Skip to content

Consent Management: IAB TCF Explained

What is the IAB TCF?

The IAB (Interactive Advertising Bureau) Transparency & Consent Framework (TCF) is a consent signal and framework that was jointly developed by the publishing, advertising, and online services industries to give users granular control over their data while ensuring the industry could publish content and supply advertising backed services at scale.

The TCF interprets the requirements of various privacy regulations, notably the GDPR in Europe (see note on TCF Canada below) to provide an agreed way for a website, such as a publisher, to obtain a consumer’s consent, record that consent, and distribute it in a format that all other downstream processors of that consumer’s personal data can understand and correctly enforce on their data processes.

TCF lets a visitor to a publisher’s website manage their consent preferences through the publisher’s consent management platform (CMP). Publishers select the vendors they work with and the CMP ensures site visitors are informed of those vendors and the purposes for which they use personal data, such as “content personalization”.

When a user arrives on a website for the first time, they are asked to select who their personal data can be shared with. Once the user takes this action, the CMP records the user’s consent preferences and communicates these using the TCF framework such that vendors are notified and can respect the privacy of the visitor.

What are the benefits of the IAB TCF?

Although the TCF may initially appear complex, it’s intended to provide greater transparency to consumers and site visitors as to how their data is being processed while assuring a standard method of communicating a site visitor’s preferences to advertisers and ad technology vendors on the publisher’s site.

What is the difference between TCF 1.0, 2.0 and 2.2?

TCF 1.0 was the first version of the framework published in 2018 and one of the major points of feedback was that it appeared to disproportionately favor advertising vendors rather than publishers and consumers.

TCF 2.0 Updates

As such, in 2019, TCF 2.0 introduced the following improvements:

  • More control for publishers: Publishers had the ability to define which advertisers they worked with and remove vendors as well as specifying what legal reasons vendors can use to collect their visitor's data.
  • Inclusion of legitimate interest provisions: In IAB TCF 1.0 publishers were not able to select legitimate interests as the legal reason for collecting and processing data.

TCF 2.2 Updates

As with anything, continuous iteration and improvement is vital and TCF 2.2 further enhanced the capabilities of the TCF standard as follows:

  • Legitimate interest limitation: To ensure that legitimate interest couldn’t be misused for certain data processing purposes, it is no longer possible to use it as the legal basis for some data processing activities.
  • User-friendly text: TCF 2.2 attempts to improve the consumer experience by further simplifying the names, descriptions and explanations of how data is used with easy-to-follow examples that help a consumer better understand their choices.
  • New data processing purposes: The introduction of an 11th data processing purpose, “use limited data to select content”, provides a specific way to cover the use of data for non-advertising content.
  • Additional vendor information: TCF 2.2 requires vendors to provide additional information about how they process data to increase transparency and accountability.
  • Total vendor transparency: CMP’s must now specify the total number of vendors on their consent notices to simplify understanding for a consumer about who, or how many vendors are requesting to process their data.
  • Consent withdrawal: Finally, TCF 2.2 makes specific technical requirements of how a CMP must function on a publisher site in order to allow a user to change or withdraw their consent preferences in the future if they wish to do so, ensuring a consumer has the ability to easily manage their consent.

TCF Concepts

The TCF concepts of purposes and legal basis are important to understand when configuring TCF for your business. You can find detailed information about TCF terminology from the IAB on the TCF policies website (opens in a new tab). Definitions of purposes and legal basis are provided below for quick reference.

Purposes

11 defined purposes for processing of data, including users’ personal data. Vendor participants in the framework must declare the purposes for which they process data when signing up. The purposes declared by each vendor are exposed for CMPs in the Global Vendor List.

Legal Basis

TCF supports two legal bases for each of the 11 defined purposes of processing personal information: consent and legitimate interest. Purposes 1 and 3-6 must use consent as the legal basis, while vendors can choose between consent and legitimate interest for purposes 2 and 7-11. Additionally, for these purposes, vendors can indicate whether they are flexible and will accept either legal basis or whether they require one or the other.