Google joining TCF v2… Here’s what it means for publishersJuly 15, 2020byYannig Roth
The IAB Tech Lab and IAB Europe released the second version of the Transparency & Consent Framework (TCF v2), marking a big win in terms of industry traction, as Google has announced that it will integrate the framework by August 15th 2020. Now that Google Ad Manager (Google’s Supply Side Platform, or SSP) is joining the TCF, what does this mean for advertisers and publishers? This article outlines the key information you need to know and lists 12 points to remember about Google’s TCF v2 membership.
What is TCF v2, launched by the IAB?
The revised version of the framework focuses on improving the way publishers communicate to users how they use their data, to ensure consent requests are clearer, and users properly informed. It also aims to give publishers more control over how their ad tech vendor partners can use their data. The aim is to give the publishing and advertising industries “a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.” Users can now exercise a right to object if a business uses the legitimate interest (opt-out) basis, just as easily as revoking consent.
🔃 TRANSITION TO TCF V2 🔃
Who benefits the most from #TCFv2? 🤷♂️
Check out this clip by our CEO @Didomi_privacy from our latest webinar 👉 https://t.co/WGK1QolywT#gdpr #cybersecurity #publishers #brands #risk #dataprotection pic.twitter.com/NoH6BEc7T6
— Didomi (@Didomi_io) July 15, 2020
The second version of TCF (a.k.a. TCF v2, or TCF v2.0) includes 12 purposes, including two special features. The purposes relate to online ad delivery such as profiling, content and ad measurement. The special features are additional controls added for geolocation data and fingerprinting. These features also require an extra level of consent.
Google’s interoperability with TCF v2.0
As mentioned in Google Ad Manager’s help center, “Google will work [with] the TCF v2.0 to encompass several aspects of interoperability, including but not limited to:”
- Bidding on bid requests Google receives through Google Bid Manager or Adx.
- Sending bid requests from publishers using Google Ad Manager to third-party bidders.
- Allowing third-party ad tracking and third-party ad serving to occur.
But what will change exactly, and how to prepare for it?
To help you see more clearly, here are 12 key points to remember on the upcoming integration of Google to the framework:
1 – You’ll need a TCF v2-registered CMP to monetize with Google
To integrate with the IAB TCF v2, a publisher must implement a TCF v2-registered Consent Management Platform (CMP), such as Didomi, on their site or app. The CMP creates and sends the consent string (TC string), then Google’s ad tags and SDKs consume it and send it to Google ad technology providers. Note that publishers will not be able to choose to use Google outside of TCF, and therefore will not be able to continue to use Didomi’s integration to display non-personalized ads.
2 – TCF strings will automatically be consumed and passed
If you have already implemented an IAB TCF v2-registered CMP on your site or app, Google Ad Manager will automatically begin consuming the TC string from the CMP without any configuration from publishers. Passing TC strings to tags, programmatic and mediation partners will be done automatically.
In the context of passing the string to non-programmatic creatives, you must work with your creative provider to identify whether you need additional configuration (like macros) for your creatives to ensure they consume the TC string correctly.
3 – Without consent for “Purpose 1” no advertising will be broadcast by Google
If you do not have consent for “Purpose 1” in the TC string (in which the user allows Google to “store and/or access information on a device”), Google will drop the ad request and no ads will be served by Google, whether they are personalized or non-personalized, nor sent to third-party bidders. This will have an impact not only on your Google inventory, but on any ad on your website managed by Google.
4 – Consent strings must indicate consent (or legitimate interest)
For purposes 1 to 10, and for special purposes and features, the TC string must indicate that consent has been granted by, or legitimate interest has been established with, the user.
5 – Google will serve personalized versus non-personalized ads based on a set of criteria
Google will serve personalized ads when all of the following criteria are met: when end users grant Google consent to store and/or access information on a device (Purpose 1); create a personalized ads profile (Purposes 3); select personalized ads (Purposes 4).
Legitimate interest is established for Google to: select basic ads (Purpose 2); measure ad performance (Purpose 7); apply market research to generate audience insights (Purpose 9); develop and improve products (Purpose 10). If the consent requirements for personalized ads are not met, Google will serve non-personalized ads when the end user grants Google consent to Purpose 1; and legitimate interest is established for Google for Purposes 2, 7, 9 and 10.
6 – Global scope & out-of-band scope are not allowed when using Google for TCF purposes
This means they cannot be used on your websites and apps. In accordance with Google’s EU User Consent Policy, you must clearly identify each party that may collect, receive or use end users’ personal data as a result of your use of a Google product.
7 – TCF v2 and Google policies diverge on the scope of legal basis
The IAB’s TCF v2 provides options for publishers to choose the scope of a legal basis for the processing of personal data. Google policies require that publishers choose either (a) service-specific scope or (b) group-specific scope.
8 – Publishers can customise restrictions
Publishers can customize a variety of restrictions, and indicate their own preferences, which will take precedence over a vendor’s preferences, where applicable. As Google uses legitimate interest for certain purposes and does not mark them as flexible, it implies that a publisher adding a publisher restriction on the basis of legitimate interest for Google will block some purposes for Google (which we at Didomi do not recommend, as it is not good for publishers).
9 – Publishers should review the registration settings for the vendors they choose to work with
Say a vendor has registered flexibly with “legitimate interest” as the default lawful basis for a purpose where Google requires “consent”. If you want to work with that vendor via Google products, then you should choose consent for that vendor in the publisher restrictions of your CMP. Note that restrictions are only used to change the choices of the vendor. If a vendor has made a choice that the publisher is happy with, the publisher can leave it as it is.
10 – Bear in mind Real-Time Bidding (RTB) & Open Bidding
The IAB TCF v2 logic will apply to bid requests, bid responses and creatives, and cookie-matching requests. Google will allow bid requests to be sent and enable cookie matching when a vendor registers with “Consent” or, in limited cases, “Not used” for Ads Personalization (Purposes 3 and 4 in the TC string). Additionally, the user must have given Google consent for Purposes 1, 3, and 4.
11 – Surface all Ad Tech Partners (ATPs) in your CMP
Ensure that you are surfacing all of your ATPs in your CMP. This will ensure that Google can continue to make call outs to all partners in your waterfall.
12 – Publishers will be able to continue to use vendors that are not on the Global Vendor List (GVL)
Google will provide us with more information soon, but they have pointed out already that they will continue to accept ad tech providers that publishers have selected from existing monitoring tools. On our side, Didomi will integrate the GVL, including all vendors outside the TCF, to pass on the consent. Google’s compliance with TCF v2 consolidates the legitimacy of the framework and the importance of having a number of shared rules and common definitions for more security and transparency – it is great news for all actors in the programmatic chain!
Didomi is registered with – and compliant for – the TCF v2, we are here to guide you and help you in your transition process. Please contact us if you’d like to have more information on the subject!
PS: We’ll organize a webinar soon to help you in the transition:
🚨 LESS THAN 1 MONTH TO GO🚨
Are you ready for the transition from TCF v1 to #TCFv2? 🤷
Here's your final chance to prepare 👉 https://t.co/5CFbVzXJEq#dataprotection #cybersecurity #risk #GDPR #IAB #consent
— Didomi (@Didomi_io) July 15, 2020