IAB Transparency & Consent Framework v2.0

On 21 August, 2019, IAB Europe and the IAB Tech Lab announced the version 2.0 of the Transparency & Consent Framework (TCFv2.0, hereinafter referred to simply as TCF in this document). It’s a policy that enables companies operating in the EU law area to streamline their GDPR compliance initiatives within the programmatic advertising ecosystem.

 

Integration of TCF

According to TCF guidelines, publishers use a consent layer provided by Consent Management Platforms (CMP) to obtain the visitor's consent for their personal data.
It can be specified differentially for various purposes (purposes) and vendors (data processors). The consent itself is represented as a “consent string”, which has a standardised format and can be interpreted by the TCF vendors. When a vendor receives it together with the other data, it has to decide whether and what type of data processing or forwarding was allowed by the end user.

Users consent is submitted via passing the TC String in the tracking URL. When a creative is rendered, the src address of <img> tag is sent by the browser via HTTP GET request to Ingenious Server. Also when user clicks on this creative, click request is also sent to Ingenious tracking server.

In terms of TCF, the only instance able and allowed to generate consent strings is the Consent Management Platform (CMP). The publisher has two ways to implement a CMP functionality:

  • Build: Develop an in-house CMP and register it as internal CMP on IAB Europe and

  • Outsource: use a external CMP service registered with IAB Europe.

Signalling

To work as TCF publisher with Ingenious customers, partner have to provide the consent signal by setting values of parameters gdpr and gdpr_consent in the tracking URL.

TCF can be activated on platform level and then partners can activate it for particular ad spaces.

If both platform and ad space have activated TCF, Ingenious suggest parameters for TCF signalling and macros to the advertiser's On-Page Tracking Code and to Creatives Tracking Code on publisher's side.
Note: tracking codes already built in to partners or advertisers system are not replaced automatically when TCF is activated or deactivates.

Macros

The supported URL parameters and the corresponding macros should be added only once and are defined below:

URL parameter

Corresponding Macro

Representation in URL

URL parameter

Corresponding Macro

Representation in URL

gdpr

GDPR

&gdpr=${GDPR}

gdpr_consent

GDPR_CONSENT_XXXXX

&gdpr_consent=${GDPR_CONSENT_XXXXX}

XXXXX means here the numeric Vendor ID. E.g. &gdpr_consent=${GDPR_CONSENT_123} for Vendor ID 123.

Values to fill in the macros:

Macro

possible values

purpose

Macro

possible values

purpose

${GDPR}

0 / 1

0 gdpr does not apply; 1 gdpr applies

${GDPR_CONSENT_XXXXX}

URL-safe base64-encoded Transparency & Consent string.

Only meaningful if gdpr=1

Encodes the TC string, as obtained from the CMP JS API or OpenRTB


Nested calls and redirects

If the URL contains another URL to use for redirect to the next vendor in the supply chain and use same method for TCF signalling, the redirect URL in the trg parameter should be URL encoded after adding of TCF params for the next vendor.

Vendor Registration

The registered Vendor ID of Ingenious Technologies is: 871

In order to register on IAB TCF v2.0 Global Vendor List (GVL) we claimed Purposes, Special Purposes, Features and Special Features described in https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/, see “Appendix A: Purposes and Features Definitions”. The lawful bases could be chosen as Consent, Legitimate Interests or Flexible. Wherever we specified Legitimate Interest or Flexible as lawful basis, the Legitimate Interests is documented in our Privacy Policy https://www.ingenioustechnologies.com/privacy-policy/.

ID

Purpose Name

Allowable Lawful Basis

Ingenious Choice

ID

Purpose Name

Allowable Lawful Basis

Ingenious Choice

P1

Store and/or access information on a device

Consent

Consent

P7

Measure ad performance

Consent, Legitimate Interests

Flexible (both is possible)

ID

Special Purpose Name

Allowable Lawful Basis

Ingenious Choice

ID

Special Purpose Name

Allowable Lawful Basis

Ingenious Choice

SP1

Ensure security, prevent fraud, and debug

Legitimate Interests

Legitimate Interests

SP2

Technically deliver ads or content

Legitimate Interests

Legitimate Interests

ID

Feature Name

Ingenious Choice

ID

Feature Name

Ingenious Choice

F1

Match and combine offline data sources.

No

F2

Link different devices

Yes

F3

Receive and use automatically-sent device characteristics for identification

Yes

ID

Special Feature Name

Ingenious Choice

ID

Special Feature Name

Ingenious Choice

SF1

Use precise geolocation data

No

SF2

Actively scan device characteristics for identification

No


If there is a need for different set of TCF purposes and features, custom Vendor IDs can be set on Platform level by our Customer Success.

The current Vendor List can be accessed under https://iabeurope.eu/vendor-list-tcf-v2-0/

Example

The resulting URL in the tracking codes on the partner side looks like:http://trackignurl.com/amc=a.b.c.d&gdpr=1&gdpr_consent=${GDPR_CONSENT_123}

Partner's task is to replace these macros with the appropriate values described in the table below. For macro ${GDPR_CONSENT_XXXXX}, publisher must also check that the ID in the macro name is a valid Vendor ID. TC Strings must always be propagated as received from CMP without modification.

In example, if the TC String is: COvFyGBOvFyGBAbAAAENAPCAAOAAAAAAAAAAAEEUACCKAAA.IFoEUQQgAIQwgIwQABAEAAAAOIAACAIAAAAQAIAgEAACEAAAAAgAQBAAAAAAAGBAAgAAAAAAAFAAECAAAgAAQARAEQAAAAAJAAIAAgAAAYQEAAAQmAgBC3ZAYzUw

then the partner’s logic should replace the macro in the URL with the actual TC String so that the URL originally containing the macro is modified as follows when making the call to Ingenios Tracking:http://trackignurl.com/amc=a.b.c.d&gdpr=1&gdpr_consent=COvFyGBOvFyGBAbAAAENAPCAAOAAAAAAAAAAAEEUACCKAAA.IFoEUQQgAIQwgIwQABAEAAAAOIAACAIAAAAQAIAgEAACEAAAAAgAQBAAAAAAAGBAAgAAAAAAAFAAECAAAgAAQARAEQAAAAAJAAIAAgAAAYQEAAAQmAgBC3ZAYzUw

 

TCF settings on platform level

TCF can be enabled on platform level by our Customer Success. It is possible to choose own TCFv2.0 vendor ID or use Ingenious Vendor ID. This vendor ID is used for TCF macros in tracking links provided to partners in ad media code.

TCF settings on ad space level

When the platform has the TCF functionality activated, partners can control the TCF logic on ad space level.

There are three modes of TCF logic which can be set for the ad space

  1. Inactive mode- This means that TCF macros are neither added to tracking links nor is tracking traffic treated restrictively. There is no TCFv2.0 based filtering for this ad space.

  2. Setup mode without traffic restrictions - TCF macros appear in the ad media tracking links and can be used for setup and testing. Tracking system interprets and stores the TCF signals but there aren’t any restrictions in the request data storage and processing.

  3. Restrictive mode - Ad media tracking links are generated containing macros for TCF. If GDPR applies and there is no sufficient consent, our system will restrict the amount of stored and processed request information according to purposes enabled by enduser.

Inactive Mode

If the platform operator has activated TCF functionality for the platform, the partner will be able to configure TCF mode on the ad space edit page.

The initial TCF mode is set to “Inactive mode” and does not change the default behaviour. This means that neither TCF macros are attached to the tracking links for creatives delivered through this ad space, nor is tracking traffic restricted. No tracking requests based on TCF consensus will be restricted.

Attention: Even if the partner sends reasonable filled GDPR parameters with a request, request processing will not be affected. It is necessary that the option must be set to “Restrictive mode” if requests are to be restricted based on TCF.

Setup mode

If setup mode is activated for the ad space, TCF params (s. Macros ) appear in ad media tracking code and product data feed urls. Partner is to properly obtain and set these params by obtaining the TC String from his CMP.

The parameter &gdpr_consent=${GDPR_CONSENT_XXXXX} contains the vendor id the consent String has to contain the consent for. We interpret the TCF parameters and pass them along with the request for diagnostics. The TCF params are also forwarded on redirects.

In the setup mode we don’t restrict the way we store and process the actual request.

Restrictive mode

IMPORTANT!
Before partner enablies restrictive mode it is required, that their Consent Management Platform is set up to obtain user consent for the Vendor IDs configured in your platform TCF settings. By default it is the Vendor ID 871 of Ingenious Technologies AG. If your platform is configured to use custom vendor ID, please inform partners about it.

If restrictive mode is not activated, both parameters gdpr and gdpr_consent are not applied during the tracking request processing.

In restrictive mode, we restrict the request handling in accordance to TCF policies and TCF features enabled for the given vendor id in the submitted consent string.

Validation of TCF settings

Both Setup and Restrictive modes can be validated using tracking preview mode (https://ingenioustechnologies.atlassian.net/wiki/spaces/KB/pages/2235498513/Preview+Mode )

Example:

Wenn calling a click code with following parameters appended

&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT_871}&preview_mode=1

the response JSON object will contain the following error information

"error" : { "code" : 401 , "reason" : "TCF2MissingTCString"}

TCF parameters

Parameter gdpr

  • If no value is provided, geoIP lookup takes place and GDPR applies for EU IP addresses.

  • If the parameter is set to 0 GDPR does not apply to request handling

  • If the parameter is set to 1, GDPR applies and we handle request in restrictive way

A valid consent string Is compulsory when GDPR applies. Following restrictions are applied if we don’t encounter users consent for the purposes.

  • No consent on Purpose 1 - don’t create new cookies, ignore existing cookies

  • No consent on Purpose 7 - don’t process given tracking request (optout)

Common Infos about TCFv2.0

The Transparency and Consent Framework (TCF) was created to help all parties who display and manage digital advertising and develop targeted content comply with the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) when processing personal data and/or accessing and/or storing information on a user’s device. Developed by IAB Europe in collaboration with organisations and professionals in the digital advertising and publishing industries, the first version of the TCF was launched on 25 April 2018. It provides a means of transmitting signals of consent from a user to vendors working with publishers using a Consent Management Platform (CMP). CMPs centralize and manage transparency for, and consent and objections of the end user. The user is therefore the principal focus of the TCF, designed to give them both transparency over the use of their data and control over how their data could be used if consent is given.

How does the TCF work?

The Framework consists of open-source technical specifications managed by the IAB Tech Lab, and policies managed by IAB Europe. It has been designed to standardise the provision of notice about personal data processing, and the transmission of signals about user choices and transparency related to data processing, so that the digital advertising supply chain can continue to function in a way that aligns with GDPR requirements. The Framework thus facilitates providing transparency and obtaining consent, and makes this information available across the digital advertising supply chain. To enable Consent Management Platforms (CMPs) to send consent signals, and technology providers (vendors) to receive relevant signals under a common Framework of policy adherence, IAB Europe requires registration to a central registry: the Global Vendor List (GVL) for vendors and CMP list for CMPs. The GVL centralises participating vendors in one location, complete with identification number and information about the ways companies intend to comply with the law. Publishers can use the GVL to view which vendors are a part of the Framework, and determine which vendors to include in the transparency and consent user interfaces they make available on their sites.

What is the TCF V2.0?

Successful management of technical frameworks requires continual consultation with its users and the broad base of stakeholders. For the TCF, that includes publishers, advertisers, media agencies, and technology providers. Over the past 12 months, stakeholder feedback has been sought, most notably from the publisher community, providing valuable feedback on how the framework can be improved and better serve the community. This has driven the creation and purpose of TCF v2.0. In addition, feedback from regulators on the TCF was sought and incorporated. Launched on the 21st August 2019, TCF v2.0 has been developed to provide both users and publishers with greater transparency and control.

What are the new benefits of the TCF v2.0?

TCF v2.0 continues to support the overall drive of the TCF to increase user transparency and choice, management by digital properties of consent and compliance and industry collaboration that centres on standardisation. Specifically TCF v2.0 is supporting more:

  • Choice - through revised definitions and descriptions of data processing purposes that combine greater granularity (now increased from 5 to 10 purposes with the addition of 2 special purposes, and 2 features and 2 special features) that will enable users to make informed choices regarding the processing of their personal data

  • Transparency - with a more complete accommodation of the “legitimate interests” legal basis for data processing and the introduction of signals that allow CMPs to offer users a streamlined means of exercising the “right to object” to processing on the basis of a “legitimate interest”

  • Control - with new, granular controls for publishers about the data processing purposes permitted by them on a per vendor basis

  • Compliance - through greater support for the users of the framework in their application of the policies, terms and conditions and technical specifications with increased investment by IAB Europe in the resource to support this

What does the TCF provide for Advertisers and Agencies?

Advertisers like publishers are Website operators that have a direct relationship with end users. This relationship can be via website, app or other content. Where digital advertisements are displayed or user information is collected and used for digital advertising, measurement and analytics, or content personalisation then the operator is required to capture user consent preferences and make sure that the consent signal is shared across the ecosystem of vendors that the website operator is working with.

Advertisers must read and follow TCF Policy, specifically Policy that relates to the user interface that ensures a consistent presentation of the purpose and legal basis for which the vendors they wish to work with may process personal data based on a user’s visit to the publisher’s website, app or other content.

Website operators need to select a CMP that provides a consent solution that meets their specific needs. Alternatively, website operators can choose to become a CMP and build their own consent solution.

Development of a consent solution is not a simple task and requires developers with advanced skills in JavaScript, reading/writing of cookies, network configuration and the differences between browsers, especially around security setting defaults and responsive UX rendering. CMPs must also respond quickly to changes in IAB Europe TCF specifications and Policies. They must also pass the annual CMP validation test that ensures compliance with TCF specifications and Policies.

What does the TCF provide for Publishers?

The TCF is designed to help digital property operators, such as publishers and advertisers, work with technology providers (vendors) that provide data-driven services which support both their operations and commercial activities. It supports a diverse array of companies in the digital advertising supply chain in their compliance with data protection laws when accessing and/or storing information on a user’s device or processing personal data. Central to the design of the framework is the opportunity it gives digital property operators to communicate to their users what data is being collected, how a digital property and its vendors intend to use it, and which vendors intend to use it and how users can exercise complete control over this process. Delivering the transparency and user choice requirements found in data protection laws of the European Union’s General Data Protection Regulation (GDPR) is core to the operation of a digital property. The TCF was designed to support the digital advertising industry meet both the needs of the consumer at the same time as providing a commercially sustainable future for suppliers of the digital services that users wishes to access.

Publishers following the TCF Policy specifically perform the following:

  • Select and control vendors they want to work with;

  • Provide users with transparency into the vendors selected by the publisher, and the purposes for which they process data;

  • Request and obtain informed consent to process data, or establishing other legal bases to process data;

  • Transparently pass information relating to user choices to the ecosystem;

  • Either act as a CMP (in which case they would need to register as a CMP in the TCF) or utilise the services of a CMP registered with the TCF;

  • Support the use of data for measuring campaign effectiveness and the use of contextual advertising that requires access to user devices.

Further reading