IAB Europe has been operating Compliance programmes for CMPs and Vendors in order to protect the integrity of the Transparency and Consent Framework (“TCF”) and ensure that organisations who have signed up to the TCF comply with their commitments under the TCF Policies. 

Although the responsibility for correct implementation of the TCF, and ultimately compliance with the EU’s data protection framework, lies with the businesses that are subject to it, IAB Europe provides support and develops dedicated procedures to make sure the TCF is implemented properly. As managing organisation (MO) of the TCF, IAB Europe also imposes penalties in line with its prerogatives under the TCF Terms and Conditions to contractually sanction non-compliance.

As part of TCF v2.2, the TCF Compliance Programmes have been expanded and reinforced to identify and enforce against instances of non-compliant CMP and Vendor implementations, which reduce user protection and expose TCF participants to serious legal risks.

TCF CMP Compliance

The CMP Compliance programme comprises a pre-implementation validation stage and a post-implementation enforcement stage - whereby IAB Europe monitors live CMP implementations for compliance with the TCF Policies. The CMP enforcement process can result in the suspension of the participating CMP from the Framework for non-resolved breaches of TCF Policies. 

Pre-implementation validation

After registering to TCF, CMPs need to complete a validation process before they can be attributed a CMP ID and added to the CMP List. This includes verification by IAB Europe of the User Interfaces and technical operation of the CMPs for each environment (web, mobile or CTV).

Monitoring of live installations

IAB Europe regularly monitors CMPs’ live installations and also investigates reports of non-compliance from end-users or TCF participants.

Where a CMP’s live installation is found to be tampering with TC Strings, the following process applies:

• CMP receives a formal suspension notice via email; 
• CMP is immediately suspended from the CMP list for a minimum of 4 weeks and until the issue is resolved;
• IAB Europe will issue a public notification of non-compliance, including facts and reasoning;
• If this is the fourth time within a twelve month period that the CMP has been found tampering with TC Strings, it will be notified and permanently suspended from the CMP list.

Where a CMP’s live installation is found  in breach of the TCF Policies (except in cases of TC String tampering), the following process applies:

• CMP receives a formal suspension warning via email;
• CMP is given 10 business days to remedy the issues;
• If, following the expiration of the delay, the issues have not been resolved, the CMP will receive a suspension notice via email and will be suspended from the CMP list until the issues have been remedied;
• If this is the fourth time within a twelve month period that the CMP has been found in breach of the TCF Policies, it will be notified via email and suspended from the CMP list with immediate effect for a minimum of 2 weeks and until all issues are resolved.

TCF Vendor compliance 

The Vendor Compliance programme comprises a pre-implementation validation stage and a post-implementation enforcement stage - whereby IAB Europe monitors live Vendor implementations for compliance with the TCF Policies. The Vendor enforcement process can result in the suspension of the participating Vendor from the Framework for non-resolved breaches of TCF Policies. 

Pre-implementation validation & verification or Vendors’ registrations

After registering to TCF v2.2, Vendors need to complete a vendor compliance form before they can be added to the GVL. This includes questions about how they intend to implement the TCF and the measures they put in place to ensure compliance with the Policies.

In addition where a Vendor has provided inaccurate or incomplete information requested to register to the GVL, the following process applies:

• Vendor receives a formal suspension warning via email;
• Vendor is given 5 business days to remedy the issues;
• If, following the expiration of the delay, the issues have not been resolved, the Vendor will receive a suspension notice via email and will be suspended from the GVL until the issues have been remedied;
• If this is the fourth time within a twelve month period that the Vendor has been found in breach of the TCF Policies, it will be notified via email and suspended from the GVL with immediate effect for a minimum of 1 week and until all issues are resolved.

Monitoring of live installations

IAB Europe regularly monitors live Vendor installations and also investigates reports of non-compliance from end-users or TCF participants.

Where a Vendor’s live installation is found to be tampering with TC Strings, the following process applies:

• Vendor receives a formal suspension notice via email; 
• Vendor is immediately suspended from the GVL for a minimum of 4 weeks and until the issue is resolved;
• IAB Europe will issue a public notification of non-compliance, including facts and reasoning;
• If this is the fourth time within a twelve month period that the Vendor has been found tampering with TC Strings, it will be notified and permanently suspended from the GVL.

Where a Vendor’s live installation is found  in breach of the TCF Policies (except in cases of TC String tampering), the following process applies:

• Vendor receives a formal suspension warning via email;
• Vendor is given 20 business days to remedy the issues;
• If, following the expiration of the delay, the issues have not been resolved, the Vendor will receive a suspension notice via email and will be suspended from the GVL until the issues have been remedied;
• If this is the fourth time within a twelve month period that the Vendor has been found in breach of the TCF Policies, it will be notified via email and suspended from the GVL with immediate effect for a minimum of 2 weeks and until all issues are resolved.

Controls Catalogue and compliance resources

Controls Catalogue

The Controls Catalog maps requirements of the Policies to auditable elements to help participants in assessing and reviewing the compliance of their practical implementations. It includes the audit checks IAB Europe performs when auditing TCF participants - and corresponding enforcement process for each. The Controls Catalogue can be downloaded here.

CMP Validator

The IAB Europe CMP Validator is a Chrome browser extension developed by IAB Europe to support TCF participants:

• CMP can use it to self-test adherence to the Technical Specifications and Policies before completing the validation process;
• Publishers can use it to verify compliance of the live CMP installation deployed on their websites;
• Vendors can use it to support their internal compliance procedures and audit CMPs deployed on the digital properties where they intend to collect personal data;
• Users can use it to verify their choices have been faithfully recorded.

Since May 2023 the CMP Validator is publicly available for download in the Chrome Web Store here. The CMP validator can only be installed in a Chrome browser operating on Desktop. A dedicated guide can also be accessed here.

Device Storage & Operational Disclosures Validator

The Device Storage & Operation Disclosures Validator is a client-side tool for Vendor to self-test adherence of their deviceStorageDisclosureUrl to the technical specifications here.   The Validator is available here. An additional FAQs document can also be accessed here.

Submit a non-compliance report 

Users or TCF participants observing non-compliant CMPs or Vendors implementations are encouraged to submit a complaint. To report non compliant CMPs or Vendors, please use the TCF Non-Compliance Submission Form here.

Additional Information

Please also visit the TCF v2.2 Supporting Resources page to review the most relevant resources about TCF v2.2, including the latest:  

• TCF Policies 
• TCF Terms & Conditions
• TCF Technical specifications
• TCF Implementation Guidelines
• TCF Data Processing Purposes Translations
• Lists of TCF Vendors & TCF CMPs
• Vendors & CMP Notifications 
• Compliance documentation
• FAQs, Webinars and Blogs