In February last year, the Belgian Data Protection Authority (APD, “Autorité de Protection des Données”) issued a decision against IAB Europe related to the Transparency and Consent Framework (TCF), fining the organization EUR250k and instructing it to come up with a plan to solve the issues that were identified.
Since then, IAB Europe has come up with a plan to update its TCF, which will come into action over the following months. In this article, we review the context surrounding the APD decision, catching you up on the events from last year before presenting IAB Europe’s action plan, and finally going over what these changes will mean in practice for Didomi users.
August 2023 update: IAB Europe has officially confirmed that it is pushing the deadline for the TCF v2.2 to November 20th, 2023.
For more information, watch the recording of our webinar with Google to get a comprehensive understanding of the IAB TCF v2.2 and the new Google CMP certification, and to learn how to leverage advertising in the privacy-first era.
Context about the Belgian APD and the Transparency and Consent Framework
A year ago, on February 2nd, 2022, the Belgian APD issued a decision against IAB Europe, citing 4 issues with its Transparency and Consent Framework (what’s the TCF? Learn more here). According to the Belgian APD:
The Transparency & Consent (TC) string, the consent signal stored by players in the advertising industry, is personal information. As such, participants should establish a legal basis.
IAB Europe is a data controller of that information, whether or not it processes the consent information
IAB Europe is a joint controller with TCF participants (vendors, CMPs, publishers)
Security measures in place to protect the integrity of the consent signal were not sufficient
IAB Europe was subsequently fined and instructed to come up with an action plan to solve these issues. IAB Europe, along with some TCF participants, worked on the action plan and submitted it to the APD in April 2022. Despite additional procedural events in September, the action plan was reviewed on January 11th by the Belgian APD.
From now until April, IAB Europe will clarify which changes are needed to comply with the updated Transparency and Consent Framework. Then, between April and July, these changes will need to be applied in the real world, including your configuration if you’re using the TCF.
Of course, we will communicate with Didomi customers with specific action points before then.
What is going to change in 2023 for the TCF?
Here are the main changes and obligations that will impact your Consent Management Platform if you’re using the TCF after April 2023:
New TC string special purpose
Users of the TCF will be required to add a new (special) purpose to the classification of purposes in the TCF, informing their users that they are capturing and sharing data subject choices via the TC String.
No more legitimate interest for targeted advertising
Going forward, users won’t be able to rely on legitimate interest for personalized advertising.
Specifically, the purposes impacted will be purpose 3 (create a personalized ads profile), purpose 4 (select personalized ads), purpose 5 (create a personalized content profile), and purpose 6 (select a personalized content profile).
Mandatory disclosures in the second layer of the CMP
After April, users of the TCF will be required to disclose new information in their CMP second layer:
The legitimate interests at stake
The categories of data collected and/or already held by Vendors
The retention periods (in the Vendors’ description)
Publishers will be presented with a warning about the impact that a large number of vendors can have on the ability of users to make informed choices (learn how to reduce your vendor list).
Additionally, the number of vendors will need to be disclosed in the first layer of the CMP. Finally, we will recommend using event listeners to ensure proactive communication of a changed TC String to vendors.
We saw changes related to vendor management coming and have been investing in technology that helps our users address these issues. First, we acquired the privacy and compliance monitoring startup Agnostik last year, which allowed us to add an extra layer to our product offering.
Additionally, we’ve released a free compliance testing tool and made it publicly available online. This lightweight version of our advanced monitoring solution allows users to find out the level of compliance of their website. Feel free to give it a try.
As a Didomi customer, what do these changes in the TCF mean and what are you supposed to do? Don’t worry, we’ve got it all planned out.
As a Didomi customer, what am I supposed to do?
Not a lot will be expected from Didomi customers. However, if you decide to continue using the Transparency and Consent Framework, you must know that consent notices/consent banners will be changing slightly (based on the changes listed in the previous section), and you should therefore be ready for it.
The migration from the TCF v2 to the next iteration of the framework will take place around May or June, with July 11th, 2023 serving as the hard deadline for the change.
Once the migration is complete, we will recommend that you recollect consent from your customers, as previously collected consent was deemed invalid following the Belgian APD decision. Additionally, you’ll most likely have to reduce your vendor list, and updating mobile SDK versions to receive the various TCF updates will be compulsory.
But don’t worry, we will remind you about this before the deadline.
To conclude, while it’s important to be aware of the upcoming changes following this important industry decision, the impact on Didomi customers should be minimal, and we’re hoping to provide thorough assistance to everyone along the way.
To learn more about the changes to the TCF and how they will shape your CMP experience, follow our updates here, join the Yes We Trust community to discuss with other privacy professionals, and reach out to our experts if you have any questions.