When the second version of IAB Europe’s Transparency and Consent Framework (TCF) for GDPR compliance comes out of beta on March 31, it still won’t integrate with Google.
But that’s because IAB Europe has decided to give companies until June 30 before the previous version of the TCF is deprecated and TCF 2.0 becomes the only show in town.
Google said in a statement that “it remains committed to the integration with IAB TCF 2.0” and that it’s aligning its integration with the new timeline set out by IAB Europe in order to effect “the smoothest transition possible.”
The TCF steering group is extending support for V1 until the end of June to give publishers and vendors more time to get comfortable with the new specs. That decision was made before the coronavirus outbreak.
TCF 2.0 has been in the works for the better part of a year and incorporates changes based on feedback from publishers and interactions with data protection authorities (DPA) across Europe.
IAB Europe had around 600 vendors signed up for TCF 1.0. Roughly 300 of those have already registered for the new version, which demonstrates an eagerness among vendors to be seen as compliant by their publisher partners, said Townsend Feehan, CEO of IAB Europe.
“We’ve seen a steady uptick, even in the last couple of weeks,” she said, noting that the work-from-home situation hasn’t hindered the trade org’s ability to troubleshoot, coach and answer policy questions over Slack and email. The IAB Tech Lab is fielding any questions that come in about the technical implementation.
But do European regulators actually think that the TCF is a viable compliance tool? They’ve never given it their blessing, and some of their previous warnings – such as in the case of ill-fated French ad tech company Vectaury – cast doubt on whether consent strings are kosher under GDPR.
According to Feehan, though, data protection authorities are actually receptive to the framework. IAB Europe has met with six different DPAs, including Ireland, the United Kingdom and Spain, to go over TCF 2.0 in detail, and although their public pronouncements have been “guarded,” it’s a different story behind closed doors, she said.
“We’ve seen DPAs become better acquainted with the TCF over the course of a single conversion and develop quite a positive attitude towards it,” Feehan said.
Unfortunately, the only one way to get an official stamp of approval is by engaging in a lengthy certification process under GDPR involving a rigorous review by multiple DPAs and, eventually, the European Data Protection Board itself.
IAB Europe is planning to kick off that process in the coming weeks, and Feehan is hoping for the best.
Short of “that kind of official imprimatur,” however, the framework will remain in a kind of limbo or “twilight zone,” she said, despite the fact that “I think a lot of DPAs actually do see the TCF as the best thing in the market right now to comply with the law at scale.”
“What’s really frustrating is that the TCF is also a really good instrument that DPAs can use to enforce the law,” Feehan said. “It provides an auditable record for transactions, and that should be really appealing to the DPAs.”
TCF 2.0 cheat sheet: What’s new
One of the most significant additions to TCF 2.0 is more support for legitimate interest as a legal basis in addition to explicit consent – a top request from publishers. And TCF 2.0 includes an integrated right to object, meaning that users will be able to signal whether or not they’re cool with data processing based on legitimate interest.
The new version also provides more – and more detailed – data processing purposes so that it’s clearer to users what data is being processed and why. In the first version, for example, all you had was “personalization;” in 2.0, personalization is broken out into two types: “create personalized ads profile” or “create personalized content profile.”
This addition was made with both DPAs and publishers in mind.
“DPAs care about making sure that consent is informed and specific and that the information presented to people is simple and user-friendly,” Feehan said, “while publishers can get that much more control over what they allow ad tech intermediaries to do.”
And users can switch purposes on and off per vendor, and read more user-friendly explanations of each purpose before consenting.
“We’re trying to reconcile the apparently contradictory imperatives of ease of understanding and simplicity along with granularity while maintaining a standardized approach,” Feehan said.
In that vein, TCF 2.0 introduces the concept of “stacks” into the UI, which describes multiple data use cases, designed to be both understandable for consumers and provide detailed information for those that want it.
For example, a stack like “Personalized ads and ads measurement” cover four purposes at once: basic ads selection, creating a personalized ads profile, showing personalized ads and ad measurement. Users can click to see a user-friendly definition for each purpose. Gluttons for punishment can also read the full legal definition of each use case.
3/27/20: Story updated to include Google's statement.