IAB Tech Lab, in partnership with IAB Europe, is committed to continuous improvement and development of the Transparency and Consent Framework (TCF) to meet the needs of users and regulators. As such, the TCF is being updated to reflect the evolution of case law and Data Protection Authorities guidelines.
The TCF technical specifications are open for public comment until May 12th, 2023. Comments may be submitted via email to firstname.lastname@example.org. Outlined below are the technical changes included in TCF v2.2, which will be released mid-May.
Consent String Specification
There are no changes to the string specification. However, it’s important to note that, according to the upcoming updates to the TCF Policies, legitimate interest will no longer be an acceptable legal basis for Purposes 3-6. Consequently, TC Strings created under v2.2 must not include positive legitimate interest signals for these purposes in the core string. This requirement does not apply to the optional Publisher TC segment.
Updates to the TCF API
The getTCData command is deprecated in version 2.2. Therefore, vendors that currently rely on this command to obtain the TC string must now rely on event listeners to get the TC string. Using an event listener ensures that vendors always have the latest version of the TC string and reduces the number of calls that the vendor would need to make to the API.
Updates to the GVL
There are several changes to the Global Vendor List (GVL), and the GVL version is going to be incremented to version 3. These changes will provide greater transparency to end-users. Vendors will be required to update their registrations, and Consent Management Platforms (CMPs) will need to update their implementations to access the additional data included in the GVL.
Modification of the fields in the purposes, specialPurposes, features and specialFeatures objects.
In order to make the purposes pursued by TCF vendors much easier for end-users to understand, the ‘descriptionLegal’ field is replaced by the ‘illustrations’ field.
New field for taxonomy of categories of data
Vendors will be able to declare the categories of data they collect and process. In the updated version of the GVL, a new field, called ‘dataCategories’ is included that enumerates all of the potential categories of data. Additionally, for each vendor entry in the GVL, there is a new field called ‘dataDeclaration’ where the vendor-level declarations of categories of data are available.
Inclusion of data retention periods per purpose
For each vendor entry in the GVL, there is a new field called ‘dataRetention’, which allows vendors to declare how long they retain users’ data for each declared purpose. Vendors can define specific retention periods on a per-purpose and special-purpose basis, and/or define a standard retention period if it is the same for many or all of the declared purposes.
Support for multiple languages URL declaration
For each vendor entry in the GVL, there is a new field called ‘urls’, that allow for vendors to declare multiple URLs for their privacy policies and explanation of their legitimate interests at stake.
Below is an example of what v3 of the GVL JSON Object looks like with all of the updates described above:
Updates to the GPP
There are several commands available in the GPP that allow access to the TC String or data within it, but they should not be used. The GPP specifications will be updated to explicitly define that the getSection and getField commands should not be used to retrieve TC Strings or TC String data. Instead, event listeners must always be used.
Key Dates to Keep in Mind
- Mid-May – Finalization of the technical specifications
- June 30th – Deadline for vendors to update registration
- July 10th – Deadline for CMPs to host their scripts on a domain other than consensu.org subdomains
- September 30th – Deadline for supporting v2.2
To learn more about the updates, see the resources below.