The data privacy landscape has high, yet ever-evolving standards. Version 2.2 of the Transparency and Consent Framework (TCF) is just one recent example of how quickly and drastically rules can change for businesses that process consumers’ personal information online. Read on as we take an in-depth look at the TCF, its history, new updates, and what it means for publishers.
What Is the Transparency and Consent Framework (TCF)?
The Transparency and Consent Framework (TCF) is a global standard that regulates website and mobile app data processing. It helps organizations achieve compliance with the General Data Protection Regulation (GDPR) while providing transparency to consumers about how their personal data is being used.
The TCF was first developed by the Interactive Advertising Bureau (IAB) of Europe in 2018. Since then, the TCF has been adopted by hundreds of companies around the world, including some of the largest tech companies. The TCF is not just for GDPR compliance; it also provides a way for advertisers and website owners to clearly communicate with consumers about their data usage policies and how they use personal data on their websites or apps. Consistent standards across the board establish a level playing field for all companies operating in the digital advertising space.
Why the TCF Exists
The TCF was made necessary by evolving concerns in the world of data sharing. As technology has advanced over the years, so have the ways in which online platforms can use individuals’ personal information. This prompted the European Union to introduce the first comprehensive law on the matter, the General Data Protection Regulation (GDPR), in 2018. Other prominent pieces of legislation followed not long after that, despite being designed to protect a specific region, can apply to entities from around the globe.
At the core of data privacy laws like the GDPR is an expectation for businesses to practice transparency in their data handling activities. Europe’s law in particular establishes the need for consent (for example cookie consent) – wherein an individual must consciously agree to their personal data being used for non-essential purposes.
The most recognizable real-world example of this is the cookie banner many websites display upon a user’s first visit. It is meant to inform people about their rights and provide them with an easy means of opting into or out of data sharing.
But as anyone who’s ever been online knows, not every cookie banner or privacy notice is made equal. Some are straightforward with simple ‘agree’ and ‘disagree’ buttons, while others make rejecting the use of third-party scripts a more complicated endeavor. There’s even a history of websites purposefully designing banners to mislead users into providing consent. That doesn’t sit well with the governing authorities who designed these laws, which is why they’ve implemented measures like the Transparency and Consent Framework to standardize how rules are followed.
The Evolution of the TCF
Like all laws, policies, and regulations, the Transparency and Consent Framework has evolved with the greater data privacy landscape it polices. The TCF has seen multiple changes by way of expectations, penalties, and disclosure requirements over the years, each introduced in an effort to bolster internet users’ privacy amidst increasing risk.
The TCF got its start on April 25th, 2018, when IAB Europe launched the first version of the framework after several months of extensive consultation with industry stakeholders. v1.1 was simple, but a first of its kind, effectively establishing a baseline for further iterations down the road. It focused heavily on AdTech vendors – such as demand-side platforms (DSPs) – outlining the collection, disclosure, and use of user data. Publishers were more or less spared from stringent rules, although still expected to follow GDPR principles whenever applicable.
Just a little more than one year down the line in August 2019, regulators officially adopted TCF v2.0. It stood to enhance v1.1 with updated standards and new rights for consumers. They would now be able to directly grant or withhold consent to publishers, control how specific pieces of information are used, and have more insight into websites’ data handling practices overall. The most important change made was for publishers, who, with the help of new tech functionalities, were empowered to implement granular rules over which of their vendors processed user information and for what purposes.
v2.1 was a smaller blip in the TCF’s journey, but remains extremely important to the framework we know today. An amendment of the previous version, this update sought to bring IAB policy in line with a recent ruling by the Court of Justice of the European Union (CJEU). That decision – involving a case against online gaming platform Planet49 – set a new precedent for what constituted valid consent under GDPR law. Websites would no longer be allowed to pre-tick boxes on their cookie banners and would instead need actionable consent from users in order to store information on them. They were also required to further disclose their means of data storage and access, as well as indicate the maximum duration for which they keep personal information in their systems.
This brings us to the latest – although certainly not the last – version of the TCF. Announced by the IAB on May 16th, 2023, v2.2 was created to address gaps left unfilled by v2.1. As we’ll cover in this article, the newest framework specifically focuses on three areas of improvement brought to light during consultations with stakeholders and has been enlivened by public comment, which was received all the way up until May 12th, 2023. Vendors were required to complete a TCF Compliance Assessment form and submit it through the Global Vendor List registration portal by July 31st, 2023. Cookie Management Platforms (CMPs) and vendors have a little bit longer to get on board, with an implementation deadline of November 20th, 2023.
What TCF v2.2 Brings to the Table
v2.2 is the most comprehensive Transparency and Consent Framework to date, making several changes and introducing completely new standards to prior versions. As mentioned before, these focus on three key areas: legitimate interest as a legal basis for data processing; vendor information; and reasonable consent. See a comprehensive breakdown of the ways they’ve been updated below.
Removal of ‘Legitimate Interest’
In the context of data privacy law, ‘legitimate interest’ refers to the legal justification for processing or using personal data. It is used when a controller (the entity responsible for the processing of the data) has identified a legitimate interest in using personal information to deliver services, improve customer experience, or make decisions that will benefit their business.
Under the GDPR, legitimate interest is one of six legal bases for processing personal data and can be used in certain circumstances to justify the use of this information without explicit consent from individuals.
With TCF 2.0, vendors had the option to rely on either consent or legitimate interest as a legal basis for processing purposes two and up. The latest version of the framework removes legitimate interest’s applicability from purposes three, four, five, and six, essentially mandating consent for any of the following circumstances.
- Purpose #3: Creating profiles for personalized and targeted advertising.
- Purpose #4: Using profiles to serve personalized advertisements.
- Purpose #5: Creating profiles to personalize content.
- Purpose #6: Using profiles to serve personalized content.
Storing and/or accessing information on a device (Purpose #1), selecting basic ads (Purpose #2), measuring ad performance (Purpose #7), using market research to generate audience insights (Purpose #8), developing products (Purpose #9), and ensuring security (Purpose #10) are all still permitted under legitimate interest so long as they are properly disclosed per TCF v2.2 rules.
It goes without saying that the average person knows little to nothing about data privacy law. Yet at the same time, they care about it, and increasingly so as stories of malpractice continue to dominate news headlines around the world. In an effort to empower everyday individuals with the context they need to make informed decisions online, the IAB added requirements for user-friendliness in its TCF v2.2 guidelines. A consent manager like CookieFirst should now outline data collection purposes and features in plain language alongside standard illustrations that demonstrate each purpose.
The goal of this guideline is twofold: to make data privacy more accessible and to encourage vendors to explain the real-world implications of their data collection activities in a way that end-users can understand.
Additional Vendor Information
TCF 2.2 requires companies to go further with regard to the information they provide users about their data processing practices. It needs to be at the forefront of a website’s cookie banner and disclose exactly how many individual third-party vendors are present on the site. This way, users can easily see who is collecting data from them and make more informed decisions about their actions.
The ‘second layer’ of the website’s CMP banner should include additional details about:
Legitimate Interests Involved
If applicable, vendors must disclose the legitimate interests that allow them to process data. This includes the type of interest in question such as targeted advertising or user analytics and why it is a legal basis for processing data.
The Categories of Personal Data Collected
Personal data can be categorized on bases such as:
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership status
- Genetic data
- Biometric data
- Sexual orientation
The vendor must state which of these categories, if any, they are collecting from a user and how that will be used.
Retention Periods for Each Purpose
The vendor must also state how long they will retain individuals’ data for each of the above-outlined purposes, including the maximum retention period. This may be anywhere from a few days to several years.
Data Policy Redirect Link
As if the two upfront layers of mandatory disclosures weren’t enough, website cookie banners must give users the option to click through and read the site’s full data policy page, where they can find further details about how their data is being used and managed.
Up until now, vendors and publishers have had the ability to process data for any of the 10 purposes outlined in the previous section. This latest version of the TCF introduces another: using data to select content. It effectively applies to the selection and delivery of non-advertising content, such as news articles or video clips. Contextual content that uses non-precise geolocation data or information about a page’s content is also covered under this purpose, although the creation and use of profiles to serve that content is not.
The ultimate goal of Purpose #11 is to strike a happy balance between internet users’ concerns over data privacy and their desire for relevant content. Vendors can still serve up personalized content, but only in a way that is compliant with the General Data Protection Regulation (GDPR).
Consent withdrawal isn’t a new concept in data privacy law. In fact, it’s mandated by many regulations out there today. There remains a concern, however, about how simple – or difficult – websites make the process for visitors. While the GDPR already states that consent should be as easy to revoke as it is to give, many banners fail in this respect.
Dark patterns are a big concern – those designs and techniques that are used to manipulate users into doing something they wouldn’t otherwise do. These can make it difficult for people to withdraw their consent, or even understand what the process is.
Another issue is that many websites don’t offer proper guidance on consent withdrawal. This means that users can be left in the dark about how to revoke their consent, and they may not even have the option available if it’s not clearly advertised.
One of the biggest issues tackled by v2.2 is button inconsistency, where sites make accepting cookie use a one-click affair compared to a multi-step one for rejection. According to the new policy, all options given to site visitors must be equally straightforward. ‘Allow All’ opt-in buttons should be accompanied by matching ‘Reject All’ options.
Sites are also expected to make it easy for users to resurface the cookie banner and change their data-sharing preferences should they choose to do so. It’s hoped that by standardizing the way consent is collected, users will feel more in control of their data and have a greater understanding of the process.
If you would like to know more about cookies, read our article: What are cookies?
A Field Guide to Transitioning to TCF v2.2
To say that version 2.2 of the Transparency and Consent Framework is huge would be an understatement. This is one of the most comprehensive revisions to the policy yet, if not the most comprehensive, paired with a tight timeline for vendors and publishers alike. To help make the transition process a bit easier, we’ve put together this quick review of the next steps everyone should be ready to complete before November 20th:
Reviewing vendors is a good practice to follow regardless, but in the lead-up to this new policy, it’s an absolute necessity.
Publishers must ensure that any and all vendors they work with are compliant with updated TCF v2.2 requirements. This means checking whether they are registered on IAB Europe’s TCF v2.2 vendor list, and that all of their services align with what is expected under the policy.
Publishers should also review their own vendor list to make sure that the vendors they are working with are necessary. It’s important to reduce your vendor list and ensure that each partner adds value; if a certain partner’s services aren’t used, then it’s best to remove them from the list.
Cookie Management Platforms will play a big role in transitioning websites to the modern version of the TCF. The new UI rules we explained earlier start with these tools, so it is important to confirm that whichever one a site uses can be adapted to meet them.
Primary among these requirements is a streamlined user experience and clear disclosures. CMP UI text and pop-up workflows need to meet the IAB’s standards for clarity and transparency, as well as properly disclose the number of vendors a site is working with.
Conduct Internal Checks
Lastly, business owners and site operators can benefit from conducting internal audits of their own sites and services, to ensure that their compliance with the new framework is sound. This review should focus on making sure all cookie banners are up-to-date, as well as confirming that existing consent mechanisms are in alignment with v2.2’s expectations for consent management. It’s wise to establish a team, or at the very least, a designated individual, to oversee this process and ensure it is completed in a timely manner.
Things to Keep In Mind as TCF v2.2 Rolls Out
In addition to the above-mentioned steps, there are a few other factors to keep in mind as the IAB releases its updated standard.
Don’t forget to consider:
Vendor Quantity and Quality
The new TCF policy does not limit the maximum number of vendors a publisher can work with. There are no objective criteria, either, as regulators seem to recognize the very case-by-case nature of these relationships between industries. That said, many experts are encouraging website owners to apply increased scrutiny when working with vendors. The more vendors are involved, the greater the risk that users’ ability to make an informed choice is infringed upon.
Whether it’s with respect to the GDPR, CPRA, or any other data privacy law, making sure all of a website’s data privacy tools are accessible and understandable by users is paramount.
Companies would be wise to shop around for a comprehensive CMP that allows them to not only edit the language and aesthetics of their privacy notice but also its granular controls and actions.
Looking for an All-In-One Solution? CookieFirst Is the Answer.
In the ever-expanding world of data privacy compliance, having an all-in-one solution to help stick to the rules can be a real game changer. That’s why so many website owners are turning to CookieFirst.
CookieFirst is a comprehensive consent management platform that helps websites meet their data privacy obligations in accordance with the GDPR, CPRA, and other global regulations.
Our robust offering of tools and features makes it easy to customize a data privacy strategy that meets both the needs of visitors and regulators alike.
From the IAB’s Transparency and Consent Framework to the countless laws emerging across American states, our product is a one-stop shop for all of your compliance needs. Get started today!