News from TCF
The countdown has started. On August 15th, the Transparency Consent Framework (TCF for short) will be switched off in its current form, from then on only TCF 2.0 will be supported. For users of the previous version, this means that they must actively implement version 2.0, an automatic upgrade will not take place.
Although the highest court decisions on the GDPR compliance of the TCF have not yet been issued, the TCF, version 2.0 which has been available since spring 2020, has established itself as best practice for standardised consent management in the online marketing industry. The TCF is not a software or technical tool, but a set of rules and regulations issued by the Interactive Advertising Bureau (IAB). Consent Management Platforms are intended to enable users to see where their data is going in a network of providers and the industry to see which user has given his or her consent and to what extent.
How does the TCF work?
The TCF lists, on the one hand, the processing purposes and, on the other hand, the publishers and the service providers involved in the delivery chain; they are called vendors in the TCF.
In the categories of processing purposes, TCF 2.0 formulates ten purposes for classical consent. The user can consent to processing as a whole or for individual purposes.
Recently, two so-called special purposes for technically necessary and security-related functions have also been made available. These are based on a legitimate interest; an objection is not possible. The same applies to the technical means listed as features.
For the two special features (geolocation and active fingerprinting), in turn, a separate opt-in by the user is required.
Vendors who wish to participate in the TCF must be listed in the Global Vendor List (GVL). Only vendors registered with the TCF are included in this list; the IAB, in turn, sets out mandatory requirements for registration. Vendors can be both processors and controllers. The TCF does not make a decision on this. The user can give his or her consent to all or individual vendors.
Publishers can compile a list of their partners from the participants listed in the GVL. The GVL is updated weekly and contains a version number. This number makes it possible to determine beyond doubt on the basis of which list a user has given his consent – and in particular which vendors were listed at the time.
To date, none of the purposes explicitly allow the data received to be passed on within the circle of vendors. In order to make this possible, the industry is basing its decision on the consideration that the user has already given his or her consent to the selected vendors for the same purposes. Individual questions should be carefully weighed out in this context.
How is the TCF used?
For each of the above purposes, the TCF provides a user friendly text and the legal text. With the help of these versions it is possible to create an easily understandable entry level. These text modules may not be deviated, the reproduction of the legal text (if necessary on a second level of the CMP) is mandatory.
The scope for which a legal basis is given can refer to a single digital property, e.g. the website of an individual company, to a defined group of digital properties, e.g. the websites of a group of companies, or to all digital properties that include the global scope.
The CMP may also list vendors who do not participate in the TCF, but must make this clear visually.
In technical terms, the TCF creates a uniform standard for all players. The TCF Consent String (TC-String) plays a central role. Among other things, this string documents the user’s interactions with the Consent Management Platform (CMP); it also contains information for displayed processing purposes based on legitimate interest. Only CMPs certified by the IAB may generate or modify a TC-String. A TC-string may only be created after the user has given his or her consent. If a vendor (only) relies on a legitimate interest, the string will contain information on which purpose a CMP has indicated to the user and thus established, as well as any opt-outs of the user.