The IAB Transparency and Consent Framework (TCF) recently moved to version 2, standardising purposes and consent collection across the entire industry. The deadline for switching over to TCF v2 was the 15th August, but the period between now and 30 September (when v1 consent strings will no longer be valid) acts as an additional grace period in which to replace v1 consents with v2 permissions. So, there is still some time left! How close are you to the finish line? Didomi is here to assist your business in a last-minute switchover, or to give you some final tips on the creation of a TCF v2 compliant consent notice.
- What is TCF v2?
- First layer consent notice requirements
- UI second layer requirements
- UI third layer requirements
- Testing before going live
- How can Didomi help?
What is TCF v2?
TCF is a standard for collecting and transmitting user consent across the digital advertising industry. It was created in 2018 by the IAB Europe and the IAB Techlab, and defines how consent is transmitted between adtech players, from the publisher to the demand-side. Version 2 of the TCF was implemented on August 15th, and publishers must make sure they are well prepared; TCF v2 is not backwards compatible with TCF v1, and some significant changes must be made to ensure compliance.
Concerned about what this means for your business? Organise a free 30 min assessment call with a TCF v2 expert at Didomi.
Carry on reading for more information on TCF v2 requirements, or watch the replay of our recent webinar on YouTube.
First layer consent notice requirements
The collecting, storing and analyzing of data via a Consent Management Platform (CMP) is paramount, not only in terms of transparency and user information, but also in terms of monetization. As of August 15th, both commercial and in-house CMPs must now be registered and pass the IAB’s compliance checks. In order to ensure compliance, changes must be made to all layers of your company’s consent notice.
These are the main changes that must be implemented in the first layer of the UI:
Purposes and/or Stacks -
The first layer must inform users about the Purposes and/or Stacks, as well as special features, used by both the owner of the website and its third parties. Whilst in TCF v1 it was possible to use tooltips or expansion options to show this information, it must be immediately visible in TCF v2.
UI prominence and calls to action -
The UI needs to be prominently displayed and must cover most of the website content. Calls to action must be included in the first layer of the consent notice, and must allow users to express their consent (e.g. “accept”, “agree”, “approve”), and also to customize their choices (e.g. “advanced settings”, “customise choices”, etc.).
The IAB recommends - but does not require - that the choices be of equal visual importance so as not to influence the user. So, try to avoid having a small "learn more" button and a huge "accept cookies" button, for example, as this is not appreciated by users (nor data protection authorities). Be aware, however, that perfect symmetry between "accept" and "decline" is not required by TCF on this first consent interface.
But, French companies, note that this is different to what is likely to be announced by the CNIL, where both “accept” and “refuse” will have to appear. We will keep you updated on any future CNIL recommendations on our blog, or feel free to contact us for more information - our team would be happy to answer any questions.
Other first layer requirements -
Another first layer requirement is an example of the personal data being processed, such as a mention of IP addresses and cookie identifiers in a web banner. It must also be clearly indicated that users are able, and have the right, to modify their consent choices at any time.
Data processing and legal bases -
The new version of TCF includes the use of legitimate interest as a legal basis for personal data processing. Vendors can be flexible and use either legitimate interest or consent as a legal basis. This leaves the end choice to the publisher, giving them more control. For example, Google uses legitimate interest as a legal basis to process personal data for some purposes.
To find out more about Google joining the TCF, and what this means for publishers, check out our blog post on this subject here.
Personal data processed by third parties -
Finally, you must indicate that data is stored and accessed from users’ devices by your organisation, and also by the third parties you work with. You need to have a link directly to the list of vendors used, and this must appear on the first layer of your notice.
UI Second Layer requirements
That’s all the main points for the first layer, now onto the second layer of the banner, when the user clicks on “learn more”. At Didomi, we call this the “preference view”.
User choices and preference
This view gives users the option to make more granular choices when it comes to purposes. All purposes must be displayed in this view. Legitimate interest will then be set to “approved” by default - this view will allow users to oppose legitimate interest per purpose. Special features use legitimate interest as a basis, so they will be set to off by default in the Didomi CMP.
UI Third Layer Requirements
So, that’s a small introduction on what each layer of a TCF v2 compliant consent notice should look like. The Didomi CMP is registered with and compliant with the TCF v2, and we are here to guide you and help you in your transition process. Please contact us if you’d like to have more information on the subject!
Testing before going live
Finally, before going live, there are a number of things you should test.
Re-implement the CMP - Obviously, you will need to re-implement the CMP - if you stick with TCF v1, it is very likely that at the end of the quarter your monetization will go down sharply, as TCF v2 is not backwards compatible with TCF v1. Compliance is key, but Didomi can also aid your company in optimizing monetization.
Double-check how you use purposes on your websites/apps - The IDs of the purposes are changing, so this all needs to be tested before you go live.
Validate with your vendors that they are ready to receive the updated consent string - Didomi is working closely with vendors and publishers to make sure that those vendors, including Google, are receiving the updated consent string.
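One way to check which consent string version an integration is emitting, and which purpose IDs it carries, is to decode the header of the string itself. The following is an added example, not code from Didomi or the IAB: the field names and bit widths follow the published TCF v2 core-string layout, the sample strings are built inside the script, and every value in them (including the CMP ID 300) is constructed.

```javascript
// Added example, not Didomi's or the IAB's code. Runs under Node.js.
// Field order and bit widths of the TCF v2 core segment, up to the purpose bitfields.
const FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardStacks", 1], ["specialFeatureOptIns", 12],
  ["purposesConsent", 24], ["purposesLITransparency", 24],
];
const HEADER_BITS = FIELDS.reduce((sum, [, width]) => sum + width, 0); // 200
const BITFIELDS = new Set(["specialFeatureOptIns", "purposesConsent", "purposesLITransparency"]);
// base64url core segment (text before the first ".") -> string of "0"/"1"
function toBits(tcString) {
  const core = String(tcString).split(".")[0].replace(/-/g, "+").replace(/_/g, "/");
  return [...Buffer.from(core, "base64")].map((b) => b.toString(2).padStart(8, "0")).join("");
}

function decodeTcHeader(tcString) {
  const bits = toBits(tcString);
  const version = parseInt(bits.slice(0, 6), 2);
  if (version !== 2) return { valid: false, version, reason: "not a TCF v2 string" };
  if (bits.length < HEADER_BITS) return { valid: false, version, reason: "truncated" };
  const out = { valid: true };
  let pos = 0;
  for (const [name, width] of FIELDS) {
    const chunk = bits.slice(pos, (pos += width));
    if (BITFIELDS.has(name)) {
      // Bit n (1-based, left to right) set means ID n is allowed.
      out[name] = [...chunk].flatMap((bit, i) => (bit === "1" ? [i + 1] : []));
    } else if (name === "consentLanguage") {
      // Two 6-bit letters, A = 0.
      out[name] = String.fromCharCode(65 + parseInt(chunk.slice(0, 6), 2), 65 + parseInt(chunk.slice(6), 2));
    } else out[name] = parseInt(chunk, 2);
  }
  return out;
}

// Builds the constructed sample strings below; values follow FIELDS order.
function encodeSample(values) {
  const bits = FIELDS.map(([, width], i) => values[i].toString(2).padStart(width, "0")).join("");
  const bytes = bits.match(/.{8}/g).map((byte) => parseInt(byte, 2));
  return Buffer.from(bytes).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed samples: every value here is made up for the example.
const V2_SAMPLE = encodeSample([2, 15974496000, 15974496000, 300, 1, 1, 269, 50, 2, 1, 0,
  0, 0b111100100000000000000000, 0b010000101100000000000000]);
// Same header with the version bits set to 1, standing in for a leftover v1 string.
const V1_SAMPLE = encodeSample([1, 15974496000, 15974496000, 300, 1, 1, 269, 50, 0, 0, 0, 0, 0, 0]);
console.log(decodeTcHeader(V2_SAMPLE), decodeTcHeader(V1_SAMPLE));
```

Because the version occupies the first six bits, a v2 string always begins with the character "C" and a v1 string with "B", which makes leftover v1 strings easy to spot in request logs.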
How can Didomi help?
By the end of September, the IAB will stop supporting TCF version 1 altogether, and v1 consent strings will not be compatible with v2. The deadline may have already passed, but don’t worry, it is not too late for a last-minute switchover to TCF v2!
Undecided on whether TCF v2 is necessary for your business? Check out our blog post on why now is the right time to switch. Or, organise a demo with us today, and we will ensure a swift transition to TCF v2 compliance.