IAB Europe’s recently announced Transparency and Consent Framework version 2.0 (TCF 2.0) is a major step toward GDPR compliance throughout the ad tech ecosystem and should be seriously considered by publishers and vendors. After the somewhat lackluster rollout of TCF v1.0 in the scramble leading up to the GDPR enforcement deadline last year, it’s understandable why publishers would be skeptical about the update. While v1.0 established a basic structure for communication of consent from the data subject to the many companies in the ad tech supply chain that might need it, the v1.0 fell short in several notable areas such as: lack of publisher collaboration and control, provisions for legitimate interest, self-enforcement, and participation by the largest player in the industry.
Publishers should look forward to adopting TCF 2.0 because it addresses the problems of the first version while retaining the benefits of an industry standard: complying with GDPR and honoring data subject rights while enabling publishers to capture the revenue and efficiencies of programmatic advertising.
Here are five reasons to be optimistic about TCF 2.0 and a few reasons you should be wary:
1. Better collaboration with data protection authorities, vendors, publishers
Many criticized the first version of the TCF as being too vendor friendly at the expense of publishers. After collaborating with concerned publishers, the TCF 2.0 working group made changes to give publishers the control they need. As the primary owner of the interaction with the data subject, publishers face unique challenges which weren’t addressed in the previous version, but are in v2.0. Moreover, involving many Data Protection Authorities in the Framework creation process means some of the gray areas of enforcement are already ironed out and there is reduced risk that the Framework itself will be successfully challenged.
2. Publishers have more control
In v2.0, publishers have greater control over the vendors they work with and which of the several legal bases vendors can use on the publisher’s user’s personal data. Although vendors can register to process using consent or legitimate interest as their legal basis, the publisher can override that preference and require a vendor only process using a specific legal basis or not process at all. Additionally, by working with their consent management platform, publishers can choose to remove certain vendors they don’t want to work with from the Transparency and Consent String (TC String), giving them the comfort they need to rely on this solution.
3. Provisions for legitimate interest
Legitimate interest is an equally valid legal basis under GDPR for processing personal data and many publishers, particularly in Germany, use legitimate interest as their primary legal basis. Those publishers were unable to use TCF 1.0 for their own purposes, and there hasn’t been any incentive to adopt it for use by their vendors. This created risks for publishers and vendors because there wasn’t an industry standard way for data subjects to object to processing (as required for legitimate interest) and it wasn’t always clear to the data subject what was happening with their data.
Now, publishers can satisfy the requirements of legitimate interest through their CMP by giving proper transparency to data subjects on the processing and allowing data subjects to object to such processing, on a granular basis, in a way that is communicated downstream.
Lastly, one of the biggest struggles of using legitimate interest is that the existing ePrivacy Directive (circa 2002) requires consent for accessing a device and setting cookies, a precondition for many ad tech companies. Recent guidance suggests that these existing consent requirements need to follow the consent gathering requirements of GDPR. Prior to TCF 2.0, there wasn’t a clean way to collect consent for cookie setting and device access, while using legitimate interest for other forms of processing. TCF 2.0 also enables “jurisdiction specific consent” to solve for nuances such as in Germany where the ePrivacy directive has not been implemented, and therefore consent for cookie setting is not required.
4. Improved self-enforcement and regulation
An industry standard regulatory framework is only as strong as its weakest link. To strengthen the weak links, or remove those that don’t comply, TCF 2.0 has improved self-enforcement mechanisms. First, the new version requires vendors to check for and only utilize signals from registered CMPs. Even for publishers that wish to make their own private CMP, they will still have to meet a high standard and be certified by IAB Europe for adherence to the spec. Second, CMPs must maintain records of the UI deployed on any given publisher at any time and make it available. This creates transparency and allows all vendors to ensure the information displayed to data subjects is up to snuff. Third, IAB Europe created a “CMP Validator” which can be used to quickly determine whether the CMP is compliant. Finally, there are more mechanisms to remove anyone who doesn’t follow the rules. Regulators and participants alike should be comforted that participants are held to a high standard.
5. Google pledged to join
One of the largest obstacles holding back the adoption of TCF 1.0 was that Google, particularly in its capacity as a buyer, didn’t participate. Google was involved in the creation of TCF 2.0 and has publicly pledged on multiple occasions to join. Similar to the adoption of ads.txt, it may take a push from one of the largest players to cross the chasm into full adoption.
Reasons to be wary
While TCF 2.0 is a major improvement over the first version, it still isn’t perfect. There are a few issues to keep an eye out for before falling head over heels in love with the new framework.
- We simply don’t know when Google will join. We fear that until they do, adoption will be hampered.
- We don’t know how smooth the transition will be. Adopting the new framework requires significant legal, product, business, and technical resources, and it may take some time and growing pains before it’s adopted.
- TCF 2.0 is designed for cookied environments. We will need solutions for in-app, IOT, and CTV/OTT devices for this solution to be truly ubiquitous.
TCF 2.0 is currently in the public comment period and will be officially released as soon as June 2019.
This article was written by Eric Shiffman, senior product marketing manager at SpotX