How IAB Europe TCF v2.2 Enhances Digital Advertising Privacy Compliance

22 Jul 2024
On June 3, 2024, the Interactive Advertising Bureau Europe (IAB Europe) announced the new Transparency & Consent Framework (TCF) version 2.2 Policies amendments. This update includes the introduction of Special Purpose 3 - “Save and communicate privacy choices.” These amendments are designed to align with the requirements of the ePrivacy Directive and the GDPR, meeting regulatory expectations. The Transparency & Consent Framework (TCF) Steering Group approved this new iteration to help online ecosystem players maintain compliance.

About IAB Europe and TCF
The Interactive Advertising Bureau Europe (IAB Europe) is the regional branch of the Interactive Advertising Bureau (IAB) that focuses on the digital advertising and marketing industries in the European market. Like IAB Global, IAB Europe aims to support and promote the growth of the digital advertising ecosystem through research, education, technical standards, and various industry initiatives. IAB Europe is the European-level association for the digital marketing and advertising ecosystem. IAB Europe, through its membership of national IABs and media, technology, and marketing companies, leads political representation and promotes industry collaboration. Its mission is to deliver frameworks, standards, and industry programs.

The Transparency and Consent Framework (TCF) consists of a set of technical specifications and policies that publishers, advertisers, technology providers, and other interested parties may voluntarily choose to adhere to. The goal of the Framework is to help players in the online ecosystem meet certain requirements of the ePrivacy Directive (and its successor, the upcoming ePrivacy Regulation) and the General Data Protection Regulation (GDPR). It does so by providing a way to inform users about the storing and accessing of information on their devices, the processing of their personal data, the purposes for which their personal data is processed, and the companies seeking to process their data for these purposes. The Framework also provides users with choices regarding these aspects and signals to third parties what information has been disclosed to users and what their choices are.

Achieving the goals of the Framework requires the standardization of technology, such as how information is disclosed and how user choices are stored and signaled to participants. It also involves standardizing the information provided to users, the choices given to users, and the behaviors that participants engage in when interacting with users or responding to requests between participants.

TCF v2.2 Policies amendments
The TCF Working Groups have developed a new “Special Purpose 3” to help participants establish a legal basis for processing users’ privacy choices recorded in the form of a TC String, especially when this data is considered personal. Below is a summary of the key amendments:
 
  1. Inclusion of Special Purpose 3 (“Save and communicate privacy choices”) to the TCF purposes taxonomy: This purpose is intended to cover the processing of TC Strings to verify the consent and/or objection status of a Vendor and/or Purpose to respect users’ privacy choices. Vendors can declare this purpose at registration level, subject to having conducted and documented a legitimate interest assessment (LIA) that demonstrates users’ interests and fundamental rights do not override the legitimate interests pursued.
  2. New secondary layer UI requirement for CMPs: When providing transparency about Purposes, Special Purposes, Features, Special Features, and Vendors in connection with a legitimate interest, a single secondary layer must be provided that allows the user to review the storage and access information relating to the CMP’s recording of Signals, including the maximum device storage duration.
  3. Policies Versioning: The Policies version has been incremented from 4.0.a to 5.0. The new Policies can be found here.

Implementation Timeline
TCF participants must comply with these amendments within a short timeline. Specifically, the deadline for Vendors to update their Global Vendor List (GVL) registration was July 3, 2024. Vendors must declare Special Purpose 3 by logging into the GVL registration portal, which has been updated to include this new purpose.

Additionally, CMPs have until October 4, 2024, to implement the new policies. Compliance with the new requirements will be verified as part of IAB Europe’s regular monitoring of CMPs’ live installations following the implementation deadline.

Publishers are also encouraged to oversee the necessary steps for affected participants to ensure up-to-date compliance with the new requirements.

Background of Changes: Adherence to the CJEU Judgement
In the case DOS-2019-01377, the Belgian Data Protection Authority (BDPA) issued a decision on the merits against IAB Europe for breaching various provisions of the GDPR in relation to large-scale processing of personal data. The case concerned the conformity of the Transparency & Consent Framework (TCF) with the GDPR and ePrivacy Directive and, specifically, the responsibility of IAB Europe and the various other actors involved.
On 7 March 2024, the Court of Justice of the European Union (CJEU) rendered its judgement in case C-604/22, which concerned two sets of preliminary questions on the interpretation of the General Data Protection Regulation (GDPR) raised by the Belgian Market Court regarding the case between IAB Europe and the BDPA. The ruling establishes that TC Strings may constitute personal data if certain circumstances are met, particularly if they can be associated with other identifiable data points that may make it possible to identify the individual concerned with reasonable means.

In response to the CJEU's reasoning, the TCF Working Groups have developed the new “Special Purpose 3” intended to facilitate how TCF participants establish a legal basis for processing users’ privacy choices recorded in the form of a TC String when participants consider the latter to be personal data.
The official decision of the CJEU can be found here.
