This is good news for end users, advertisers and publishers.
In 2018, the EU’s General Data Protection Regulation (GDPR) arrived, sending shockwaves through the digital advertising ecosystem. To help mitigate some of the operational challenges stemming from the regulation, IAB Europe created the Transparency & Control Framework (TCF); a set of guidelines that aim to help the digital advertising industry adapt to the post-GDPR world.
On the 21st of August this year, we released the latest version of the TCF. Version 2.0 is the outcome of a rigorous 12-month review, and based on close consultation with the publishing community and other key stakeholders. It aims to bring new levels of control, choice and flexibility to all players within the European advertising industry.
One of the specific goals of this update was to make the framework more useful to Europe’s publishers. Here, I want to review some of the innovations we have made in this respect; but first, here’s a quick reminder about some of the details of the TCF is and how it came to be.
TCF for publishers: a recap
In a nutshell, our framework allows each part of the digital advertising value chain to collectively meet the consent provisions of GDPR by providing a mechanism by which people can give or withhold their consent for their data to be used in specified ways.
Users make this choice through a Consent Management Platform (CMP), which is accessed on the publishers’ site and is run by either the publisher or by a specialist CMP partner.
The publisher effectively becomes the interface between the end user (i.e. the data subject) and the ad tech vendor. Publishers select the vendors they want to work with and use the CMP to communicate this list to end users, along with a list of purposes these vendors would like to process their data for (personalisation, for example, or ad selection). Where vendors are processing data based on ‘legitimate interest’ this fact is also communicated to end users. Data subjects are empowered to give or withhold consent over how their data is used through the CMP and publishers use the TCF to communicate these decisions to the relevant vendors.
The TCF therefore provides a scalable and efficient means to ensure that publishers’ preferred technology partners have a legal basis for processing their users’ personal data and that publishers can transmit information to their customers and partners in an interoperable manner throughout the ecosystem.
TCF 2.0: giving more control to publishers
Based on the feedback of publishers, our main aim with the new version of the TCF was to increase the control publishers have over which purposes vendors can use to justify the basis for their data processing activities.
The new framework allows vendors to select one of three legal bases for data processing: ‘legitimate interest’ (i.e. where there is an overriding benefit to the processing of personal data, fraud prevention for example), ‘consent’ (i.e. the data owner has given their consent for their data to be processed in a specific way), or ‘flexible’ (i.e. it could be on the basis of legitimate interest and/or consent).
The aim of the ‘flexible’ option is to take account of the fact that the EU contains a large number of legal jurisdictions each one of which may interpret GDPR in a different way – it allows vendors to operate in different markets based on a different legal basis. Importantly, however, we have given publishers final say over which legal basis they would prefer vendors to use for each purpose, so they can have more control over how vendors present themselves on the publishers’ properties.
With the new version of the framework, publishers are empowered to create different rules and limitations for data processing for their partners. They can explicitly designate which purposes vendors can and cannot process data for and communicate this information to vendors via the TCF consent string. This increases transparency: vendors can now clearly see the permissions they have been granted by publishers, providing a solid basis on which they can operate in a GDPR compliant manner.
A better approach for users
Another benefit of the new TCF is that it allows publishers to communicate with end users more clearly and precisely. We have expanded the number of purposes to which data can be used from five to 12, thereby enabling more granularity. So, for example, instead of giving consent to the potentially ambiguous purpose of ‘personalisation’ users can now specify whether they consent to ‘create a personalised ad profile’ and/or ‘create a personalised content profile’.
However, we recognise that in some cases users will not want this level of granularity. We have therefore made it possible for publishers to present them with ‘stacks’ of purposes: groupings that enable users to quickly give or withhold consent to several related purposes at once. Here, the TCF allows publishers to present this information in simple, user-friendly language. This is at no detriment to end users – simply by hovering their cursor over each stack they can access the granular information and the more exact legal descriptions.
Benefits for all
The new TCF therefore gives new levels of control and transparency to publishers. It is our belief that the approach provides a simple mechanism for GDPR compliance that will better inform end users and provide a solid base for the digital advertising industry to continue to thrive. This is good news for end users, advertisers and publishers.
Filip Sedefov, Senior Manager, Privacy & Data Protection at IAB Europe