
What are the requirements of a TCF v2 compliant consent notice?

July 20, 2020 by Yannig Roth

What are the responsibilities of each party?

What about Didomi (or any other CMP)?

Didomi’s role is to provide tools and general guidance to get in compliance with various privacy regulations (GDPR, CCPA, etc.) and standards (IAB TCF, IAB CCPA, etc.) that companies implementing our CMP might be subject to. Didomi provides example configurations and texts that incorporate rules from different regulations and the IAB frameworks.

As an IAB-registered CMP, Didomi’s role is to ensure that the IAB frameworks are respected by all websites and mobile apps that implement them through the Didomi CMP. Didomi is held accountable by IAB Europe through regular audits of our clients’ websites and mobile apps. While Didomi is here to help, we are not legally authorized to provide legal counsel and cannot be held responsible for a lack of compliance due to a misconfigured CMP.

And what about YOU (your organization, your DPO, your team)?

Every organization is different and you must customize the CMP and its texts to ensure that it is compliant and that the user information is complete by adding information about extra data processing that your organization is operating. To give you maximum control, Didomi allows you to customize the content of a consent notice.

We recommend working closely with Didomi, your legal department and the local IAB organizations to ensure that your configuration of the Didomi CMP is in compliance with the regulations that your organization is subject to and the IAB TCF framework.

When launching a consent notice, you must ensure that your texts and disclosures are compliant with the regulations and the IAB TCF framework. As non-compliance of your websites and mobile apps with the IAB TCF framework can affect Didomi’s standing as a CMP for all of Didomi’s clients, Didomi will proactively check the compliance of your consent notices and will work with you to ensure that they are compliant. In rare cases, if compliance cannot be achieved through discussions between Didomi and your organization, Didomi might temporarily disable consent notices or disable the IAB TCF support for notices that remain non-compliant.

Here are the 10 TCF v2 requirements

Consent under GDPR must be informed, freely given, specific, and unambiguous.

The requirements listed below help ensure that your consent notice is configured to respect the definition of a valid consent.

The list of requirements and the example texts provided are the minimal set of requirements for a valid notice running on the Didomi CMP. Meeting them does not guarantee a notice that is compliant with the regulations, and the texts require customization to fit the exact data processing and business practices of your organization.

The requirements include global GDPR requirements valid across all countries, and IAB TCF-driven requirements. For country-specific requirements, dedicated articles are available in our documentation.

Here is an example of a notice that meets all the requirements listed below (except for the full list of data processing and legal bases, which depends on your organization):

We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, for data processing like displaying personalized ads, measuring preferences of our visitors, etc.
You can make a choice here and change your preferences at any time in our Privacy Policy on this website.
Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Requirement 1: Complete list of data processing and legal bases used by your organization and its partners

For the user to be fully informed, they must be given a chance to review the full list of all the data processing operated by your organization and your partners, as well as all the legal bases used for those data processing. This includes purposes and their legal bases, as well as special IAB TCF entities like features, special features, and special purposes.

Didomi provides an easy way to display an automated list of the data processing and legal bases configured in the CMP.

While it is acceptable to list the data processing and legal bases in your custom texts, we recommend enabling the automated list so that it always stays in sync with your notice configuration.

Requirement 2: Indicate that data is stored and accessed from the user device by your organization and by third-parties

Your notice must state that information is stored on and accessed from the user’s device (e.g. cookies, device identifiers, or other device data) by your organization and by third parties. Informing the user about your organization alone is not enough. While this is partly covered by the cookie-related entries in the list of data processing, it must be stated more explicitly for the user to be fully informed.

Example: We and our partners store and access non-sensitive information from your device…

Requirement 3: Indicate that both your organization and third-parties are processing personal data from the user

The user usually has a direct relationship with your organization but limited knowledge of the third parties that you work with and how they might process their personal data. It is important for the user to be informed that third parties are also processing their personal data on your website or mobile app.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies, for data processing …

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, for data processing …

Requirement 4: Examples of personal data being processed

The user needs to be able to understand what personal data will be collected and processed. The text must include examples of such data, like “cookies” (for Web), “device identifiers” (for mobile apps), browsing data, information about the user’s interests, etc.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers,…

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, and process personal data like IP addresses and cookie identifiers,…

Requirement 5: Link to the list of third-parties processing personal data

Your notice must include a link that lets the user access the full list of third parties that might process their personal data. Didomi automatically adds a “View our partners” link to all notices. The link added by Didomi is automatically hidden if you add your own link to Didomi.preferences.show() in your notice text.

Requirement 6: Consequences of consenting or not

As consent should be freely given, the user should be clearly informed of the consequences of consenting or not consenting. Keep in mind that there cannot be adverse consequences for not consenting. For instance, you cannot prevent users from accessing your website or mobile app if they do not consent to their personal data being processed.

Requirement 7: Right to modify consent choices

Users have the right to modify their consent choices at any time and should be informed of that right and of how to exercise it. The instructions for modifying their choices should be clear and specific.

Example for Web: You can change your preferences at any time in our privacy policy on this website.

Example for Mobile Apps: You can change your preferences at any time in the Privacy menu of this app.

Requirement 8: Modifying consent choices

In addition to requirement 7 (the right to modify consent choices), a link should be added to your website or mobile app to show the Preferences view again and allow the user to update or withdraw their consent choices. That link should preferably be present on all pages / views of your website or mobile app, or at least in the privacy policy.

Add a link to Didomi.preferences.show() to allow the user to open the Preferences view.
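As an added illustration of that step (example code written for this article, not Didomi’s own SDK code), here is how a “Manage my choices” link can be wired so that it reopens the Preferences view. It assumes the Didomi web SDK exposes a window.didomiOnReady callback queue that it drains once loaded, and the Didomi.preferences.show() method named above; the window, link, event and Didomi objects in the simulation at the bottom are constructed fakes so the file runs offline.

```javascript
// Added example, not Didomi's own code. Assumes: the SDK drains
// window.didomiOnReady (an array of callbacks receiving the Didomi object)
// once initialised, and exposes Didomi.preferences.show().

// Queue a callback for the SDK. If the SDK has not loaded yet, the array is
// created here and the SDK drains it later; if it has, the SDK's own array is used.
function onDidomiReady(win, callback) {
  win.didomiOnReady = win.didomiOnReady || [];
  win.didomiOnReady.push(callback);
  return win.didomiOnReady.length;
}

// Build the click handler: cancel the link's default navigation and reopen the
// Preferences view so the user can update or withdraw their choices.
function makePreferencesClickHandler(didomi) {
  return function onClick(event) {
    if (event && typeof event.preventDefault === 'function') event.preventDefault();
    didomi.preferences.show();
    return false;
  };
}

// Attach the handler to a link element (anything exposing addEventListener),
// deferring until the SDK is ready so the handler never hits an undefined Didomi.
function attachPreferencesLink(win, link) {
  onDidomiReady(win, function (didomi) {
    link.addEventListener('click', makePreferencesClickHandler(didomi));
  });
}

// --- Constructed offline simulation: page code runs before the SDK loads ----
function simulate() {
  const win = {};                        // stands in for window
  const listeners = {};
  const link = {                         // stands in for <a id="manage-choices">
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    click(event) { (listeners.click || []).forEach((fn) => fn(event)); },
  };
  attachPreferencesLink(win, link);      // queued: SDK not loaded yet

  let shown = 0;
  const Didomi = { preferences: { show() { shown += 1; } } };  // fake SDK object
  // The real SDK drains the queue like this once it is initialised.
  (win.didomiOnReady || []).forEach((cb) => cb(Didomi));

  let prevented = 0;
  link.click({ preventDefault() { prevented += 1; } });        // user clicks
  return { shown, prevented, queued: win.didomiOnReady.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulate());
}
```

In a real page the link would be something like an anchor with id "manage-choices" and the call would be attachPreferencesLink(window, document.getElementById('manage-choices')), placed in the footer template so it appears on every page, which is what requirement 8 asks for.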

Requirement 9: Legitimate interest

Your organization and third parties might use legitimate interest as the legal basis for some data processing. If that is the case, the user must be informed of that fact and of their right to object to that data processing.

Example: Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Important note: this requirement does not apply to TCF v1.1 and only applies to TCF v2.

Requirement 10: Calls to action must be of equal visual prominence

Choices offered to the user (Agree / Disagree, Learn More, etc.) must be of equal visual prominence so as not to imply that one choice is better than the other. This implies that the visual components used for those choices should be of the same nature: you cannot have one option displayed as a button while the other is displayed as a simple link.

For instance, if Agree and Learn More are the two options available, they should both be buttons or both be links. You cannot display an Agree button next to a Learn More link.

If you want to learn more from a source other than Didomi, IAB Europe has detailed rules and examples in its CTA requirements documentation. Our team is of course happy to help you with the TCF v2 transition. You will find dedicated TCF v2 resources in our Help Center as well as on our TCF v2 Transition Page (which includes a 10-step transition checklist).
