In February last year, the Belgian Data Protection Authority (APD, “Autorité de Protection des Données”) issued a decision against IAB Europe related to the Transparency and Consent Framework (TCF), fining the organization 250k€ and instructing it to come up with a plan to solve the issues that were identified.
Since then, IAB Europe has come up with a plan to update its TCF, which will come into action over the following months. In this article, we review the context surrounding the APD decision, catching you up on the events from last year before presenting IAB Europe’s action plan, and finally going over what these changes will mean in practice for Commanders Act users.
March 2023 update: On March 15th, 2023, IAB Europe confirmed that the Belgian APD has voluntarily suspended the six-month implementation period of IAB Europe’s action plan. As a result, the July 2023 deadline no longer applies. It is now postponed to Q4 2023.
For more details and pending additional information, read the official IAB communication here.
More than a year ago, on February 2nd, 2022, the Belgian APD issued a decision against IAB Europe citing 4 issues with its Transparency and Consent Framework (what’s the TCF? Learn more here). According to the Belgian APD:
The Transparency & Consent (TC) string, the consent signal stored by players in the advertising industry, is personal information. As such, participants should establish a legal basis.
IAB Europe is a data controller of that information, whether or not it processes the consent information
IAB Europe is a joint controller with TCF participants (vendors, CMPs, publishers)
Security measures in place to protect the integrity of the consent signal were not sufficient
IAB Europe was subsequently fined and instructed to come up with an action plan to solve these issues. IAB Europe, along with some TCF participants, worked on the action plan and submitted it to the APD in April 2022. Despite additional procedural events in September, the action plan was reviewed on January 11th by the Belgian APD.
Of course, we will communicate with Commanders Act customers with specific action points before then.
Here are the main changes and obligations that will impact your Consent Management Platform if you’re using the TCF after April 2023:
New TC string special purpose
Users of the TCF will be required to add a new (special) purpose to the classification of purposes in the TCF, informing their users that they are capturing and sharing data subject choices via the TC String.
No more legitimate interest for targeted advertising
Going forward, users won’t be able to rely on legitimate interest for personalized advertising.
Specifically, the purposes impacted will be purpose 3 (create a personalized ads profile), purpose 4 (select personalized ads), purpose 5 (create a personalized content profile), and purpose 6 (select a personalized content profile).
Mandatory disclosures in the second layer of the CMP
After April, users of the TCF will be required to disclose new information in their CMP second layer:
The legitimate interests at stake
The categories of data collected and/or already held by Vendors
The retention periods (in the Vendors’ description)
Vendor-related changes
Publishers will be presented with a warning about the impact that a large number of vendors can have on the ability of users to make informed choices.
Additionally, the number of vendors will need to be disclosed in the first layer of the CMP. Finally, we will recommend using event listeners to ensure proactive communication of changed TC String to vendors.
As a Commanders Act customer, what do these changes in the TCF mean and what are you supposed to do? Don’t worry, we’ve got it all planned out.
Not a lot will be expected from Commanders Act customers. However, if you decide to continue using the Transparency and Consent Framework, you must know that consent notices/consent banners will be changing slightly (based on the changes listed in the previous section), and you should therefore be ready for it.
The migration to TCF v2.2 will take place on November 20, 2023, which serves as the hard deadline for the change. You must regenerate your TCF consent banners before this deadline.
Once the migration is complete, we will recommend that you recollect consent from your customers, as previously collected consent was deemed invalid following the Belgian APD decision. Additionally, you’ll most likely have to reduce your vendor list, and updating mobile SDK versions to get the various TCF updates will be compulsory.
But don’t worry, we will remind you about this before the deadline.
To conclude, while it’s important to be aware of the upcoming changes following this important industry decision, the impact on Commanders Act customers should be minimal, and we’re hoping to provide thorough assistance to everyone along the way. If you wish to go further, you will be able to verify your TCF compliance, since IAB Europe has released a new CMP Validator Chrome Extension available here that includes all requirements of TCF v2.2.
Step-by-step guide to remain compliant on the Web for TCF v2.2
Here are the 5 steps to follow to remain compliant with the TCF on your website
Verify/Update your IAB Vendors
The Vendors List has evolved, so we recommend verifying your selected IAB Vendors.
Data Governance > Consent Management > Vendors
Set up Accept All / Refuse All buttons in your privacy center
Sources > Privacy Banners > Edit (select your banner) > Privacy Center tab > Buttons
*Don't forget to save your changes!
Generate a new version of your Consent banner
Sources > Privacy Banners > Edit (select your banner) > Generate
*We recommend checking the option 'reactivate the privacy', so that all your users will have the new consent string format, including the new purpose and the updated vendors
Generate a new version of the Web Container related to your Consent Banner
Sources > Web Containers > Edit (select your container) > Generate
Deploy your latest versions of Web Container and Consent Banner
IAB Europe has released a new CMP Validator Chrome Extension available here
The deadline to migrate is November 20, 2023
Format of the Commanders Act Consent cookie.
The Consent Object received via the onsite API is now the official way to access the consent settings of Commanders Act Consent with JavaScript. The direct usage of the consent cookie is deprecated.
Commanders Act Consent stores the consent of website visitors in a 1st party cookie.
This article only explains the consent cookie. You can find a list of all Commanders Act Consent cookies.
The default name of the consent cookie is TC_PRIVACY. It can be configured in Data Governance > Consent > Settings.
The cookie is set as a 1st party cookie. The subdomain/domain of the cookie can be configured in Data Governance > Consent > Settings.
The value consists of multiple fields separated by @ symbols. The separator can be configured in Data Governance > Consent > Settings.
The consent cookie format is not 100% guaranteed to stay stable. We try to keep the format as stable as possible and extend it with an "append only" approach (adding new information with a new @), but changes might happen in the unforeseeable future due to limited storage space in cookies.
The cookie value follows the pattern below (optional elements are wrapped in []).
<status>@<privacy_version>[|<tcf_version>]|<banner_id>|<site_id>@<consent_categories>@<blocked_on_categories>@<updated_timestamp>,<creation_timestamp>,<to_expire_timestamp>[@<tcf_vendor_consent_string>]
0@002|12|3441@1%2C3@4@1592900933049@1592900933049
1@012|26|4221@@4@1592900933049@1592900933049
Good to know: special characters such as "@" or "|" are URL-encoded in the cookie value: %2C = ",", %7C = "|", %40 = "@".
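For code that still has to read the deprecated cookie (for example in an audit script), the following added example, which is not Commanders Act code, parses the pattern line above strictly and rejects anything that does not match it, since the cookie value is controlled by the browser. The function names, the numeric-ID assumption for categories and the sample values are assumptions made for this example.

```javascript
// Added example (not Commanders Act code): strict parser for the documented
// TC_PRIVACY pattern. The cookie is client-controlled input, so anything that
// does not match the pattern is rejected rather than interpreted loosely.
// Note: the two sample values shown above separate the timestamps with "@",
// not ",", so they do not match the pattern line and are rejected here.

const DIGITS = /^\d+$/;

// Assumption: category IDs are numeric, as in the page's examples.
function parseIdList(field) {
  if (field === '') return [];
  if (field === 'ALL') return ['ALL']; // some old banner versions store ALL
  const ids = field.split(',');
  if (!ids.every((id) => DIGITS.test(id))) throw new Error('bad category list');
  return ids.map(Number);
}

function parseConsentCookie(rawValue, now = Date.now(), separator = '@') {
  let value;
  try {
    value = decodeURIComponent(rawValue); // %40 -> "@", %7C -> "|", %2C -> ","
  } catch (err) {
    throw new Error('value is not valid URL encoding');
  }
  const fields = value.split(separator);
  if (fields.length !== 5 && fields.length !== 6) throw new Error('bad field count');
  const [status, versions, categories, blockedOn, timestamps, vendorString] = fields;

  if (status !== '0' && status !== '1') throw new Error('bad status');

  // <privacy_version>[|<tcf_version>]|<banner_id>|<site_id>; <tcf_version> is
  // itself three "|"-separated numbers, so expect 3 or 6 parts.
  const v = versions.split('|');
  if ((v.length !== 3 && v.length !== 6) || !v.every((p) => DIGITS.test(p))) {
    throw new Error('bad version block');
  }
  const tcf = v.length === 6
    ? { gvlSpecVersion: Number(v[1]), policyVersion: Number(v[2]), gvlVersion: Number(v[3]) }
    : null;

  // <updated_timestamp>,<creation_timestamp>,<to_expire_timestamp>
  const t = timestamps.split(',');
  if (t.length !== 3 || !t.every((p) => DIGITS.test(p))) throw new Error('bad timestamps');
  const [updated, created, expires] = t.map(Number);

  return {
    status: status === '0' ? 'optin' : 'optout',
    privacyVersion: v[0], // kept as a string: leading zeros matter ("002")
    tcf,
    bannerId: Number(v[v.length - 2]),
    siteId: Number(v[v.length - 1]),
    listedCategories: parseIdList(categories), // meaning depends on status
    blockedOnCategories: parseIdList(blockedOn),
    updated,
    created,
    expires,
    expired: now >= expires,
    vendorString: vendorString === undefined ? null : vendorString,
  };
}

// Non-throwing wrapper: callers treat null as "no usable consent recorded".
function tryParseConsentCookie(rawValue, now) {
  try {
    return parseConsentCookie(rawValue, now);
  } catch (err) {
    return null;
  }
}

// Constructed sample values (the expiry timestamp is invented for the example).
const SAMPLE_PLAIN = '0@002|12|3441@1%2C3@4@1592900933049,1592900933049,1626596933049';
const SAMPLE_TCF = '1%40008%7C2%7C2%7C42%7C12%7C34%40%404%401592900933049%2C1592900933049%2C1626596933049%40AAAAAjkb23';
```

Treating a null result as "no consent recorded" keeps a tampered or truncated cookie from being read as an opt-in.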
Google is a TCF 2.0 member, and Google Ad Manager (GAM), Adsense, and Admob can use the IAB TCF API to get the user consent status (the TC string) from Commanders Act CMP.
To enable Google ACM vendors go to Data Governance > Consent Management > Settings
and follow
GAM's recorded errors
GAM displays an error message in your GAM Console if it is unable to collect a TC string from the CMP:
The specific errors found are detailed in a report, which you can compare to the GAM documentation in the Troubleshooting TCF 2 implementation post.
We've mentioned some of the most common error codes we've seen while integrating with GAM below.
1.x (1.1 or 1.2 or 1.3): Google is not approved as a vendor regarding consent or legitimate interest. 1.x errors are to be anticipated. It's normal to expect a certain amount of these errors, as they mean that the user has refused permission for Google or for the main Google purposes, or that you have publisher restrictions that prohibit Google from running.
The rate of negative consent for a given website or mobile app should be approximately matched by the 1.x errors.
Checklist for determining why 1.x errors are so common:
Verify that your 1.x errors as a percentage of all ad requests are approximately equal to your negative consent rate (within a 5 points margin). For instance, if Commanders Act Consent Analysis reports a 90% consent rate per page view, a typical 1.x error rate is between 5% and 15%.
Examine whether the IAB TCF 2 was implemented on your website or mobile app prior to September 2020.
Check to see if there are publisher restrictions. If so, make sure they don't affect Google or do so in a way that's compliant with Google's requirements.
Errors are found in the following ways:
1.1 Errors: Google is not permitted as a vendor along with consent or legitimate interest.
1.2 errors: For EEA countries and the UK, there is no consent for Purpose 1. Before determining whether or not the TC string causes an error, Google will always check whether Purpose 1 has permission before determining whether or not Google, as a vendor, is allowed.
Description of the Consent Object format that is used by the onsite API to receive and update consent.
The Consent Object is a standardized way to represent consent throughout all methods of the onsite JavaScript API (similar to the IAB TCF consent string). The object holds a meta property that includes metadata like the validity of the cookie and a consent property that holds the current consent settings stored on the browser. The onsite API and Consent Object are the official way to access the consent settings of Commanders Act CMP with JavaScript. The direct usage of the consent cookie is deprecated.
The meta property includes metadata and context for the consent that was provided on a browser.
The consent property includes detailed information about the consent provided on the browser.
Category and Vendor IDs are prefixed with an identifier in case they are managed by a consent framework.
Publishers using Google AdSense, Ad Manager, or AdMob must use a CMP certified by Google and must integrate the IAB’s TCF
In addition to the Google , publishers and developers using Google AdSense, Ad Manager, or AdMob will be required to use a Consent Management Platform (CMP) that has been certified by Google and has integrated with the (TCF) when serving ads to users in the European Economic Area or the UK.
source:
Commanders Act CMP provides you all the keys to be compliant with this new requirement. Depending on your configuration, you’ll fit into one of these use cases:
Go on page: “Data Governance > Consent Management > Settings”
Situation #2: Activate the Google ACM option
Situation #3: Activate the IAB TCF Compliancy & the Google ACM options
Go on page: “Data Governance > Consent Management > Vendors”
Situation #2 and #3 : Add your Google ACM Vendors
Go on page: “Data Governance > Consent Management > Settings”
Situation #2: not required if you already have a TCF privacy banner with “Google Advertising Products Vendors”
Situation #3: Activate the IAB TCF Compliancy & the Google ACM options
Go on page: “Sources > Privacy Banners”
Situation #2 and #3:
• Select your banner, go on tab Generate & Deploy
• Generate your new version of the privacy banner
It’s ready to be deployed in production!

| Field | Description |
|---|---|
| 0 | Visitor is optin. |
| 002 | Visitor provided optin on banner version 002. |
| 12 | Banner ID is 12. |
| 3441 | Site ID is 3441. |
| 1%2C3 | Visitor provided optin for categories 1 and 3. |
| 4 | The category 4 is blocked on. |
| 1592900933049 | Visitor provided optin on Tue Jun 23 2020 08:28:53. |


| Field | Description |
|---|---|
| 1 | Visitor is optout |
| 012 | Visitor provided optin on banner version 012. |
| 26 | Banner ID is 26. |
| 4221 | Site ID is 4221. |
| (empty) | Visitor provided optout to all categories. |
| 4 | The category 4 is blocked on. |
| 1592900933049 | Visitor provided optout on Tue Jun 23 2020 08:28:53. |


| Property | Description | Type |
|---|---|---|
| meta.version | Version of the Consent Object. | String |
| meta.tcfPolicyVersion | Version of the IAB TCF consent. | String |
| meta.siteId | Commanders Act site id associated to the consent. | String |
| meta.bannerId | Banner id associated to the consent. | String |
| meta.bannerVersion | Banner version associated to the consent. | String |
| meta.consentId | Id of the consent stored in the TCPID cookie. | String |
| meta.dateCreated | Timestamp when the consent was provided (UNIX Epoch in Milliseconds). | Number |
| meta.dateUpdated | Timestamp when the consent was updated the last time (UNIX Epoch in Milliseconds). | Number |
| meta.dateExpires | Timestamp when the consent will expire (UNIX Epoch in Milliseconds). | Number |


| Property | Description |
|---|---|
| consent.status | Global status of the consent that can have one of the following values: all-on (all consent categories have been accepted), all-off (all consent categories have been refused, except blocked on), mixed (some consent categories have been refused), unset (no consent has been provided yet). |
| consent.categories[category_id].status | Status of an individual category: on (consent was provided), off (consent was rejected), unset (no consent has been provided yet; in case neutral button position is configured it will switch to neutral button position for this category). category_id is the category id configured under Data Governance > Consent Management > Settings > Categories. |
| consent.categories[category_id].required | The property was set to blocked on and the status is always on. |
| consent.vendors[vendor_id].status | Status of an individual vendor: on (consent was provided), off (consent was rejected), unset (no consent has been provided yet; in case neutral button position is configured it will switch to neutral button position for this vendor). vendor_id is the vendor id configured under Data Governance > Consent Management > Settings > Vendors. |


| Prefix | Framework |
|---|---|
| tcf2_ | IAB TCF 2 framework. Special features are additionally prefixed with sf_ |
| acm_ | Google's Additional Consent Mode vendors. |


Field, description and example value for each element of the cookie pattern:

<status>
  Description: Status that indicates if a visitor provided his optin or optout.
  Example values: 1 (visitor is optout), 0 (visitor is optin)
<privacy_version>
  Description: Version of the privacy banner the visitor interacted with.
  Example value: 008
<tcf_version>
  Description: Version of the IAB TCF framework. Only available in case IAB is activated for the account and an IAB banner is used to manage consent. It follows this format: <tcf_global_vendor_list_specification_version>|<tcf_policy_version>|<tcf_global_vendor_list_version>
  Example value: 2|2|42
<banner_id>
  Description: ID of the privacy banner the visitor interacted with.
  Example value: 12
<site_id>
  Description: ID of the site in the Commanders Act Platform.
  Example value: 34
<consent_categories>
  Description: Comma-separated list of optin or optout categories. The meaning depends on the <status> field. E.g. when <status> is 0, the visitor provides consent for the listed categories. The value is URL encoded, so the comma separator is replaced with %2C. Some old banner versions might have the value ALL in case all categories are opted out.
  Example value: 2%2C12%2C13
<blocked_on_categories>
  Description: Comma-separated list of blocked on categories. The value is URL encoded, so the comma separator is replaced with %2C. These categories are not repeated in the <consent_categories> field.
  Example value: 2%2C12
<updated_timestamp>
  Description: UNIX timestamp for when the consent was last updated
<creation_timestamp>
  Description: UNIX timestamp in milliseconds when the consent was provided.
  Example value: 1592900933049
<to_expire_timestamp>
  Description: UNIX timestamp for when the consent will expire
<tcf_vendor_consent_string>
  Description: Vendor consent information (e.g. for IAB TCF vendors). Only available when vendors are activated for the account and in case vendors are used in the banner. The value is compressed and encoded to keep the cookie size small.
  Example value: AAAAAjkb23...

This page is intended for customers using the Commanders Act SDK with the IAB Consent Module in their mobile application
Here are the 2 steps to follow to remain compliant with the TCF on your mobile application
Requirements: To be allowed to migrate to IAB TCF v2.2, your application must use v5 of our SDKs. If you're still using v4, please refer to the main SDK Migration Guide
Simply download the latest versions of our TCIAB SDK Modules
Upload the latest version to update your offline json files
purposes-xx.json (required if you're using languages other than EN; this link example is for the FR language)
your updated privacy json file (needs to be modified, following the step "Update the content of your privacy json file")
Upload your CDN json file
Your updated privacy json file needs to be uploaded to the Commanders Act CDN. Please contact your consultant or our support team to upload the latest version of your json to our servers. (The content of this json file needs to be updated, following the next step.)
Update the content of your privacy json file
Verify your vendor list "vendors": "15,48,501,506,520,539,512,895",
*If you leave "vendors" empty, it will be considered as ALL vendors by our SDK
Pay attention to your Vendor List: some Vendors no longer exist in the GVL v3
Add the new required fields
texts -> generic -> "illustationsButton": "illustrations"
texts -> generic -> "dataCategoriesDef" : "Data Categories"
texts -> vendors -> "legIntClaimTitle": "Legal policies"
Full json example:
The value {total_number} in the "purposeTitle" is a dynamic field. The total number of your IAB vendors will be displayed here
The deadline to migrate is November 20, 2023
For its own operations, our Consent Module sets 1st party cookies to store the user's consent and to report anonymous consent statistics.
These cookies are necessary for the proper functioning of the collection of consent and the reporting of anonymous statistics. In this regard, they are exempt from the obligation of consent.
Consent storage cookies differ depending on the banner template used:
standard templates: TC_PRIVACY & TC_PRIVACY_CENTER
IAB TCF templates (local storage) : TC_PRIVACY_IAB_VENDORLIST & TC_PRIVACY_TCF
A 1st party cookie is set to be able to collect anonymous statistics of consent: TCPID. We have worked together with the CNIL France to design the setting and processing of this cookie to strictly comply with the rules of the GDPR and in particular the rules enacted by the CNIL in 2019.
In order to be exempt from consent in accordance with article 82 of the Data Protection Act, these tracers must:
have a purpose strictly limited to measure the audience of the site or application (performance measurement, detection of navigation problems, optimization of technical performance or its ergonomics, estimation of the power of the necessary servers, analysis of content consulted) for the exclusive account of the publisher
be used to produce anonymous statistical data only
Conversely, to be exempt from consent, these tracers must not:
lead to a cross-checking of the data with other processing or the data to be transmitted to third parties
allow the aggregate tracking of the user's navigation across different applications or websites. Any solution using the same identifier across several websites (for example via cookies placed on a third-party domain loaded by several websites) to cross, split or measure a unified coverage of a content is excluded.
To put in place solutions that respect people's rights, the CNIL also recommends that:
users are informed of the implementation of these tracers, for example via the privacy policy of the site or the mobile application
the lifespan of the tracers is limited to a period allowing a relevant comparison of audiences over time, as is the case with a period of 13 months, and that it is not automatically extended on new visits
the information collected through these tracers is kept for a maximum period of 25 months
the above-mentioned retention periods are subject to periodic review in order to be limited to what is strictly necessary
for the FR market: link the Consent Statistics to a category of cookies which can be turned off by the users on 'refuse all'
for the FR market: if you decide not to link the Consent Statistics to a cookie category, you must provide your users with another way to opt out of Consent Statistics. We provide an FR implementation guide for Optout statistics, as recommended for CNIL compliance
A subcontractor can provide a benchmark service to multiple publishers if:
the data is collected, processed and stored independently for each publisher
tracers are completely independent from each other
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale or sharing of their personal information; and
The right to non-discrimination for exercising their CCPA rights.
In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new additional privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:
The right to correct inaccurate personal information that a business has about them; and
The right to limit the use and disclosure of sensitive personal information collected about them.
Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
It is required under CPRA to retain a minimum amount of data that is only essential for the organization to fulfill its requirements. In addition, businesses should not keep data for longer than necessary; if they do, a justification must be presented, and they must notify the user. The criteria to comply with CPRA remained almost the same as in CCPA, but with a slight change:
Businesses should comply if they obtain a revenue of more than $25 million or gain 50% from selling personal data.
Businesses should comply if they process data of more than 100,000 users instead of 50,000.
The California Privacy Protection Agency was created to enforce the CPRA starting July 1, 2023. It is responsible for raising awareness about data privacy and ensuring that consumers’ rights are protected while implementing penalties on non-compliant entities.
For more information, please visit the official CCPA website https://oag.ca.gov/privacy/ccpa
To be compliant with CCPA, simply follow these steps:
Create a dedicated CCPA banner: use the "footer with privacy center" template
Add your text about cookies: it must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. Don't forget to integrate a link to your cookie policy.
Add a button with this exact text: “Do Not Sell My Personal Information”. This button should opt out the user (value refuse all) or open a privacy center with one category “Personalized advertisement”. Please note: this category is a requirement (it must contain all tags that can sell personal information).
Set your consent duration for at least 12 months
Enable the Global Privacy Control option on your Commanders Act site
Integrate in your website footer a link or a button to manage consent choices
example of html code to integrate:
<a href="#" onclick="tC.privacyCenter.showPrivacyCenter();return false">privacy center</a>
Update your Privacy Policy: Businesses that sell personal information about California residents, or allow information to be collected on their websites or apps, need to provide information in their privacy policies about that collection or sale. The CA Attorney General has provided draft regulations on how and what information should be included in privacy policies, which you can find here.
The Global Privacy Control is an initiative aimed at enabling users to easily exercise their privacy preferences across multiple websites and online services. It is designed to give users more control over how their personal information is collected, used, and shared online.
The GPC operates through a browser signal or an HTTP header that users can activate to indicate their privacy preferences. When a user enables the GPC signal in their browser, it sends a request to websites and online services, indicating that the user wishes to opt out of the sale or sharing of their personal information.
For more information, you can visit their website
Simply follow these 2 easy steps:
1 - Enable the Global Privacy Control option directly on your CCPA Banner
2 - Regenerate and deploy your Consent Banner

| Situation | Status |
|---|---|
| You already have a TCF privacy banner with Google Vendors? | You’re already compliant. Nothing to do |
| You already use an IAB TCF banner template, but you have no Google ACM Vendors? | You’re 3 steps away from being compliant. Follow the instructions below |
| You don’t currently use an IAB TCF banner template | You’re 4 steps away from being compliant. Follow the instructions below |

Please download our implementation guide for Commanders Act Consent exempted statistics for CNIL compliance of France market
The IAB TCF v2.2 has new requirements. This page lists the new elements of the CMP IAB TCF UI standard.
This is an informative page. Almost all of the points listed above are automatically managed by our Consent Module (only the buttons "accept all" and "refuse all" are not automatically added). Simply follow our Migration guides for Web and for App to update your banner with these new requirements
The standard text has evolved with a more precise list of data usages, and the total number of IAB TCF vendors must be displayed
If your banner has a custom text, you can use this function to display the number of vendors on the first layer
tC.privacy.getNbIabVendors()
IAB TCF requirements are very strict. If you wish to display a custom text, we strongly recommend that you ask the IAB team for validation. You can also refer to this CMP UX/UI requirements guide
If you don't yet have accept all / refuse all buttons in your privacy center, you must add them manually. You can refer to step n°2 of this page for setup help
The TCF will add a new (special) purpose to the classification of purposes in the TCF, informing their users that they are capturing and sharing data subject choices via the TC String. The name of this new special purpose is "Use limited data to select content" (ID 11)
purpose 3 (create a personalized ads profile)
purpose 4 (select personalized ads)
purpose 5 (create a personalized content profile)
purpose 6 (select a personalized content profile)
3 major changes for the information provided by the Vendors
They can provide a cookie policy URL in multiple languages (the displayed URL will match the browser language)
They must show the data retention period for each purpose
They must show the data they will collect
Description of how to interact with IAB consent API
If you are using the IAB TCF option (see to setup IAB TCF on your account), you will be able to use IAB TCF's __tcfapi where your privacy banner is deployed.
That function is defined in your container and in your privacy banner so that you can use it before your privacy banner has finished loading. It is sometimes referred to by IAB as the TCF API stub.
IAB TCF consent is encoded in a format called the Consent-String.
The recommended way of getting the value of TCF's consent-string (tcData.tcString in the example below) is by using the addEventListener command.
Sometimes you do not want to be notified of consent updates. You can achieve this by using the more advanced code below:
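The two usages described above, written out as an added example that is not the page's original snippet: a continuous listener that receives every updated TC string, so nothing acts on a stale consent signal, and a one-shot variant that unregisters itself after the first usable value. The helper names watchTcString, getTcStringOnce and makeFakeCmp are assumptions of this example, and the fake CMP is a constructed stand-in so the code runs without a browser.

```javascript
// Added example (not the page's original snippet). `tcfapi` defaults to the
// global __tcfapi defined by the CMP stub; it is a parameter so the logic can
// be exercised offline with the constructed stand-in at the bottom.

// Event statuses at which the TC string reflects a stored or fresh choice.
const READY_STATUSES = ['tcloaded', 'useractioncomplete'];

// Continuous mode: onChange is called for the current consent and again on
// every later consent update.
function watchTcString(onChange, tcfapi = globalThis.__tcfapi) {
  if (typeof tcfapi !== 'function') throw new Error('__tcfapi is not defined');
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return;
    if (READY_STATUSES.includes(tcData.eventStatus)) {
      onChange(tcData.tcString, tcData);
    }
  });
}

// One-shot mode: deliver the first usable TC string, then unregister the
// listener so later consent updates are not delivered.
function getTcStringOnce(onReady, tcfapi = globalThis.__tcfapi) {
  if (typeof tcfapi !== 'function') throw new Error('__tcfapi is not defined');
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return;
    if (!READY_STATUSES.includes(tcData.eventStatus)) return; // e.g. "cmpuishown"
    tcfapi('removeEventListener', 2, () => {}, tcData.listenerId);
    onReady(tcData.tcString, tcData);
  });
}

// Constructed stand-in for a CMP, used only to run the example offline.
function makeFakeCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (command, version, callback, param) => {
    if (command === 'addEventListener') {
      const id = nextId++;
      listeners.set(id, callback);
      // The banner is shown first: no usable TC string yet.
      callback({ listenerId: id, eventStatus: 'cmpuishown', tcString: '' }, true);
    } else if (command === 'removeEventListener') {
      callback(listeners.delete(param));
    }
  };
  // Simulates the visitor saving a choice in the banner.
  api.userChooses = (tcString) => {
    for (const [id, cb] of [...listeners]) {
      cb({ listenerId: id, eventStatus: 'useractioncomplete', tcString }, true);
    }
  };
  api.listenerCount = () => listeners.size;
  return api;
}
```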
This is an optional extension to IAB TCF.
Once set up in Consent Management Settings, an additional addtlConsent property will be available on the tcData object.
You can copy-paste a Consent-String on this page: .