TCF v2.2 - Implementation FAQs

General

1. What are the main differences between TCF 2.1 & 2.2?

Yes, although the TCF Policies do not require that CMPs provide a call to action for users to refuse consent from the first layer of their UIs, nothing in the TCF Policies is intended to prevent going beyond these minimum requirements. As with any other design requirements that are not specified by the TCF policies, publishers should ensure they are fully aware of their local Data Protection Authority’s requirements and act accordingly.

2. Can the initial layer of the CMP UI provide a “reject all” button?

Yes, the TCF Policies do not request all user interfaces (UI) to take the form of a popup overlay. This is only required in connection with requesting users’ consent, in which case the UI needs to be displayed prominently and separately from other information. When making use of a so-called layered approach, publishers and their CMPs may choose to provide transparency
and the right to object relating to Purposes or Special Purposes pursued by Vendors on the basis of their legitimate interests in a separate webpage, such as in their privacy policies, so long as users are provided with an easily accessible link to it from the UI that is used to request their consent.

Because such an approach can impact a commercial CMP’s ability to assume responsibility for compliance with the TCF Policies, publishers may be required to register a private CMP and use a commercial CMP’s offering in association with their private CMP ID in line with Chapter II: Policies for CMPs (7)(2).

FAQs for CMPs

3. Where can I find the TCF translations?

The TCF official translations have been published at https://register.consensu.org/Translation. IAB Europe is now in the process of updating them progressively according to local market feedback. If you have any feedback on a translation, you can provide suggestions at framework@iabeurope.eu.

4. How should the total number of Vendors be added to the CMP UI?

The Initial Layer of the Framework UI has to disclose the number of third party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s), in order to better inform users about the number of entities susceptible to processing their personal data.

This number should at a minimum represent the number of TCF Vendors for which the publisher establishes transparency & consent, but may include the number of non-TCF Vendors. It is up to the publishers to decide whether they want to include non-TCF Vendors when providing this number. Publishers should consider when making such a determination how to best manage user expectations regarding the number of data controllers for which it establishes legal bases.

The Secondary Layer of the Framework UI has to disclose the numbers of third party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s) for each purpose. These numbers may also include the number of non-TCF Vendors for which the publisher establishes transparency & consent using the TCF purposes nomenclatures.

5. How should CMPs disclose Vendors’ retention periods and categories of data?

CMPs should disclose the new information on a per-Vendor basis, using the information published in the GVL.

The categories of data collected and processed by Vendors has been standardised through a dedicated taxonomy. CMPs should use the standard names provided by the TCF Policy and make available the corresponding user-friendly descriptions.

To facilitate users’ understanding, CMPs may convert retention periods provided by Vendors in days into a different time unit (e.g. in months), the same way they may currently do so with Vendors’ maximum device storage durations.

6. What is the StdRetention field in the GVL for TCF 2.2?

The StdRetention field in the GVL is added and computed when a Vendor has declared the same retention period for several purposes and/or special purposes for optimisation of the GVL length. As a result the entry for purposes and/or special purposes with that most common retention period, i.e. the period which is declared for the most purposes and/or special purposes, will be omitted from the purposes and specialPurposes fields in the dataRetention object.

For example, if a Vendor has declared the following retention periods:

Purpose 2: 30
Purpose 3: 30
Purpose 4: 30
Purpose 7: 180
Special Purpose 2: 360

The corresponding dataRetention object in the Vendors’ entry in the GVL will be:

"dataRetention": {
"stdRetention": 30,
"purposes": {
"7": 180,
},
"specialPurposes": {
"2": 360
}
}

7. How should CMPs use the multiple URLs that Vendors may provide to access their privacy documentations in different languages?

TCF v2.2 enables Vendors to declare URLs to their privacy policies and legitimate interest(s) at stake explanation on a per-language basis. This enables CMPs to provide users with link(s) to Vendors’ privacy documentations in the same language as the one used in their Framework UIs (which for example corresponds to the language of the publisher’s digital property or the language of the user’s browser).

Where Vendors have not declared URLs to their privacy documentations in the language used in the Framework UIs, CMPs may choose to provide links to the Vendors’ documentation in a different language, or Publishers may choose not to work with Vendors that do not maintain privacy documentations in the language of their users.

8. How should CMPs disclose the storage and access information relating to the CMP’s recording of Signals (TC String), including the maximum device storage duration where applicable?

CMPs should at a minimum disclose on the secondary layer of their UIs how the TC String is stored and for how long if it is stored on the user's device. Such an explanation can include for example "the choices you make regarding the purposes and entities listed in this notice are saved in a cookie named [n] for a maximum duration of [x] months”.

FAQs for Publishers

9. How should Publishers select the Vendors for which they establish legal bases? Is there a maximum number ?

Since March 2022, Vendors registering to the TCF are required to provide additional information that is not intended for user disclosures but can be used by Publishers for determining which Vendors they wish to establish transparency and consent for on their digital properties.

The additional information cover the following detail:

Full legal entity address ;
Business-to-business contact details ;
Territorial scope - the EU/EEA/EFTA/UK jurisdictions where the vendor operates in the context of its TCF registration. Note that this is different from the place of establishment ;
Environment – environment(s) where the vendor operates such as web, mobile apps, CTV apps ;
Type of service – Vendor’s type of service(s) such as SSP, DSP, DMP ;
International transfer – indication if the vendor transfers data outside EU/EEA ; when applicable, indication if the data transfers are covered by an EU adequacy decision.

This additional information is available here and can be used by Publishers to, for example, avoid requesting user’s consent for Vendors that operate in technical environments and jurisdictions that are not relevant to their online services, as well as generally better understand each TCF Vendor’s scope of operations and whether it transfers data outside of the EEA.

Publishers can also work with their CMPs and Vendor-partners to better understand which Vendors are active on their digital properties (e.g. contribute to the selling of their ad inventories) to supplement their selection process.

The TCF Policies does not impose a maximum number of Vendors for which a Publisher establishes legal bases, as it depends on the nature of the services and content provided by the Publisher as well as its business model, and no objective criteria have been laid down by Data Protection Authorities in that respect.

10. Does the TCF Policies requirement in relation to withdrawal of consent affect pay-or-consent installations

Publishers and their CMPs will be required to ensure that users can re-access the CMP UI easily to manage their choices (e.g. from a floating icon or a footer link available on each webpage, from the top-level setting of the app etc.)

If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and vendors in one click (such as “Consent to all”), an equivalent call to action should be provided when users resurface the CMP UI as to withdraw consent to all purposes and vendors in one click (such as “Withdraw consent to all”).

When the publisher implements a way for the user to access its content without consenting through other means, for example by offering paid access, users who previously provided consent should still be provided with the possibility to easily withdraw consent at any time and access the content through other means (for example the paid access). Although the TCF policies accommodate such implementations, publishers should ensure they are fully aware of their local Data Protection Authority’s requirements when leveraging pay-or-consent installations.

11. Can the information and choices provided to users in connection with establishing legitimate interests be embedded in a webpage instead of a popup overlay?

12. How often should I remind users of their choices?

Data Protection Authorities have issued different guidelines and recommendations on the appropriate duration - which varies between 6 months to 24 months. The TCF v2.2 Policies take into account these discrepancies and require publishers to remind users of their choices according to the requirements laid down by publishers’ local regulator(s).

To help TCF participants in their implementation, the below table provides the best practice recommendations that have been provided so far by certain national regulators (last updated March 2024):

Country

Best Practice Recommendation

Reference

SUBJECTBelgium

DATE6 Months

LINKCheck-list cookies

SUBJECTCzech Republic

DATE6 Months

LINKQ&A on data processing on the Internet

SUBJECTFrance

DATE6 Months

LINKRecommendations on cookies and other trackers

SUBJECTIreland

DATE6 Months

LINKGuidance note on cookies and other tracking technologies

SUBJECTItaly

DATE6 Months

LINKGuidance note on the use of cookies and other tracking tools

SUBJECTLuxembourg

DATE12 Months

LINKRequirements applicable to cookies

SUBJECTSpain

DATE24 Months

LINKGuidance on the use of cookies

FAQs for Vendors

13. Has support for legitimate interest as a legal basis been removed from TCF v2.2?

Vendors should provide a link to a webpage that describes the legitimate interests they pursue when they rely on such a legal basis for at least one purpose. This can be a part of their privacy policy, accessed through a bookmark on that webpage. User-facing information about Vendors’ legitimate interest at stake should not be confused with Vendors’ Legitimate Interest Assessments (LIAs) - whose record can be kept internally to demonstrate compliance if required.

15. Should Vendors update the information provided in their Legitimate Interest Claim URL when they declare Special Purpose 3?

Vendors that intend to declare Special Purpose 3 (“Save and communicate privacy choices”) are advised to review concomitantly the user-facing information about their legitimate interests at stake, in order to make sure that it includes a description of the legitimate interest relied upon when pursuing Special Purpose 3.
As a reminder, the Legitimate Interest Claim URL is a link to a webpage that describes the legitimate interests they pursue when they rely on such a legal basis for at least one purpose. This can be a part of their privacy policy, accessed through a bookmark on that webpage

16. How can Vendors self-check their live installations?

In order to self-check their live installations Vendors can use the Controls Catalogue available here. The Controls Catalog maps requirements of the Policies to auditable elements to help participants in assessing and reviewing the compliance of their practical implementations. It includes the audit checks IAB Europe performs when auditing TCF participants - and corresponding enforcement procedure for each.

17. Why do Vendors need to provide a list of digital properties where they operate?

When completing their Vendor Compliance Form, Vendors should provide a non-exhaustive lists of digital properties where their technologies are susceptible to be deployed (e.g. websites where their tags or pixels are present, mobile or CTV apps where their SDK is integrated - depending on the environment(s) they support). This is to facilitate the auditing by IAB Europe of Vendors’ live installations deployed on publishers’ properties.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_pk_id.1.be1c	1 year 27 days	Matomo Analytics
_pk_ses.1.be1c	30 minutes	Matomo Analytics
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.

Who we are

Team members

Board members

Committees & task forces

Framework & code of conduct

Transparency & consent framework

Policy, regulation & advocacy

Industry services

TCF v2.2 - Implementation FAQs

General

FAQs for CMPs

FAQs for Publishers

FAQs for Vendors

Features

Legal

Sign up for our newsletter