In February last year, the Belgian Data Protection Authority (APD, “Autorité de Protection des Données”) issued a decision against IAB Europe related to the Transparency and Consent Framework (TCF), fining the organization 250k€ and instructing it to come up with a plan to solve the issues that were identified.
Since then, IAB Europe has come up with a plan to update its TCF, which will come into action over the following months. In this article, we review the context surrounding the APD decision, catching you up on the events from last before presenting IAB Europe’s action plan, and finally going over what these changes will mean in practice for Commanders Act users.
March 2023 update: On March 15th, 2023, IAB Europe confirmed that the Belgian APD has voluntarily suspended the six-month implementation period of IAB Europe’s action plan. As a result, the July 2023 deadline no longer applies. It’s now reported for Q4 2023
For more details and pending additional information, read the official IAB communication here.
More than a year ago, on February 2nd, 2022, the Belgian APD issued a decision against IAB Europe citing 4 issues with its Transparency and Consent Framework (what’s the TCF? Learn more here). According to the Belgian APD:
The Transparency & Consent (TC) string, the consent signal stored by players in the advertising industry, is personal information. As such, participants should establish a legal basis.
IAB Europe is a data controller of that information, whether or not it processes the consent information
IAB Europe is a joint controller with TCF participants (vendors, CMPs, publishers)
Security measures in place to protect the integrity of the consent signal were not sufficient
IAB Europe was subsequently fined and instructed to come up with an action plan to solve these issues. The IAB Europe, along with some TCF participants, has worked on the action plan and submitted it to the APD in April 2022. Despite additional procedural events in September, the action plan was reviewed on January 11th by the Belgian APD.
Of course, we will communicate with Commanders Act customers with specific action points before then.
Here are the main changes and obligations that will impact your Consent Management Platform if you’re using the TCF after April 2023:
New TC string special purpose
Users of the TCF will be required to add a new (special) purpose to the classification of purposes in the TCF, informing their users that they are capturing and sharing data subject choices via the TC String.
No more legitimate interest for targeted advertising
Going forward, users won’t be able to rely on legitimate interest for personalized advertising.
Specifically, the purposes impacted will be purpose 3 (create a personalized ads profile), purpose 4 (select personalized ads), purpose 5 (create a personalized content profile), and purpose 6 (select a personalized content profile).
Mandatory disclosures in the second layer of the CMP
After April, users of the TCF will be required to disclose new information in their CMP second layer:
The legitimate interests at stake
The categories of data collected and/or already held by Vendors
The retention periods (in the Vendors’ description)
Vendor-related changes
Publishers will be presented with a warning about the impact that a large number of vendors can have on the ability of users to make informed choices.
Additionally, the number of vendors will need to be disclosed in the first layer of the CMP. Finally, we will recommend using event listeners to ensure proactive communication of changed TC String to vendors.
As a Commanders Act customer, what do these changes in the TCF mean and what are you supposed to do? Don’t worry, we’ve got it all planned out.
Not a lot will be expected from Commanders Act customers. However, if you decide to continue using the Transparency and Consent Framework, you must know that consent notices/consent banners will be changing slightly (based on the changes listed in the previous section), and you should therefore be ready for it.
The migration from the TFC v2.2 will take place on November 20, 2023 serving as the hard deadline for the change. You will be must to regenerate your consent banners TCF before this deadline.
Once the migration will be complete, we will recommend that you recollect consent from your customers, as previously collected consent was deemed invalid following the Belgian APD decision. Additionally, you’ll most likely have to reduce your vendor list, and updating mobile SDK versions to get the new TCF various updates will be compulsory.
But don’t worry, we will remind you about this before the deadline.
To conclude, and while it’s important to be aware of the upcoming changes following this important industry decision, the impact on Commanders Act customers should be minimal, and we’re hoping to provide thorough assistance to everyone along the way If you wish to go further, you will be able to verify your TCF compliancy, since IAB Europe has released a new CMP Validator Chrome Extension available here that includes all requirements of TCF v2.2.
This page is to the attention the customers using the Commanders Act SDK with the IAB Consent Module in their mobile application
Here's the 2 steps to follow to remains compliant with the TCF on your mobile application
Requirements To be allowed to migrate on IAB TCF v2.2, your application must use the v5 of our SDKs If you're still using the v4, please refer to the main SDK Migration Guide
Simply download the latest versions of our TCIAB SDK Modules
Upload the latest version to update your offline json's
purposes-xx.json (required if you're using other languages then EN, this link example is for FR language)
your privacy json file updated (needs to be modified, following the step "Update the content of your privacy json file")
Upload your CDN json file
Your privacy json file updated needs to be uploaded on CDN Commanders Act, please contact your consultant or our support team to upload the latest version of your json on our servers. (the content of this json file needs to be updated, following the next step.)
Update the content of your privacy json file
Verify your vendor list "vendors": "15,48,501,506,520,539,512,895",
*if you left the "vendors" empty, it will be considered as ALL vendors by our SDK
Pay attention to your Vendor List, some Vendors aren't existing anymore in the GVL v3
Add the new required fields
texts -> generic -> "illustationsButton": "illustrations"
texts -> generic -> "dataCategoriesDef" : "Data Categories"
texts -> vendors -> "legIntClaimTitle": "Legal policies"
Full json example:
The value {total_number} in the "purposeTitle" is a dynamic field. The total number of your IAB vendors will be displayed here
The deadline to migrate is November 20, 2023
Step by step guide to remains compliant on the Web for TCF v2.2
Here's the 5 steps to follow to remains compliant with the TCF on your website
Verify/Update your IAB Vendors
The Vendors List has evolved, we recommend to verify your IAB Vendors selected.
Data Governance > Consent Management > Vendors
Setup an Accept All/Refuse all buttons in your privacy center
Sources > Privacy Banners > Edit (select your banner) > Privacy Center tab > Buttons
*don't forget to save your changes !
Generate a new version of your Consent banner
Sources > Privacy Banners > Edit (select your banner) > Generate
*We recommend to check the option 'reactivate the privacy', so all you users will have the new consent string format, including the new purpose and the updated vendors
Generate a new version of the Web Container related to you Consent Banner
Sources > Web Containers > Edit (select your container) > Generate
Deploy your latest versions of Web Container and Consent Banner
IAB Europe has released a new CMP Validator Chrome Extension available here
The deadline to migrate is November 20, 2023
The IAB TCF v2.2 has new requirements. This page listing the new elements of the CMP IAB TCF UI standard.
This is an informative page. Almost every listed points above are automatically managed by our Consent Module (only the buttons "accept all" and "refuse all" are not automatically added). Simply follow our Migration guides and to update you banner with these new requirement
The standard text has evolved with more precise list of usage of datas, and the total number of IAB TCF vendors must be displayed
If your banner has a custom text, you can use this function to display the number of vendors on the first layer
tC.privacy.getNbIabVendors()
The TCF will add a new (special) purpose to the classification of purposes in the TCF, informing their users that they are capturing and sharing data subject choices via the TC String. The name of this new special purpose is "Use limited data to select content" (ID 11)
purpose 3 (create a personalized ads profile)
purpose 4 (select personalized ads)
purpose 5 (create a personalized content profile)
purpose 6 (select a personalized content profile)
3 major changes for the information provided by the Vendors
They can provide a cookie policy url in multiple languages (the displayed url will be the same then the browser language)
They must show the data retention period for each purpose
They must show data they will collect
IAB TCF requirements are very strict. If you wish to display a custom text, we strongly recommend you to ask a validation from IAB team. You can also refer to this
If you don't have yet an accept all / refuse all buttons in your privacy center, you must add them manually. You can refer to the step n°2 of for setup help