Why has the IAB introduced changes to the Transparency and Consent Framework?
On February 2, 2022, the Belgian DPA found the IAB’s Transparency and Consent Framework (TCF) to be noncompliant with several provisions of the GDPR. It required the IAB to present an action plan to implement corrective measures that address the infringements and bring the TCF into compliance with the GDPR.
In response to feedback from the market, as well as evolving case law and guidelines from various national data protection authorities, the IAB has implemented the TCF v2.2. The new framework aims to improve the standardization of information presented to users, and give them more control over how their personal data is processed.
The TCF v2.2 includes some measures related to the action plan that the IAB submitted to the Belgian DPA.
What is new in IAB Transparency and Consent Framework v2.2 (TCF v2.2)?
The Transparency and Consent Framework (TCF) v2.2 is a significant update to the previous version, with policy changes aimed at increasing transparency and giving users more control over their consent choices.
Removal of legitimate interest
TCF v2.2 no longer allows legitimate interest as a legal basis for data processing operations related to advertising and content personalization. Vendors can now only select explicit consent as an acceptable legal basis for these purposes.
Improved user interface (UI)
The information required in consent management platforms’ (CMP) UI has been improved to include user-friendly standard texts, new features of processing, and real use case illustrations to make it easier for users to understand what they’re consenting to and what their options are.
Easier consent withdrawal
Users can now change their minds about sharing their data with vendors, and they must be able to re-access the CMP UI to change or withdraw consent at any time. The process to withdraw consent must be as easy as the process to give it. The practical implications of this are that the CMP UI must be easily accessible to users and not buried on the website or app where users must hunt to find it.
More vendor transparency
Detailed disclosures about vendors' data categories and retention periods are standardized under TCF v2.2 and must be provided to users in the secondary layer(s) of CMP UIs.
Enhanced compliance programs
New auditing mechanisms and differentiated enforcement procedures will be implemented, including proactive auditing of a larger number of randomly selected CMPs and vendors each month.
In doubt about whether your website is GDPR-compliant? Test it with the free Cookiebot CMP compliance test.
Cookiebot CMP and the new IAB Framework (TCF v2.2)
CMPs must implement the new policies and specifications of the TCF v2.2 by November 20, 2023. Cookiebot CMP’s IAB integration supports the new IAB framework (TCF v2.2).
Cookiebot CMP integration consists of an extra panel in the consent banner of websites registered with the IAB.
The panel is called “Ad Settings”, and from there, end-users can choose between IAB Purposes and Vendors before submitting their consent.
We recommend using the IAB framework integration as a supplement and not a replacement for the regular Cookiebot CMP solution.
This is because the IAB’s consent model works by signaling the user’s consent to advertising vendors, whereas the Cookiebot CMP consent model works by blocking non-consented vendors.
This is a key difference because, according to the GDPR, it is the publisher (i.e. you, the website owner) who is liable for all tracking and personal data collection taking place on their domain – also by third parties.
Cookiebot CMP eliminates the dependency on the good faith of the vendors and gives true control to the website owner. By using Cookiebot CMP as an integration in the IAB framework (TCF v2.2), you ensure true GDPR compliance for yourself.
To ensure that user consents are being honored by advertising vendors, the Cookiebot CMP patented scanning technology monitors all cookies and similar trackers used by vendors on the website and marks them as non-consensual in the scan report.
Cookiebot CMP also supports the IAB CCPA Compliance Framework.
The unmatched scanning technology of Cookiebot CMP
Cookiebot CMP is one of the few fully compliant consent management platforms on the market.
Cookiebot CMP’s unmatched scanning technology finds all cookies and trackers and then takes automatic control until users have given their consent, enabling true compliance with the EU’s General Data Protection Regulation and ePrivacy Directive.
Cookiebot CMP performs monthly deep-scans of your domain to make sure that you always know what third-party trackers and trojan horses are loading on your website.
Cookiebot CMP then presents a true choice of consent to your users through our consent banner.
Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Using Cookiebot CMP is free if you have under 50 subpages (unique URLs).
What is the IAB Framework and how does it meet GDPR requirements?
IAB Europe (Interactive Advertising Bureau) is a business organization for online advertisers and marketers that develops and governs industry standards and best practices, conducts research, and provides legal support.
In preparation for the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.
The Framework is called the IAB Europe Transparency & Consent Framework.
The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smoothen the process of meeting the requirements of the GDPR.
The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.
What are the GDPR requirements and what do they mean for advertisers?
The General Data Protection Regulation (GDPR) sets out strict requirements for how one may record, store, use and share personal data.
Requirements for compliant consent in the GDPR
In order for your consent management to comply, it has to be…
- Informed: What data is processed and for what purpose? It must be clear to the user what the consent is being given for.
- Based on a true choice: the user must not be coerced into accepting the cookies.
- Given by means of an affirmative and unambiguous action.
- Given before the initial data processing takes place.
- Withdrawable: It must be as easy for the user to withdraw the consent as it was to give it in the first place.
- The user has the right to be forgotten. At the user’s request, all of his or her personal data must be properly deleted.
- All given consents must be recorded as documentation that the consent was given.
With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.
The GDPR is extremely wide-ranging geographically, in scope, and in severity.
Geographically, because it not only covers all organizations operating within the EU nations, but also all organizations outside of the EU that have EU citizens as users.
In scope, because of its broad definition of personal data.
Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data that can be singled out or connected with other data in order to identify a concrete person.
For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
This broad definition means, in practice, that marketing cookies and all other types of tracking that, for example, record, store or share users’ behavior and preferences are subject to the GDPR.
This affects practically the entire industry of online advertisers and marketers and everyone involved in that ecosystem, including, on a broad scale, publishers on the internet that rely on ad networks as an important source of income.
In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million – whichever is higher.
What is the purpose of the IAB Framework?
The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.
Within the Framework, these three groups are called “publishers”, “vendors”, and “CMPs” (consent management providers).
What are publishers, vendors and CMPs in the IAB Framework, and what is the relation between them?
- Publishers in the IAB Framework are digital media that publish content on the internet. In general, the publishers represent the first party: i.e. the website that the user has sought access to. In the digital advertising industry, publishers often are dependent on displaying third party advertisements on their websites in order to monetize views. This usually is resolved by using an ad network that directs relevant ads to the users that are accessing the publishers’ content. In the context of the IAB Framework, ad networks and advertisers are called “vendors”.
- Vendors in the IAB Framework are the third-party advertisers that the publisher has chosen to partner with. The vendors display third party content on the publishers’ website. They are the ones setting marketing cookies on the end-user’s browser, in order to display relevant ads to potential customers.
- Consent management providers (CMP) supply the technology that enables user consent for processing data on the publishers’ website. In the IAB Framework, they signal the end-users’ consent settings to the vendors operating on the current website.
How does the IAB Framework work?
In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.
In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.
This list is called the Global Vendor List or “GVL”.
In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose.
Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors that have adhered to the rules of the Framework.
When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List that they want to partner with.
The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.
Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.
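The vendor condition described above (no cookie until a consent signal arrives from the CMP) can be sketched as follows. This is an added example, not Cookiebot or IAB code: it assumes the TCF v2 CMP API function `__tcfapi` and its `addEventListener` command, uses a hypothetical vendor id 9999, and replaces the browser CMP with a constructed stub so it runs offline. Legal bases other than consent are out of scope.

```javascript
// Hypothetical values for illustration; a real vendor uses its own GVL id.
const VENDOR_ID = 9999;
const REQUIRED_PURPOSES = [1]; // purpose 1: store and/or access information on a device
// Decide from a TCData object whether this vendor may set its cookie.
// Fails closed: anything missing or unsettled counts as "no consent".
function mayProcess(tcData, vendorId, purposeIds) {
  if (!tcData) return false;
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return false; // banner still open, no choice made yet
  const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  return vendorConsents[vendorId] === true &&
         purposeIds.every((p) => purposeConsents[p] === true);
}

// Subscribe to the CMP; the callback fires again whenever the user changes
// or withdraws consent, so the vendor must re-evaluate every time.
function watchConsent(tcfapi, vendorId, purposeIds, onAllowed, onDenied) {
  if (typeof tcfapi !== 'function') { onDenied(); return; } // no CMP present
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (success && mayProcess(tcData, vendorId, purposeIds)) onAllowed();
    else onDenied();
  });
}

// Constructed stand-in for a CMP's __tcfapi so the example runs outside a browser.
function makeStubCmp() {
  const listeners = [];
  const api = (command, version, callback) => {
    if (command === 'addEventListener') listeners.push(callback);
    else callback(null, false);
  };
  api.emit = (tcData) => listeners.forEach((cb) => cb(tcData, true));
  return api;
}

function demo() {
  const cmp = makeStubCmp();
  const log = [];
  watchConsent(cmp, VENDOR_ID, REQUIRED_PURPOSES,
    () => log.push('set-cookie'), () => log.push('no-cookie'));
  cmp.emit({ eventStatus: 'cmpuishown' });
  cmp.emit({ eventStatus: 'useractioncomplete',
    purpose: { consents: { 1: true } }, vendor: { consents: { 9999: true } } });
  cmp.emit({ eventStatus: 'useractioncomplete', // user withdraws purpose 1
    purpose: { consents: {} }, vendor: { consents: { 9999: true } } });
  return log;
}
```

In a browser the first argument to `watchConsent` would be `window.__tcfapi`; the third constructed event shows why a vendor has to treat a later withdrawal as a revocation rather than caching the first grant.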
Cookiebot CMP for GDPR & CCPA compliance through IAB
By using Cookiebot CMP as your website’s consent management platform, you can ensure compliance with both the EU’s GDPR and California’s CCPA.
With Cookiebot CMP IAB Framework (TCF v2.2) integration, advertisers and publishers also ensure compliant data collection and processing across the board.
The IAB Transparency and Consent Framework is a standardized means for online advertisers and marketers of communicating the state of user consent between first parties, third parties and the consent management system in use on the first party’s website.
IAB Transparency and Consent Framework works as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management platform in use on the first party’s website. Publishers select their vendors of choice from a list of vendors that have enrolled in the Framework. When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List. The consent state of the user is stored in a first-party cookie in the user’s browser and shared down the advertisement chain of information in the IAB Framework.
The IAB Transparency and Consent Framework 2.2 expands the ability for users to give, withhold or revoke consent and to object to their data being processed. Users are able to control whether Vendors are allowed to use their personal data and publishers are able to restrict the purposes for which Vendors process personal data on publisher’s websites.
Cookiebot CMP integrates with the IAB Transparency and Consent Framework 2.2 through an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end-users are able to choose between IAB Purposes and Vendors before submitting their consent.