How the IAB’s GDPR Transparency and Consent Framework Works From a Technical Perspective (TCF 1.0, 2.0, and 2.2)


As of May 25, 2018, all companies that collect, use, process, and share data about EU citizens will be required to comply with the General Data-Protection Regulation (GDPR) and implement new data-protection and security measures. 

The regulation does not apply to EU companies alone. Regardless of whether an organization is based in the EU, it must comply with the regulation when processing EU/EEA-citizen data, or face severe financial penalties. 

For AdTech and MarTech vendors, the most important implications of the GDPR include:

A change to the definition of personal data: Identifiers such as IP addresses, device IDs, location data, and cookies will be considered personal data. This will change the way advertisers and technology vendors collect, store, and use such information. 

New rules for data collection: Companies wanting to collect and process user data will have to obtain consent from users and comply with some stringent rules. For the most part, consent will have to be freely given, specific, informed, and unambiguous. Also, consent boxes cannot be pre-ticked and will have to be given with a statement or clear, affirmative action. All companies processing the data will be required to provide evidence that consent was given.

Consent is required for each data-processing activity: If companies wish to process user data for multiple purposes (e.g. behavioral targeting and personalization), they’ll have to obtain user consent for each process.

For AdTech vendors, these new rules create a whole world of problems due to the fragmented nature of the online advertising ecosystem and the sheer number of players involved in a typical media transaction.

An illustration of how user data is shared (aka leaked) to various platforms during an online media transaction. Under the GDPR, each platform in the diagram has to obtain consent from the user to collect and process their data.

IAB—the Interactive Advertising Bureau, an organization responsible for creating and governing industry standards, research, and legal support for online advertisers—has proposed its own solution to help support the industry through the roll-out of the GDPR and solve some of the main challenges: the GDPR Transparency and Consent Framework.

In March 2018, the IAB’s framework was submitted to AdTech companies and publishers for public comment.

The framework is intended to support publishers, technology vendors, and advertisers in meeting the transparency and user-consent requirements of the GDPR.

The framework is governed by the IAB Tech Lab. It is a non-commercial, open-source initiative developed in collaboration with a number of publishers, advertisers, and other important industry participants. First released for public review in March 2018, with the commercial version released in April, the framework is designed to standardize the process of gaining consent to collect and use personal data.


How Does the Framework Actually Work?

User consent is one of six “legal grounds” for processing personal data. The framework makes it much easier for first-party publishers (whose services entail the use of a number of third parties) to process user data and to obtain consent in compliance with the rules laid down by GDPR. 

The IAB’s framework standardizes the process of getting Internet users’ consent for data processing, and relays this information further down the advertising supply chain.

The proposal also includes a Global Vendor List (GVL), which works as a registry of data controllers participating in the Framework. Think of it as a “whitelist” of vendors through which consent can be requested by first parties—publishers who directly interact with users. 

Here’s a brief step-by-step overview of how it works:

Step 1

The publisher selects which technology vendors from the Global Vendor List it would like to partner with.

Step 2

Each time a user accesses the publisher’s website for the first time, they are asked to select the companies with whom the publisher can share their data. This information will be stored in a first-party cookie in the user’s browser.

In June 2018, the IAB Tech Lab and IAB Europe released a mobile in-app specification for mobile app providers.

Step 3

Once the user has made their selection, the publisher can then share the user’s data with the selected technology vendors.

An example of how the consent-sharing process could look. The user has allowed the platforms in blue to collect and use their data. The platforms in orange were on the publisher’s Global Vendor List, but the user didn’t provide consent. Those in red weren’t on the publisher’s Global Vendor List.

Assuming the user has allowed all the technology vendors to collect their data, which isn’t likely, only those on the publisher’s Global Vendor List would be able to collect the user’s data.

Looking at the example diagram above, the user hasn’t allowed DSP#1, DMP#2, and DMP#3 to collect their data, even though they are included on the publisher’s Global Vendor List.

How Will Publishers Communicate User Consent With Approved Vendors?

In order for publishers to effectively communicate with whitelisted technology vendors, the IAB recommends passing the user’s consent decisions down the supply chain.

The user-consent information would consist of two binary strings (a purpose-choice string and a vendor-choice string), which are then turned into a compressed value as seen in the image below.

The purpose choices represent the purpose of the data collection (e.g. behavioral advertising and retargeting) and the vendor choices represent the technology vendors the publisher has whitelisted that have received user consent and, therefore, can receive the user’s data.
Source: Digital Advertising: Transparency, Control, Consent. IAB Europe, March 2018

The compressed value would be added to each ad and bid request further down the supply chain (or daisy chain, as the IAB is calling it), allowing only the whitelisted technology vendors to receive the user’s data.
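The compressed value described above can be built and read back as follows. This is an added example, not code from the original article or from the IAB: the field widths follow the published TCF v1 consent-string layout (bit-field vendor encoding only, range encoding is rejected), while the function names and all sample IDs are constructed for illustration.

```python
import base64

# Header fields of a TCF v1 consent string in wire order: (name, width in bits).
HEADER = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("purposes_allowed", 24),
    ("max_vendor_id", 16), ("encoding_type", 1),
]

def encode(fields, purposes, vendors):
    """Build a consent string (bit-field vendor encoding) from sets of 1-based IDs."""
    values = dict(fields, version=1, encoding_type=0)
    # Purpose-choice string: purpose 1 is the most significant of 24 bits.
    values["purposes_allowed"] = sum(1 << (24 - p) for p in purposes)
    bits = "".join(format(values[name], f"0{width}b") for name, width in HEADER)
    # Vendor-choice string: one bit per vendor ID, from 1 to max_vendor_id.
    bits += "".join("1" if v in vendors else "0"
                    for v in range(1, values["max_vendor_id"] + 1))
    bits += "0" * (-len(bits) % 8)  # pad to whole bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode(consent_string):
    """Parse a consent string; raise ValueError on anything unexpected."""
    try:
        padded = consent_string + "=" * (-len(consent_string) % 4)
        raw = base64.urlsafe_b64decode(padded)
    except (ValueError, TypeError) as exc:
        raise ValueError("not base64url") from exc
    bits = "".join(format(b, "08b") for b in raw)
    out, pos = {}, 0
    for name, width in HEADER:
        if pos + width > len(bits):
            raise ValueError("truncated header")
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    if out["version"] != 1 or out["encoding_type"] != 0:
        raise ValueError("unsupported version or vendor encoding")
    if pos + out["max_vendor_id"] > len(bits):
        raise ValueError("truncated vendor bit field")
    out["purposes"] = {p for p in range(1, 25)
                       if out["purposes_allowed"] >> (24 - p) & 1}
    out["vendors"] = {v for v in range(1, out["max_vendor_id"] + 1)
                      if bits[pos + v - 1] == "1"}
    return out

def may_process(consent_string, vendor_id, purposes_needed):
    """Fail closed: allow only if the string parses and grants vendor and purposes."""
    try:
        consent = decode(consent_string)
    except ValueError:
        return False
    return (vendor_id in consent["vendors"]
            and set(purposes_needed) <= consent["purposes"])

# Constructed sample: the user consents to purposes 1 and 3 and to vendors 2
# and 5, on a vendor list whose highest ID is 6 (all values are illustrative).
SAMPLE = encode(
    {"created": 15270000000, "last_updated": 15270000000, "cmp_id": 7,
     "cmp_version": 1, "consent_screen": 1, "consent_language": 269,
     "vendor_list_version": 8, "max_vendor_id": 6},
    purposes={1, 3}, vendors={2, 5})
```

A vendor receiving a bid request would call `may_process` with its own ID and the purposes it intends to use the data for; a string that is missing, truncated, or in an unsupported encoding is treated as no consent.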

Benefits

The IAB’s GDPR Transparency and Consent Framework offers an array of benefits for users and advertisers:

  • It introduces an industry-wide standard for collecting user consent for data processing.
  • It relays the user-consent information further down the advertising supply chain and signals it to other third parties.
  • While still not perfect, the framework is a step in the right direction towards GDPR compliance in general, easing the whole transition process for AdTech companies and publishers.
  • It will be supported in OpenRTB transactions, which bodes well for its adoption rates as a lot of popular AdTech vendors utilize the OpenRTB protocol.
  • The framework can benefit publishers by offering a means to be more transparent with users and also exercise stricter control over how the user data is processed by various technology providers; publishers can choose which third parties and which data-processing purposes they solicit user consent for.
  • At the same time, it gives publishers the power to decide how best to leverage its possibilities.
  • The framework does not impose all-or-nothing decisions on users. Users can choose which third parties they want to share their data with. The framework, in its current wording, allows users to consent to some, all, or none of the disclosed data-processing purposes, and to processing of the data by some, all, or none of the disclosed third parties.

Pitfalls

The IAB’s GDPR Transparency and Consent Framework is still far from perfect and requires certain adjustments to guarantee full compliance with the GDPR for AdTech companies and publishers. This is no small feat, considering the complex nature of the programmatic ecosystem. Many of the benefits of the GDPR create new challenges, not only for AdTech companies, but also for Internet users.

Some articles urge publishers against teaming up with companies behind IAB’s framework (Google and Facebook included), as it may be seen as favoring advertisers. There are a number of publications around the web pinpointing the inadequacies of the IAB framework, but the main complaints include:

  • Data leakage (i.e. when user data is passed on to multiple companies without the user’s knowledge) is a regular occurrence due to the very nature of the online programmatic and RTB ecosystem, and often happens without the publisher’s and user’s knowledge. The GDPR holds the publisher responsible whenever it happens.
  • While users can choose which third parties they want to connect with, the framework is not restrictive and still allows publishers to present users with a take-it-or-leave-it kind of choice, if they want to.
  • As PageFair pointed out in a recent article, there is close to no control over what happens to a user’s personal data once it enters a real-time bidding transaction. Again, this imposes a huge liability on the publishers’ part: how CMPs, SSPs, DSPs, and ad exchanges use the data is something publishers have little control over.
  • The IAB proposes that all consent is bundled under a single OK button, which may sabotage their own opt-ins as Internet users are very likely to say no to all of them in an effort to close the consent box and view the content on the page. It’s highly unlikely that users will take the time to carefully consider the implication of sharing their data with each platform.
  • The framework itself, as PageFair aptly noted, still fails to comply with Article 5 of the GDPR, one that requires consent to be requested in a granular manner for a “specified, explicit” set of purposes. Within the framework, the IAB proposes a design whereby consents are bundled together with a host of data-processing purposes, all under a single opt-in.
  • Likewise, the framework’s proposed “advertising personalization” opt-in appears to severely breach Article 6 (lawfulness of processing) and Article 13 (information to be provided where personal data is collected from the data subject) of the GDPR. Again, the message bundles several distinct purposes together, but provides no indication of what exactly will be done with the user’s personal data, which strictly violates the GDPR.
  • The current shape of the framework may result in thwarting the whole idea of the GDPR. Users may still be encouraged to agree to everything, which may result in reverting back to the original state of online advertising—i.e. maximum behaviorally targeted advertising and unbridled data collection. This is, at least, what would work in the best interest of some advertisers.

Updates to the IAB’s Transparency and Consent Framework

In April 2019, IAB Europe and the IAB Tech Lab released the second version of the framework (version 2.0) for public comment. 

The update also included feedback gathered from data protection authorities, such as the UK’s Information Commissioner’s Office (ICO), which published a report in June 2019 titled Update report into adtech and real-time bidding. The report highlighted some serious concerns around areas like transparency, the collection of special category data, and legitimate interest. 

What’s New in TCF 2.0

On August 21, 2019, the IAB Tech Lab and IAB Europe announced the release of the Transparency and Consent Framework version 2.0 – an upgrade intended to combat some of the pitfalls of the initial release of the framework. 

TCF 2.0 aims to further increase consumer transparency and choice and support industry collaboration. The framework is developed in collaboration with various publishers and regulators to support GDPR-compliant programmatic deals.

For consumers

The recommendations set out in TCF 2.0 cover consumers’ right to grant or withhold consent, as well as exercise their right to object to the processing of their data. Consumers also gain more control over whether and how AdTech vendors may use certain features of data processing like precise geolocation.

For publishers

The updates to TCF also allow publishers to control which data-processing purposes are used by individual AdTech vendors on their sites.

A couple more updates include:

  • More granular “purposes” of data processing – increasing the number from 5 to 10, plus two special purposes to give publishers more flexibility.
  • Better interpretation of “legitimate interest” for processing personal data, which covers vendors’ disclosure of the legitimate interest basis, and more complete accommodation of the user’s “right to object”.

Purposes in TCF 2.0

Below are the new purposes included in TCF 2.0 as provided by IAB Europe.

Purpose 1: Store and/or access information on a device

Cookies, device identifiers, or other information can be stored or accessed on a user’s device for the purposes presented to them.

Purpose 2: Select basic ads

Ads can be shown to users based on the content they’re viewing, the app they’re using, their approximate location, or their device type.

Purpose 3: Create a personalised ads profile and select personalised ads

A profile can be built about a user and their interests to show them personalised ads that are relevant to them.

Purpose 4: Select personalised ads

Personalised ads can be shown to a user based on a profile about them and ads that are relevant to them.

Purpose 5: Create a personalised content profile

A profile can be built about a user and their interests to show them personalised content that is relevant to them.

Purpose 6: Select personalised content

Personalised content can be shown to a user based on a profile about them.

Purpose 7: Measure ad performance

The performance and effectiveness of ads that a user sees or interacts with can be measured.

Purpose 8: Measure content performance

The performance and effectiveness of content that a user sees or interacts with can be measured.

Purpose 9: Apply market research to generate audience insights

Market research can be used to learn more about the audiences who visit sites/apps and view ads.

Purpose 10: Develop and improve products

A user’s data can be used to improve existing systems and software, and to develop new products.

Special Purposes

TCF 2.0 also includes two Special Purposes, which don’t require consent from users as they fall under a different legal basis (legitimate interest) in the GDPR:

Special Purpose 1: Ensure security, prevent fraud, and debug

A user’s data can be used to monitor for and prevent fraudulent activity, and ensure systems and processes work properly and securely.

Special Purpose 2: Technically deliver ads or content

A user’s device can receive and send information that allows them to see and interact with ads and content.

Google and TCF 2.0

Google announced on August 12, 2020, that it would be integrating the IAB’s TCF 2.0 with its ad products:

  • Google Ad Manager
  • AdSense
  • AdMob
  • Google Analytics (for advertising features used in conjunction with Google ads products)
  • Google Display Ads (for integrated properties)
  • Display & Video 360 and Campaign Manager (for integrated properties)
  • Google Authorized Buyers
  • Funding Choices

Google has given publishers a series of dates, before which they’ll need to adjust their consent collection to be compliant with TCFv2:

To support our partners with the transition, we will give them a 90-day grace period from August 15 to ensure their implementation is working properly and meeting our policy requirements.

Google

Here’s an overview of the grace period:

  • Within the first 30 days (until September 15, 2020), Google will continue to serve personalized and non-personalized ads.
  • For the remaining 60 days (until November 15, 2020), Google will only serve non-personalized ads on websites. 
  • After 90 days (after November 15, 2020), Google will stop serving ads.

What’s New in TCF 2.2

On May 16, 2023, an updated version of IAB Tech Lab’s Transparency and Consent Framework, known as TCF 2.2, was released.

Revisions to the framework had been undertaken in light of IAB’s ongoing legal conflict surrounding the compatibility of the TCF with the European Union’s General Data Protection Regulation (GDPR).

One significant change in the revamped framework is the exclusion of legitimate interest as a valid legal basis for processing and using personal data for advertising and content personalization.

Furthermore, the information provided to end-users has undergone several enhancements. The purposes and features now have different names and descriptions that are more user-friendly. 

Instead of legal text, the descriptions are now accompanied by real examples to help illustrate their practical applications.

The updated TCF also establishes a standard format for gathering more details from vendors regarding their data processing activities.

This collected information would then be made available to end-users, with the additional information covering the following aspects:

  • Categories of data collected by the vendors.
  • Specific retention periods for each purpose of data processing.
  • Identification and disclosure of any legitimate interest(s) that are involved in the data processing, if applicable.

Yet another aspect mentioned in TCF 2.2 is that consent management platforms (CMPs) must provide clear information on the total number of vendors aiming to establish a legal basis, prominently displayed on the initial layer of their user interfaces, ensuring transparency.

On top of that, publishers and CMPs must establish clear measures to enable users to easily access the CMP user interfaces and withdraw their consent.

Although the TCF was created to help companies comply with the GDPR, privacy advocates and data protection authorities in Europe have argued that it breaks many articles contained in the regulation.

Back in 2019, the Belgian Data Protection Authority (DPA) launched an investigation following 22 complaints concerning the IAB TCF and its potential violation of the GDPR.

In 2020, it was determined that the TCF violated the GDPR for facilitating unauthorized sharing of personal data among organizations and lacking adequate controls in the OpenRTB system.

The Belgian DPA released its preliminary decision in this case in November 2021, and later, on February 2, 2022, the final decision was issued.

Due to the TCF being found insufficient for preserving EU data protection law, the pop-up notifications that request people’s consent upon visiting a website are considered unlawful, meaning that all the information gathered through those pop-ups from over 1,000 companies, including Google and Amazon, must be erased.

The Belgian DPA granted approval for an action plan in January 2023, requiring IAB Europe to update its framework within a six-month period. 

However, merely two months later, in March 2023, the DPA decided to suspend the original six-month deadline. As of now, the implementation timeline is being reevaluated by the authorities.

The final ruling could have far-reaching implications, potentially disrupting data collection practices and raising questions about accountability for resolving the problem.

It goes without saying that advertisers, publishers and everything in between must promptly evaluate their dependence on the framework. 

Given that numerous businesses have made payments to IAB Europe for this service, it has the potential to place the trade group in an uncomfortable predicament.

Currently, there is a great deal of uncertainty surrounding the whole situation, and nobody possesses a definitive understanding of its implications.

It’s challenging to determine the exact form of the TCF’s remedy without additional specifics about the action plan. Nevertheless, the Belgian DPA has provided a set of corrective actions that IAB Europe should incorporate into their proposed measures. 

These suggested actions are likely to be a crucial part of the approved remediation process.

Even the question of whether the regulators can effectively implement their own decisions remains uncertain.

However, there is one clear aspect: the major tech platforms will likely accept and adapt to whatever outcome arises, as they have already established terms of service to which users agree when using their platforms.

Alternatives to IAB’s Transparency and Consent Framework

In a post-GDPR world, advertisers have problems providing full personalization and targeting without clear and explicit consent of the user. Audience selection will have to be based on cohorts and context, i.e. non-personal data.

There are, however, certain alternatives to the IAB’s proposed framework, which could offer better protection for publishers, restrict data leakage, and allow advertisers and AdTech companies to run personalized and targeted campaigns to users who have provided consent.

Piwik PRO Consent Manager
Piwik PRO GDPR Consent Manager allows you to collect visitor consents in line with GDPR, and efficiently manage all data-subject requests from a beautifully designed panel. Using a simple editor, you’ll be able to create and edit consent-request popups and other types of widgets helping you to collect lawful consents. They will serve as a gatekeeper between your website’s visitors and an array of tools that will later operate on agreed types of data.

Konsento
Konsento makes it easy to collect and manage user consents and keep track of your records of data-processing activities. Perfectly suited for non-profits, sports clubs, and associations.

Ensighten
Ensighten offers an easy-to-install (via a single line of code through any tag-management system) GDPR solution.

TrustArc Cookie Consent Manager
Cookie Consent Manager provides a cookie-compliance solution, including support for visual customization and branding. It enables implementation through a single script and integration with tag-management systems.

Publishers, agencies, and AdTech vendors who don’t consider IAB’s consent framework compelling enough can still resort to building their own user-consent tool. Teaming up with an experienced software-development company that specializes in building custom software solutions can make compliance with the GDPR and other privacy laws much easier.

Specifically, a bespoke consent tool can help your company avoid the costly fines associated with non-compliance with the GDPR. Designing and developing new software allows you to focus on specific features and technologies your company needs: acquiring user consent, managing user rights, or minimizing data leaks.
