The TCF 2.0 (Transparency and Consent Framework) standard, and what you should know about it


The Interactive Advertising Bureau (IAB) is an advertising industry association whose European branch (IAB Europe) has introduced a standard for how advertising can be served to users in line with the General Data Protection Regulation (GDPR). This standard is called TCF 2.0 (Transparency and Consent Framework). If you want to integrate any kind of advertising into a website, chances are the advertising network will require your website to implement that standard. This is a very brief overview of what that means:

The basic idea of TCF 2.0 is that an advertising network wants assurance that you have properly collected consent from the user for the purposes the network needs. Since the legal requirements for collecting consent are extensive, the advertising network does not want to trust you (as the developer of the website) to get this right, but wants stronger proof.

To this end, the advertising network (e.g. "Google Advertising Products") registers with the IAB as a vendor and declares what kind of consent it requires. Consent is modeled as a list of purposes defined by the IAB. A purpose is something like

  • "vendor X is allowed to select a basic advertisement according to a rough geographic region of the user", or
  • "vendor X is allowed to serve personalized advertising based on user behavior", or
  • "vendor X is allowed to use user data to improve its algorithm" etc.

As a website developer, you then have to integrate a consent form (i.e. a "cookie banner") that lets the user consent to or reject each of these purposes. This form has to come from a registered third-party provider, a so-called consent management platform (CMP). Your website loads the CMP via a JavaScript tag, which then renders the form directly.

The form shows the user detailed information on what your website will do and what they can consent to or refuse (while at the same time being as annoying as possible, so that the maximum number of users simply consent to everything). You can see an example at https://www.handelsblatt.com/ (click "Datenschutzeinstellungen" in the footer if you have been there before).

When a user provides (or withholds) consent, the CMP produces a consent string (the "TC string"), a compact base64url-encoded token that records the exact consent the user has given per purpose and per vendor. This token is then passed along to the advertising network, which decides whether (and how) advertisements can be served. For example, an ad manager can serve personalized ads only if the user consented to that purpose, and non-personalized advertisements otherwise. See https://www.consentstringdecoder.com/ for an example string. Note that the string is not cryptographically signed: the "proof" the framework offers rests on the CMP being a registered, accountable party (its CMP id is part of the string), not on anything the ad network could verify technically.

The CMP also injects a standardized JavaScript function called __tcfapi into your page. Any other third-party code can call it to query the user's consent on its own, if it so desires, without having to decode the string itself.
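To make the consent string concrete, here is a decoder for the core segment of a TCF 2.0 TC string. It is an added example, not code from the original post, the IAB, or any CMP; it returns the data in the same shape (purpose.consents, vendor.consents, ... keyed by id) that a CMP's __tcfapi hands to callbacks, and includes a builder for a constructed sample string so it runs offline. The field layout follows the published TCF 2.0 string format; the cmpId 7, vendor id 755, purpose numbers, language codes and timestamps in the sample are illustration values chosen here, not taken from any real CMP.

```javascript
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

function toBits(segment) {                 // base64url (unpadded) -> '0'/'1' string
  let bits = '';
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character "${ch}"`);
    bits += v.toString(2).padStart(6, '0');
  }
  return bits;
}

function fromBits(bits) {                  // '0'/'1' string -> base64url, zero-padded to 6 bits
  const padded = bits + '0'.repeat((6 - (bits.length % 6)) % 6);
  let out = '';
  for (let i = 0; i < padded.length; i += 6) out += B64URL[parseInt(padded.slice(i, i + 6), 2)];
  return out;
}

class BitReader {
  constructor(bits) { this.bits = bits; this.pos = 0; }
  int(n) {                                 // unsigned big-endian integer of n bits
    if (this.pos + n > this.bits.length) throw new Error('truncated TC string');
    const v = parseInt(this.bits.slice(this.pos, this.pos + n), 2);
    this.pos += n;
    return v;
  }
  // n single-bit flags -> {1: bool, ..., n: bool}; purpose and feature ids are 1-based
  flags(n) { const o = {}; for (let i = 1; i <= n; i++) o[i] = this.int(1) === 1; return o; }
  // n letters of 6 bits each, 0 = 'A' (used for language and country codes)
  letters(n) { let s = ''; for (let i = 0; i < n; i++) s += String.fromCharCode(65 + this.int(6)); return s; }
  rangeEntries() {                         // NumEntries, then single ids or [start, end] ranges
    const ids = {};
    const n = this.int(12);
    for (let i = 0; i < n; i++) {
      const isRange = this.int(1) === 1;
      const start = this.int(16);
      const end = isRange ? this.int(16) : start;
      for (let id = start; id <= end; id++) ids[id] = true;
    }
    return ids;
  }
  vendors() {                              // MaxVendorId, IsRangeEncoding, then bitfield or ranges
    const maxId = this.int(16);
    if (this.int(1) === 1) return this.rangeEntries();
    const ids = {};
    for (let id = 1; id <= maxId; id++) if (this.int(1) === 1) ids[id] = true;
    return ids;
  }
}

function decodeTcString(tcString) {
  const r = new BitReader(toBits(tcString.split('.')[0]));   // core segment only
  const version = r.int(6);
  if (version !== 2) throw new Error(`unsupported TC string version ${version}`);
  const tc = {                                               // fields in TC string order
    version,
    created: new Date(r.int(36) * 100),                      // stored as deciseconds since epoch
    lastUpdated: new Date(r.int(36) * 100),
    cmpId: r.int(12), cmpVersion: r.int(12), consentScreen: r.int(6),
    consentLanguage: r.letters(2),
    vendorListVersion: r.int(12), policyVersion: r.int(6),
    isServiceSpecific: r.int(1) === 1, useNonStandardStacks: r.int(1) === 1,
    specialFeatureOptins: r.flags(12),
    purpose: { consents: r.flags(24), legitimateInterests: r.flags(24) },
    purposeOneTreatment: r.int(1) === 1,
    publisherCC: r.letters(2),
    vendor: {}, publisher: { restrictions: {} },
  };
  tc.vendor.consents = r.vendors();
  tc.vendor.legitimateInterests = r.vendors();
  const numRestrictions = r.int(12);                         // publisher restrictions: purpose -> vendor -> type
  for (let i = 0; i < numRestrictions; i++) {
    const purposeId = r.int(6), type = r.int(2), vendors = r.rangeEntries();
    const byVendor = tc.publisher.restrictions[purposeId] || (tc.publisher.restrictions[purposeId] = {});
    for (const id of Object.keys(vendors)) byVendor[id] = type;
  }
  return tc;
}

// Constructed sample (no real CMP involved): the same fields written in the same order.
function buildSampleTcString() {
  let bits = '';
  const put = (v, n) => { bits += v.toString(2).padStart(n, '0'); };
  const flags = (set, n) => { for (let i = 1; i <= n; i++) put(set.includes(i) ? 1 : 0, 1); };
  const letters = (s) => { for (const ch of s) put(ch.charCodeAt(0) - 65, 6); };
  put(2, 6); put(16000000000, 36); put(16000000000, 36); // version, created, lastUpdated (deciseconds)
  put(7, 12); put(1, 12); put(1, 6); letters('DE');      // cmpId, cmpVersion, consentScreen, consentLanguage
  put(100, 12); put(2, 6); put(1, 1); put(0, 1);         // vendor list version, policy version, serviceSpecific, nonStandardStacks
  flags([], 12); flags([1, 2, 7], 24); flags([2, 7, 9, 10], 24); // special features, purpose consents, purpose LI
  put(0, 1); letters('DE');                              // purposeOneTreatment, publisherCC
  put(755, 16); put(1, 1); put(1, 12); put(0, 1); put(755, 16); // vendor consents as range list: only vendor 755
  put(755, 16); put(0, 1); flags([755], 755);            // vendor LI as bitfield: only vendor 755
  put(1, 12); put(2, 6); put(1, 2); put(1, 12); put(0, 1); put(755, 16); // one restriction: purpose 2, type 1 (consent only), vendor 755
  return fromBits(bits);
}
```

The decoder treats the string as what it is, a claim made by the CMP: an ad network can check that it is well-formed and that the cmpId belongs to a registered CMP, but nothing in the bits themselves proves who produced them. The publisher restrictions at the end show that, beyond the per-purpose bits, the site can further narrow which legal basis a specific vendor may use.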

There is one important detail about consent: As a website owner, you can claim a "legitimate interest" for a certain purpose, e.g. "we have a legitimate interest in serving the user a geo-targeted advertisement", as opposed to "we need explicit consent from the user to serve a geo-targeted advertisement". A purpose claimed via legitimate interest requires more steps for a user to reject, i.e. it defaults to "granted" even when the user customizes their consent, and the user has to actively object to it. Whether legitimate interest is acceptable depends on the vendor and the purpose. For example, Google will accept legitimate interest for geo-targeted advertisements, but will require explicit consent to store cookies on the user's device.
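The following is an added example (not code from the original post, from any CMP, or from Google) of the decision an ad integration has to make from the TCData object that __tcfapi passes to its callbacks, including the consent-versus-legitimate-interest distinction just described. The purpose ids are the TCF 2.0 ones (1 = store and/or access information on a device, 2 = select basic ads, 3 = create a personalised ads profile, 4 = select personalised ads); the vendor policy encoded in VENDOR_POLICY (purpose 1 consent only, purpose 2 consent or legitimate interest, personalised ads consent only) is a hypothetical policy modelled on the text, and VENDOR_ID 755 is an assumed vendor id. The sample TCData objects are constructed inline.

```javascript
const VENDOR_ID = 755;   // assumption: the id under which our ad network is registered as a vendor

// TCF 2.0 purpose ids referenced below (from the IAB purpose list)
const PURPOSE = { STORAGE: 1, BASIC_ADS: 2, PERSONALISED_PROFILE: 3, PERSONALISED_ADS: 4 };

// Hypothetical vendor policy modelled on the text: storing cookies needs consent,
// selecting basic (geo-targeted) ads may also rest on legitimate interest,
// personalised ads need consent.
const VENDOR_POLICY = {
  [PURPOSE.STORAGE]: ['consent'],
  [PURPOSE.BASIC_ADS]: ['consent', 'legitimateInterest'],
  [PURPOSE.PERSONALISED_PROFILE]: ['consent'],
  [PURPOSE.PERSONALISED_ADS]: ['consent'],
};

// The publisher may narrow the legal basis per purpose and vendor in the TC string
// (tcData.publisher.restrictions[purposeId][vendorId]: 0 = not allowed,
// 1 = consent only, 2 = legitimate interest only).
function allowedBases(tcData, vendorId, purposeId) {
  let bases = VENDOR_POLICY[purposeId] || [];
  const restrictions = (tcData.publisher && tcData.publisher.restrictions) || {};
  const restriction = restrictions[purposeId] ? restrictions[purposeId][vendorId] : undefined;
  if (restriction === 0) bases = [];
  if (restriction === 1) bases = bases.filter((b) => b === 'consent');
  if (restriction === 2) bases = bases.filter((b) => b === 'legitimateInterest');
  return bases;
}

// A purpose is covered only if BOTH the purpose and the vendor are cleared on the
// same legal basis: consent for both, or legitimate interest for both.
function hasLegalBasis(tcData, vendorId, purposeId) {
  const bases = allowedBases(tcData, vendorId, purposeId);
  const byConsent = tcData.purpose.consents[purposeId] === true && tcData.vendor.consents[vendorId] === true;
  const byLI = tcData.purpose.legitimateInterests[purposeId] === true
    && tcData.vendor.legitimateInterests[vendorId] === true;
  return (bases.includes('consent') && byConsent) || (bases.includes('legitimateInterest') && byLI);
}

// Returns 'wait' (no final decision yet), 'none', 'non-personalised' or 'personalised'.
function decideAdMode(tcData, vendorId) {
  if (tcData.gdprApplies === false) return 'personalised';                 // TCF does not apply (other laws may)
  if (!['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus)) return 'wait'; // e.g. 'cmpuishown'
  if (!hasLegalBasis(tcData, vendorId, PURPOSE.STORAGE)) return 'none';   // may not even set a cookie
  if (!hasLegalBasis(tcData, vendorId, PURPOSE.BASIC_ADS)) return 'none';
  const personalised = hasLegalBasis(tcData, vendorId, PURPOSE.PERSONALISED_PROFILE)
    && hasLegalBasis(tcData, vendorId, PURPOSE.PERSONALISED_ADS);
  return personalised ? 'personalised' : 'non-personalised';
}

// Constructed TCData objects in the shape __tcfapi delivers (no real CMP involved).
function sampleTcData({ consents = [], li = [], vendorConsent = true, vendorLI = true,
                        eventStatus = 'useractioncomplete', restrictions = {} }) {
  const set = (ids) => Object.fromEntries(ids.map((id) => [id, true]));
  return {
    gdprApplies: true, eventStatus,
    purpose: { consents: set(consents), legitimateInterests: set(li) },
    vendor: { consents: set(vendorConsent ? [VENDOR_ID] : []), legitimateInterests: set(vendorLI ? [VENDOR_ID] : []) },
    publisher: { restrictions },
  };
}

// In the browser the CMP injects __tcfapi; register for consent updates instead of
// polling. 'tcloaded' = stored consent restored on page load, 'useractioncomplete'
// = the user has just made a choice in the form. This branch is skipped outside a browser.
if (typeof __tcfapi === 'function') {
  __tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success) return;
    const mode = decideAdMode(tcData, VENDOR_ID);
    if (mode !== 'wait') console.log('load ad tag in mode:', mode);
  });
}
```

Two things worth noting in the logic: a vendor is only cleared for a purpose when the vendor bit and the purpose bit agree on the same legal basis (consent for purpose 2 does not combine with a legitimate-interest vendor bit), and nothing should be loaded while the event status is still 'cmpuishown', because the user has not decided yet.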

There is also a technical specification of the standard on GitHub.

Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to makandra dev (2021-11-08 09:57)