April 7, 2020

What are the differences between IAB TCF 1.0 and IAB 2.0

In August 2019, the Interactive Advertising Bureau (IAB) Europe released the Transparency and Consent Framework (TCF) version 2.0. 

In August 2019, the Interactive Advertising Bureau (IAB) Europe released the Transparency and Consent Framework (TCF) version 2.0. 

This development comes slightly over a year after the release of IAB’s TCF 1.0 in April 2018, just a month before the EU’s General Data Protection Regulation (GDPR) came into effect. 

The release of IAB’s Transparency Consent Framework 1.0 through a collaboration between IAB Europe and IAB Tech Lab was in response to the GDPR introducing the requirement of consumer consent for the use of ad targeting data being available and shared across the digital advertising sector.

Although the Interactive Advertising Bureau’s TCF 1.0 created a basic framework for communication of consent from the data subject to several relevant companies in the advertising technology supply chain, it had shortcomings in some key areas. The shortcomings include lack of;

  • publisher cooperation and control
  • provisions for legitimate interest
  • self-enforcement
  • Participation by the biggest player in this ecosystem

IAB 2.0 addresses the issues raised concerning TCF 1.0 while maintaining the benefits of an industry standard. 

Essentially, the sectoral standard in this context is meeting GDPR requirements and respecting consumer rights, while allowing publishers to harness the revenue and effectiveness of programmatic advertising.

The key differences between IAB 2.0 and IAB 1.0 include;

  • Increased control for publishers
  • Inclusion of legitimate interest provisions
  • Better self-enforcement and regulation
  • Improved collaboration with data protection bodies, vendors, and publishers
  • Participation from the biggest player in the industry

Increased Control for Publishers

Compared to IAB Transparency Consent Framework 1.0, IAB 2.0 will give publishers more control over the advertisers they collaborate with and the choice of the various legal bases vendors can utilize on the personal information belonging to the publishers’ users.

While vendors can sign up to process using consent or legitimate interest as their legal basis, publishers will have the freedom to overrule this preference and compel a vendor to only process using a particular legal basis. In some cases, publishers can require vendors not to process at all. 

Furthermore, through partnering with a Consent Management Platform (CMP), publishers can opt to get rid of specific vendors that they do not want to collaborate with from the Transparency and Consent String (TC String). 

Consequently, IAB’s TCF 2.0 makes it possible for publishers to have the comfort necessary to depend on a specific CMP solution.

Inclusion of Legitimate Interest Provisions

According to GDPR provisions, legitimate interest is a valid legal basis for processing personal information. As such, several publishers utilize legitimate interest as their primary legal basis. 

However, with IAB TCF 1.0, publishers who use legitimate interest as the basis for processing personal data were unable to apply it for their purposes. Similarly, there was a lack of initiative to embrace it for use by their vendors.

The implication of this aspect is the emergence of risks for both vendors and publishers due to the lack of an industry standardized approach for consumers to object processing as needed when legitimate interest is used as the legal basis for processing. For this reason, consumers were unsure of what was happening to their information.

With IAB 2.0, publishers can meet the requirements of legitimate interest through their CMP by providing adequate transparency to consumers regarding the processing of their data. Furthermore, they can allow data subjects to object processing, on a granular basis, in a way that is communicated downstream.

Another crucial challenge with utilizing legitimate interest is that the current version of the ePrivacy Directive requires ad tech firms to seek consent for accessing a device and setting cookies. After the CJEU cookie ruling, businesses are required to seek consent per GDPR provisions. 

However, before IAB’s TCF 2.0, publishers did not have a clear way of gaining consent to deploy cookies and access devices when using legitimate interest as the legal basis for other kinds of processing.

Lastly, IAB’s TCF 2.0 allows jurisdiction-focused consent to address unique cases such as Germany where the ePrivacy Directive is not in effect, which means businesses are not obliged to seek consent to deploy cookies.

Better Self-Enforcement and Regulation

Another crucial improvement publishers can look forward to concerning IAB’s TCF 2.0 is the ability to self-regulate.

Firstly, the second version will oblige advertising vendors to identify and use signals from registered CMPs solely. In case a publisher wants to come up with a private CMP, they will still need to meet the established standards and seek certification from IAB Europe. 

Secondly, Consent Management Platforms will be expected to keep records of the UI deployed on any specific publishers at any time and make it easily accessible. The impact of this requirement will be enhanced transparency and the ability of vendors to guarantee that the data displayed to data subjects is accurate.

Thirdly, IAB’s TCF 2.0 will provide a CMP validator that can be utilized to establisher whether the Consent Management Platform meets compliance requirements.

Lastly, the second version improves on IAB’s TCF 1.0 by introducing additional ways to remove anyone who doesn’t comply with the guidelines. This aspect is vital since both participants and regulators are subject to high standards. 

Improved Collaboration with Data Protection Bodies, Vendors, and Publishers

One of the core criticisms of the IAB’s TCF 1.0 was the fact that it was too friendly to vendors at the expense of publishers. 

However, after working closely with publishers, IAB’s TCF 2.0 will give publishers the control they require. This aspect is in response to the fact that as the core owner of the interaction with data subjects, publishers had to deal with unique problems that were not resolved in the first version.

Additionally, the participation of several Data Protection Agencies in the development of IAB’s TCF 2.0 addressed some of the unclear areas regarding the enforcement of data protection regulations eliminating the risk of the Framework being challenged successfully. 

Participation from the Biggest Player in the Industry

One of the key stumbling blocks to the adoption of IAB’s TCF 1.0 was the absence of Google, which is the largest player in this industry. However, the tech giant was involved in the development of TCF 2.0 and has pledged to join the framework once the new version is rolled out. 

For personalized support on how to use Secure Privacy as your Consent Management Platform for IAB 2.0 book a call with us today and speak to an expert.

Read more blog posts about cookie consent.

Top GDPR-Compliant Analytics Tools: Safeguarding User Privacy in 2023

Learn about the complexities of using Google Analytics 4 in accordance with the EU's General Data Protection Regulation (GDPR). Explore the compliance issues, and steps to make GA4 GDPR compliant, and discover privacy-friendly alternatives that provide powerful website analytics while respecting user privacy and data protection laws.

  • GDPR
  • Europe GDPR

Understanding Compliance: Navigating CCPA Regulations with Google Analytics 4

Discover the compatibility of Google Analytics 4 with the California Consumer Privacy Act (CCPA). This article explores the CCPA compliance of GA4, outlines the obligations it imposes on businesses, and provides insights on how to handle CCPA requirements while using Google Analytics 4 for data collection and analysis. Learn about opt-out mechanisms, data retention periods, and consumer request obligations to ensure compliance with CCPA regulations.

  • USA
the 10 pipeda principles

10 Principles of PIPEDA Explained: A Comprehensive Guide to Privacy Compliance

Learn about the 10 principles of PIPEDA, the federal privacy law of Canada, and understand how to ensure privacy compliance for your organization. Discover key concepts such as accountability, consent, limiting collection, safeguards, and more. Get insights into the applicability of PIPEDA and how it compares to other data protection laws worldwide. Stay informed and protect personal data in accordance with Canadian privacy regulations.

  • Canada
  • Canada PIPEDA