What are the differences between IAB TCF 1.0 and IAB 2.0
In August 2019, the Interactive Advertising Bureau (IAB) Europe released the Transparency and Consent Framework (TCF) version 2.0.
This development comes slightly over a year after the release of IAB’s TCF 1.0 in April 2018, just a month before the EU’s General Data Protection Regulation (GDPR) came into effect.
The release of IAB’s Transparency Consent Framework 1.0 through a collaboration between IAB Europe and IAB Tech Lab was in response to the GDPR introducing the requirement of consumer consent for the use of ad targeting data being available and shared across the digital advertising sector.
Although the Interactive Advertising Bureau’s TCF 1.0 created a basic framework for communication of consent from the data subject to several relevant companies in the advertising technology supply chain, it had shortcomings in some key areas. The shortcomings include lack of;
- publisher cooperation and control
- provisions for legitimate interest
- Participation by the biggest player in this ecosystem
IAB 2.0 addresses the issues raised concerning TCF 1.0 while maintaining the benefits of an industry standard.
Essentially, the sectoral standard in this context is meeting GDPR requirements and respecting consumer rights, while allowing publishers to harness the revenue and effectiveness of programmatic advertising.
The key differences between IAB 2.0 and IAB 1.0 include;
- Increased control for publishers
- Inclusion of legitimate interest provisions
- Better self-enforcement and regulation
- Improved collaboration with data protection bodies, vendors, and publishers
- Participation from the biggest player in the industry
Increased Control for Publishers
Compared to IAB Transparency Consent Framework 1.0, IAB 2.0 will give publishers more control over the advertisers they collaborate with and the choice of the various legal bases vendors can utilize on the personal information belonging to the publishers’ users.
While vendors can sign up to process using consent or legitimate interest as their legal basis, publishers will have the freedom to overrule this preference and compel a vendor to only process using a particular legal basis. In some cases, publishers can require vendors not to process at all.
Furthermore, through partnering with a Consent Management Platform (CMP), publishers can opt to get rid of specific vendors that they do not want to collaborate with from the Transparency and Consent String (TC String).
Consequently, IAB’s TCF 2.0 makes it possible for publishers to have the comfort necessary to depend on a specific CMP solution.
Inclusion of Legitimate Interest Provisions
According to GDPR provisions, legitimate interest is a valid legal basis for processing personal information. As such, several publishers utilize legitimate interest as their primary legal basis.
However, with IAB TCF 1.0, publishers who use legitimate interest as the basis for processing personal data were unable to apply it for their purposes. Similarly, there was a lack of initiative to embrace it for use by their vendors.
The implication of this aspect is the emergence of risks for both vendors and publishers due to the lack of an industry standardized approach for consumers to object processing as needed when legitimate interest is used as the legal basis for processing. For this reason, consumers were unsure of what was happening to their information.
With IAB 2.0, publishers can meet the requirements of legitimate interest through their CMP by providing adequate transparency to consumers regarding the processing of their data. Furthermore, they can allow data subjects to object processing, on a granular basis, in a way that is communicated downstream.
Another crucial challenge with utilizing legitimate interest is that the current version of the ePrivacy Directive requires ad tech firms to seek consent for accessing a device and setting cookies. After the CJEU cookie ruling, businesses are required to seek consent per GDPR provisions.
However, before IAB’s TCF 2.0, publishers did not have a clear way of gaining consent to deploy cookies and access devices when using legitimate interest as the legal basis for other kinds of processing.
Lastly, IAB’s TCF 2.0 allows jurisdiction-focused consent to address unique cases such as Germany where the ePrivacy Directive is not in effect, which means businesses are not obliged to seek consent to deploy cookies.
Better Self-Enforcement and Regulation
Another crucial improvement publishers can look forward to concerning IAB’s TCF 2.0 is the ability to self-regulate.
Firstly, the second version will oblige advertising vendors to identify and use signals from registered CMPs solely. In case a publisher wants to come up with a private CMP, they will still need to meet the established standards and seek certification from IAB Europe.
Secondly, Consent Management Platforms will be expected to keep records of the UI deployed on any specific publishers at any time and make it easily accessible. The impact of this requirement will be enhanced transparency and the ability of vendors to guarantee that the data displayed to data subjects is accurate.
Thirdly, IAB’s TCF 2.0 will provide a CMP validator that can be utilized to establisher whether the Consent Management Platform meets compliance requirements.
Lastly, the second version improves on IAB’s TCF 1.0 by introducing additional ways to remove anyone who doesn’t comply with the guidelines. This aspect is vital since both participants and regulators are subject to high standards.
Improved Collaboration with Data Protection Bodies, Vendors, and Publishers
One of the core criticisms of the IAB’s TCF 1.0 was the fact that it was too friendly to vendors at the expense of publishers.
However, after working closely with publishers, IAB’s TCF 2.0 will give publishers the control they require. This aspect is in response to the fact that as the core owner of the interaction with data subjects, publishers had to deal with unique problems that were not resolved in the first version.
Additionally, the participation of several Data Protection Agencies in the development of IAB’s TCF 2.0 addressed some of the unclear areas regarding the enforcement of data protection regulations eliminating the risk of the Framework being challenged successfully.
Participation from the Biggest Player in the Industry
One of the key stumbling blocks to the adoption of IAB’s TCF 1.0 was the absence of Google, which is the largest player in this industry. However, the tech giant was involved in the development of TCF 2.0 and has pledged to join the framework once the new version is rolled out.
For personalized support on how to use Secure Privacy as your Consent Management Platform for IAB 2.0 book a call with us today and speak to an expert.
Read more blog posts about IAB.
Want to try
Get your free cookie banner up and running today!
The Ultimate Guide to GDPR Data Breach Responses
If you think that data breaches only happen to someone else, think again. Data breaches have happened to all types of businesses - from small ecommerce stores to large corporations such as Microsoft and it could happen to you as well. Read about GDPR Data Breach Responses here.
What Is a Data Protection Officer and Do You Need One?
When a business operator realizes they need to comply with the GDPR or any other data protection law, one of the first questions to pop up in their head is - Do I need a DPO? Learn all about DPOs here.
- Data Protection
How to implement an Online Data Protection Strategy
When a company operates online within the European Union, or when its website visitors come from the EU, the company must comply with the General Data Protection Regulation (GDPR). The GDPR was created to protect citizens' personal data and restrict abuses.
- Data Protection