Frequently asked questions
What is the TCF?
The “Transparency and Consent Framework (TCF)” of the International Advertising Bureau Europe (IAB) is a technical standard spanning multiple sectors for the retrieval and transfer of a user’s consent signals between publishers and third party providers who have committed themselves to the framework (e.g. Google, Criteo, Quantcast or Taboola). The framework thereby establishes a “common language” on whose basis all participants in the advertising value chain can communicate, and which enables marketing to be conducted legally in the future via these channels.
What is the IAB?
The
Interactive Advertising Bureau Europe (IAB Europe) is an international business organisation for the online advertising sector. In its own words, the organisation represents the interests of companies from the digital advertising and media industry, ensures consistency and standardization and serves to improve the use of digital advertising channels for advertising customers.
How can I tell if I have TCF enabled?
There are subtle differences between a standard banner with- and without TCF enabled. The most noticeable would be that the TCF banner includes Purposes, Features, and Vendors. In the first layer information is provided about Purposes and Features. On the second layer of the CMP users can enable and disable each Purpose and Vendor separately.
For whom is TCF intended?
Not everyone who operates a website is automatically affected by TCF. The TCF is primarily relevant for publishers whose core business lies in monetising their own content through advertising - and who work together with third party providers.
Why would I need the TCF?
From 15th August 2020, vendors who have committed themselves to the framework will request consent from users to further process their data and/or to run advertising in the form of an IAB TC string which can only be created by an IAB-certified Consent Management Platform (CMP). The CMP in use by publishers who have activated TCF will not block any vendors who have committed themselves to TCF. The information on whether or not the vendors may use the personal data which has been received is available in the TC string. The vendors are themselves responsible for ceasing the use of personal data if the user has not granted consent.
What creative options do I have with CMP elements when TCF is activated?
The TCF provides exact guidelines on how the CMP should be graphically designed and which content must be presented to the user at which user levels. However, with areas such as colour, fonts, background and the placement of the company’s logo, there will continue to be scope for creativity to a certain extent. Thus, customisation to the company’s CI will still be possible. Furthermore, you can continue to label the individual layers yourself and add further texts to the banner and privacy policy. The texts displayed on the buttons can also be freely selected (e.g. the Reject/Accept buttons).
Can I display a Privacy Wall instead of the banner?
The guidelines of the TCF, according to the current situation, provide for asking for personal privacy settings via a centrally placed Privacy Wall.
Which vendors use TCF?
All vendors who have committed themselves to TCF can be found on the
Global Vendor List (GLV) which is updated weekly by the IAB.
Can I continue to work with non-IAB vendors?
Yes. Publishers will also still be able to work with vendors who have not committed themselves to TCF. However, TCF stipulates that it must be clear for the user whether the vendor is from the IAB’s Global Vendor List or if it is a non-IAB vendor. For this reason, the framework recommends clearly listing both groups separately.
Can I incorporate non-IAB vendors into the CMP?
This is possible. You can add these services to your configuration as before in the Usercentrics Admin Interface via the menu option “Service Settings”.
Can I simply incorporate the entire Global Vendor List for TCF?
You can add these services to your configuration in our Admin Interface via the menu option “Service Settings”. However - for reasons of transparency and user friendliness - it is recommended that you do not incorporate the entire list but limit yourself to third party providers to whom data will actually be forwarded for processing.
Does the TCF require user consent every time the Global Vendor List is updated?
Every time the user is shown the privacy banner e.g. on the first visit to the website or when the user wishes to change his or her personal privacy settings, the TCF requires that this occurs based on the newest version of the Global Vendor List (GLV).
The TCF guidelines do not, however, require that users check and update their selection every time the GVL is updated. The user’s TC strings may, however, not be updated without the user interface being presented once again and the privacy settings preferences queried.
It lies at the discretion of the CMP and/or the publisher to decide whether changes in the GVL compared to a previous version used to confirm the user’s privacy settings justify the banner being shown again.
The TCF guidelines merely require that users are reminded every 13 months at the latest of their right to revoke their consent and/or to object to the processing of their data.
Can I amend the text of the Data Processing Services (DPS)?
No. The information about vendors who are registered on the Global Vendor List (GLV) is comprehensively laid down by the IAB and can be amended neither by Usercentrics nor our customers. These texts are automatically entered into the Usercentrics database, updated weekly and publishers can then incorporate them into their CMP.
Information regarding non-IAB vendors can be generated as before from our own service database and it also remains possible to generate custom DPS here. These providers/services will retain the current lock logic through our CMP.
What are so-called “Stacks” with TCF?
IAB defines a stack as following in the TCF policies:
“Stack“ means one of the combinations of Purposes and/or Special Features of processing personal data used by participants in the Framework that may be used to substitute or supplement more granular Purpose and/or Special Feature descriptions in the Initial Layer of a UI.
With the update to TCF 2.2 the number of purposes has increased to 11. The publisher can combine several purposes as “stacks” to make it easier for the end user to stay on top of things provided the IAB’s requirements are fulfilled.
A complete overview of all available stacks, and practical examples of stacks can be found in the TCF policies.
Does the TCF require a “Reject” button in the first layer of the banner?
No. According to TCF 2.2 guidelines the first layer must contain only an action request for the user such that he or she can provide consent (e.g. “Accept”, “OK”, “Allow” etc.) and provide an option to amend the selection (e.g. “advanced settings”, “customize selection” etc.). TCF 2.2 guidelines do not require an action request in the first layer which enables the user to revoke consent. It is up to the publisher whether or not to show a “Reject” button in the first layer if you wish to do so or if local laws require it.
For your information
The setting which shows a “Reject” button in the first layer is activated by default in the Usercentrics CMP although this option can also be deactivated. Important to know: If the user is not given the option to opt out in the first layer, the website may no longer be GDPR compliant. Seek the advice of your lawyer or legal department before taking this step.
are granular selection options required in the first banner layer with TCF?
No. With TCF only the purposes for which third-party providers use data and the stacks need to be listed. At present, there is no obligation for CMPs to offer users a granular selection option at first. However, it is up to the publisher whether to offer this via the CMP anyway or carry out appropriate amendments if local laws should require this.
As a publisher can I define the legal basis or purposes for individual vendors?
TCF offers publishers the option to define which legal bases and for what purpose your users’ personal data can be processed by the respective vendor. Publishers can thereby define customer requirements in accordance with their own commercial and legal considerations, e.g. the exclusive use of explicit consent as a legal basis or, for example, only allow certain processing purposes with selected providers.
What is the difference between Global Scope and Service Specific Scope?
TCF gives publishers two options for how you may wish to share your consent information:
Global Scope: If the user makes a consent decision on a website, this will be stored as part of the framework and all other websites working with a CMP activated for TCF and who operate in Global Scope have the ability to access this consent information. Important to know: If the user sets his or her privacy settings in Global Scope, these settings shall be binding for all parties participating in Global Scope. Important: This also applies for cases in which the user does NOT grant consent. For example, if a user makes the decision not to provide consent on another website, all other websites from the group must likewise respect this decision.
Important
The following fundamental question must be clarified with Global Scope: Is it clear to the user (even if he or she has been informed accordingly in the banner text) with whom the information is shared? The framework itself offers this option but does not make any point as to how this approach should be legally evaluated. Publishers should definitely consult their lawyers or legal departments on this point.
Service Specific Scope: Only privacy settings relating to the website for which they were requested are valid here.
Important
Google has announced that it will only support TCF in the Service Specific Scope. Further information can be found here.
As a publisher can I define the legal basis for my own (data processing) purposes?
Yes. The guidelines of TCF 2.2 allow publishers to administer and save their own legal bases in their CMP for a variety of data processing purposes. This also applies explicitly for processing purposes which are not supported by the framework. This information can be found in the “Publisher TC Segment” of the TC string which serves to ensure seamless transfer of the publishers’ legal bases to the vendors with whom they work.
Does TCF forbid “continuing to scroll” as consent?
No. No exact definition or guideline can be found in the guidelines of TCF detailing how user consent (e.g. explicit or implicit) is to be obtained. By implication, publishers therefore have the option to regard “continuing to scroll” as user consent.
Important
Various courts have busied themselves with the matter of “continuing to scroll” in the past. The main consensus: “Continuing to scroll” can NOT be regarded as valid user consent. Furthermore, the European Data Protection Board (EDPB) has already issued statements on this matter in its Guidelines from May 2020 and likewise classed “continuing to scroll” as a non-compliant means of obtaining user consent with respect to GDPR. Publishers contemplating this option anyway are advised to consult their lawyers or legal departments.
Where can I find further information about TCF?
Comments
0 comments
Please sign in to leave a comment.