TCF: Transparency and Consent Framework

👋🏻 This document talks about TCF (the Transparency and Consent Framework), a set of standards for online advertising that ensures compliance with the RGPD. It offers more transparency and choice to consumers by increasing consent collection and attribution options for publishers.

Background to the introduction of TCF

The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, has changed the landscape of data privacy in Europe. The RGPD was designed to harmonize data protection laws across Europe, offering individuals greater control and transparency over their personal data while raising standards for companies to achieve lawful processing of personal information.

In anticipation of the RGPD coming into force, IAB Europe launched a collaborative effort in February 2017 with the aim of providing, maintaining and improving an industry standard, the TCF (Transparency and Consent Framework), to meet the needs of users, industry and regulators.

The TCF (Transparency and Consent Framework) is a set of standards and guidelines designed to ensure RGPD compliance in online advertising. It expands consent collection and attribution options for publishers and aims to provide greater transparency and choice for consumers. Updates include increased granularity of data processing purposes, the right to object, better support for legitimate interests, granular controls for publishers, and a flexible legal basis for providers.

The main aim is to ensure better protection of users' privacy, while making it easier for companies to comply with data protection regulations.

History of TCF

TCF V1.1: The first version of TCF

TCF v1.1 marked a pioneering step forward as the first framework of its kind. Because of its novelty, the focus was primarily on AdTech providers, with limited consideration for publishers.

This first version is considered the benchmark for digital advertising suppliers. It is based on 3 main components:

• TCF Policy: Policies apply to publishers, advertisers, suppliers, consent management platforms (CMPs) and other participants. Adhere to the policies to maintain your membership in the initiative. View the TCF policy document here.

• TCF Terms and Conditions : Important terms and conditions such as registration requirements, the registration process, your obligations, membership payment, your rights and responsibilities, etc. Access the document here.

• Transparency and format of the chain of consent with the global list of suppliers : 0 and 1 information to transmit user consent to data-collecting parties. Read our dedicated blog on chain of consent.

• Consent management platform API: API used to identify consent status.

TCF V2.0: The update designed to meet publishers' and consumers' needs

ℹ️ The TCF steering group, IAB Europe, has announced the implementation of TCF V2.0 on June 30, 2020. This date has now been extended to August 30, 2020.

Why was TCF updated?TCF v1 was the first framework of its kind. Because it was new, the focus was primarily on advertising technology providers, and publishers were not included. In an increasingly digital world, publishers, suppliers, advertisers, media agencies and data protection authorities all need to be consulted to improve the framework. TCF v2.0 aims to offer consumers choice and transparency, while continuing to gather feedback to stimulate innovation and offer greater control to publishers.

What's new in IAB TCF 2.0?IAB TCF 2.0 is the result of ongoing consultations with users and a broad base of stakeholders. The new version introduces the "right to object" to the legal basis of "legitimate processing" for data processing. IAB TCF 2.0 has been designed to offer improved transparency and choice to consumers, while providing greater control to publishers. This is achieved by incorporating the following changes:

• Improved granularity of purposes: The purposes of data processing have been extensively revised to provide additional granularity. Individual purposes have been further subdivided, bringing the total number of purposes from five to ten. Two Special Purposes have also been added. The Characteristics have also been increased to five, two of which are designated as Special Characteristics requiring authorization.

• Right to object: Users will be able to communicate their right to object to processing on the basis of Legitimate Interest directly to Consent Management Platforms (CMP). Objections will be forwarded by the CMP to the suppliers according to the purposes.

• More comprehensive support for legitimate interests: Suppliers will be more responsible for knowing whether their legal basis for "legitimate interest" has been recognized. The supplier will receive an explicit signal that it has been recognized.

• Granular controls: New, more granular controls give editors greater control over the data processing purposes authorized per supplier. Editors can create different rules for each supplier or group of suppliers.

• Policy enforcement: Greater empowerment of framework users in the enforcement of policies, terms and conditions, and technical specifications.

• Flexible legal bases for suppliers: Suppliers can register a flexible, default legal basis to take account of regional legal differences.

The latest update of TCF : TCF v2.2

IAB Europe has unveiled the Transparency and Consent Framework 2.2 to continue helping stakeholders in the online ecosystem meet the specific requirements of the e-Privacy Directive and the UK RGPD. Having been approved by the TCF Working Group, these revisions aim to further standardize the information and options to be presented to users regarding the processing of their personal data, as well as the methods for capturing, communicating and respecting it.

Given the constant evolution of jurisprudence and directives from data protection authorities, market players are faced with increased data protection requirements. TCF 2.2 introduces significant changes to better meet the expectations of regulators and the needs of users.

ℹ️ By September 30, 2023, CMPs and Suppliers are required to implement the new policies and specifications.
It should be noted, however, that the CMP Framework user interfaces will not require re-validation. IAB Europe has also released a Chrome extension of the CMP Validator, encompassing all TCF v2.2 requirements, to support CMPs in their development efforts.

Why was an updated version of the TCF necessary?

Criticism of TCF v1 and the resulting ADP decision on IAB (still under appeal) (still subject to appeal) served as the catalyst for TCF v2.2. This new version of TCF better addresses stakeholders' concerns.

Previous reviews have highlighted three areas for improvement:

1. Legitimate interest as legal basis

⚠️ Prior to TCF version 2.2, companies could collect and use personal data for personalization purposes on the basis of legitimate interest, without needing users' explicit consent.

2. Insufficient information on advertising partners

3. Difficulty obtaining informed consent with the technical jargon used

ℹ️ To check whether your site complies with TCF v2.2 guidelines, you can use an audit extension developed by the IAB : link

TCF V2.2 resolves many of the concerns expressed in previous versions.

Elimination of legitimate interest  

Legitimate interest is no longer a basis for these purposes:

• Purpose 3: Creation of profiles for the purpose of delivering personalized advertising

• Purpose 4: Use of profiles to select personalized advertisements

• Purpose 5: Creation of profiles to personalize content

• Purpose 6: Use of profiles to select personalized content

ℹ️ To find out more about the purposes of data collection: lien

User consent is required for these purposes.

More information on Vendors

• Obligation to display the number of Vendors

It is now mandatory to display the number of Vendors on the first layer of the consent banner.

☝🏻 TCF does not set a specific limit for suppliers, but care must be taken with the number of suppliers. An excessively high number of suppliers listed will result in a warning, as it will prevent users from making an informed decision.

• Obligation to provide additional information on Vendors

• Explanation of the legitimate interests at stake: explain the legitimate interests for data processing.

• Data retention period by purpose: indicate the data retention period for each purpose.

• Redirect to Vendor data policy documentation or specific details.

• Categories of data collected and/or already held: TCF v2.2 standardizes the taxonomy of data categories.

Introduction of a new purpose (purpose 11)

Purpose 11 of TCF version 2.2 allows websites to collect limited user data to deliver non-advertising content. The data collected may include information on page content, geolocation and browsing history.

👉🏻 For example, an e-commerce site may use purpose 11 to display products similar to those consulted by the user.

ℹ️ Purpose 11 is subject to restrictions: the data collected must be limited to what is necessary to select and distribute the content, and must not be used for profiling or marketing purposes.

Clearer definitions and descriptions in the CMP

Users now benefit from clearer information: the legal jargon previously used is to be replaced by user-friendly descriptions backed up by examples of real-life use cases.

Companies need to ensure that their CMP user interface is easily accessible to users, so that they can modify their consent and preferences.

Specific requirements to facilitate withdrawal of consent

TCF 2.2 emphasizes the importance of user control by requiring publishers and CMPs to allow users to review the CMP interface and easily withdraw their consent.

When users revisit the CMP interface to withdraw their consent, they should be able to do so with a single click, using an option equivalent to the one offered when first requesting consent, such as "Refuse all".

Delete order getTCData

TCF 2.2 also includes technical updates, such as the removal of the getTCData and the obligation for suppliers to use event receivers to obtain the TC channel.

Next steps for TCF v2.2 compliance

• Provide a way for users to easily access the CMP and withdraw their consent, in whole or in part, at any time. This can be achieved by adding a link at the bottom of web pages or by using floating icons.

• It is necessary to update the text of consent banners and pop-ups, and to review the way consent is obtained and stored.

• Check the supplier's privacy policy and make sure they use version TCF 2.2 of the supplier list.

• Change CMP if it does not comply with TCF v2.2 standards.