Europe’s General Data Protection Regulation (GDPR) has made life rather interesting, not to mention difficult, for all the players in the ad tech world. One thing’s for certain: the GDPR has put a lot of liability on publishers, making them the party most responsible for obtaining consent and appropriately processing user data.
The regulations are so detailed that before even asking for consent, the publisher has to ensure they’ve provided the user with enough information to make an informed decision. Additionally, the data obtained must be secured and meet an endless number of requirements to comply with the GDPR.
To help the publishers out, the IAB rolled out a specific framework. However, the initial framework has recently been reworked to take some of the weight off of publishers’ shoulders.
In this article, we’re going to talk about the updated version of the framework—TCF 2.0. So, read on to learn what’s changed and what publishers need to know.
What is TCF?
TCF stands for Transparency and Consent Framework. It’s an initiative put in place by the Interactive Advertising Bureau (IAB) to obtain user consent in the process of collecting and using their personal data. The TCF initiative works in collaboration with publishers, advertisers, and every other party involved in the ad tech industry to ensure total compliance.
TCF is what now enables publishers to inform their visitors about the type of data a website is collecting from them, which parties are accessing that data, and how the publisher and its partners will be using the data. It’s usually the first thing to pop up on a website, alerting you to data collection or cookies and asking for your consent.
The information gathered lets everyone within the ad tech ecosystem know how the visitor of a website would like to proceed with access to their data to deliver more relevant ads. Once the framework pops up on a site, it’ll usually include the following information:
- The TCF policy, which applies to all parties involved that must comply.
- The TCF terms and conditions, which include requirements for registration, payment terms, rights and liabilities, and so on.
- A transparency and consent string, which comes in a global vendor list format that includes information (in binary) to demonstrate consent for all parties involved in the data collection.
- A consent management platform API, which is used to identify a visitor’s consent status.
It should be noted that the entire framework is open-source and non-commercialized, which is why there’s a significant need for compliance and technical specifications in terms of its implementation. You can learn more about the technical specifications here.
How Does TCF Work?
The IAB is in charge of the list of vendors that have signed the framework policy agreement and are approved to work within the framework. This list is known as the Global Vendor List, and it’s where publishers can choose their vendors from.
Essentially, the publisher will select its vendors from the list, usually with the help of a consent management platform (CMP). Once the user arrives on the publisher’s site, they are prompted to choose from the list the vendors with whom they’ll allow the publisher to share their data. Once the vendors are chosen, the publisher is free to share the user’s data with only the specified vendors.
From there, the user’s consent gets passed along in the consent string, which includes the purposes for collecting the data as well as the vendors specified from the list. This information is compressed before being sent through in bid and ad requests to those vendors.
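To make the "compressed" consent string concrete, here is an added example (not part of the original article and not IAB code) that decodes the fixed-width header of a TCF 2.0 consent string in Node.js. The field names and widths are taken from the IAB TCF v2 consent string layout rather than from this article, the function names are hypothetical, and the sample string is constructed here and covers the header only.

```javascript
// Added example (not IAB code): field widths of the TCF v2 core segment, first 200 bits.
const FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6], ['isServiceSpecific', 1],
  ['useNonStandardStacks', 1], ['specialFeatureOptIns', 12],
  ['purposesConsent', 24], ['purposesLITransparency', 24],
];
const BITFIELDS = new Set(['specialFeatureOptIns', 'purposesConsent', 'purposesLITransparency']);

// base64url text -> string of '0'/'1' characters
function toBits(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return [...Buffer.from(b64, 'base64')].map(b => b.toString(2).padStart(8, '0')).join('');
}

function decodeTcCore(tcString) {
  const bits = toBits(tcString.split('.')[0]); // core segment is first; others follow '.'
  if (bits.length < 200) throw new Error('core segment too short');
  if (parseInt(bits.slice(0, 6), 2) !== 2) throw new Error('not a TCF v2 string');
  const out = {}; let pos = 0;
  for (const [name, width] of FIELDS) {
    const chunk = bits.slice(pos, pos + width);
    pos += width;
    if (BITFIELDS.has(name)) {
      // leftmost bit is ID 1; collect the IDs whose bit is set
      out[name] = [...chunk].flatMap((b, i) => (b === '1' ? [i + 1] : []));
    } else if (name === 'consentLanguage') {
      // two 6-bit letters, A = 0
      out[name] = [0, 6].map(o => String.fromCharCode(65 + parseInt(chunk.slice(o, o + 6), 2))).join('');
    } else {
      out[name] = parseInt(chunk, 2);
    }
  }
  return out;
}

// Constructed sample: header fields only, so not a complete real-world consent string.
function encodeSample(values) {
  const bits = FIELDS.map(([n, w]) => values[n].toString(2).padStart(w, '0')).join('');
  const bytes = bits.match(/.{8}/g).map(b => parseInt(b, 2));
  return Buffer.from(bytes).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE = encodeSample({
  version: 2, created: 15900000000, lastUpdated: 15900000000, cmpId: 10,
  cmpVersion: 1, consentScreen: 1, consentLanguage: 269 /* "EN" */,
  vendorListVersion: 40, tcfPolicyVersion: 2, isServiceSpecific: 0,
  useNonStandardStacks: 0, specialFeatureOptIns: 0x800 /* feature 1 */,
  purposesConsent: 0xB00000 /* purposes 1, 3, 4 */, purposesLITransparency: 0x400000 /* purpose 2 */,
});
```

A party receiving the string in a bid request would check `decodeTcCore(...).purposesConsent` for the purpose it relies on before processing; the per-vendor sections that follow the header in a real string are outside this example.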
How Does TCF Help Publishers?
As the TCF directly complies with GDPR mandates and other privacy laws, it provides a clear view of how the entire consent system should work. This enables relevant ads to be served while also respecting the user’s privacy preferences, which ultimately allows publishers to be more transparent with their audience.
Essentially, by giving the users more control over their own data, it gives publishers more control over how that data can be used.
Why TCF 2.0?
The initial version of the TCF framework was disliked by both publishers and the Information Commissioner’s Office (ICO). While the ICO felt that the GDPR implementations weren’t stringent enough, publishers felt that the framework was actually working against ad tech vendors.
The problems the ICO had involved the following:
- Data protection impact assessments (DPIAs), the tools designed to identify and minimize the risks involving data protection, were required to be utilized under a list of specific circumstances. This would include large-scale profiling, geolocation tracking, the use of children’s data, and so on. Not all parties were fulfilling these requirements via DPIAs.
- The data supply chain, which involves multiple bidders receiving users’ data during the bidding process, was unable to guarantee that the data wasn’t being used outside of the bidding events. At the time, there were only contractual agreements rather than technical controls to ensure that data wasn’t being misused throughout the supply chain or afterward.
- Special category data was being processed directly and also interfering with the bidding process. The “special category” involves sensitive information such as a user’s ethnicity or race, and processing this type of data is largely prohibited without explicit consent from the user. Essentially, there were no measures or controls in place to acquire the consent needed to process this data.
- Non-special category data also didn’t require explicit consent from users and was instead processed under “legitimate interests.” Legitimate interests were used to automatically set cookies, allowing data to be collected and processed without user consent.
Additionally, publishers felt that the GDPR was putting too much liability on them for the collection and processing of user data without enough control or the proper technical tools to remain compliant within the TCF framework.
And so, TCF 2.0 was born.
What’s New With TCF 2.0?
In a nutshell, TCF 2.0 was rolled out to offer more of the following:
The new TCF framework receives more support from the GDPR so it can remain compliant while also allowing publishers more control. That control involves the ability to restrict the purposes for data collection and use by ad tech vendors on a per vendor basis.
Additionally, “legitimate interests” were stacked with more specific purposes, allowing vendors to specifically select the legal basis on which they would be processing user data. In the spirit of transparency, users can now also exercise their right to reject access to certain information, which wasn’t a feature of TCF 1.0.
Lastly, the TCF 2.0 also offers users more choices in terms of the vendors’ purpose for collecting their data. This allows users to give or withhold their consent for special interests as well.
What Do Publishers Need to Do About TCF 2.0?
If you’re a vendor using a third-party CMP vendor, not much will change for you as the liability and responsibility for the implementation mostly falls on them. However, you’ll still need to make sure that all the vendors they’re working with are up to date and TCF 2.0 compliant.
The CMP list provided by IAB Europe can help you double-check whether your third-party CMP vendor is TCF 2.0 compliant.
If you’re managing user consent yourself or with an in-house team, you’ll need to ensure that you’re up to date and compliant with TCF 2.0. For example, you’ll need to register as a CMP within the TCF and make the transition from the 1.0 version to the 2.0 version. You can get a hold of the IAB-required resources here.
By now, all publishers should be following the TCF 2.0 framework. Online privacy laws will only become more restrictive to protect the general public’s private information, so it’s important to remain compliant and ensure that any third-party vendors you work with are following through with the requirements laid out by the GDPR.