The IAB Transparency and Consent Framework
The IAB Europe Transparency and Consent Framework (TCF) consists of technical specifications and policies to help all parties involved in digital advertising to comply with the GDPR and ePD when processing personal data and/or accessing and/or storing information on a user’s device.
The TCF is a means of standardizing consent signals within the programmatic ecosystem. It does this by generating a transparency and consent string (TC String—previously known as Consent String in v1.0) that acts as a universal method of communicating relevant consumer consent preferences across the ecosystem [For more technical information: Github]. Given the complexity of compliance, these sorts of standardized signals streamline compliance by ensuring participants are all speaking the same language, as opposed to creating their own means of generating and signaling consent.
The second version of the Transparency and Consent Framework (TCF v2.0) creates a standardized framework for publishers, vendors, and advertisers to transmit consent. This iteration is intended to eliminate ambiguity and better facilitate “legitimate interest” data processing under the GDPR.
Publishers
A Publisher represents the first party: i.e. the website or mobile application that the user has sought access to. In general, they are an operator of a website, app, or other content that publishes digital media and monetizes their content through digital advertisements.
Vendors
A Vendor in the IAB Framework is a third-party advertiser that the publisher has chosen to partner with. Generally, vendors are ad networks and advertisers. Vendors display third-party content on the publisher’s website and, for example, set marketing cookies on the end user’s browser in order to display relevant ads to potential customers.
The IAB framework standardizes cooperation between these publishers, vendors, and their consent management providers (CMPs). These are the benefits of TCF v2.0:
For publishers:
Select and control third-party vendors they want to work with
Provide users with transparency into third-party vendors selected by them and the purposes for which they process data
Request and obtain informed consent to process data, or establish other legal bases to process data
Transparently pass information relating to user choices to the ecosystem
Support the use of data for measuring campaign effectiveness and the use of contextual advertising that requires access to users’ devices
For data subjects:
Greater transparency: Detailed and consumer-friendly Purpose definitions enable better-informed consent
More control: TCF v2.0 is more comprehensive with features like Right to Object (RTO) built directly into the specification
For vendors:
More consistent and secure implementations: TCF v2.0 includes a validation mechanism in the form of a checksum to inform all parties on whether the TC string is complete and valid.
Compliance focused: TCF v2.0 is focused on clearly informing data subjects and encompassing more facets of consent like RTO built into the spec. As a result, TCF v2.0 support provides strong guidelines for compliance
Purposes
Under the TCF framework, a purpose is a predefined reason for the processing of data. For each purpose, advertisers must choose a legal basis for processing: consent or legitimate interest. To the user of the website, these purposes appear in cookie banners when consent is collected.
Name of Purpose/Feature | Legal Bases Required | Legal Description |
---|---|---|
Purpose 1: Store and/or access information on a device | Consent | Store and access information on the device such as cookies and device identifiers for the purposes presented to a user. |
Purpose 2: Select basic ads | Consent, Legitimate Interest | |
Purpose 3: Create a personalized ads profile | Consent, Legitimate Interest | |
Purpose 4: Select personalized ads | Consent, Legitimate Interest | |
Purpose 5: Create a Personalized content profile | Consent, Legitimate Interest | |
Purpose 6: Select personalized content | Consent, Legitimate Interest | |
Purpose 7: Measure ad performance | Consent, Legitimate Interest | |
Purpose 8: Measure content performance | Consent, Legitimate Interest | |
Purpose 9: Apply market research to generate audience insights | Consent, Legitimate Interest | |
Purpose 10: Develop and improve products | Consent, Legitimate Interest | |
Special Purposes
Special purposes are essential to the functioning of the website, and the framework doesn’t require the user to give their consent for them. Instead, special purposes operate under legitimate interest: a special purpose is one of the defined purposes for processing data by vendors participating in the framework for which the user is not given a choice to consent by the CMP. Examples of special purposes include ensuring security, preventing fraud, and debugging.
Special Purpose | Legal Basis Required | Legal Description |
---|---|---|
Special Purpose 1: Ensure security, prevent fraud, and debug | Legitimate Interest | |
Special Purpose 2: Technically deliver ads or content | Legitimate Interest | |
Feature
A Feature is one of the features of processing personal data that vendors participating in the Framework can use to support a purpose. Since a feature is used in pursuit of a purpose, users are not given a separate choice for the feature itself. Instead, the choices selected by the user for the particular purpose are used to establish the legal basis. However, the feature must still be disclosed to the user along with the purpose. Examples of Features include combining data obtained offline with data collected online, linking devices that belong in the same household, and receiving automatically-sent device characteristics, e.g. IP address, user-agent string.
Special features represent data that is particularly sensitive. Because of that, the consumer must opt-in separately.
Feature | Legal Basis Required | Legal Description |
---|---|---|
Feature 1: Match and combine offline data sources | Consent, Legitimate Interest as established by Purpose. Only disclosure of the feature to the user. | |
Feature 2: Link different devices | Consent, Legitimate Interest as established by Purpose. Only disclosure of the feature to the user. | |
Feature 3: Receive and use automatically-sent device characteristics for identification | Consent, Legitimate Interest as established by Purpose. Only disclosure of the feature to the user. | |
Special Feature 1: Use precise geolocation data | Disclosure of the feature to the user and its separate opt-in by the user. | |
Special Feature 2: Actively scan device characteristics for identification | Disclosure of the feature to the user and its separate opt-in by the user. | |
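How a vendor might read the purpose and special-feature signals described above out of a TC String, as an added example (not code from the IAB or from this page). It assumes the TCF v2 core-segment bit layout (special-feature opt-ins at bit 140, purpose consents at bit 152, purpose legitimate-interest bits at bit 176); `build_sample` is a hypothetical helper that constructs a minimal sample segment.

```python
import base64

# Assumed TCF v2 core-segment layout: (bit offset, width) of each bitfield.
SPECIAL_FEATURE_OPTINS = (140, 12)
PURPOSES_CONSENT = (152, 24)
PURPOSES_LI = (176, 24)
CONSENT_ONLY = {1}  # Purpose 1 lists consent as its only legal basis

def parse_core(tc_string):
    """Decode the purpose and special-feature bitfields of a TC String."""
    core = tc_string.split(".")[0]  # segments after the first are optional
    try:
        raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    except ValueError as exc:
        raise ValueError("core segment is not base64url") from exc
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < 200:
        raise ValueError("core segment truncated before the purpose fields")
    if int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 string")

    def ids(field):
        off, width = field
        return {i + 1 for i in range(width) if bits[off + i] == "1"}

    return {"consent": ids(PURPOSES_CONSENT), "li": ids(PURPOSES_LI),
            "special_features": ids(SPECIAL_FEATURE_OPTINS)}

def legal_basis(signals, purpose):
    """Return the basis the user's signals establish for a purpose, or None."""
    if purpose in signals["consent"]:
        return "consent"
    if purpose in signals["li"] and purpose not in CONSENT_ONLY:
        return "legitimate_interest"
    return None  # fail closed: no signal means no processing

def build_sample(consent, li, special_features):
    """Hypothetical helper: constructed minimal core segment, not a full TC String."""
    bits = ["0"] * 208
    bits[:6] = "000010"  # version field = 2
    for (off, _), chosen in ((PURPOSES_CONSENT, consent), (PURPOSES_LI, li),
                             (SPECIAL_FEATURE_OPTINS, special_features)):
        for n in chosen:
            bits[off + n - 1] = "1"
    raw = int("".join(bits), 2).to_bytes(26, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```

A production check also has to consult the vendor-level fields and publisher restrictions of the string, which this example leaves out.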
Stacks
In addition, Purposes and Features can be grouped together to simplify consent for the user. There are 37 Stacks created by the IAB, with different combinations of Purposes or Special Features. Stacks are groupings of purposes designed to appear in the first layer of the cookie notice.
The user can expand a stack to see a detailed and user-friendly description. For example, a stack can be used to deliver personalized ads based on a profile. Here, three purposes are combined to personalize ads: selecting basic ads (Purpose 2), selecting personalized ads (Purpose 4), and measuring ad performance (Purpose 7).