Updated January 17, 2023.
IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework (TCF) to support publishers, technology vendors and advertisers in being compliant with EU’s GDPR and ePrivacy Directive.
On May 1, 2020, IAB launched their Transparency and Consent Framework Version 2.0 (TCF 2.0) and Cookiebot consent management platform (CMP) has automatically migrated to the new framework.
In this article, we take a look at what IAB’s framework is all about, what’s new in the TCF 2.0 and how Cookiebot CMP works as an integration.
Update on the Belgian DPA and IAB TCF (February 2022)
On February 2, 2022, the Belgian DPA found the IAB’s Transparency and Consent Framework (TCF) to be non-compliant with the EU’s General Data Protection Regulation (GDPR).
We here at Usercentrics, the parent-company of Cookiebot CMP, are monitoring this development extremely closely and have been in direct correspondence with IAB Europe.
They have advised Usercentrics that the decision by the Belgian DPA, ‘contains no prohibition of the Transparency & Consent Framework (TCF)’ and there is, ‘an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.’
We are currently awaiting that plan from IAB Europe, which they are required to present within 2 months of the publication date and then implement within 6 months.
We will continue to monitor developments and will be sure to update you with any relevant information.
What is new in IAB Transparency and Consent Framework 2.0 (TCF 2.0)?
IAB’s TCF 2.0 expands the ability for users to give or withhold consent, and to object to their data being processed.
Consent is now more granular for users, who have gained more control over whether Vendors are allowed to use their personal data.
Another new feature in IAB’s Transparency and Consent Framework (TCF 2.0) is the ability for publishers to restrict the purposes for which Vendors process personal data on publisher’s websites.
In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
Cookiebot CMP and the new IAB Framework (TCF 2.0)
On May 1, 2020, Cookiebot CMP IAB integration automatically migrated from the old to the new IAB framework (TCF 2.0).
Cookiebot CMP integration consists of an extra panel in the consent banner of websites registered with the IAB, as pictured above.
The panel is called “Ad Settings”, and from there, end-users can choose between IAB Purposes and Vendors before submitting their consent.
We recommend using the IAB framework integration as a supplement and not a replacement for the regular Cookiebot CMP solution.
This, because IAB’s consent model works through signaling the user’s consent to advertising vendors, whereas Cookiebot CMP consent model works through blocking non-consented vendors.
This is a key difference because, according the GDPR, it is the publisher (i.e. you, the website owner) who is liable for all tracking and personal data collection taking place on their domain – also by third parties.
Cookiebot CMP eliminates the dependency on the good faith of the vendors and gives true control to the website owner. By using Cookiebot CMP as an integration in the IAB framework (TCF 2.0), you ensure true GDPR compliance for yourself.
To ensure that user consents are being honored by advertising vendors, the Cookiebot CMP scanning technology monitors all cookies and similar trackers used by vendors on the website and marks them as non-consensual in the scan report.
Cookiebot CMP also support the IAB CCPA Compliance Framework. Read more here.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
The unmatched scanning technology of Cookiebot CMP
Cookiebot CMP is one of the few fully compliant consent management platforms on the market.
Cookiebot CMP unmatched scanning technology finds all cookies and trackers and then takes automatic control until users have given their consent, enabling true compliance with the EU’s General Data Protection Regulation and ePrivacy Directive.
Cookiebot CMP performs monthly deep-scans of your domain to make sure that you always know what third-party trackers and trojan horses are loading on your website.
Cookiebot CMP then presents a true choice of consent to your users through our consent banner.
Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Using Cookiebot CMP is free if you have under 100 subpages (unique URLs).
What is the IAB Framework and how does it meet GDPR requirements?
IAB Europe, (Interactive Advertising Bureau), is a business organization for online advertisers and marketers, that develops and governs industry standards and best practices, conducts research, and provides legal support.
In preparation to the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.
The Framework is called the IAB Europe Transparency & Consent Framework.
The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smoothen the process of meeting the requirements of the GDPR.
The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.
What are the GDPR requirements what do they mean for advertisers?
The General Data Protection Regulation (GDPR) sets out strict requirements for how one may record, store, use and share personal data.
Requirements for compliant consent in the GDPR
In order for your consent management to comply, it has to be…
- Informed: What data is processed and for what purpose? It must be clear for the user, what the consent is being given to.
- Based on a true choice: the user must not be coerced into accepting the cookies.
- Given by means of an affirmative and unambiguous action.
- Given before the initial data processing takes place.
- Withdrawable: It must be as easy for the user to withdraw the consent again, as it was to give it in the first place.
- The user has the right to be forgotten. At the user’s request, all of his or her personal data must be properly deleted.
- All given consents must be recorded as documentation that the consent was given.
With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.
The GDPR is extremely wide-ranging both geographically, in scope, and in severity.
Geographically, because it not only covers all organizations operating within the EU nations, but also all organizations outside of the EU, that have EU citizens as users.
In scope, because of its broad definition of personal data.
Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data, that can be singled out or connected with other data in order to identify a concrete person.
For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
This broad definition means, in practice, that marketing cookies and all other types of tracking, that e.g. record, store or share users’ behaviour and preferences, are subject to the GDPR.
This affects practically the entire industry of online advertisers and marketers, and everyone involved in that ecosystem, including, in broad scale, publishers on the internet, that make use of ad networks as an important source of income.
In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million – whichever is higher.
What is the purpose of the IAB Framework?
The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.
Within the Framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).
What are publishers, vendors and CMP’s in the IAB Framework, and what is the relation between them?
- Publishers in the IAB Framework are digital media that publish content on the internet. In general, the publishers represent the first party: i.e. the website that the user has sought access to. In the digital advertising industry, publishers often are dependent on displaying third party advertisement on their websites in order to monetize views. This usually is resolved by using an ad network that directs relevant ads to the users that are accessing the publishers’ content. In the context of the IAB Framework, ad networks and advertisers are called “vendors”.
- Vendors in the IAB Framework are the third-party advertisers that the publisher has chosen to partner with. The vendors display third party content on the publishers’ website. They are the ones setting marketing cookies on the end-user’s browser, in order to display relevant ads to potential customers.
- Consent management providers (CMP) supply the technology that enables user consent for processing data on the publishers’ website. In the IAB Framework, they signal the end-users’ consent settings to the vendors operating on the current website.
How does the IAB Framework work?
In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.
In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.
This list is called the Global Vendor List or “GVL”.
In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose.
Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors, that have adhered to the rules of the Framework.
When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List, that they want to partner with.
The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.
Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.
Cookiebot CMP for GDPR & CCPA compliance through IAB
By using Cookiebot CMP as your website’s consent management platform, you can ensure compliance with both the EU’s GDPR and California’s CCPA.
With Cookiebot CMP IAB Framework (TCF 2.0) integration, advertisers and publishers also ensure compliant data collection and processing across the board.
Try Cookiebot CMP for free today… or forever if you have a small website.
What is the IAB Transparency and Consent Framework?
The IAB Transparency and Consent Framework is a standardized means for online advertisers and marketers of communicating the state of user consent between first parties, third parties and the consent management system in use on the first party’s website.
How does the IAB TCF work?
IAB Transparency and Consent Framework works as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management platform in use on the first party’s website. Publishers select their vendors of choice from a list of vendors that have enrolled in the Framework. When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List. The consent state of the user is stored in a first-party cookie in the user’s browser and shared down the advertisement chain of information in the IAB Framework.
What’s new in the IAB TCF 2.0?
The IAB Transparency and Consent Framework 2.0 expands the ability for users to give, withhold or revoke consent and to object to their data being processed. Users are able to control whether Vendors are allowed to use their personal data and publishers are able to restrict the purposes for which Vendors process personal data on publisher’s websites.
How does Cookiebot CMP integrate with the IAB TCF 2.0?
Cookiebot CMP integrates with the IAB Transparency and Consent Framework 2.0 through an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end-users are able to choose between IAB Purposes and Vendors before submitting their consent.