Planet49 and TCF v2.1 changed cookie notices: How to update your CMP

• What is TCF v2.1?
• What is the Planet49 ruling?
• How did the Planet49 ruling inform TCF v2.1?
• How does TCF v2.1 affect my CMP implementation?
• Do I need to collect re-consent for vendors?
• Should I be concerned about long cookie lifespans?

What is TCF v2.1? I just migrated to TCF v2.0!

TCF v2.1 is a policy amendment to TCF v2.0 defined by new requirements for disclosing the maximum storage duration of cookies and other means of access information to users. 

The newest policy amendments are in response to a Court of Justice of the European Union (CJEU) ruling on what’s known as the Planet49 case. 

Vendors were required to update their GVL registration with required disclosure information by Sept. 30, 2020, and CMPs were required to implement support for the new policy and specifications by Jan. 31, 2021. Digital properties without the support to display the required disclosures will be in violation of the new policy specifications. Fortunately, Sourcepoint’s support for 2.1 is already live, making it easy to update your Sourcepoint CMP.

What is the Planet49 ruling?

Planet49, a small German gaming company, offered a promotional online lottery in 2013. The registration form for the lottery included a pre-ticked box for opting into the use of cookies. Users could opt out by unticking the box and still participate in the lottery. 

The CJEU ruled in 2019 that pre-ticked boxes and other forms of implicit consent which counted inaction as an opt-in action were not valid means to collect consent for processing data under GDPR or the ePrivacy Directive. The ruling clarified that valid consent must be an affirmative, explicit, and specific action taken by the user. 

It also introduced requirements to better inform users about the details of cookies created on their devices, such as the lifespan of the cookie and what third-party vendors have access to their data. 

How did the Planet49 ruling inform TCF v2.1?

In August 2020, the IAB approved policy amendments to TCF v2.0 to match the part of the Planet49 ruling that requires vendors and CMPs to inform users about how their data is accessed and how long it is stored. TCF v2.1 features updated technical specifications for a Device Storage & Access Disclosure which helps TCF vendors and CMPs comply with the policy amendments summarized:

1. Vendors must disclose the maximum storage duration of cookies created on devices
2. Vendors must disclose whether they use other (non-cookie) means of storage/access 
3. CMPs must disclose the maximum duration of vendor cookies and whether vendors use non-cookie methods of storage/access.
4. CMPs must disclose more detailed information about data storage and access if provided by vendors

How does TCF v2.1 affect my CMP implementation?

Sourcepoint’s support for TCF v2.1 is already live. Required declarations for max duration of cookie storage and alternative methods of storage have been added to each respective vendor’s configuration and disclosed in GDPR TCF v2 Privacy Managers. 

To complete their updates, all Sourcepoint clients need to access their Vendor List(s) and click Save to display detailed information about cookies, where vendors make this available. This step ensures compliance with the TCF v2.1 requirement for CMPs to display any optional vendor cookie and local storage declarations.   

Do I need to collect re-consent for vendors? 

The update requires new disclosures about cookies, but does not require collecting re-consent — unless your vendors have changed their declared legal bases. 

Saving the vendor list to complete the update will also save any changes made to legal bases. So be sure to review and approve any legal bases changes for IAB vendors before clicking Save. 

Should I be concerned about long cookie lifespans? 

By exporting the vendor list from the UI, you’ll be able to identify vendors with long lifespan cookies. You may decide to remove vendors with unreasonable lifespans from your vendor list to avoid user complaints. Alternatively, you may contact vendors to understand why they’ve set up long lifespans.

Under GDPR, consent for cookies must be renewed at least once a year. Though in practice, there are technology ecosystem factors that impact cookie lifespans beyond vendor declarations. For example, Safari’s Intelligent Tracking Prevention (ITP) feature clears cookies after 7 days when turned on. 

In some environments, cookie lifespans can refresh every time a user revisits the site. We will keep you updated as new policy information is released on how to properly disclose information about cookie lifespan refreshes.

Get in touch

As of Jan. 31, 2021, you are in breach of TCF policies if your CMP is not displaying appropriate disclosures about storage duration and access. If you’re interested in learning more about Sourcepoint’s support for the TCF, contact us to get set up.