Interactive Advertising Bureau

TCF v2.2 - Implementation FAQs

General

Yes, although the TCF Policies do not require that CMPs provide a call to action for users to refuse consent from the first layer of their UIs, nothing in the TCF Policies is intended to prevent going beyond these minimum requirements. As with any other design requirements that are not specified by the TCF policies, publishers should ensure they are fully aware of their local Data Protection Authority’s requirements and act accordingly.
Yes, the TCF Policies do not request all user interfaces (UI) to take the form of a popup overlay. This is only required in connection with requesting users’ consent, in which case the UI needs to be displayed prominently and separately from other information. When making use of a so-called layered approach, publishers and their CMPs may choose to provide transparency
and the right to object relating to Purposes or Special Purposes pursued by Vendors on the basis of their legitimate interests in a separate webpage, such as in their privacy policies, so long as users are provided with an easily accessible link to it from the UI that is used to request their consent.

Because such an approach can impact a commercial CMP’s ability to assume responsibility for compliance with the TCF Policies, publishers may be required to register a private CMP and use a commercial CMP’s offering in association with their private CMP ID in line with Chapter II: Policies for CMPs (7)(2).

FAQs for CMPs

The TCF official translations have been published at https://register.consensu.org/Translation. IAB Europe is now in the process of updating them progressively according to local market feedback. If you have any feedback on a translation, you can provide suggestions at framework@iabeurope.eu.
The Initial Layer of the Framework UI has to disclose the number of third party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s), in order to better inform users about the number of entities susceptible to processing their personal data.

This number should at a minimum represent the number of TCF Vendors for which the publisher establishes transparency & consent, but may include the number of non-TCF Vendors. It is up to the publishers to decide whether they want to include non-TCF Vendors when providing this number. Publishers should consider when making such a determination how to best manage user expectations regarding the number of data controllers for which it establishes legal bases.

The Secondary Layer of the Framework UI has to disclose the numbers of third party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s) for each purpose. These numbers may also include the number of non-TCF Vendors for which the publisher establishes transparency & consent using the TCF purposes nomenclatures.
CMPs should disclose the new information on a per-Vendor basis, using the information published in the GVL.

The categories of data collected and processed by Vendors has been standardised through a dedicated taxonomy. CMPs should use the standard names provided by the TCF Policy and make available the corresponding user-friendly descriptions.

To facilitate users’ understanding, CMPs may convert retention periods provided by Vendors in days into a different time unit (e.g. in months), the same way they may currently do so with Vendors’ maximum device storage durations.
The StdRetention field in the GVL is added and computed when a Vendor has declared the same retention period for several purposes and/or special purposes for optimisation of the GVL length. As a result the entry for purposes and/or special purposes with that most common retention period, i.e. the period which is declared for the most purposes and/or special purposes, will be omitted from the purposes and specialPurposes fields in the dataRetention object.

For example, if a Vendor has declared the following retention periods:

Purpose 2: 30
Purpose 3: 30
Purpose 4: 30
Purpose 7: 180
Special Purpose 2: 360

The corresponding dataRetention object in the Vendors’ entry in the GVL will be:

"dataRetention": { 
    "stdRetention": 30, 
    "purposes": {
        "7": 180,
    },
    "specialPurposes": {
        "2": 360
    }
}

TCF v2.2 enables Vendors to declare URLs to their privacy policies and legitimate interest(s) at stake explanation on a per-language basis. This enables CMPs to provide users with link(s) to Vendors’ privacy documentations in the same language as the one used in their Framework UIs (which for example corresponds to the language of the publisher’s digital property or the language of the user’s browser).

Where Vendors have not declared URLs to their privacy documentations in the language used in the Framework UIs, CMPs may choose to provide links to the Vendors’ documentation in a different language, or Publishers may choose not to work with Vendors that do not maintain privacy documentations in the language of their users.
CMPs should at a minimum disclose on the secondary layer of their UIs how the TC String is stored and for how long if it is stored on the user's device. Such an explanation can include for example "the choices you make regarding the purposes and entities listed in this notice are saved in a cookie named [n] for a maximum duration of [x] months”.

FAQs for Publishers

Since March 2022, Vendors registering to the TCF are required to provide additional information that is not intended for user disclosures but can be used by Publishers for determining which Vendors they wish to establish transparency and consent for on their digital properties.

The additional information cover the following detail:

  • Full legal entity address ;
  • Business-to-business contact details ;
  • Territorial scope - the EU/EEA/EFTA/UK jurisdictions where the vendor operates in the context of its TCF registration. Note that this is different from the place of establishment ;
  • Environment – environment(s) where the vendor operates such as web, mobile apps, CTV apps ;
  • Type of service – Vendor’s type of service(s) such as SSP, DSP, DMP ;
  • International transfer – indication if the vendor transfers data outside EU/EEA ; when applicable, indication if the data transfers are covered by an EU adequacy decision.

This additional information is available here and can be used by Publishers to, for example, avoid requesting user’s consent for Vendors that operate in technical environments and jurisdictions that are not relevant to their online services, as well as generally better understand each TCF Vendor’s scope of operations and whether it transfers data outside of the EEA.

Publishers can also work with their CMPs and Vendor-partners to better understand which Vendors are active on their digital properties (e.g. contribute to the selling of their ad inventories) to supplement their selection process.

The TCF Policies does not impose a maximum number of Vendors for which a Publisher establishes legal bases, as it depends on the nature of the services and content provided by the Publisher as well as its business model, and no objective criteria have been laid down by Data Protection Authorities in that respect.

Publishers and their CMPs will be required to ensure that users can re-access the CMP UI easily to manage their choices (e.g. from a floating icon or a footer link available on each webpage, from the top-level setting of the app etc.)

If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and vendors in one click (such as “Consent to all”), an equivalent call to action should be provided when users resurface the CMP UI as to withdraw consent to all purposes and vendors in one click (such as “Withdraw consent to all”).

When the publisher implements a way for the user to access its content without consenting through other means, for example by offering paid access, users who previously provided consent should still be provided with the possibility to easily withdraw consent at any time and access the content through other means (for example the paid access). Although the TCF policies accommodate such implementations, publishers should ensure they are fully aware of their local Data Protection Authority’s requirements when leveraging pay-or-consent installations.

Yes, the TCF Policies do not request all user interfaces (UI) to take the form of a popup overlay. This is only required in connection with requesting users’ consent, in which case the UI needs to be displayed prominently and separately from other information. When making use of a so-called layered approach, publishers and their CMPs may choose to provide transparency
and the right to object relating to Purposes or Special Purposes pursued by Vendors on the basis of their legitimate interests in a separate webpage, such as in their privacy policies, so long as users are provided with an easily accessible link to it from the UI that is used to request their consent.

Because such an approach can impact a commercial CMP’s ability to assume responsibility for compliance with the TCF Policies, publishers may be required to register a private CMP and use a commercial CMP’s offering in association with their private CMP ID in line with Chapter II: Policies for CMPs (7)(2).
Data Protection Authorities have issued different guidelines and recommendations on the appropriate duration - which varies between 6 months to 24 months. The TCF v2.2 Policies take into account these discrepancies and require publishers to remind users of their choices according to the requirements laid down by publishers’ local regulator(s).

To help TCF participants in their implementation, the below table provides the best practice recommendations that have been provided so far by certain national regulators (last updated March 2024):

Country
Best Practice Recommendation
Reference
SUBJECTBelgium
DATE6 Months
SUBJECTCzech Republic
DATE6 Months
SUBJECTLuxembourg
DATE12 Months
SUBJECTSpain
DATE24 Months

FAQs for Vendors

Vendors should provide a link to a webpage that describes the legitimate interests they pursue when they rely on such a legal basis for at least one purpose. This can be a part of their privacy policy, accessed through a bookmark on that webpage. User-facing information about Vendors’ legitimate interest at stake should not be confused with Vendors’ Legitimate Interest Assessments (LIAs) - whose record can be kept internally to demonstrate compliance if required.
Vendors that intend to declare Special Purpose 3 (“Save and communicate privacy choices”) are advised to review concomitantly the user-facing information about their legitimate interests at stake, in order to make sure that it includes a description of the legitimate interest relied upon when pursuing Special Purpose 3.
As a reminder, the Legitimate Interest Claim URL is a link to a webpage that describes the legitimate interests they pursue when they rely on such a legal basis for at least one purpose. This can be a part of their privacy policy, accessed through a bookmark on that webpage

In order to self-check their live installations Vendors can use the Controls Catalogue available here. The Controls Catalog maps requirements of the Policies to auditable elements to help participants in assessing and reviewing the compliance of their practical implementations. It includes the audit checks IAB Europe performs when auditing TCF participants - and corresponding enforcement procedure for each.
When completing their Vendor Compliance Form, Vendors should provide a non-exhaustive lists of digital properties where their technologies are susceptible to be deployed (e.g. websites where their tags or pixels are present, mobile or CTV apps where their SDK is integrated - depending on the environment(s) they support). This is to facilitate the auditing by IAB Europe of Vendors’ live installations deployed on publishers’ properties.
IAB Europe
Rond-Point Robert
Schuman 11
1040 Brussels
Belgium
Sign up for our newsletter
chevron-down-circle linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram