Deadline October 1, 2023 - The implementation period for the IAB TCF 2.2 expires

What is the IAB TCF?

Consent Framework ("TCF") is an industry standard for online marketing. In Germany, it is now used on almost every website and in a large number of apps. The IAB TCF contains rules on how the various players - e.g. the providers of consent management platforms, website operators or the providers of marke-ting and tracking tools - work together. In this respect, it serves to ensure overall compliance with data protection law. Details on the IAB TCF can be found in our Updates No. 131, No. 128 and No. 76.

Update to IAB TCF 2.2 with implementation deadline

As of May 16, 2023, the new rules of version 2.2 of the IAB TCF are in effect. For these, an implementation period until the end of September 2023 has been introduced. From October at the latest, all players registered under the IAB TCF - i.e. primarily providers of marketing and tracking tools and of consent management platforms - must comply with the new rules. The background to the revision was also the supervisory proceedings of the Belgian data protection authority against the IAB (as have reported Update No. 131). In this context, the authority im-posed various requirements on the IAB for the revision of the IAB TCF. These have now been implemented in version 2.2.

The most important changes at a glance

The following changes should be familiar to all online marketing stakeholders:

• Legal basis: in IAB TCF 2.1, providers had the option to specify both consent and legitimate interest as the legal basis for the various processing purposes defined in the IAB TCF. Under IAB TCF 2.2, legitimate interest is now no longer considered an acceptable legal basis for pur-poses 3 and 4 (creation and use of profiles for personalized advertising) and purposes 5 and 6 (creation and use of profiles for personalized content). For these purposes, providers - and thus also website operators - are now dependent on consent.
   
• Better understandability of assigned wording: IAB TCF 2.2 introduces improved labels, descriptions and explanations for purposes and functions. Instead of complex legalese, users now receive explanations and real-world examples that make it easier for them to understand the implications of their consent.
   
• New Purpose #11: "Use of Restricted Data for Content Selection" is introduced as a new data processing purpose #11. This involves the selection and delivery of non-promotional content based on real-time data (e.g., information about page content or imprecise location data) and controlling the frequency or order in which content is presented to a user (frequency capping). This does not, however, include the creation or use of profiles to select personalized content.
   
• Additional provider information: Under IAB TCF 2.2, providers are required to provide addi-tional details about how they process data. These details include:
  
  - The categories of data collected
  - The retention periods for each purpose
  - The legitimate interests involved (if applicable)
   
• Transparency about the number of tracking and marketing tools used: To date, the first layer of a Consent Management Platform ("CMP") often does not inform the website visitor about the number of tracking and marketing tools for which consent should be given. The number of tools included varies considerably in practice: while some websites have only one simple tracker built in, others use over 150 "vendors" (this is the IAB TCF technical term for tracking and marketing tool providers) to optimize marketing sales. In previous versions of the IAB TCF, it was not mandatory to report the number of vendors on the first layer. This changes with the IAB TCF 2.2: The number of tool providers used must now be clearly visible even be-fore the user enters his settings. This allows a user to see right away how many other actors are receiving their data.
   
• Facilitate consent revocation: The IAB TCF 2.2 emphasizes the importance of user control: for example, it requires website operators and CMP providers to ensure that users can revisit the CMP interface at any time, even after providing consent, and revoke their consent without fuss. This can be done, for example, via a floating icon or link in the footer. If the consent prompt initially presented to users includes a call to action that allows users to consent to all purposes and providers with one click (e.g., "Agree All"), an equivalent call to action should be provided when users revisit the CMP interface to revoke consent to all purposes and providers with one click (e.g., "Decline All").

Significance for practice - what to do now?

Overall, it is to be welcomed that the IAB TCF 2.2 significantly raises the level of data protec-tion through the numerous innovations. As a result, it is now even easier than before to argue to data protection supervisory authorities that compliance with the IAB TCF leads to sufficient GDPR and TTDSG (German Telecommunications Telemedia Data Protection Act) compliance.

Website operators should now urgently check whether they have taken the above implementa-tion measures. Some of the changes are also "automatic" from the website operator's perspec-tive, as this is primarily the responsibility of the vendors and CMP providers. This applies, for example, to the change from legitimate interest to consent for certain data processing purpo-ses. Nevertheless, a website operator should check whether the above changes have actually been implemented on their website by October 2023. Many CMPs are highly "configurable" and by implementing an individual configuration, a significant part of the responsibility is trans-ferred from the CMP provider to the website operator. Externally, the website operator is in any case responsible for (almost) everything that happens on his website for all areas of law.