What are the requirements of a TCF v2 compliant consent notice?

July 20, 2020 by Yannig Roth

On a website or in a mobile app, the notice is the first and main consent UI that users interact with. That’s where most users are informed about the purposes and vendors that consent is collected for, and where they make the choice to give or deny consent. As a result, the content of a consent notice is key to ensuring compliance with GDPR, local recommendations from data protection authorities, and the IAB TCF framework. This article, adapted from our Help Center, presents some of the requirements that a consent notice must meet (this is not an exhaustive list, and implementing all of them does not necessarily guarantee compliance).

What are the responsibilities of each party?

 

What about Didomi (or any other CMP)? 

Didomi’s role is to provide tools and general guidance for getting in compliance with the various privacy regulations (GDPR, CCPA, etc.) and standards (IAB TCF, IAB CCPA, etc.) that companies implementing our CMP might be subject to. Didomi provides example configurations and texts that incorporate rules from the different regulations and the IAB frameworks.

As an IAB-registered CMP, Didomi’s role is to ensure that the IAB frameworks are respected by all websites and mobile apps that implement them through the Didomi CMP. Didomi is held responsible by IAB Europe through regular audits of our clients’ websites and mobile apps. While Didomi is here to help, we are not legally authorized to provide legal counsel and cannot be held responsible for a lack of compliance due to a misconfigured CMP.


And what about you (your organisation, your DPO, your team)? 

 

Every organisation is different and you must customise the CMP and its texts to ensure that it is compliant and that the user information is complete by adding information about extra data processing that your organisation is operating. To give you maximum control, Didomi allows you to customise the content of a consent notice.

 

We recommend working closely with Didomi, your legal department and the local IAB organisations to ensure that your configuration of the Didomi CMP is in compliance with the regulations that your organisation is subject to and the IAB TCF framework.

 

When launching a consent notice, you must ensure that your texts and disclosures are compliant with the regulations and the IAB TCF framework. As non-compliance of your websites and mobile apps with the IAB TCF framework can impact Didomi’s standing as a CMP for all of Didomi’s clients, Didomi will proactively check the compliance of your consent notices and will work with you on ensuring that they are compliant. In rare cases and if compliance cannot be achieved through discussions engaged by Didomi with your organisation, Didomi might temporarily disable consent notices or disable the IAB TCF support for notices that remain non-compliant.

 

What are the 10 simple steps to ensure TCFv2 compliance? Download the Didomi TCFv2 Checklist to find out!


Here are 10 TCF v2 requirements

 

Consent under GDPR must be informed, freely given, specific, and unambiguous.

The requirements listed below help ensure that your consent notice is configured to respect this definition of a valid consent.

 

The list of requirements and the example texts provided are the minimal set of requirements for a valid notice running on the Didomi CMP. They do not guarantee a notice that is compliant with the regulations, and they require customisation to fit the exact data processing and business practices of your organisation.

 

The requirements include global GDPR requirements valid across all countries, and IAB TCF-driven requirements. For country-specific requirements, dedicated articles are available in our documentation.

 

Here is an example of a notice that meets all the requirements listed below (except for the full list of data processing and legal bases, which depends on your organisation):

 

We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, for data processing like displaying personalized ads, measuring preferences of our visitors, etc.
You can make a choice here and change your preferences at any time in our Privacy Policy on this website. Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

 

REQUIREMENT 1: COMPLETE LIST OF DATA PROCESSING AND LEGAL BASES USED BY YOUR ORGANIZATION AND ITS PARTNERS

For the user to be fully informed, they must be given a chance to review the full list of all the data processing operated by your organisation and your partners, as well as all the legal bases used for those data processing. This includes purposes and their legal bases, as well as special IAB TCF entities like features, special features, and special purposes.

 

Didomi provides an easy way to display an automated list of the data processing and legal bases configured in the CMP.

 

While it is acceptable to list the data processing and legal bases in your custom texts, we recommend enabling that automated list to ensure that the list is always up-to-date from your notice configuration. 

 

REQUIREMENT 2: INDICATE THAT DATA IS STORED AND ACCESSED FROM THE USER DEVICE BY YOUR ORGANIZATION AND BY THIRD-PARTIES

Your notice must include information about the fact that information is stored and accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data) by your organisation and by third-parties. Simply informing the user about your organisation is not enough. While this is partly covered by informing the user on data processing related to cookies as part of the list of data processing, this information must be more explicitly detailed for the user to be fully informed.

Example: We and our partners store and access non-sensitive information from your device…

REQUIREMENT 3: INDICATE THAT BOTH YOUR ORGANIZATION AND THIRD-PARTIES ARE PROCESSING PERSONAL DATA FROM THE USER

The user usually has a direct relationship with your organisation but limited knowledge of the third parties that you work with and how they might process their personal data. It is important for the user to be informed that third parties are also processing their personal data on your website or mobile app.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies, for data processing …

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, for data processing …

REQUIREMENT 4: EXAMPLES OF PERSONAL DATA BEING PROCESSED

The user needs to be able to understand what personal data will be collected and processed. The text must include examples of such data, like “cookies” (for Web), “device identifiers” (for mobile apps), browsing data, information about your interests, etc.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers,…

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, and process personal data like IP addresses and cookie identifiers,…

REQUIREMENT 5: LINK TO THE LIST OF THIRD-PARTIES PROCESSING PERSONAL DATA

Your notice must include a link for the user to access the full list of third-parties that might process their personal data. Didomi automatically adds a “View our partners” link to all notices. The link added by Didomi will be automatically hidden if you specify your own link to Didomi.preferences.show() in your notice text.

REQUIREMENT 6: CONSEQUENCES OF CONSENTING OR NOT

As consent should be freely given, the user should be clearly informed of the consequences of consenting or not consenting. Keep in mind that there cannot be adverse consequences for not consenting. For instance, you cannot prevent users from accessing your website or mobile app if they do not consent to their personal data being processed.

REQUIREMENT 7: RIGHT TO MODIFY CONSENT CHOICES

Users have the right to modify their consent choices at any time and should be informed of that right and of how to exercise it. The instructions for modifying their choices should be clear and specific.

Example for Web: You can change your preferences at any time in our privacy policy on this website.

Example for Mobile Apps: You can change your preferences at any time in the Privacy menu of this app.

REQUIREMENT 8: MODIFYING CONSENT CHOICES

 

In addition to requirement 7 (the right to modify consent choices), a link should be added to your website or mobile app to show the Preferences again and allow the user to update or withdraw their consent choices. That link should preferably be added to all the pages / views of your website or mobile app, or in the privacy policy.

Add a link to Didomi.preferences.show() to allow the user to open the Preferences view.
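The wiring for such a link, as an added example (not Didomi’s own code): it assumes the Didomi web SDK’s `window.didomiOnReady` callback queue and the `Didomi.preferences.show()` method named above, and uses a hypothetical `data-didomi-preferences` attribute to mark the links to bind. Until the SDK has loaded, the link simply navigates to its href, which should be the privacy policy mentioned in Requirement 7.

```javascript
// Added example, not Didomi's own code. Assumes the Didomi web SDK exposes
// window.didomiOnReady (a queue of callbacks invoked with the SDK object once
// it has loaded) and Didomi.preferences.show() as described in the text.

// Wire a "Manage my choices" link so that a click reopens the preferences
// view (Requirement 8). Until the SDK is ready the click is not cancelled,
// so the browser follows the href, which should point to the privacy policy
// where the choices can also be changed (Requirement 7).
// Returns the click handler so it can be exercised in tests.
function bindPreferencesLink(link, readyQueue) {
  let sdk = null;
  readyQueue.push(function (Didomi) {
    sdk = Didomi; // called by the SDK once it is loaded
  });
  const onClick = function (event) {
    if (!sdk) {
      return 'fallback'; // SDK blocked or still loading: navigate normally
    }
    event.preventDefault();
    sdk.preferences.show();
    return 'shown';
  };
  link.addEventListener('click', onClick);
  return onClick;
}

// Browser wiring: every <a data-didomi-preferences href="/privacy"> on the
// page (data-didomi-preferences is a hypothetical marker attribute chosen
// for this example) becomes a link that reopens the preferences view.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.didomiOnReady = window.didomiOnReady || [];
  document.querySelectorAll('a[data-didomi-preferences]').forEach(function (a) {
    bindPreferencesLink(a, window.didomiOnReady);
  });
}
```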

REQUIREMENT 9: LEGITIMATE INTEREST

Your organization and third-parties might use legitimate interest as the legal basis for some data processing. If that is the case, the user must be informed of that fact and that they have the right to object to that data processing.

Example: Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Important note: this requirement does not apply to TCF v1.1 and only applies to TCF v2.

REQUIREMENT 10: CALLS TO ACTION MUST BE OF EQUAL VISUAL PROMINENCE

Choices offered to the user (Agree / Disagree, Learn More, etc.) must be of equal visual prominence so as not to imply that one choice is better than the other.
This implies that the visual components used for those choices should be of the same nature. You cannot have one option displayed as a button while the other option is displayed as a simple link.

 

For instance, if Agree and Learn More are the two options available, they should both be buttons or both be links. You cannot display an Agree button next to a Learn More link.

If you want to learn more from a source other than Didomi, IAB Europe has detailed rules and examples in their CTA requirements documentation. But our team is happy to help you in the TCF v2 transition, of course. You will find dedicated TCF v2 resources in our Help Center as well as on this TCF v2 Transition Page (includes a 10-step transition checklist).

 


 

Want to ensure a swift and easy transition to TCF v2? Organise a free demo with Didomi. 

 
