Ready for the new Google Consent Mode v2? Learn more »

IAB TCF 2.0: Data protection-compliant use of cookies

Since the EU General Data Protection Regulation (GDPR) came into force in 2018 and also with the upcoming E-Privacy Regulation, website providers are obliged to obtain the consent of the visitor : Only then may cookies be set, which, among other things, monitor the surfing behavior of the user and analyze. Users of the website have the right to know the purposes for which cookies are set and what the data collected is used for. Furthermore, the user must be given the opportunity to refuse the use of cookies in an opt-in procedure. For this purpose, solutions and frameworks have been established in recent years that offer exactly this range of functions: querying consent to the use of cookies, including administration and documentation. For this purpose, so-called Consent Management Providers (CMP) were founded, which offer the appropriate platforms and solutions for the website operator. But who actually needs CMPs, what do the tools do, what are the differences – and what does the Interactive Advertising Bureau (IAB) have to do with it? You can find out this and more in this post.

Consent solution for IAB and TCF standard

What does a consent management provider do?

The international business association of the online advertising industry IAB developed and published the Transparency and Consent Framework (TCF) in 2018. Its aim is to standardize obtaining cookie consent and to provide information about user consent along the way digital advertising is played out. A large number of advertising technology providers are now involved in the online distribution of an advertising medium. Use the appropriate tools to see how many cookies are set at the same time by many advertising partners, for example on the websites of large publishing houses. They all need information about whether consent has been given or whether the use of cookies has been rejected.

Consent management providers such as Consentmanager offer exactly this solution with their tools. In this way, advertisers and operators of online shops obtain user approval as to whether their usage data may be stored and processed using cookies. Pop-up windows and banners of this type advising that data can be collected are ubiquitous on the web today. Buttons and/or selection options are offered with which the user agrees to the terms of use – or not. Here, a CMP ensures data protection-compliant and legally correct management of the declarations of consent and also for data comparison with other advertising partners.

Consent management providers based on the Interactive Advertising Bureau’s Transparency and Consent Framework (IAB TCF) determine which specific uses and advertising partners the user has consented to. A consent string is created from this data and stored in a browser cookie. This allows other CMPs to read out whether the user has already given their consent.

Every online business company that wants to reach European users and collects user data about them needs a consent management tool like consentmanager . This allows him to use analysis tools or social media widgets and pursue retargeting purposes. You cannot avoid a real opt-in, i.e. an actively given user consent for the use of cookies. IAB TCF 2.0 offers the necessary support for this.

History of the IAB TCF 2.0

The Interactive Advertising Bureau is a non-profit organization based in New York and was founded in 1996. It is a globally active trade association for the online advertising industry. According to its own description, the association represents the interests of online business by ensuring standardization and norms in the exchange of advertising-related data. In this way, the IAB serves to optimize the use of online advertising channels for the advertising industry. More than 40 international sub-organizations are currently organized in the IAB. In Germany, the IAB is represented by the Online Marketers Circle (OVK).

As mentioned at the beginning, the IAB organization published the Transparency and Consent Framework (IAB TCF) , which has now been further developed in version TCF 2.0 . The IAB TCF 2.0 understands the concept of the consent management provider as a platform with the support of which advertising companies centralize and manage data protection-compliant transparency as well as objections and consents of the end users.

Ist Ihre Webseite konform? Finden Sie es heraus mit unserer Checkliste

Checkliste herunterladen

The three parties in the IAB TCF/TCF 2.0

When using the IAB TCF framework, three participants interact with each other: publishers, providers (vendors) and the consent management provider (CMP) . The publisher is the actual web provider and thus the first point of contact with which the user comes into contact. Publishers publish information (e.g. media houses, publishers, etc.) and finance their work in part or in full from third-party advertising. This is usually implemented using an advertising network that displays relevant advertisements to website visitors. In the context of the IAB-TCF or TCF 2.0, advertisers and networks are defined as providers.

Providers or vendors are said advertisers with whom the publisher has entered into a cooperation. The providers display advertising content on the publisher’s web pages and set cookies in the browser of the website visitor. This allows providers to place ads relevant to the target group in the form of personalized advertising.

The Consent Management Provider (CMP) provides the technology that ensures that the user’s consent to the storage and further processing of personalized data is obtained. In the IAB-TCF framework, the individual consent settings of the respective end users are transmitted to the providers who are active on the current website.

How the IAB TCF framework works

In practice, the IAB framework TCF 2.0 functions as a communication system that mediates user declarations of consent between the publisher, the third-party providers and the CMPs used on the publisher’s website. In the application built on top of the IAB framework (e.g. Consentmanager), the publisher selects his preferred providers who have registered in the framework. These appear in the so-called Global Vendor List (GVL) . To participate in the IAB TCF, the advertiser must accept a number of conditions, such as updating the code. In this way, the provider ensures that cookies are only set if there is a consent signal from a Consent Management Provider (CMP) or another legal basis authorizes the setting of a cookie. Furthermore, no personal data based on consent should be used until a consent signal is received from a participating CMP. This procedure ensures that only “whilte list” providers appear in the Global Vendor List who adhere to the rules of the IAB TCF.

As soon as a publisher registers in TCF 2.0, he selects the trustworthy providers from the GVL with whom he would like to cooperate.

A user’s consent status is stored in the form of a publisher (first party) cookie and is then shared in the advertiser information chain in the IAB TCF. After the website visitor has made his choice of consents, the cooperating advertising providers have access to the processing of the user data for their relevant and user-legitimated purposes.

Goals of the IAB TCF and innovations in the TCF 2.0

The TCF 2.0 upgrade released in 2020 is a revised version with new features and a number of adjustments to the current legal framework of the EU GDPR. Previously, version 1.1 of the “GDPR Transparency and Consent Framework” was published in March 2018, around the time when the General Data Protection Regulation came into force. The TCF offers a standardized software platform for the online query and transmission of user approval for the display of personalized advertising and the associated setting of cookies. The corresponding data is exchanged between publishers, advertisers and their technology partners.

The purpose of the framework is to create standards that agencies, advertisers and AdTech providers can use to distribute programmatic online advertising within the scope of the General Data Protection Regulation without violating the legal framework. If you want to collect personal data on a website and analyze it for advertising purposes, you not only have to inform the website visitors about the use of the collected data, but also obtain their consent for the use of the data.

With the new TCF 2.0 , publishers have more flexibility and control when integrating and collaborating with technology partners. A new publisher functionality makes it possible to restrict individual purposes for which personal data is processed per provider. With TCF 2.0, website visitors are given the opportunity to grant or reject consent in detail and to exercise their right to object to the further processing of their personal data. The user can grant detailed approvals as to the form in which the provider may use certain data processing functions, for example when obtaining precise geolocation data.

Nicht sicher ob Sie ein CMP brauchen?

Wenn Sie sich nicht sicher sind, ob Sie ein CMP brauchen oder nicht, treten Sie gern in Kontakt mit uns – wir werden Ihnen helfen die richtige Lösung für Ihr Unternehmen zu finden!

TCF 2.0 puts an increased focus on legitimate interests . In this way, vendors can refer to their legitimate interest for individual purposes, but the user still has the opportunity to object to this. Furthermore, the number of possible purposes for the use and analysis of tracking data has been increased from five to ten. Two of them are so-called special purposes – these are purposes that serve the security of the website and which the user can therefore not object to. As of TCF 2.0, individual special features require their own opt-in, for example when determining and processing geolocation data. And particularly important in times of “Mobile First”: TCF 2.0 contains specific information about the standardized storage of cookies within smartphone apps .

For whom does the use of a consent management provider make sense?

Cookies-based forms of advertising are particularly relevant for publishing houses that, for example, have to finance their journalistic content with online advertising. However, industry portals or magazine websites can also benefit from the TCF 2.0 and the services of a consent management provider. In short: all publishers who live in any form of advertising .

The use of a CMP is just as useful, for example, for online shops, private websites or service providers such as payment service providers. Because cookies are usually set there too, user analyzes can be carried out and legally effective user consent must be obtained.


Stay up to date!

Subscribe to Newsletter

This is how Consentmanager implements TCF 2.0 in compliance with GDPR

Consent Manager is based on the IAB TCF 2.0. The consentmanager team is actively involved in the TCF 2.0 developer group of IAB Europe and has contributed significantly to the specifications for TCF 2.0. Thus, consentmanager comes first for all further developments and modifications of the technical data.

With a free account, you can try out the consentmanager immediately and integrate it into your website . The system supports all common CMS systems. The system is very easy to use. Immediately after registration you can already enter the URL of your website and choose from trusted providers from the GVL list. Furthermore, you can adjust the visual design of the declaration of consent for cookies and tracking procedures with just a few mouse clicks.

Relevant GDPR requirements for TCF 2.0

The EU General Data Protection Regulation sets out strict requirements as to how personal data may be stored and processed. In order for your consent management to comply with the legal requirements, it must inform the web user which data is being processed and for what purpose. Furthermore, the user must be given a selection option – he must not be forced to accept cookies for the use of the website. Consent to data processing must be given through a clear action – even before the first data processing takes place or the first cookie is set. In addition, it is imperative that the user is given the opportunity to revoke consent once given.

Frequently Asked Questions (FAQ)

With regard to the level of punishment, the General Data Protection Regulation sets out clear guidelines. In the event of non-compliance with the GDPR, fines are set according to the following rules: either 4 percent of the company’s global annual turnover or a flat rate of up to 20 million euros – depending on which amount is higher. With Consentmanager you are always on the safe side.

no The legislator distinguishes between technically necessary cookies and those that are set for economic reasons , such as for affiliate purposes, tracking cookies or analysis tools. Only the latter require the consent (or rejection, if applicable) on the part of the user. Technically necessary cookies, on the other hand, are used for the proper functioning of a website, e.g. B. the shopping cart of an online shop. These do not require consent.

no Buttons for accepting, rejecting or posting must be offered, but no detailed selection must be made possible at first glance. In the first layer, only the data processing purposes of the third-party providers (Purposes) have to be displayed. There is currently no obligation for CMPs to already offer granular options at this point. However, the publisher can still offer this via the CMP and, if necessary, make adjustments if a change in the law requires this.

Basically anyone running a website can benefit from TCF 2.0 . However, the TCF is primarily of interest to the advertising industry and publishers who have a direct connection to end customers and whose core business consists of financing their own content through advertising. These can be visible advertisements on the website, but user information obtained and analyzes of surfing behavior can also be monetized. Contacts to third-party providers are established for this purpose via a CMP such as Consentmanager.

more comments

General, News, Videos

Webinar: Google Consent Mode v2 with Google and consentmanager

Join our exclusive webinar hosted by consentmanager in collaboration with Google on June 12, 2024 at 11:00 CET. Due to high demand for information on the latest Google requirements, this webinar will help you better understand Google Consent Mode v2. Dennis Gingele from Google and Jan Winkler from consentmanager will present the essential facts and […]
Image for the anniversary of the GDPR on 25 May with

6 years of GDPR: A celebration of its far-reaching impact

We are approaching the sixth anniversary (May 25, 2024) of the General Data Protection Regulation (GDPR), which has influenced data protection standards around the world since it came into force on May 25, 2018. The GDPR has not only fundamentally changed the security and management of personal data, but has also strengthened the rights of […]