IAB Europe’s promising, previously announced update to its Transparency and Consent Framework, known as version 2.0 (TCF 2.0), is set to be widely used starting on August 15, 2020.
Publishers do not have to present all users with the new consent language on August 15, however. The IAB clarified that TCF 1.1 consent strings themselves will no longer be valid after September 30, 2020. Their exact quote is as follows:
“Sunsetting of TCF v1.1 consent strings by end September
The Steering Group also agreed to clarify to the market that v1.1 consent strings will no longer be valid after 30 September 2020. The period between now and 30 September may be used by CMPs to gradually replace v1.1 consents with TCF 2.0 permissions based on both the consent and “legitimate interests” GDPR legal bases.”
As we’ve stated since it was first announced, TCF 2.0 is a major step toward GDPR compliance throughout the ad tech ecosystem and should be seriously considered by publishers and vendors, including those that did not adopt TCF 1.1.
Publishers are already adopting TCF 2.0
From July 15 to 30, the number of ad requests to SpotX containing TCF 2.0 tripled, and over 50 publishers started sending the new version. We expect that number to grow substantially over the coming weeks.
While TCF 1.1 established a basic structure for communicating consent from the data subject to the many companies in the ad tech supply chain that might need it, it fell short in several notable areas: publisher collaboration and control, provisions for legitimate interest, self-enforcement, and participation by the largest player in the industry, Google.
Publishers should look forward to adopting TCF 2.0 because it addresses the problems of the first version while retaining the benefits of an industry standard: complying with GDPR and honoring data subject rights while enabling publishers to capture the revenue and efficiencies of programmatic advertising.
Here are five reasons to be optimistic about TCF 2.0 and a few reasons you should be wary:
1. Better collaboration with data protection authorities, vendors, and publishers
Many criticized the first version of the TCF as being too vendor-friendly at the expense of publishers. After collaborating with concerned publishers, the IAB’s TCF 2.0 working group made changes to give publishers the control they need. As the primary owner of the interaction with the data subject, publishers face unique challenges which weren’t addressed in the previous version, but are in TCF 2.0. Moreover, involving many Data Protection Authorities in the Framework creation process means some of the gray areas of enforcement are already ironed out and there is reduced risk that the Framework itself will be successfully challenged.
2. Publishers have more control
In TCF 2.0, publishers have greater control over the vendors they work with and over which legal bases vendors can use to process the personal data of the publisher’s users. Although vendors can register to process using consent or legitimate interest as their legal basis, the publisher can override that preference and require that a vendor process only under a specific legal basis or not process at all. Additionally, by working with their consent management platform (CMP), publishers can choose to remove certain vendors they don’t want to work with from the Transparency and Consent String (TC String), giving them the comfort they need to rely on this solution.
3. Provisions for legitimate interest
Legitimate interest is an equally valid legal basis under GDPR for processing personal data and many publishers, particularly in Germany, use legitimate interest as their primary legal basis. Those publishers were unable to use TCF 1.1 for their own purposes, and there hasn’t been any incentive to adopt it for use by their vendors. This created risks for publishers and vendors because there wasn’t an industry standard way for data subjects to object to processing (as required for legitimate interest) and it wasn’t always clear to the data subject what was happening with their data.
Now, publishers can satisfy the requirements of legitimate interest through their CMP by giving proper transparency to data subjects on the processing and allowing data subjects to object to such processing, on a granular basis, in a way that is communicated downstream.
Lastly, one of the biggest struggles of using legitimate interest is that the existing ePrivacy Directive (circa 2002) requires consent for accessing a device and setting cookies, a precondition for many ad tech companies. Recent guidance suggests that these existing consent requirements need to follow the consent-gathering requirements of GDPR. Prior to TCF 2.0, there wasn’t a clean way to collect consent for cookie setting and device access while using legitimate interest for other forms of processing. TCF 2.0 also enables “jurisdiction specific consent” to solve for nuances such as in Germany, where the ePrivacy Directive has not been implemented and therefore consent for cookie setting may not be required.
4. Improved self-enforcement and regulation
An industry-standard regulatory framework is only as strong as its weakest link. To strengthen the weak links, or remove those that don’t comply, TCF 2.0 has improved self-enforcement mechanisms. First, the new version requires vendors to check for and only utilize signals from registered CMPs. Even publishers that wish to build their own private CMP will still have to meet a high standard and be certified by IAB Europe for adherence to the spec. Second, CMPs must maintain records of the UI deployed on any given publisher at any time and make them available. This creates transparency and allows all vendors to ensure the information displayed to data subjects is up to snuff. Third, IAB Europe created a “CMP Validator” which can be used to quickly determine whether the CMP is compliant. Finally, there are more mechanisms to remove anyone who doesn’t follow the rules. Regulators and participants alike should be comforted that participants are held to a high standard.
5. Google pledged to join, but the transition might not be easy
One of the largest obstacles holding back the adoption of TCF 1.1 was that Google, particularly in its capacity as a buyer, didn’t participate. Google was involved in the creation of TCF 2.0 and has publicly pledged on multiple occasions to join. Google has an extensive site dedicated to their interpretation of TCF 2.0 and how publishers should implement it.
A few of their policies are worth highlighting in more detail.
- Google will not retire its own consent mechanism, the Google Consented Providers Solution (CPS), in the foreseeable future. Google recognizes that a number of vendors on Google’s Approved Technology Vendors list are not part of the TCF, and it wishes to have a smooth transition, so it is possible its support of the CPS is only temporary. This is a bit disappointing, given that past initiatives, like the adoption of ads.txt, took a push from one of the largest players to cross the chasm into full adoption.
- Google requires consent for TCF 2.0 purposes 3 and 4, not just for their own use, but for any vendor the publisher wishes to use in concert with Google. This will, in effect, force most vendors to operate on consent rather than legitimate interest for these purposes. Google’s Funding Choices CMP “will automatically create publisher restrictions so as to choose consent for Purposes 3 and 4 if a vendor has registered flexibly” and they suggest publishers manage similar settings in their CMPs for flexibly registered vendors like SpotX.
- Google requires a macro in any advertiser creative to pass the TCF 2.0 TC String, or ad serving may be interrupted. While we see this TCF 2.0 mechanism being more useful in sync pixels, Google seems to utilize a broad definition of when this macro must be used. From their interoperability guidelines:
“Macro requirements
The IAB TCF v2.0 requires use of a macro in pixel URLs on creatives to indicate where in the URL the TC string should be inserted and sent onwards, as well as to identify which vendors are present. Consistent with TCF v2.0 requirements, Google requires this macro to be present. Please ensure advertisers you work with properly include this macro, as ad serving may be interrupted if it is not present.” [emphasis mine]
We are hopeful that Google’s adoption helps push the rest of the industry toward this new standard and that the transition is smooth.
Reasons to be wary
While TCF 2.0 is a major improvement over the first version, it still isn’t perfect. There are a few issues to keep an eye out for before falling head over heels in love with the new framework.
- We don’t know how smooth the transition will be. Adopting the new framework requires significant legal, product, business, and technical resources, and it may take some time and growing pains before it’s adopted.
- The COVID-19 pandemic delayed technical implementations for many companies, and it’s unclear whether the IAB’s six-week delay was enough for the entire industry to adjust in time.
- TCF 2.0 is designed for cookied environments. We will need solutions for in-app and CTV/OTT devices for this solution to be truly ubiquitous.
The IAB has created extensive resources to help publishers and vendors adopt the new framework including webinars, how-to guides, and FAQs.
This article was written by Eric Shiffman, director of product marketing at SpotX. It was originally published on May 23, 2019, and was refreshed on August 12, 2020.