TCF 2.2 compliance: a quick guide for CMPs
Welcome back to the fourth part of our detailed series “Mastering CMP and IAB TCF: A Developer’s Guide”. The previous part is available here: Designing a cookie consent modal certified by TCF IAB
This guide is designed to help developers navigate through the changes and requirements introduced with the new version of the framework.
What is TCF?
The Transparency and Consent Framework is a set of guidelines and standards developed by IAB Europe to help publishers, advertisers, and Consent Management Providers (CMPs) ensure user privacy and compliance with data protection regulations like GDPR.
Why a new version – TCF 2.2?
The release of TCF 2.2 marks an evolution of the framework, aiming to enhance user transparency, simplify user interfaces, and standardize information about vendors. This update ensures the framework remains in step with evolving data protection regulations and user expectations for privacy and control.
The journey towards full integration and compliance with TCF 2.2 is marked by several key dates:
– May 16, 2023: TCF v2.2 was released, setting in motion the transition to the new standards.
– June 30, 2023: Vendors were required to have updated their registrations to align with the new version.
– July 10, 2023: CMPs must stop hosting scripts on subdomains of consensu.org.
– September 30, 2023: This was the initial deadline for supporting v2.2 and deprecating v2.1.
– November 20, 2023: IAB Europe granted an extension, providing additional time for publishers to implement TCF 2.2.
Utilizing the new Global Vendor List (GVL)
The GVL is central to TCF 2.2, and the new version can be accessed at https://vendor-list.consensu.org/v3/vendor-list.json. This list is essential for CMPs to build user-facing disclosures, and it is updated weekly. Storing a local copy of the file is required.
Consent modal compatible with TCF 2.2
Creating a consent modal that aligns with TCF 2.2 involves simplifying user interfaces, ensuring clarity in data processing communication, and providing straightforward options for consent management.
The modal should facilitate transparency by disclosing the number of third-party vendors and their data processing purposes. It must also offer user-friendly descriptions and visual aids to help users make informed decisions.
Enhanced transparency in vendor disclosure
Transparency is key in building trust with users, and the new TCF 2.2 standards reflect this by requiring CMPs to provide clearer disclosures regarding third-party vendors.
Disclosure of the number of vendors
Initial UI layer:
– CMPs must now disclose the total number of third-party vendors that are seeking consent or pursuing data processing on the basis of legitimate interests.
– Example disclosure: “We and our [number] partners store and/or access information on your device for personalized ads and content […]”
Secondary UI layer:
– This layer requires a breakdown of the number of vendors pursuing consent or legitimate interests for each specific purpose.
– The disclosed numbers should at minimum cover the TCF vendors for which the publisher is establishing transparency and consent. It may also include non-TCF vendors.
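The two numbers described above can be derived from the locally stored GVL copy. The following is an added example, not code from the original article or from IAB Europe: field names follow the GVL v3 file, while the sample data, the `publisherVendorIds` input and the function names are assumptions made for illustration.

```javascript
// Constructed sample in the shape of the GVL v3 file (not real vendor data).
const sampleGvl = {
  lastUpdated: "2023-11-16T16:00:00Z",
  vendors: {
    "1": { id: 1, name: "Vendor A", purposes: [1, 2, 7], legIntPurposes: [] },
    "2": { id: 2, name: "Vendor B", purposes: [1], legIntPurposes: [2, 7] },
    "3": { id: 3, name: "Vendor C", purposes: [1, 3, 4], legIntPurposes: [10] },
    "4": { id: 4, name: "Vendor D", purposes: [1, 2], legIntPurposes: [],
           deletedDate: "2023-06-01T00:00:00Z" },
  },
};

// True when the stored copy is older than maxAgeDays (the list changes weekly).
function isGvlStale(gvl, now, maxAgeDays = 7) {
  const ageMs = now.getTime() - Date.parse(gvl.lastUpdated);
  return !(ageMs <= maxAgeDays * 24 * 60 * 60 * 1000); // unparsable date => stale
}

// publisherVendorIds (hypothetical input): vendor ids the publisher works with.
function countVendors(gvl, publisherVendorIds) {
  const perPurpose = {}; // purposeId -> { consent, legInt }
  let total = 0;
  for (const id of new Set(publisherVendorIds.map(String))) {
    const known = Object.prototype.hasOwnProperty.call(gvl.vendors, id);
    const vendor = known ? gvl.vendors[id] : null;
    if (!vendor || vendor.deletedDate) continue; // unknown or deleted vendor
    total += 1; // first-layer number
    const bases = { consent: vendor.purposes, legInt: vendor.legIntPurposes };
    for (const [basis, purposeIds] of Object.entries(bases)) {
      for (const purposeId of purposeIds || []) {
        perPurpose[purposeId] = perPurpose[purposeId] || { consent: 0, legInt: 0 };
        perPurpose[purposeId][basis] += 1; // second-layer breakdown
      }
    }
  }
  return { total, perPurpose };
}
```

Recomputing the counts whenever the stored list is refreshed keeps the disclosed numbers from drifting away from the vendors actually loaded on the page.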
Practical implementation for commercial CMPs:
Enhancements in user-facing texts
Renaming TCF purposes & features:
– The framework introduces new names for the TCF purposes and features, making them more accessible and understandable for end-users.
Revamping legal texts:
– Previously used legal texts have been removed and replaced with more detailed and user-friendly descriptions. This change aims to make the information more digestible and relatable for users, aiding in their decision-making process.
Introducing illustrations:
– A new set of illustrations has been created and should be made accessible to users, particularly on the secondary layer of the CMP UI. These visuals serve to enhance user comprehension of the text, providing a clearer picture of the data processing activities and their implications.
Flexibility for publishers:
– The TCF policies now allow publishers to modify or supplement the standard illustrations, provided certain conditions are met. One such condition is the requirement to flag any such changes in the Transparency & Consent (TC) string, with the UseNonStandardStacks field being expanded and renamed to UseNonStandardTexts.
Accessing upgraded resources:
– The new version of the Global Vendor List (GVL), which reflects these upgrades, can be found at https://vendor-list.consensu.org/v3/vendor-list.json.
– Additionally, new translations of these resources will be made progressively available at https://vendor-list.consensu.org/v3/purposes-{language}.json.
Standardization and transparency in vendor information
Categories of data:
– The update introduces a standardized taxonomy for the categories of data collected and processed by vendors, comprising 11 distinct categories. These include “IP addresses”, “device identifiers”, and “browsing and interaction data”.
– CMPs are encouraged to utilize these standard names and provide corresponding user-friendly descriptions, ensuring uniformity and clarity across different platforms.
– The taxonomy and categories declared by each vendor are now integrated into the Global Vendor List (GVL), allowing for easy access and reference.
Data retention periods:
– Vendors are required to declare data retention periods on a per-purpose basis, quantified in days. For data retained for less than a day or only during a session, vendors should declare a retention period of 0.
– CMPs can further aid user comprehension by converting these retention periods into different time units, akin to their current practices with vendors’ maximum device storage durations.
– It’s important to note that this requirement does not apply to Purpose 1, as it does not constitute a data processing purpose on its own but is linked to the obligations of Article 5(3) of the ePrivacy Directive.
Legitimate interests:
– Vendors are now mandated to provide not just a link to their privacy policies, but also a dedicated link explaining their legitimate interests when pursuing certain purposes or special purposes based on this legal basis.
– CMPs can retrieve this URL from the GVL, using it to augment disclosures about the vendors.
Multilingual support for privacy documentation:
– In a significant move towards inclusivity, vendors can now declare URLs to their privacy documentation in multiple languages, with all these URLs being accessible through the GVL.
– This feature empowers CMPs to provide users with links to privacy documentation in the same language as the UI, enhancing user understanding and engagement.
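A sketch of how a CMP could turn one vendor's GVL entry into the retention and link disclosures described above, as an added example that is not part of the original article. The `dataRetention` and `urls` field names follow the GVL v3 file; the sample vendor, the function names, the month approximation and the English fallback are assumptions. Because the URLs are vendor-supplied strings, only http(s) links are passed on to the UI.

```javascript
// Constructed vendor entry in the GVL v3 shape (not real vendor data).
const sampleVendor = {
  id: 1, name: "Vendor A", purposes: [1, 2], legIntPurposes: [7],
  dataRetention: { stdRetention: 30, purposes: { "7": 397 }, specialPurposes: {} },
  urls: [
    { langId: "en", privacy: "https://vendor-a.example/privacy",
      legIntClaim: "https://vendor-a.example/legitimate-interest" },
    { langId: "de", privacy: "https://vendor-a.example/de/datenschutz",
      legIntClaim: "javascript:void(0)" }, // malformed entry, must not be rendered
  ],
};

// Retention in days for one purpose; null when none applies or none is declared.
function retentionDays(vendor, purposeId) {
  if (purposeId === 1) return null; // Purpose 1 carries no retention period
  const retention = vendor.dataRetention || {};
  const own = (retention.purposes || {})[String(purposeId)];
  const days = own !== undefined ? own : retention.stdRetention;
  return Number.isInteger(days) && days >= 0 ? days : null;
}

// Days -> user-facing text; the month figure is an approximation (30-day months).
function formatRetention(days) {
  if (days === null) return "no retention period declared";
  if (days === 0) return "session only or less than a day";
  if (days < 60) return `${days} day${days === 1 ? "" : "s"}`;
  return `about ${Math.round(days / 30)} months`;
}

// Accept only http(s) URLs; anything else (or unparsable input) becomes null.
function safeLink(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : null;
  } catch {
    return null;
  }
}

// Links in the UI language, falling back to English, then to the first entry.
function vendorLinks(vendor, uiLang) {
  const urls = vendor.urls || [];
  const entry = urls.find((u) => u.langId === uiLang) ||
    urls.find((u) => u.langId === "en") || urls[0] || {};
  return { langId: entry.langId || null, privacy: safeLink(entry.privacy),
           legIntClaim: safeLink(entry.legIntClaim) };
}
```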
Enhancing user control: withdrawal of consent
Easy re-access to CMP UI:
– Publishers and CMPs must take steps to guarantee that users can effortlessly revisit the CMP UI to review and modify their preferences. This can be facilitated through various means:
  – A floating icon that remains visible
  – A footer link present on every webpage
  – A prominent setting at the top-level of the app
Balanced call-to-action options:
– In situations where the initial consent request offers a single-click option to approve all purposes and vendors, such as a “Consent to all” button, there should be a corresponding option allowing users to withdraw consent in a similar one-click manner, like a “Withdraw consent to all” button.
– This ensures that giving and retracting consent are equally accessible, maintaining the balance of user choice.
Changes in TCF API
Deprecation of getTCData command:
– The getTCData command in the CMP API has been deprecated. Consequently, CMPs are no longer mandated to support this command.
– This move aims to ensure that vendors consistently utilize the eventListener for retrieving the TC String.
Essential API commands:
After this update, there are three mandatory API commands that CMPs must support:
1. ping: Checks the availability of the CMP.
2. addEventListener: Enables the subscription to TC events.
3. removeEventListener: Allows the removal of previously added event listeners.
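The listener-based pattern that replaces getTCData, shown as an added example that is not code from the original article. The stub CMP, the function names and the TC string values are constructed for illustration; on a real page the first argument would be `window.__tcfapi`. Keeping the subscription open means a later withdrawal of consent reaches the caller as well.

```javascript
// Minimal stand-in for a CMP's __tcfapi, constructed for this example only.
function makeStubCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (command, version, callback, param) => {
    if (command === "ping") {
      callback({ cmpLoaded: true });
    } else if (command === "addEventListener") {
      listeners.set(nextId++, callback);
    } else if (command === "removeEventListener") {
      callback(listeners.delete(param)); // true when the listener existed
    } else {
      callback(null, false); // unsupported command, e.g. the deprecated getTCData
    }
  };
  // Test hook (not part of the TCF API): deliver an event to every listener.
  api.emit = (eventStatus, tcString) => {
    for (const [listenerId, cb] of [...listeners]) {
      cb({ eventStatus, tcString, listenerId, gdprApplies: true }, true);
    }
  };
  return api;
}

// Calls onChange with each final TC string; returns a function that unsubscribes.
function subscribeToConsent(tcfapi, onChange) {
  let listenerId = null;
  tcfapi("addEventListener", 2, (tcData, success) => {
    if (!success || !tcData) return;
    listenerId = tcData.listenerId;
    // 'cmpuishown' means the user is still choosing, so the string is not final.
    if (tcData.eventStatus === "tcloaded" ||
        tcData.eventStatus === "useractioncomplete") {
      onChange(tcData.tcString);
    }
  });
  return () => {
    if (listenerId === null) return false;
    let removed = false;
    tcfapi("removeEventListener", 2, (ok) => { removed = ok; }, listenerId);
    listenerId = null;
    return removed;
  };
}
```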
Updates to the TCF compliance programs
Introduction of the Controls Catalogue:
– The “Controls Catalogue” bridges the TCF Policies and Technical Specifications with auditable components. This facilitates IAB Europe in the auditing of CMPs’ live installations, ensuring adherence to the established standards.
Launch of the updated CMP Validator:
– A new version of the “CMP Validator” Chrome extension has been made publicly accessible.
– CMPs can use this tool to self-assess their live installations, verifying compliance with the TCF standards through the Controls Catalogue and CMP Validator.
Re-validation not required for CMPs:
Who should comply with TCF 2.2?
The Transparency and Consent Framework (TCF) version 2.2, developed by IAB Europe, establishes a standardized protocol for publishers, advertisers, and Consent Management Providers (CMPs) to communicate user consent for data processing and targeted advertising. Here’s a breakdown of who should comply:
Publishers: Must integrate a compliant CMP to transparently handle user consents on their digital platforms.
Advertisers/Marketers: Should only utilize user data with proper consent, ensuring alignment with publishers and CMPs for transparent data usage.
CMPs: As facilitators of consent management, CMPs need to upgrade their solutions to fully comply with TCF 2.2, assisting publishers and advertisers in responsible data handling.
Ad tech vendors: Including DSPs, SSPs, and DMPs, these players must process user data in line with user consents and maintain transparency in their operations.
Data brokers/Third-party vendors: Must transparently align their data practices with TCF 2.2, ensuring proper user consents are in place for their activities.
Key takeaways
1. Enhanced transparency: TCF 2.2 ensures users have clear, concise information about vendors and data processing, enhancing transparency.
2. User-centric communication: The framework promotes plain language and visual aids to help users understand and make informed choices about data processing.
3. Vendor information standardization: A standardized taxonomy for data types collected and processed by vendors is introduced for consistency and clarity.
4. Clearer data practices: Vendors must declare data retention periods and explain their legitimate interests, providing users with comprehensive insights.
5. Multilingual support: Vendors can provide privacy documentation URLs in multiple languages, allowing access to information in users’ preferred language.
6. Simplified user interface: The CMP UI is streamlined, offering easy options for users to consent or withdraw from all purposes and vendors.
7. API command deprecation: The getTCData command is deprecated, optimizing the API command structure and encouraging the use of event listeners.
8. Compliance and auditing updates: Updated compliance programs and tools are available for CMPs to self-test and ensure adherence to TCF 2.2 standards.
9. Broad applicability: TCF 2.2’s guidelines apply to all entities in the digital advertising ecosystem, promoting a transparent and user-trustworthy environment.