The Transparency and Consent Framework (TCF): 5 major changes in version 2.2

The Interactive Advertising Bureau (IAB) Europe has implemented significant modifications to the Transparency and Consent Framework (TCF), and the latest iteration, TCF 2.2, introduces five noteworthy changes. As a registered Consent Management Platform (CMP) on IAB’s TCF v2.2  we’re here to help keep you updated:

1. No more ‘legitimate interests’ (for some purposes)

A major issue raised with the previous iteration of the TCF was that vendors could rely on the legal basis of “legitimate interests” for certain ad-personalization activities.

Under TCF 2.2, vendors can only rely on users’ consent for four of the TCF’s ten data processing purposes, namely:

● Purpose 3: Create a personalized ads profile
● Purpose 4: Select personalized ads
● Purpose 5: Create a personalized content profile
● Purpose 6: Select personalized content

Each of these purposes relates to the personalization of ads and content. The upshot is that people must be allowed a free, informed choice around whether they want personalized ads.

However, the TCF 2.2 still allows vendors to rely on legitimate interests (or consent) in respect of several purposes, including:

● Purpose 2: Use limited data to select advertising
● Purpose 7: Measure advertising performance
● Purpose 8: Measure content performance
● Purpose 9: Understand audiences through statistics or combinations of data from different sources
● Purpose 10: Develop and improve services

This means that while vendors may process data for these purposes without consent, users can still opt out of the processing.

Reliance on legitimate interests is also still allowed in respect of the “special purposes”, namely:

● Special purpose 1: Ensure security, prevent and detect fraud, and fix errors
● Special purpose 2: Deliver and present advertising and content

The special purposes are deemed to be “essential” or “strictly necessary” to enable the delivery of services and content. Unlike with the data processing purposes, users are unable to opt out of the special purposes.

2. More accessible information for users

The TCF 2.2 makes changes to the information presented to users. The names and descriptions of purposes have been updated in order to give users a better understanding of what they’re opting into or out of.

For example, in the case of Purpose 2:

• The name has changed:
  • From: “Select basic ads”
  • To: “Use limited data to select advertising”
• The “user-friendly text” has changed:
  • From: “Ads can be shown to you based on the content you’re viewing, the app you’re using, your approximate location, or your device type”
  • To: “Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).”
• There are now two “illustrations” giving real-life examples of how data might be processed for this purpose. Here’s a summary of each illustration:
  • A car company uses non-precise location data to promote electric vehicles to users in a particular city.
  • An art supplies company uses contextual data to promote its products on appropriate pages and identifies whether a user has seen the ad before.

3. Improved vendor transparency

Under TCF 2.2, a vendor must provide additional information to users regarding:

• The categories of data it collects
• The period for which it retains data collected in pursuit of each purpose
• Its legitimate interests (where relevant)

That last point (termed the “legitimate interests at stake” in the TCF) requires a vendor to disclose not only the fact that it is relying on legitimate interests to process data, but also to disclose the nature of its legitimate interests.

4. Consent management platform (CMP) transparency

Consent management platforms (CMPs) will also have to disclose new information under the TCF 2.2, namely the total number of vendors involved in the processing.

This information must be presented on the first layer of a user interface (UI) such as a cookie banner.

5. Easier consent withdrawal process

Under the GDPR, consent must “as easy to withdraw as to give”. The TCF 2.2 requires publishers and CMPs to work together to make this principle a reality.

As such, if a user consents to a purpose on the first layer of a cookie banner, the publisher and CMP must enable the user to withdraw consent in a similarly convenient manner. This might mean providing an unobtrusive, floating UI icon that can be easily accessed by the user.