency and Consent Framework

When is the deadline to implement TCF 2.0?

TCF 1.1 will no longer be supported after June 2020. TCF 2.0 is not backwards compatible, and publishers need to take action to remain in compliance with GDPR requirements.

Google is set to adopt TCF 2.0 by April as well.

 

What is the Transparency Consent Framework (TCF)?

The IAB Transparency and Consent Framework is the Interactive Advertising Bureau's solution to help publishers with GDPR compliance. The framework provides guidelines to tell visitors what data is being collected, and how they and their vendors plan to use it, which vendors are using it, and how users can give or withhold consent.The framework helps publishers and tech vendors comply with the EU’s GDPRand ePrivacy Directive requirements.

TCF provides technical specifications and policies to help companies that use cookies or other tracking technologies, maintain user profiles, conduct ad or content measurement, or deliver ads or content over the internet.

 

What is the Interactive Advertising Bureau (IAB) Europe?

IAB Europe is an industry organization that develops industry standards, conducts research, and provides legal support for the online advertising industry. IAB Europe is a coalition of 27 national IABs across Europe, and over 500 companies.

IAB Europe is the Managing Organization for the Transparency and Consent Framework, and worked in coordination with the IAB Tech Lab and TCF Steering Group to develop the specifications and policies.

 

Why was GDPR revised to TCF 2.0?

Publishers had many concerns with TCF 1.1, and felt it was too biased toward ad tech vendors. Based on industry feedback, there was a need for increased publisher control over which purposes vendors can use to justify the basis for their data processing activities.

There were gaps and grey areas in TCF 1.1 that needed to be clarified, and opportunities to improve comprehension and transparency for end users. Technical and Policy changes made in TCF 2.0 also reflect almost two years of additional collaboration and clarifications made between IAB Europe and EU regulators.

 

Who contributed to the revision of TCF 2.0?

TCF stakeholders includes publishers, technology providers and advertising and media agencies, including 10 National IAB’s, and 55 organizations. IAB Europe is the Managing Organisation of the TCF; they established a TCF Steering Group for coordination and communication, and worked with the IAB Tech Lab for technical specifications

 

Features of TCF 2.0

IAB Europe claims the changes in TCF 2.0 provide users and publishers more Transparency, Choice, Accountability, Control and Compliance.

TCF 2.0 has added language for publisher restrictions, better right to object options, use of consent strings, expansion of and addressing legitimate interests legal basis, and expanded the number of purposes declarations for data processing.

 

What are the three legal bases for data processing under TCF 2.0?

  1. Consent - the data owner has given concent for data to be processed
  2. Legitimate Interest - there is an overriding purpose or need for processing the data. (i.e. fraud prevention).
  3. Flexible - A combination of both consent and legitimate interest to allow vendors to operate in different markets under different legal basis.

 

What changes in TCF 2.0 benefit users?

  • Users can make more granular choices on how their data is processed
  • Improvements to present users with better comprehension of their options
  • The “right to object” directly through a TCF Consent Management Platform (CMP)
  • More control over how vendors use their data.

What changes in TCF 2.0 benefit publishers?

  • Publishers can specify “publisher restrictions” to restrict how vendors process personal data per-vendor and per-legal basis..
  • Better handling of processing on the basis of legitimate interests
  • Publishers can provide more transparency to users about how their personal data will be processed

 

What changes in TCF 2.0 benefit vendors?

  • Use of consent strings and checksum validation to improve transparency and compliance between publishers and vendors
  • Data processing purposes was expanded to 10, plus two Special Purposes, to allow more flexibility for vendors and granular choices by data subjects.

 

What is the Global Vendor List (GVL)?

A registry of vendors enabled for participation in the TCF. Applications to be a part of the GVL is open to all vendors used on a publisher’s site including Sell Side Platforms (SSPs), Demand Side Platforms (DSPs), ad servers and data management platforms. GVL approval ensures that vendors will be able to work with publishers under GDPR rules.

 

How should publishers prepare for TCF 2.0?

  • Publishers must choose a Consent Management Platform (CMP) that is registered with the IAB. If you created your own CMP you must register it. Unregistered CMP will no longer be acceptable in TCF 2.0, by the end of June 2020.
  • Communicate with your vendors on your implementation timeline. TCF 2.0 is not “backwards compatible”, which means that TCF 1.0 will not automatically update to TCF 2.0. If your vendors are using TCF 1.0, while you implemented TCF 2.0, you could potentially “cut off” these vendors. Publishers should be communicating with their demand partners to verify that their most critical vendors are ready.
  • Determine which purposes of data processing you will allow, and for what reasons (legitimate interest, consent, flexible).

 

What are the TCF 2.0 Purposes?

  1. Purpose 1 = Store and/or access information on a device
  2. Purpose 2 = Select basic ads
  3. Purpose 3 = create a personalized ad profile
  4. Purpose 4 = Select personalized ads
  5. Purpose 5 = Create a personalized content profile
  6. Purpose 6 = Select personalized content
  7. Purpose 7 = Measure ad performance
  8. Purpose 8 = Measure content performance
  9. Purpose 9 = Apply market research to generate audience insights
  10. Purpose 10 = Develop and improve products

What are the TCF Special Purposes?

  1. Special Purpose 1 = Ensure security, prevent fraud, and debug
  2. Special Purpose 2 = Technically deliver ads or content

 

What is a CMP?

A Consent Management Platform (CMP) is a mechanism for online publishers to request, receive, and store visitors’ consent to use and store personal data. It also provides a list of vendors that collect user data, and for what purpose. The CMP helps publishers automate the process to more seamlessly comply with privacy regulations such as GDPR or CCPA.

 

What is legitimate interest?

Legitimate interest is a legal basis for using personal data without obtaining consent. A legitimate interest is based on an overriding benefit to a particular company or society as a whole, and intended to give controllers flexibility for situations where there is no undue impact on data subjects.

Under GDPR, companies must balance legitimate interests with the interests or fundamental rights and freedoms of the data subject, and show that its interest is favored in such a balancing test.

 

What is a TCF consent string?

A consent string, also referred to as a “daisybit” or TC string, is a series of compressed binary numbers added to an ad bid request and flows through the advertising ecosystem per OpenRTB specification. The consent string is generated by the publishers CMP, and identifies who the vendor is, whether they have consent to process user data or not, and for what purposes the data can be used.

When a vendor registers for the Global Vendor List, IAB Europe will issue them an ID which is dropped into the consent string.

 

What are TCF Stacks?

Stacks are preset bundles that make it easier for data subjects to give or withhold consent to several related data processing purposes at once.

 

What are the scopes of a consent string?

A TC string can be set up with either a global or service-specific scope. If the scope is global, then the cookie vendors rely on is stored on a 3rd party domain that vendors can rely on across websites, and it would not contain publisher restrictions or a publisher TC segment. If the scope is service-specific, the TC string would only be used by the site or app upon which it is running. Server-specific strings may contain publisher restrictions, a publisher TC segment, as well as an allowed-vendors segment.


Interested in Admiral's GDPR Consent Module or have additional questions regarding TCF 2.0 and GDPR compliance? Contact our Privacy Consent team.

How much revenue are you losing to adblockers?

Find out for free today!