To meet evolving data protection requirements and expectations, the Transparency & Consent Framework (TCF) Steering Group has approved updates to the Framework. The latest version, TCF 2.2, introduces significant changes aimed at better meeting regulatory expectations and user needs.
In this article, we provide an overview of the main policies and technical amendments, along with a detailed timeline to assist all stakeholders in implementing TCF 2.2.
The IAB’s Transparency and Consent Framework (TCF) has undergone significant updates and improvements from version 2.0 to version 2.2. These updates address feedback received on the previous version while aiming to meet the needs of all stakeholders in the digital advertising value chain. Let’s explore the key differences between TCF 2.0 and TCF 2.2:
👉 Legal Basis: In TCF 2.0, Vendors had the option to declare reliance on both consent and legitimate interest as the legal basis for purposes 2 to 10. However, in TCF 2.2, legitimate interest is no longer an acceptable legal basis for purposes 3, 4, 5, and 6. Therefore, for these purposes, Vendors can now only rely on consent.
👉 User-Friendly text: TCF 2.2 introduces improved names, descriptions, and explanations of purposes and features. Instead of complex legal language, users are provided with easy-to-understand explanations and real-life examples, making it simpler for them to understand the implications of their consent.
👉 New purpose 11: Purpose 11 (Use limited data to select content) is intended to cover processing activities such as the selection and delivery of non-advertising content based on real-time data (e.g., information about the page content or non-precise geolocation data), and controlling the frequency or order in which content is presented to a user. It does not cover the creation or use of profiles to select personalized content.
👉 Additional Vendor Information: In TCF 2.2, Vendors are required to provide additional details about how they process data. This information includes:
Users will have access to this information, helping them make more informed decisions about their data.
👉 Transparency of Vendor Numbers: Consent Management Platforms (CMPs) are now obligated to display the total number of Vendors seeking a legal basis on the first screen of their interfaces and the total number of Vendors for each purpose on the secondary layers. This transparency offers users a clear understanding of the entities involved in data processing.
❗ WARNING: Publishers should consider the number of Vendors they work with, and put in place a selection process (Publishers may use the Additional Vendor Information List to facilitate such selection). Providing transparency and helping to establish legal bases within the Framework for an unjustifiably large number of Vendors may impact users’ ability to make informed choices and increase Publisher and vendor legal risk.
Consequently, CMP shall allow the Publisher using its CMP to make choices with respect to each Vendor appearing on its sites or apps and may not impose a list of Vendors.
Note: The TCF Policies do not impose a maximum number of Vendors for which a Publisher establishes legal bases, as it depends on the nature of the services and content provided by the Publisher as well as its business model, and no objective criteria have been laid down by Data Protection Authorities in that respect.
👉 Specific Requirements to Facilitate Consent Withdrawal: TCF 2.2 emphasizes the importance of user control by requiring Publishers and CMPs to ensure that users can resurface the CMP interface (e.g. from a floating icon or a footer link available on each webpage etc.) and withdraw their consent easily. If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and Vendors in one click (such as “Accept all”), an equivalent call to action should be provided when users resurface the CMP interface as to withdraw consent to all purposes and Vendors in one click (such as “Reject all”).
No, the new TCF Policies do not require re-establishing legal bases and therefore do not require CMPs to resurface the interface. TCF v2.2 brings further standardization of the minimum information and choices that should be provided to users over the processing of their personal data. Publishers should review the information they provide in their CMPs interfaces in addition to the minimum standard information required under TCF v2.1, and make a case-by-case determination whether re-establishing legal bases is necessary taking into account their specific needs, the context in which they operate and their local Data Protection Authority’s requirements.
Apart from the policy amendments, TCF 2.2 also brings about technical specification updates:
These updates in TCF 2.2 aim to enhance user understanding, improve transparency, and provide clearer guidelines for Vendors, Publishers, and CMPs. The framework seeks to strike a balance between privacy protection and enabling targeted advertising in the evolving digital advertising landscape.
🔎 For more detailed information, take a look at the updated Technical Specifications and the official IAB FAQs, check out the IAB Tech Lab’s blog post.
⚠️ Please take note of the following deadlines for implementation:
30 June 2023: Vendors must update their GVL registration with the new required information, including any previously updated information. Use the updated GVL registration portal, which now includes new registration fields for TCF 2.2. If you cannot see your existing data in the portal, clear your cache or log in using a different browser.
10 July 2023 (Reminder): CMPs must host their scripts on a domain other than consensu.org subdomains, as specified in the notification.
31 July 2023: Vendors must complete a TCF Compliance Assessment form and submit it through the GVL registration portal as part of the updated TCF Compliance programs.
20 November 2023 (end of implementation period): Both CMPs and Vendors are required to implement the new policies and specifications by this date. Compliance will be verified by IAB Europe as part of their regular monitoring of live installations. CMPs can use the CMP Validator Chrome Extension, which includes all the requirements of TCF 2.2, to ensure compliance.
🚀 Stay tuned for exciting updates on what lies ahead!