Summary
On March 30th, we organized the third Yes We Trust webinar of 2023, talking about the latest changes with the Transparency and Consent Framework (TCF) of the Interactive Advertising Bureau (IAB).
To discuss this key topic for publishers and organizations in the adtech space specifically, and to answer questions from attendees, we've gathered a team of highly-qualified speakers: Privacy Director at IAB Europe Ninon Vagner, Xandr Staff System Architect and IAB Europe Framework Signals Working Group Julien Delhommeau, and Thomas Adhumeau, Chief Privacy Officer at Didomi and Chair of the IAB Europe’s TCF DPA Outreach.
The talk was broken down into 4 main sections:
In the end, participants in the webinar were able to ask questions directly to the speakers. Watch the recording below to get all your answers, or read the rest of the article for a quick summary of some of the most important highlights.
What is the Transparency and Consent Framework (TFC)
To open the webinar, Thomas Adhumeau of Didomi went over what the TCF is, and why it was originally created by the Interactive Advertising Bureau (IAB):
"The Transparency and Consent Framework is the protocol the advertising industry came up with when the GDPR was first introduced. The main challenge that companies in the adtech industry or in the advertising industry were facing before the GDPR came into force was that the adtech vendors, that more often than not act as data controllers of the data they receive from bid requests, did not have a direct relationship with users or data subjects - users of the publishers’ websites, but they needed to establish a legal basis. They needed to obtain consent or to establish a legitimate interest, but they couldn ‘t do it for many reasons, one of them was that even publishers didn’t know that those vendors would eventually be involved in the personal information data processing. That’s why the industry came up with this protocol." - Thomas Adhumeau, Chief Privacy Officer at Didomi |
In a nutshell, the TCF has four pillars:
-
Policies, created for TCF participants to comply with (CMPs, publishers or adtech vendors)
-
Vendor list, in which you can find all the vendors that are TCF participants, with all the relevant information that will then go into CMPs
-
Consent Management Platforms (CMP), which are pillars of the TCF
-
Specifications, for all the signals being sent to TCF participants
Now that that's settled, let’s look at some of the context surrounding the Belgian decision last year.
The Context behind the Belgian APD and the TFC
In February 2022, the Belgian Data Protection Authority (APD, “Autorité de Protection des Données”) released a decision against IAB Europe, issuing a EUR250k fine and instructing the organization to come up with a plan to solve the issues identified with the TCF.
The Belgian APD argued that:
-
The Transparency & Consent (TC) string, the consent signal stored by players in the adtech industry, is personal information, and participants should establish a legal basis.
-
IAB Europe is a data controller of that information, whether it processes the consent information or not
-
IAB Europe is a joint controller with TCF participants (vendors, CMPs and publishers)
-
Security measures in place to protect the integrity of the consent signal were not sufficient
IAB Europe submitted its plan to update the TCF the following April, a plan which was approved in January 2023 by the Belgian DPA. For a full breakdown of the history behind the APD and the TCF, head to this article.
On March 15th, 2023 however, IAB Europe confirmed that the Belgian APD has voluntarily suspended the six-month implementation period of IAB Europe’s action plan. The original deadline of July 2023 does not apply anymore, and IAB Europe is currently awaiting for a new deadline from the Belgian APD in order to implement changes based on the TCF action plan.
The new, projected deadline (depending on the Market Court decision) is around the end of Q3, beginning of Q4 2023, at the earliest.
What is going to change in 2023 for the TCF?
Based on the suggestions from IAB Europe, the main three areas we can expect to change for the TCF going forward are the user-facing standard text, which will be replaced by more comprehensive, user-friendly content, restrictions over legitimate interest for specific purposes (Purposes 3, 4, 5, and 6), and a disclosure of the number of vendors on the first layer of the CMP.
The second layer of the CMP will also be impacted, with mandatory disclosures including:
-
Vendor’s legitimate interest at stake (where applicable)
-
Categories of data collected by Vendors
-
Retention periods of the data (in the vendors’ description)
-
The possibility to direct users’ to Vendors’ privacy policies URLs in their language
Finally, the last two changes will be for CMPs to present a warning to publishers about the impact that a large number of Vendors can have on the ability of users to make informed choices, and an obligation to use event listeners to make sure vendors are proactively updated with the latest changes to the TC String.
What should publishers using the TFC do today to get ready?
Not much is expected from publishers, as the changes will be relevant to CMPs and vendors for the most part.
However, they will be expected to reduce their vendor list, a change that won’t be mandatory by IAB Europe but highly recommended. Additionally, mobile publishers will have to update their SDK on mobile, because the update of the CMP notice won’t be automatic and will have to be done through the SDK.
In one of the surveys conducted during the webinar, the majority of attendees reported considering working on reducing their vendor list:
On the other hand, the audience also expressed concern in regards to the impact of TCF changes on their consent rates:
However, Julien Delhommeau closed the event by reassuring publishers in the audience that most of the work-to-be-done will be on the CMP side:
"We've discussed at length how most of the efforts will be on CMPs and vendors, I just want to reiterate one more time that in my perspective I believe that 80% of the work from the TCF changes will be done by the CMPs, 15% will be done by vendors, and maybe 5% will be done by publishers. And these 5% will really just be about working with the CMPs to update the script, updating the SDK, and working on the length of their vendor list. That really shouldn't be too much work and we will also be careful with the timeline to ensure that everyone (vendors, CMPs, and publishers) will be given enough time to work through the changes that they'll be asked to implement." - Julien Delhommeau, Xandr Staff System Architect and IAB Europe Framework Signals Working Group |
What do you think about the upcoming TCF changes? What are some of your concerns? Are you using the TCF and if so, are you ready for the upcoming transition? The Yes We Trust community is free and open to all data privacy enthusiasts, head to LinkedIn to continue the conversation:
Sign up for the next Yes We Trust webinar
For more valuable data privacy content, make sure to also sign up for the next Yes We Trust webinar, later this month, which will tackle the topic of how to reduce data privacy risks under CPRA and GPC: