Updated March 2, 2022.
IAB Europe (Interactive Advertising Bureau) has created the GDPR Transparency and Consent Framework (TCF) to support publishers, technology vendors and advertisers in being compliant with EU’s GDPR and ePrivacy Directive.
On May 1, 2020, IAB launched their Transparency and Consent Framework Version 2.0 (TCF 2.0) and Cookiebot consent management platform (CMP) has automatically migrated to the new framework.
In this article, we take a look at what IAB’s framework is all about, what’s new in the TCF 2.0 and how Cookiebot CMP works as an integration.
On February 2, 2022, the Belgian DPA found the IAB’s Transparency and Consent Framework (TCF) to be non-compliant with the EU’s General Data Protection Regulation (GDPR).
We here at Usercentrics, the parent company of Cookiebot CMP, are monitoring this development extremely closely and have been in direct correspondence with IAB Europe.
They have advised Usercentrics that the decision by the Belgian DPA, 'contains no prohibition of the Transparency & Consent Framework (TCF)' and there is, 'an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.'
We are currently awaiting that plan from IAB Europe, which they are required to present within 2 months of the publication date and then implement within 6 months.
We will continue to monitor developments and will be sure to update you with any relevant information.
IAB’s TCF 2.0 expands the ability for users to give or withhold consent, and to object to their data being processed.
Consent is now more granular for users, who have gained more control over whether Vendors are allowed to use their personal data.
Another new feature in IAB’s Transparency and Consent Framework (TCF 2.0) is the ability for publishers to restrict the purposes for which Vendors process personal data on publisher’s websites.
In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.
Try Cookiebot CMP free for 30 days... or forever if you have a small website.
On May 1, 2020, Cookiebot CMP IAB integration automatically migrated from the old to the new IAB framework (TCF 2.0).
Cookiebot CMP with IAB TCF 2.0 integration.
Cookiebot CMP integration consists of an extra panel in the consent banner of websites registered with the IAB, as pictured above.
The panel is called "Ad Settings", and from there, end-users can choose between IAB Purposes and Vendors before submitting their consent.
We recommend using the IAB framework integration as a supplement and not a replacement for the regular Cookiebot CMP solution.
This, because IAB’s consent model works through signaling the user’s consent to advertising vendors, whereas Cookiebot CMP consent model works through blocking non-consented vendors.
This is a key difference because, according the GDPR, it is the publisher (i.e. you, the website owner) who is liable for all tracking and personal data collection taking place on their domain – also by third parties.
Cookiebot CMP eliminates the dependency on the good faith of the vendors and gives true control to the website owner. By using Cookiebot CMP as an integration in the IAB framework (TCF 2.0), you ensure true GDPR compliance for yourself.
To ensure that user consents are being honored by advertising vendors, the Cookiebot CMP scanning technology monitors all cookies and similar trackers used by vendors on the website and marks them as non-consensual in the scan report.
Cookiebot CMP also support the IAB CCPA Compliance Framework. Read more here.
Try Cookiebot CMP free for 30 days... or forever if you have a small website.
Cookiebot CMP is one of the few fully compliant consent management platforms on the market.
Cookiebot CMP unmatched scanning technology finds all cookies and trackers and then takes automatic control until users have given their consent, enabling true compliance with the EU’s General Data Protection Regulation and ePrivacy Directive.
Cookiebot CMP performs monthly deep-scans of your domain to make sure that you always know what third-party trackers and trojan horses are loading on your website.
Cookiebot CMP then presents a true choice of consent to your users through our consent banner.
Cookiebot CPM standard consent banner for GDPR/ePR compliance.
Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Using Cookiebot CMP is free if you have under 100 subpages (unique URLs).
IAB Europe, (Interactive Advertising Bureau), is a business organization for online advertisers and marketers, that develops and governs industry standards and best practices, conducts research, and provides legal support.
In preparation to the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.
The Framework is called the IAB Europe Transparency & Consent Framework.
The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smoothen the process of meeting the requirements of the GDPR.
The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.
The General Data Protection Regulation (GDPR) sets out strict requirements for how one may record, store, use and share personal data.
In order for your consent management to comply, it has to be...
With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.
The GDPR is extremely wide-ranging both geographically, in scope, and in severity.
Geographically, because it not only covers all organizations operating within the EU nations, but also all organizations outside of the EU, that have EU citizens as users.
In scope, because of its broad definition of personal data.
Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data, that can be singled out or connected with other data in order to identify a concrete person.
For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
This broad definition means, in practice, that marketing cookies and all other types of tracking, that e.g. record, store or share users’ behaviour and preferences, are subject to the GDPR.
This affects practically the entire industry of online advertisers and marketers, and everyone involved in that ecosystem, including, in broad scale, publishers on the internet, that make use of ad networks as an important source of income.
In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million - whichever is higher.
The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.
Within the Framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).
In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.
In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.
This list is called the Global Vendor List or “GVL”.
In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…
Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors, that have adhered to the rules of the Framework.
When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List, that they want to partner with.
The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.
Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.
By using Cookiebot CMP as your website's consent management platform, you can ensure compliance with both the EU’s GDPR and California’s CCPA.
With Cookiebot CMP IAB Framework (TCF 2.0) integration, advertisers and publishers also ensure compliant data collection and processing across the board.
Try Cookiebot CMP for free today... or forever if you have a small website.
The IAB Transparency and Consent Framework is a standardized means for online advertisers and marketers of communicating the state of user consent between first parties, third parties and the consent management system in use on the first party’s website.
IAB Transparency and Consent Framework works as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management platform in use on the first party’s website. Publishers select their vendors of choice from a list of vendors that have enrolled in the Framework. When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List. The consent state of the user is stored in a first-party cookie in the user’s browser and shared down the advertisement chain of information in the IAB Framework.
The IAB Transparency and Consent Framework 2.0 expands the ability for users to give, withhold or revoke consent and to object to their data being processed. Users are able to control whether Vendors are allowed to use their personal data and publishers are able to restrict the purposes for which Vendors process personal data on publisher’s websites.
Cookiebot CMP integrates with the IAB Transparency and Consent Framework 2.0 through an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end-users are able to choose between IAB Purposes and Vendors before submitting their consent.