What are the requirements of a TCF v2 compliant consent notice?
July 20, 2020 by Yannig Roth
What are the responsibilities of each party?
What about Didomi (or any other CMP)?
Didomi’s role is to provide tools and general guidance to get in compliance with various privacy regulations (GDPR, CCPA, etc.) and standards (IAB TCF, IAB CCPA, etc.) that companies implementing our CMP might be subject to. Didomi provides example configurations and texts that incorporate rules from different regulations and the IAB frameworks.
As an IAB-registered CMP, Didomi’s role is to ensure that the IAB frameworks are respected by all websites and mobile apps that implement them through the Didomi CMP. Didomi is held responsible by the IAB Europe through regular audits of our clients’ websites and mobile apps. While Didomi is here to help, we are not legally authorized to provide legal counsel and cannot be held responsible for a lack of compliance due to a misconfigured CMP.
And what about YOU (your organization, your DPO, your team)?
Every organization is different, and you must customize the CMP and its texts to ensure that the notice is compliant and that the information given to the user is complete, by adding information about any extra data processing that your organization operates. To give you maximum control, Didomi allows you to customize the content of a consent notice.
We recommend working closely with Didomi, your legal department and the local IAB organizations to ensure that your configuration of the Didomi CMP is in compliance with the regulations that your organization is subject to and the IAB TCF framework.
When launching a consent notice, you must ensure that your texts and disclosures are compliant with the regulations and the IAB TCF framework. As non-compliance of your websites and mobile apps with the IAB TCF framework can impact Didomi’s standing as a CMP for all of Didomi’s clients, Didomi will proactively check the compliance of your consent notices and will work with you on ensuring that they are compliant. In rare cases and if compliance cannot be achieved through discussions engaged by Didomi with your organization, Didomi might temporarily disable consent notices or disable the IAB TCF support for notices that remain non-compliant.
Here are 10 TCF v2 requirements
Consent under GDPR must be informed, freely given, specific, and unambiguous.
The requirements listed below help ensure that your consent notice is configured to respect the definition of a valid consent.
The list of requirements and the example texts provided are the minimal list of requirements for a valid notice running on the Didomi CMP. It does not guarantee a compliant notice with respect to the regulations and requires customization to fit the exact data processing and business practices of your organization.
The requirements include global GDPR requirements valid across all countries, and IAB TCF-driven requirements. For country-specific requirements, dedicated articles are available in our documentation.
Here is an example of a notice that meets all the requirements listed below (except for the full list of data processing and legal bases, that depends on your organization):
We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, for data processing like displaying personalized ads, measuring preferences of our visitors, etc.
Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.
Requirement 1: Complete list of data processing and legal bases used by your organization and its partners
For the user to be fully informed, they must be given a chance to review the full list of all the data processing operated by your organization and your partners, as well as all the legal bases used for those data processing. This includes purposes and their legal bases, as well as special IAB TCF entities like features, special features, and special purposes.
Didomi provides an easy way to display an automated list of the data processing and legal bases configured in the CMP.
While it is acceptable to list the data processing and legal bases in your custom texts, we recommend enabling that automated list to ensure that the list is always up-to-date from your notice configuration.
Requirement 2: Indicate that data is stored and accessed from the user device by your organization and by third-parties
Example: We and our partners store and access non-sensitive information from your device…
Requirement 3: Indicate that both your organization and third-parties are processing personal data from the user
The user usually has a direct relationship with your organization but limited knowledge of the third-parties that you work with and how they might process their personal data. It is important for the user to be informed that third-parties are also processing their personal data on your website or mobile app.
Example for Web: We and our partners store and access non-sensitive information from your device, like cookies, for data processing …
Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, for data processing …
Requirement 4: Examples of personal data being processed
The user needs to be able to understand what personal data will be collected and processed. The text must include examples of such data, like “cookies” (for Web), “device identifiers” (for mobile apps), browsing data, information about your interests, etc.
Example for Web: We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers,…
Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, and process personal data like IP addresses and cookie identifiers,…
Requirement 5: Link to the list of third-parties processing personal data
Your notice must include a link for the user to access the full list of third-parties that might process their personal data. Didomi automatically adds a “View our partners” link to all notices. The link added by Didomi will be automatically hidden if you specify your own link to Didomi.preferences.show() in your notice text.
Requirement 6: Consequences of consenting or not
As consent should be freely given, the user should be clearly informed of the consequences of consenting or not consenting. Keep in mind that there cannot be adverse consequences for not consenting. For instance, you cannot prevent users from accessing your website or mobile app if they do not consent to their personal data being processed.
Requirement 7: Right to modify consent choices
Users have the right to modify their consent choices at any time and should be informed of that right and how to exercise it. The instructions for modifying their choices should be clear and specific.
Example for Mobile Apps: You can change your preferences at any time in the Privacy menu of this app.
Requirement 8: Modifying consent choices
Add a link to Didomi.preferences.show() to allow the user to open the Preferences view.
Requirement 9: Legitimate interest
Your organization and third-parties might use legitimate interest as the legal basis for some data processing. If that is the case, the user must be informed of that fact and that they have the right to object to that data processing.
Example: Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.
Important note: this requirement does not apply to TCF v1.1 and only applies to TCF v2.
Requirement 10: Calls to action must be of equal visual prominence
Choices offered to the user (Agree / Disagree, Learn more, etc.) must be of equal visual prominence so as not to imply that one choice is better than the other.
This implies that the visual components used for those choices should be of the same nature. You cannot have one option displayed as a button while the other option is displayed as simple link.
For instance, if Agree and Learn More are the two options available, they should both be buttons or both be links. You cannot display an Agree button next to a Learn More link.
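As an added example (not Didomi's own code or tooling), the following script audits a notice's HTML before launch against requirements 8, 9 and 10 above: it checks that some control calls Didomi.preferences.show(), that a legitimate-interest disclosure also mentions the right to object, and that the offered choices use the same kind of element. The notice markup is a constructed sample and the agree() handler is a placeholder; the real Didomi notice DOM differs.

```javascript
// Added example, not Didomi's code. The markup below is constructed for the demo;
// agree() is a placeholder handler, not a Didomi SDK call.
const GOOD_NOTICE = `
<div class="notice">
  <p>We and our partners store and access non-sensitive information from your
  device, like cookies, and process personal data like IP addresses.</p>
  <p>Some partners rely on their legitimate business interest. You can object
  to those data processing by clicking on "Learn More".</p>
  <button onclick="agree()">Agree</button>
  <button onclick="Didomi.preferences.show()">Learn More</button>
</div>`;

// Same text, but an Agree button next to a Learn More link: a requirement 10 violation.
const BAD_NOTICE = GOOD_NOTICE.replace(
  '<button onclick="Didomi.preferences.show()">Learn More</button>',
  '<a href="#" onclick="Didomi.preferences.show()">Learn More</a>');

const CTA_RE = /<(button|a)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
const stripTags = s => s.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();

// Collect every clickable element with its tag, attributes and visible label.
function parseCtas(html) {
  const ctas = [];
  for (const m of html.matchAll(CTA_RE)) {
    ctas.push({ tag: m[1].toLowerCase(), attrs: m[2], text: stripTags(m[3]) });
  }
  return ctas;
}

// Returns a list of findings; an empty list means the three checks passed.
function auditNotice(html, choiceLabels = ['agree', 'disagree', 'learn more']) {
  const ctas = parseCtas(html);
  const findings = [];
  // R8: some control must open the Preferences view.
  if (!ctas.some(c => /Didomi\.preferences\.show\(/.test(c.attrs))) {
    findings.push('R8: no control calls Didomi.preferences.show()');
  }
  // R9: if legitimate interest is disclosed, the right to object must be too.
  const text = stripTags(html);
  if (/legitimate (business )?interest/i.test(text) && !/\bobject\b/i.test(text)) {
    findings.push('R9: legitimate interest disclosed without the right to object');
  }
  // R10: the offered choices must be the same kind of element (all buttons or all links).
  const choices = ctas.filter(c => choiceLabels.includes(c.text.toLowerCase()));
  const kinds = new Set(choices.map(c => c.tag));
  if (choices.length < 2) findings.push('R10: fewer than two choices found');
  else if (kinds.size > 1) findings.push(`R10: choices mix element kinds (${[...kinds].join(', ')})`);
  return findings;
}
```

The regex scanner is deliberately minimal for a constructed snippet; on a live page you would run the same checks over document.querySelectorAll('button, a') inside the notice container instead.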
If you want to learn more from someone else than Didomi, the IAB Europe has detailed rules and examples in their CTA requirements documentation. But our team is happy to help you in the TCF v2 transition, of course. You will find dedicated TCF v2 resources in our Help Center as well as on this TCF v2 Transition Page (includes a 10-step transition checklist).