EU: Unpacking IAB Europe's TCF V2.2
Representing a significant portion of the digital advertising landscape, Interactive Advertising Bureau (IAB) Europe established the Transparency and Consent Framework (TCF). The TCF aims to strike a balance: ensuring businesses can continue to deliver tailored digital experiences while upholding the users' fundamental right to data protection and privacy. Pedro Vidigal Monteiro, Partner at Telles de Abreu e Associados - Sociedade de Advogados, SP, RL, offers an in-depth look into the vital components of the TCF, illuminating its foundational principles, overall scope, and the notion of user consent.
In the ever-evolving digital age, the line between personalization and privacy is often a thin one. As online interactions multiply and diversify, the digital advertising ecosystem, integral to a free internet, seeks to present users with relevant content. Yet relevance requires processing user data, which places user privacy at the forefront of global conversations. The EU, recognizing the importance of data protection and privacy, introduced the General Data Protection Regulation (GDPR) and the ePrivacy Directive. These stringent regulations necessitated a standardized approach for digital advertisers to collect and process user data without infringing upon the user's rights.
Who is IAB Europe?
IAB Europe is the European-level association for the digital marketing and advertising ecosystem.
Through its membership of media, technology, and marketing companies, as well as national IABs, its purpose is to lead political representation and promote industry collaboration to deliver frameworks, standards, and industry programs that enable businesses to thrive in the European market.
What should be considered digital advertising?
Digital advertising is seen as a targeted approach to market a product online. This marketing takes place across websites, social media channels, search engines, and even email communications. Essentially, digital advertising revolves around showcasing products or services to online audiences, encompassing ads and promotional messages disseminated via email, social media platforms, search engine advertisements, banners on mobile and web platforms, and through affiliate programs.
TCF standardization principles - a brief insight
All vendors that register with the TCF provide and maintain detailed information that, as a minimum, should be disclosed to users to meet their transparency and accountability requirements under the GDPR.
The information to be provided includes:
- their identity;
- a direct link to their privacy policies;
- the duration of the cookies they rely on, and whether they use non-cookie methods for accessing users' devices (e.g., mobile identifiers);
- the data processing purposes they pursue;
- associated legal bases for processing personal data;
- retention periods; and
- categories of data collected and processed.
A vendor means a company that 'participates in the delivery of digital advertising or other online activities within a publisher's website, app or other digital content, to the extent that company is not acting as a publisher or CMP [Consent Management Platform], and that either accesses an end user's device or processes personal data about end users visiting the publisher's content and adheres to the policies,' as defined in the TCF. Note that a vendor may, depending on the specific circumstances, be a controller or a processor, or even both. A publisher, on the other hand, means 'an operator of a digital property and who is primarily responsible for ensuring the framework UI (user interface) is presented to users and that legal bases, including consent, are established with respect to vendors that may process personal data based on user's visits to the publisher's content' (definitions as set out in the IAB Europe TCF).
The aforementioned clearly aligns with recommendations and guidelines set forth by the European Data Protection Board (EDPB) and various data protection authorities and legal interpretations. This guidance mandates a 'layered approach' for CMPs, outlining specific criteria for the primary level (cookie banner) and subsequent user interface (UI) layers.
Scope of the TCF
The IAB Europe TCF is an industry-wide initiative developed by IAB Europe.
It was developed to provide a standardized approach for obtaining and managing user consent for the processing of personal data in online advertising and it has the objective to help all parties in the digital environment to comply with the GDPR and the ePrivacy Directive when processing personal data, accessing, and/or storing information on a user's device, as described on the IAB website.
Therefore, the TCF addresses the requirements of the GDPR and the ePrivacy Directive. These legal frameworks highlight the importance of user consent as a legal basis for processing personal data and the control that data subjects must have over their personal data when it is collected and used for online advertising purposes.
The TCF has specific objectives focused on:
Ensuring transparency
The TCF seeks to ensure that users are informed about who is collecting their data, how it will be used, and who it will be shared with. Transparency, as a principle to be pursued by controllers, helps users make informed choices about their data.
Enabling user choice and control
The TCF allows users/data subjects to exercise their rights by providing options for granting or withholding consent for the processing of their personal data. It enables users to select their preferences for different purposes and control the use of their data across participating websites and vendors.
Promoting industry collaboration
The TCF encourages collaboration between publishers, technology vendors, and advertisers to establish a common framework for data protection and consent management. It provides specific guidelines and technical specifications to ensure consistent implementation across the online advertising ecosystem.
The TCF also introduces a standardized technical mechanism for obtaining and transmitting user consent signals, namely CMPs. CMPs are responsible for presenting consent notices to data subjects and recording their choices. Publishers and technology vendors integrate with CMPs to ensure compliance with the TCF policies.
The policies of the TCF cover various aspects related to consent management, including:
Consent string format
The TCF defines a specific format for encoding and transmitting user consent choices across the advertising ecosystem. The consent string contains information, such as consent status, purposes for data processing, vendors involved, and other relevant details.
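To make the consent string described above concrete, here is an added example (not code from the article, and not IAB Europe's own code) of a minimal Python codec for the core segment of a TCF v2 TC string: it packs the fields a CMP writes, base64url-encodes them, and decodes them back into consent status, purposes, and vendor ids. Field names and bit widths follow the public TCF v2 core-segment layout. Everything else is assumed or constructed for the example: the CMP id, timestamps, vendor ids and purpose choices in build_sample are sample values; the language and country codes are written as raw 6-bit letter pairs; and the set of purposes (3 to 6) for which v2.2 removed legitimate interest as a legal basis is an assumption to verify against the current policy text.

```python
# Added example, not code from the article or IAB Europe: codec for the core segment of a
# TCF v2 TC string, with field names and widths per the public TCF v2 core-segment layout.
import base64

CORE_FIELDS = [  # (field name, bit width) in wire order, up to the vendor sections
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12), ("cmp_version", 12),
    ("consent_screen", 6), ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1), ("use_non_standard_texts", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
# Assumption: purposes 3-6 (ad and content personalization) lost legitimate interest in v2.2
PERSONALIZATION_PURPOSES = {3, 4, 5, 6}

def reader(data: bytes):              # MSB-first bit cursor; fails loudly on a truncated string
    bits, pos = "".join(f"{b:08b}" for b in data), 0
    def read(n: int) -> int:
        nonlocal pos
        if pos + n > len(bits):
            raise ValueError("TC string truncated")
        pos += n
        return int(bits[pos - n:pos], 2) if n else 0
    return read

def put(bits: list, value: int, n: int) -> None:
    if not 0 <= value < (1 << n):
        raise ValueError(f"{value} does not fit in {n} bits")
    bits.append(f"{value:0{n}b}" if n else "")   # packed big-endian, most significant bit first

def ids_to_bits(ids, width):          # TCF bit fields put id 1 in the most significant bit
    return sum(1 << (width - i) for i in ids)    # out-of-range ids fail in put() or on shift

def bits_to_ids(value, width):
    return {i for i in range(1, width + 1) if (value >> (width - i)) & 1}

def read_vendor_section(read) -> set:
    max_vendor = read(16)
    if read(1) == 0:                  # IsRangeEncoding=0: one bit per vendor id up to MaxVendorId
        return bits_to_ids(read(max_vendor), max_vendor)
    ids = set()
    for _ in range(read(12)):         # NumEntries, each a single id or a (start, end) range
        is_range, start = read(1), read(16)
        ids.update(range(start, (read(16) if is_range else start) + 1))
    return ids

def write_vendor_section(bits: list, ids: set) -> None:
    runs = []                         # range encoding: consecutive ids collapse into one entry
    for i in sorted(ids):
        if runs and runs[-1][1] == i - 1:
            runs[-1][1] = i
        else:
            runs.append([i, i])
    put(bits, max(ids, default=0), 16)
    put(bits, 1, 1)
    put(bits, len(runs), 12)
    for start, end in runs:
        put(bits, int(end > start), 1)
        put(bits, start, 16)
        if end > start:
            put(bits, end, 16)

def encode_core(fields: dict, vendor_consents: set, vendor_li: set) -> str:
    bits = []
    for name, width in CORE_FIELDS:
        put(bits, fields[name], width)
    write_vendor_section(bits, vendor_consents)
    write_vendor_section(bits, vendor_li)
    put(bits, 0, 12)                  # NumPubRestrictions: none in this example
    raw = "".join(bits)
    raw += "0" * (-len(raw) % 8)      # pad to a byte boundary, then base64url without '='
    data = int(raw, 2).to_bytes(len(raw) // 8, "big")
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def decode_core(tc_string: str) -> dict:
    core = tc_string.split(".")[0]    # later '.'-separated segments are optional
    read = reader(base64.urlsafe_b64decode(core + "=" * (-len(core) % 4)))
    out = {name: read(width) for name, width in CORE_FIELDS}
    if out["version"] != 2:
        raise ValueError(f"unsupported TC string version {out['version']}")
    for name in ("consent_language", "publisher_cc"):   # two 6-bit letters, 'A' = 0
        out[name] = chr(65 + (out[name] >> 6)) + chr(65 + (out[name] & 63))
    for name in ("special_feature_opt_ins", "purposes_consent", "purposes_li_transparency"):
        out[name] = bits_to_ids(out[name], dict(CORE_FIELDS)[name])
    out["vendor_consents"] = read_vendor_section(read)
    out["vendor_li"] = read_vendor_section(read)
    out["num_pub_restrictions"] = read(12)
    return out

def li_claimed_for_personalization(decoded: dict) -> set:
    return decoded["purposes_li_transparency"] & PERSONALIZATION_PURPOSES  # removed basis in v2.2

def build_sample() -> str:
    """Constructed sample: consent to purposes 1, 2, 7 and vendors 8-10, 32, 755; LI for 2, 4, 7 and 755."""
    fields = {"version": 2, "created": 16_900_000_000, "last_updated": 16_900_000_000,
              "cmp_id": 1234, "cmp_version": 7, "consent_screen": 1, "vendor_list_version": 200,
              "consent_language": (4 << 6) | 13, "publisher_cc": (15 << 6) | 19,  # "EN", "PT"
              "tcf_policy_version": 4, "is_service_specific": 1, "use_non_standard_texts": 0,
              "special_feature_opt_ins": ids_to_bits({1}, 12), "purpose_one_treatment": 0,
              "purposes_consent": ids_to_bits({1, 2, 7}, 24),
              "purposes_li_transparency": ids_to_bits({2, 4, 7}, 24)}
    return encode_core(fields, {8, 9, 10, 32, 755}, {755})
```

Calling decode_core(build_sample()) returns the decoded fields, and li_claimed_for_personalization on that result lists the purposes (here purpose 4) that a CMP still signals under legitimate interest although the v2.2 policies removed that basis; run it over a TC string captured from a live CMP to check what is actually being transmitted rather than what the banner claims. The decoder stops after the publisher-restrictions count and ignores the optional trailing segments, and it raises rather than silently returning partial results when a string is truncated.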
Consent signals and purposes
The TCF defines a set of predefined purposes that describe the intended use of personal data. Publishers and vendors must therefore provide unambiguous and clear information about the purposes for which they process data. Users can then choose to grant or withhold consent for each purpose individually, bearing in mind that withdrawing consent is a right that must be ensured in all cases, as provided for in Article 7(3) of the GDPR.
Transparency and information requirements
The TCF highlights the importance of providing clear and easily understandable information to users about data processing practices. Publishers and vendors must disclose relevant details in their consent notices, such as the identity of the data controller, purposes, data retention periods, and the rights of users.
Accountability and compliance
The TCF's goal is to promote accountability by requiring publishers and vendors to maintain records of consent choices and be able to demonstrate compliance with the TCF. It also encourages cooperation with data protection authorities and provides guidelines for handling user complaints and data breaches.
That said, the goal of the TCF is to help players in the online ecosystem meet the requirements of the legal framework in force, by providing a way of informing users about the processing of their personal data (e.g., purposes, and the storage of and access to information on their devices). However, it is neither intended nor designed to provide a safeguard for data transfers outside the EU, or to facilitate the processing of data relating to criminal convictions, special categories of data, or automated decision-making, including profiling.
What is consent, in short?
According to Article 4(11) of the GDPR, 'consent' of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
As defined by the EDPB Guidelines 05/2020 on consent under Regulation 2016/679 (the Consent Guidelines), the notion of consent as used in the Data Protection Directive and the e-Privacy Directive has evolved and the GDPR 'provides further clarification and specification of the requirements for obtaining and demonstrating valid consent.'
Consent of the data subject must be:
- freely given;
- specific;
- informed; and
- an unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
The Consent Guidelines referred to above provide further clarification on these cumulative requirements and many other aspects that gravitate around consent, such as how to provide information, how to obtain explicit consent, consent granularity, and the withdrawal of consent.
What are the main differences between TCF V2.1 and V2.2?
To begin with, the TCF V2.2 aims to further standardize the details and options presented to data subjects about their personal data processing. Additionally, it clarifies how these preferences should be captured, communicated, and respected.
In particular, the above includes:
Removal of the legitimate interest legal basis for advertising and content personalization
Improvements to the information provided to end-users
The names and descriptions of the purposes and features have changed. More importantly, and with the clear objective of facilitating comprehension, the legal text has been removed and replaced by user-friendly descriptions, supplemented by illustrated examples of real use cases. These are indicative examples of operations covered by a given purpose, allowing end-users to easily understand, in practice, how their data can be processed and the purposes associated with such processing.
Standardization of additional information about vendors
Vendors will be required to provide additional information about their data processing operations - so that this information can in turn be disclosed to end-users, all in favor of transparency:
- categories of data collected;
- retention periods on a per-purpose basis;
- legitimate interest(s) at stake, where applicable; and
- declaration of privacy documentation URLs in multiple languages.
Transparency over the number of vendors
CMPs will be required to disclose the total number of vendors seeking to establish a legal basis on the first layer of their UIs.
Specific requirements to facilitate users' withdrawal of consent
Publishers and CMPs will need to ensure that users can resurface the CMP UIs and withdraw consent easily. It is essential to bear in mind that it shall be as easy to withdraw as to give consent, as provided for in Article 7(3) of the GDPR.
Information on how the total number of vendors needs to be added to the CMP UI
Information is key for data subjects, as it relates strongly to the principles of accountability, transparency, and others provided for in Article 5 of the GDPR.
In this regard, the initial layer of the framework UI has to disclose the number of third-party vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s), so that data subjects can be specifically and properly informed about the number of entities susceptible to processing their personal data.
As for the secondary layer of the framework UI, it needs to disclose, for each purpose, the number of third-party vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s). The GDPR requires that purposes be specified, explicit, and legitimate, as per Article 5(1)(b). These numbers may also include the number of non-TCF vendors for which the publisher establishes transparency and consent using the TCF purposes nomenclature.
Retention periods and categories of data
The new information is disclosed by CMPs on a per-vendor basis, using the information published in the Global Vendor List (GVL), that is, the list of vendors who have registered with IAB Europe to participate in the TCF, in accordance with the definition set out in the IAB Europe TCF. This list is managed and maintained by IAB Europe.
CMPs, in order to facilitate the user's understanding, may convert retention periods provided by vendors in days into a different time unit (e.g., in months), the same way they may currently do with vendors' maximum device storage durations.
Use of multiple URLs by CMPs that may be provided by vendors to access privacy documentation
In the TCF V2.2, vendors are able to declare multiple URLs to their privacy policies and legitimate interest disclosures, one per language, which enables CMPs to provide users with links to a vendor's privacy documents in the language of the publisher's digital property or the language of the user's browser. This reflects a specific concern with providing accessible information that can be understood by all users, whatever their native language.
Where vendors have not declared URLs to privacy documents in the language of their users, publishers may choose not to work with them, or CMPs may choose to provide links to the vendor's privacy documents in a different language.
Is a 'reject all' button required?
The new TCF policies do not require this button. In such a case, as in others not covered by the policies, local data protection requirements must be taken into consideration.
Nonetheless, including a 'reject all' button, or a similar one, may be considered a good practice to be taken into consideration.
At this point, it is important to recall, on the basis of the 'Report of the work undertaken by the Cookie Banner Taskforce,' adopted in January 2023, that the EDPB notes that 'some cookie banners displayed by several controllers contain a button to accept the storage of cookies and a button that allows the data subject to access further options, but without containing a button to reject the cookies.' In this regard, when authorities 'were asked whether they would consider that a banner which does not provide for accept and refuse/reject/not consent options on any layer with a consent button is an infringement of the ePrivacy Directive, a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.'
It is also important to take into consideration, in this context, that the members of the taskforce referred to above also confirmed that 'several controllers provide users with several options (typically, representing each category of cookies the controller wishes to store) with pre-ticked boxes on the second layer of the cookie banner (after the user clicked on the "Settings" button of the first layer),' pointing out that 'pre-ticked boxes to opt-in do not lead to valid consent as referred to either in the GDPR (see in particular recital 32 "Silence, pre-ticked boxes or inactivity should not therefore constitute consent") or in Article 5(3) of the ePrivacy Directive.'
Reminding users of their choices
Data protection authorities have issued different guidelines on this matter, varying from six to 24 months. In this regard, publishers should consider information laid down by local regulators.
Nevertheless, it can be understood that six months is a reasonable and minimum period of time to periodically remind data subjects of the consent given.
Why were the requirements to maintain records of consent removed?
IAB Europe notes that records of consent were not defined in previous policies, 'due to Data Protection Authorities having issued different guidelines and recommendations on the various methods that can be employed by data controllers to demonstrate proof of consent.'
Nonetheless, the new TCF policies take into consideration the various methods referred to by data protection authorities and leave it to participants to define how the GDPR requirement should be met.
In this regard, one should consider the EDPB's Consent Guidelines, where the same states that 'it is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as a data processing activity in question lasts, the obligation to demonstrate consent exists' and that 'the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained, and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place.'
IAB Europe's TCF encompasses a collection of technical guidelines and policies. Publishers, advertisers, vendors, and CMPs have the option to follow these, making it easier for them to align with existing data protection regulations.
The purpose of the TCF is to help all parties in the digital environment comply with the GDPR and the ePrivacy Directive when processing personal data and accessing and/or storing information on a user's device, making it an important tool for publishers, advertisers, vendors, and CMPs. By adhering to the TCF, parties in the digital environment can demonstrate that they are committed to user privacy and compliance with data protection laws, giving users control over their personal data and ensuring that the data is processed in a transparent and lawful manner.
Guidance from national data protection authorities should also be taken into account to minimize both financial and reputational risks, thereby averting an increase in complaints from data subjects.
Pedro Vidigal Monteiro Partner
Telles de Abreu e Associados - Sociedade de Advogados, SP, RL, Porto