TCF v2.0: everything you need to know
May 17, 2021
This post is for general informational purposes only and does not constitute legal advice.
The Transparency & Consent Framework (TCF) was launched by the IAB Europe to help digital advertising comply with GDPR. Since the framework’s launch way back in April 2018, however, interpretations of the regulations have evolved. For v2.0, additional guidance from regional Data Protection Authorities (DPA) has been incorporated, along with a ton of stakeholder feedback. Sourcepoint has been an active participant in all of these discussions.
In addition to improved transparency and control for publishers and consumers, the new version eliminates ambiguity and better supports legitimate interest data processing.
Let’s walk through the details.
New Global Vendor List (GVL) registration
The TCF isn’t just about the relationship between the publisher and the consumer. It also defines a way for publishers and vendors to interact with each other.
Vendors have to register for what’s called the Global Vendor List (GVL). Registration requires vendors to declare all the processing purposes they might use consumer data for. The publisher builds their own vendor list in their CMP with the information from the GVL.
Vendors declare the legal basis by which they’re using information per purpose. This means that they can declare consent for one purpose, but legitimate interest for another.
A legal basis of consent means the consumer must consent to that purpose in the CMP. Legitimate interest means that the data processor has a reason to process the data that outweighs the concerns of the individual — and therefore only disclosure is required.
It’s the publisher’s role to collect the appropriate consent from their audience and then pass that information on to their data partners (in the form of the Transparency & Consent (TC) string).
Flexible legal bases
Under TCF v1, each purpose had one of two declared legal bases: legitimate interest or consent. The new framework allows vendors to select from three legal bases for data processing: consent as sole legal basis, legitimate interest as sole legal basis, or consent or legitimate interest.
With a flexible basis, the vendor assigns either consent or legitimate interest as the default. This flexibility allows for the variations among different DPAs’ interpretations of GDPR, and gives publishers greater control over how vendors present themselves on their properties.
Flexible legal bases can be declared by vendors for all purposes except Purpose 1, which is a special case because it deals with sensitive data, and thus is only allowed with consent.
NEW data processing purposes
This is one of the most significant changes in TCF v2.0. A big effort was made to provide more specificity around data processing purposes.
Ten purposes instead of five
In addition to creating a brand new purpose — “Develop and improve products” — the new list breaks out the more generic purposes into multiple purposes.
For example, in v1, publishers processed data for the blanket category of “personalization.” In v2.0, however, there is a distinction between personalization for the purpose of creating an ads profile and personalization for the purpose of creating a personalized content profile—arguably a big difference from the consumer point of view!
More control for consumers
All of this additional detail means that consumers can make more informed decisions about how they want their data to be used.
New data usage categories: special purposes and special features
V2.0 defines two new data usage categories: special purposes and special features . They are treated differently from purposes in a few ways.
Special purposes are essential to the functioning of the property, and therefore operate under legitimate interest. They’re so essential that the framework doesn’t allow the consumer to opt-out directly on the publisher’s property. Instead, the consumer may contact the vendor directly to opt out.
Special features represent data that is particularly sensitive. Because of that, the consumer must opt-in separately.
Remember: Features — which have not changed from v1 — are uses of data for which the consumer has already consented under other purposes.
New UI elements: Stacks
Stacks are groupings of purposes designed to appear in the first-layer message.
What’s a first-layer message? The TCF policies refer to the “so-called layered approach”, which is when a digital property shows the consumer progressively more detail about how their data is used. The first-layer message is the notice that a consumer sees when they first arrive on the property.
The second-layer message, which here at Sourcepoint we refer to as the Privacy Manager, is what the user would see if they clicked to manage their options. It allows them to make more fine-grained adjustments to their consent preferences.
Stacks appear in the first-layer message to make it easier for consumers to quickly understand what information is being collected by a publisher, without having to scroll through a lot of text.
If the consumer is interested in learning more detail, they can expand a stack to see a detailed, user-friendly description, and then click through to the second layer to make more choices.
Keep in mind
Stack descriptions are predefined by the IAB and can only be changed under very certain circumstances.
Additionally, because stacks are designed to simplify communication with the consumer and thereby reduce redundancy, you can’t include a purpose in more than one stack. You also can’t present a purpose both inside a stack and outside of one.
One of the criticisms of the original TCF was that when a vendor declared a legal basis in their GVL registration, the publisher had to use it as-is. If there were processing purposes that the vendor declared, but that the publisher didn’t want to use, there was no way around it.
Publishers can switch from the default legal basis
As we discussed above, when vendors register with flexible legal bases, they assign either consent or legitimate interest as the default. The new publisher controls allow you to select the legal basis most appropriate for your audience, per purpose per vendor.
Publishers can write rules about purposes
Publishers can now write rules to allow only certain vendors to process data for certain purposes (e.g., only vendors X and Y are allowed to do Purpose 3).
Keep in mind
You can only alter a legal basis that the vendor declares as flexible. If the vendor hasn’t declared a flexible legal basis, then you should evaluate whether you want to be working with that vendor for that purpose.
Consumers can object to legitimate interest processing
Finally, consumers can now exercise their right to object (RTO) to data processing on the basis of legitimate interest processing — directly in the CMP — either by vendor and/or purpose.
Previously, consumers could only object to data processing on the basis of legitimate interest by contacting the vendor directly. In most cases, this wasn’t very convenient for the consumer. This change empowers consumers to exercise their RTO with minimal friction.
That’s it for our overview of what’s new in TCF v2.0. We believe this version of the framework provides much more transparency and control for both the consumer and the publisher. If you have questions about your specific implementation, please contact us.
Latest Blog Posts
FTC's new privacy expert commissioner and $1B in funding....
It’s not just GDPR and CCPA anymore. Data protection...
Oklahoma proposes a privacy law and Congress seeks to...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with the latest privacy and media news.