The countdown is on: On August 15, 2020, the “Transparency and Consent Framework 2.0“(TCF 2.0) in force. Our guest author has briefly summarized what this means for companies and how they can best prepare for it.
If you want to understand the TCF, it is best to take a quick look at the current legal situation. Because at the latest since BGH judgment on cookie consent From May 28, 2020 it is clear: Anyone who wants to use user data for marketing purposes must obtain the active, informed consent of their users – since data collection without a corresponding legal basis is illegal according to the GDPR.
This is where the TCF comes into play, because the industry association Interactive Advertising Bureau (IAB) offers with the framework a cross-industry, technical standard for retrieving and transmitting the consent signals of a user between publishers and third-party providers who have joined the framework (such as Google, Criteo , Quantcast or Taboola) – and will therefore make it possible to do marketing via these channels in the future.
From TCF 1.0 to TCF 2.0 – a look back
The TCF 2.0 is already the second attempt by the IAB to establish a standard that enables publishers and advertisers to continue marketing even in times of the GDPR.
The IAB had already started the first attempt for this in April 2018, when it launched the TCF 1.0 as a reaction to the new privacy requirements of the GDPR that came into force at the time. However, because version 1.0 clearly favored the vendors in the opinion of the publishers, it was only accepted with reluctance in the industry. The revised version TCF 2.0 was presented in September 2019.
However, the principle has remained the same: If a vendor or third party has joined the framework (you can find all vendors on the Global Vendor List (GVL) of the IAB), he can only process data if the publisher has obtained legally valid consent for this via a Consent Management Platform (CMP).
The decisive point here: publishers must be able to “prove” the existence of this consent to the respective vendor. And not just somehow, but in the form of a so-called TC string, a coded string that can only be created by an IAB-certified Consent Management Platform (CMP) and made available to all parties.
The CMP takes on two tasks here: On the one hand, it serves as a tool to query user preferences in relation to consent to the use of their personal data via a privacy banner. On the other hand, it creates the TC string from this information – and thus serves as a link between all actors in the advertising value chain.
The TC string is stored on the user’s device, for example in localStorage, and possibly also in the form of a cookie on the consensu.org domain. Optionally, the TC string can also be stored on the servers of the respective CMP provider in order to comply with the documentation requirement.
TCF 1.0 vs TCF 2.0 – the differences
At first glance, not much changes – at least from the user’s point of view. The first layer of the privacy banner has remained largely the same. In the second layer, however, it looks different: Here is the TCF 2.0. Publishers have the opportunity to inform their users in detail about which third-party providers process their data, to what extent and for what purpose. Users can express their preferences here in a granular manner, i.e. for each third-party provider, and make individual settings in the form of an opt-in (e.g. by ticking the box).
Instead of simply asking for consent under the keyword “Marketing”, as was previously the case, users now have a much more granular and therefore much more transparent option to make individual privacy settings for each third party provider.
(Screenshot: Mischa Rürup)
(Screenshot: Mischa Rürup)
Were the TCF v1.1. five different data processing purposes were distinguished, these purposes have been expanded to ten in the TCF 2.0. This gives users detailed options to make informed decisions about how their data can be used.
In addition, the TCF 2.0 now has two additional uses which are purely for information purposes and which users cannot object to, for security reasons, among other things. Also new is the “Special Features” category, which includes features that require a separate opt-in, such as the use of geolocation data.
The good news: What might sound complicated at first glance, can be implemented in practice with the help of a CMP. As a rule, the “TCF 2.0” function is activated with a click in the CMP user interface. In the second step, the vendors with whom the respective publisher works are added to the IAB’s Global Vendor List (GVL) and, if necessary, with the already existing list of third-party providers compared.
The TCF 2.0 offers publishers more control and flexibility when integrating and collaborating with technology partners. Because you now have the option of restricting the purposes for which personal data is processed per provider.
What should companies do now?
Publishers who already have a TCF 1.1. If you are using compliant CMPs, you must ensure that you switch to TCF 2.0 in good time before August 15, since version 1.1. is no longer supported from this point in time.
Publishers who have either not yet implemented a CMP or have not implemented a TCF 2.0-compliant CMP should look for a CMP provider with IAB-TCF 2.0 certification as soon as possible. All CMP providers that support the TCF 2.0 are on the IAB Europe website listed. The IAB provides further information for publishers here.
What’s next?
One thing is certain: the IAB TCF 2.0 definitely has the potential to develop into the new industry standard. It remains to be seen whether it will establish itself in the long term. The advance of Google to integrate TCF 2.0 has definitely given the framework a real boost. Publishers who want to protect their advertising income should therefore be prepared for all eventualities. Because as soon as vendors or third-party providers who have joined the TCF 2.0 request proof of user consent in the form of a TC string, nothing works without an IAB-certified CMP.
Mischa Rürup is the founder and managing director of Usercentrics, a GDPR solution for enterprise customers and online marketing agencies. He has been on the German digital scene for over 15 years.
