TCF 2.0: The Latest Standard of Transparency and User Consent

  • by Noah Ramirez, JD / CIPP
  • last updated July 29, 2020
TCF 2.0: The Latest Standard of Transparency and User Consent

Meeting the transparency and user choice requirements of the General Data Protection Regulation (GDPR) is challenging for most businesses. How do you give users granular control over their data while still publishing content or supplying ads and other services at scale?

In 2018, IAB Europe collaborated with players across the publishing, advertising, and online services industries to create the Transparency and Consent Framework (TCF): a framework for complying with GDPR and providing a way to transmit consent from users to third party vendors. The framework informs users how your vendors/partners use their data and gives them the option to consent or deny sharing their data individually. 

TCF was a big step toward transparency, user consent, and GDPR compliance, but it wasn’t perfect. Some publishers argued that the framework was biased toward ad tech vendors. (The bias wasn’t surprising, since IAB Europe’s members are mostly ad sellers.) In response, IAB released TCF 2.0, a new version that caters to publishers a bit more and closes some of TCF 1.0’s loopholes.

What is TCF 2.0?

TCF 2.0 is an upgrade that’s designed to address some of the challenges of the framework’s first version. The improvements are based on feedback gathered from data protection authorities, such as the UK’s Information Commissioner’s Office (ICO), which published a report (Update Report Into Adtech and Real-Time Bidding) that exposed some flaws in TCF 1.0. 

The goal of TCF 2.0 is to increase consumer transparency and choice, and support industry collaboration by standardizing how publishers and ad tech vendors work together on the open exchange. That’s to say, TCF 2.0 helps businesses transfer data at scale, while still complying with GDPR.

How Does the Framework Work?

User consent is paramount under GDPR. Publishers can’t send a user’s data to a vendor without that user’s consent. TCF makes it easier for publishers to get consent from users and relay their data down the advertising supply chain. 

TCF lets users interface with vendors through the publisher’s consent management platform (CMP). Publishers select the vendors they work with and the CMP communicates that list to users, along with the purposes the vendors use their data (e.g., “ad selection” or “content personalization”). 

When users arrive on the publisher’s website for the first time, they are asked to select the companies with whom the publisher can share their data. Once the user makes a selection, the CMP shares the user data with only the selected vendors. 

Whether you’re a publisher, advertiser, vendor, or user, TCF offers some clear benefits:

  • It creates an industry-wide standard for collecting user consent for data processing.
  • It relays the user data down the ad supply chain and to other third parties.
  • It helps publishers and ad sellers stay compliant with the GDPR. 
  • Publishers gain more control over how user data is handled by technology vendors.
  • Publishers can be more transparent with users.
  • It’s not an all-or-nothing tool. Rather than choosing whether to share data (a yes/no decision), users can choose who to share the data with. This makes users more likely to use the site in some capacity instead of abandoning it entirely.

Who Does it Apply to?

TCF 2.0 applies to anyone who passes user data to other parties in the European Union. It’s also applicable to organizations outside of the European Union who prefer to comply with GDPR for the sake of simplicity.

What's New in TCF 2.0?

TCF 2.0 is about giving more control to publishers and site owners, adding flexibility for vendors, and creating more transparency for users. After countless consultations with users and stakeholders, IAB came up with these changes:

  1. Users now have a “right to object” to the publisher sharing their data based on the vendor’s legal basis. That objection gets communicated through the CMP.
  2. The purposes of data processing have been subdivided, revised, and refined. There are now 12 purposes to choose from instead of five. Two special purposes have also been added. (Vendors must declare a purpose for processing. Users can object to a purpose.)
  3. Vendors receive an explicit signal when their “legitimate interest” legal basis is acknowledged, ultimately making them more accountable. 
  4. Publishers can create different rules for each vendor (or group of vendors), giving them more granular control over the data processing purposes. 
  5. Publishers can choose to remove certain vendors they don’t want to work with.
  6. Vendors may only accept signals from registered CMPs. 
  7. There are more mechanisms to remove anyone who doesn’t abide by the framework’s guidelines.

Do You Need TCF 2.0?

Technically, no. TCF is a tool to help you comply with GDPR’s requirements. It’s an industry attempt at standardization, but it’s not law. It’s just a set of guidelines, so there’s no enforcement or oversight. 

That said, you still have to comply with GDPR’s transparency and consent requirements. Compliance without the framework is complex, time consuming, expensive, and risky. So it’s smart to use TCF 2.0. 

Thanks to the upgrade, Google has committed to integrating with TCF 2.0. Their participation has incentivized many other organizations to make the switch. In the past, you had to struggle with using different sets of rules to transmit consent signals - one set of rules for IAB Europe and another for Google. This standardization makes life simpler for vendors and publishers who can use the same framework.

What Needs to be Done?

If you’re already using TCF 1.0, work with your consent management platform (CMP) to upgrade. TCF 2.0 is not backwards compatible, so the upgrade process will require your input. If you aren’t using TCF 1.0, you’ll need to open a relationship with a CMP that’s registered with the IAB. You could build and maintain your own CMP, but we don’t expect it to be cheap or easy. 

Next, work with your vendors to set up implementation. Be careful with the timeline here. Your vendors have to support TCF 2.0, so choose a time that doesn’t inadvertently cut them off from working with you. (The IAB recommends that ad tech companies support both versions for the time being, but publishers should choose one or the other.)

How Can Osano Help?

Osano is a registered consent management platform with the IAB, and approved for TCF 2.0. We record every single visitor consent on our private, fast quantum blockchain, which is why we’re the most popular cookie consent solution on the planet, serving more than two billion consents per month across 3.5 million websites. By adding one line of JavaScript to your website, you instantly become compliant with the GDPR, as well as the data privacy laws of over 40 countries.

If you want to implement TCF 2.0 to better serve your users and comply with GDPR - and you should - get started with Osano now.

Noah Ramirez, JD / CIPP

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy Noah enjoys rock climbing and yoga.