Consent Management: IAB TCF Explained
The IAB (Interactive Advertising Bureau) Transparency & Consent Framework (TCF) is a consent signal and framework that was jointly developed by the publishing, advertising, and online services industries to give users granular control over their data while ensuring the industry could publish content and supply advertising backed services at scale.
The TCF interprets the requirements of various privacy regulations, notably the GDPR in Europe (see note on TCF Canada below) to provide an agreed way for a website, such as a publisher, to obtain a consumer’s consent, record that consent, and distribute it in a format that all other downstream processors of that consumer’s personal data can understand and correctly enforce on their data processes.
TCF lets a visitor to a publisher’s website manage their consent preferences through the publisher’s consent management platform (CMP). Publishers select the vendors they work with and the CMP ensures site visitors are informed of those vendors and the purposes for which they use personal data, such as “content personalization”.
When a user arrives on a website for the first time, they are asked to select who their personal data can be shared with. Once the user takes this action, the CMP records the user’s consent preferences and communicates these using the TCF framework such that vendors are notified and can respect the privacy of the visitor.
Although the TCF may initially appear complex, it’s intended to provide greater transparency to consumers and site visitors as to how their data is being processed while assuring a standard method of communicating a site visitor’s preferences to advertisers and ad technology vendors on the publisher’s site.
TCF 1.0 was the first version of the framework published in 2018 and one of the major points of feedback was that it appeared to disproportionately favor advertising vendors rather than publishers and consumers.
As such, in 2019, TCF 2.0 introduced the following improvements:
- More control for publishers: Publishers had the ability to define which advertisers they worked with and remove vendors as well as specifying what legal reasons vendors can use to collect their visitor's data.
- Inclusion of legitimate interest provisions: In IAB TCF 1.0 publishers were not able to select legitimate interests as the legal reason for collecting and processing data.
As with anything, continuous iteration and improvement is vital and TCF 2.2 further enhanced the capabilities of the TCF standard as follows:
- Legitimate interest limitation: To ensure that legitimate interest couldn’t be misused for certain data processing purposes, it is no longer possible to use it as the legal basis for some data processing activities.
- User-friendly text: TCF 2.2 attempts to improve the consumer experience by further simplifying the names, descriptions and explanations of how data is used with easy-to-follow examples that help a consumer better understand their choices.
- New data processing purposes: The introduction of an 11th data processing purpose, “use limited data to select content”, provides a specific way to cover the use of data for non-advertising content.
- Additional vendor information: TCF 2.2 requires vendors to provide additional information about how they process data to increase transparency and accountability.
- Total vendor transparency: CMP’s must now specify the total number of vendors on their consent notices to simplify understanding for a consumer about who, or how many vendors are requesting to process their data.
- Consent withdrawal: Finally, TCF 2.2 makes specific technical requirements of how a CMP must function on a publisher site in order to allow a user to change or withdraw their consent preferences in the future if they wish to do so, ensuring a consumer has the ability to easily manage their consent.