“I’m a CMP. Am I doing it right?” #2 CMP UI/UX Requirements / Part 3

CMPs must adhere to TCF Policies and UI/UX requirements

Last year’s enforcement decision by the CNIL against French mobile ad tech company Vectaury has sent shockwaves through the CMP community, due to Vectaury’s CMP being deemed by the French regulator to be in breach of GDPR requirements for valid consent. Key shortcomings of Vectaury’s CMP could have been easily avoided had it followed TCF Policies for CMPs more closely. We therefore urge all CMPs to ensure that they are implementing TCF Policies correctly. This is even more important given the responsibility CMPs have for the Publishers they work for, as well as for the Vendors who rely on the consent signals they create.

Beyond the need for CMPs to register with the Framework in order to send TCF-compliant consent signals, the signals CMPs generate are only reliable if they comply with the law. IAB Europe and its members have made considerable efforts to understand the legal requirements of the GDPR with respect to consent, and have published a Working Paper on Consent, since the adoption of the GDPR in 2016. These efforts have been woven into the TCF Policies, notably into Appendix B on UI/UX Guidelines and Requirements. The TCF FAQs give further clarity on UI requirements (see p. 11-13 and p. 22).

In summary, these are some key elements of a compliant CMP UI under the TCF Policies:

  • Initial layer of the UI must be prominently displayed, covering all or substantially all of the content of the page or app. Information to be provided on this initial layer of the UI must at minimum include:
    • Multiple parties will be accessing and/or storing information, such as cookies, on the user’s device and processing their personal data, with examples of the type of personal data.
    • A link to the enumerated list of named third parties (Vendors).
    • The Purposes for which the Publisher and its third party Vendors wish to access and/or store information, such as cookies, on the user’s device and process their personal data using the standard names provided in the Vendor List.
    • An explanation that the user is asked to provide their consent and can change their mind at any time and withdraw consent, as well as an explanation of how to do so (e.g. link at the footer of the page or in the privacy policy that allows resurfacing the CMP UI). A user should also be informed of the consequence of consenting and/or not consenting.
    • Calls to action of equal visual prominence that at a minimum include a way to consent and a way to access advanced options and information.
  • Options and information that must at minimum be provided in secondary layers of the UI include:
    • Users must be able to review the Purposes, including their standard definitions, and (if applicable) exercise granular choices regarding these Purposes.
    • Users must be able to review the enumerated list of named third parties (Vendors), and have access to information made available on the Vendor List by Vendors. This information must at a minimum, include:
      • Vendor’s name
      • Link to Vendor’s privacy policy
      • The Purposes for which the Vendor processes personal data
      • The legal basis or bases relied upon by the Vendor by Purpose
      • The Features the Vendor relies on when processing personal data

Moreover, it should be noted that consent signals, by their very nature, can only be created on the basis of a clear affirmative user interaction with the CMP that unambiguously signifies the user’s consent to the processing. Creation of consent signals by CMPs or others absent such a clear user interaction is therefore not permitted.

“I’m a CMP. Am I doing it right?” #1 CMP Registration and CMP IDs – IAB Europe’s new blog series to help CMPs / Part 2

CMPs must register with IAB Europe and use their assigned ID

Last week, IAB Europe communicated to Vendors and CMPs registered for participation in the TCF a reminder that the Framework’s Policies require that all CMPs register with IAB Europe, and that Vendors only work with CMPs in compliance with the Policies. The communication alerted TCF participants to the fact that any signals not associated with a valid CMP ID should be considered invalid for purposes of the TCF. This means that Publishers who operate or use CMPs that have not registered their CMP with IAB Europe, or have failed to tag their consent strings with their assigned CMP ID, will very likely see a change in Vendor behavior moving forward.

The requirement that CMPs register with IAB Europe is necessary because of CMPs’ importance in the TCF as the entity that provides transparency to users about how their data is processed and requests users’ consent to data processing. Vendors rely on the signals created by CMPs to know whether information has been disclosed to users and whether users have given their consent to processing. These signals are only reliable when generated by CMPs in accordance with the technical specifications and Policies of the Framework, including UI/UX requirements. As originators of consent strings, CMPs must be clearly identified by their CMP IDs to enable Vendors reading consent strings to trace their origins. The CMP ID is only assigned to a CMP once registration is completed and approved by IAB Europe.

When CMPs register with IAB Europe, they contractually agree to adhere to the technical specification and Policies of the Framework, which allows IAB Europe to ensure and support CMP adherence to the Policies.

Without the Framework and its standardising function there is no scalable way of passing consent strings and other information in a reliable and interoperable way. Without registration, participation by CMPs in the Framework is not possible and CMPs cannot send TCF-compliant consent signals.

CMPs are therefore strongly urged to ensure that (1) they have completed registration with IAB Europe using the registration portal for CMPs; (2) they comply with the TCF’s technical specification and Policies; and (3) consent strings they generate include the CMP ID that has been assigned to them by IAB Europe. IAB Europe maintains a list of CMPs and their assigned CMP IDs, which can be consulted to determine which CMPs are registered and what their CMP ID is.

Introducing “I’m a CMP. Am I doing it right?” – IAB Europe’s new blog series to help CMPs / Part 1

Things are going well, but there are opportunities for improvement

Since its release in Spring 2018, the IAB Europe Transparency & Consent Framework (TCF) has seen significant uptake. Already, it is the largest collaborative effort by the advertising industry to programmatically provide users with notice and choice about how their data is processed. It has been a key pillar in the advertising industry’s General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) compliance efforts. More than 460 registered Vendors are receiving and responding to consent signals created by Internet users interacting with over 170 registered Consent Management Platforms (CMPs) spanning thousands of websites and apps. EU users have more transparency and control than ever before.

Despite its success, the TCF remains a relatively new standard with potential for improvement. This is why IAB Europe and its members have been working on a Version 2 since the TCF’s initial release. Version 2 will add new capabilities, including some intended to provide Publishers with greater control over how Vendors collect and process the personal data of Internet users visiting their websites or apps. It will also provide more flexibility to Vendors in supporting Publisher and Advertiser needs. And, of course, TCF Version 2 will further enhance transparency and control for Internet users.

IAB Europe and its members have also been monitoring the way companies implement the TCF and continue to identify opportunities for improvement. As the TCF is relatively new, it is only natural that despite best efforts some companies and implementations fall short of expectations. For the TCF to be successful, it is critical that all involved implement it correctly, which is why IAB Europe’s first priority is to ensure that CMPs are educated about the proper use and implementation of the Framework. We want to achieve this by continuing and improving our education efforts in the market. But to ensure adherence to technical specifications and Policies and enhance trust in the reliability of the Framework we must ultimately do even more. That is why in the coming months IAB Europe will also be leading a CMP compliance review program, working closely with CMPs to support adherence and compliance with TCF technical specification and Policies.

But what do we mean by CMPs? When IAB Europe refers to CMPs, it refers to a defined term in the context of the TCF. Specifically, we mean the entity responsible for providing transparency to users about which Vendors want to process their personal data and for which Purposes using information published on the Global Vendor List (GVL), requesting users’ consent to the processing of their personal data, and creating and sending signals about user choices to Vendors in the form of a consent string.

CMPs must register with IAB Europe, and agree to adhere to TCF technical specifications and Policies, including UI/UX requirements. CMPs within the TCF receive a unique CMP ID that identifies a consent string as having been generated by a specific, identified, registered CMP. IAB Europe maintains a public list of registered CMPs and their assigned CMP IDs, which can be consulted to determine which CMPs are registered and what their CMP IDs are. It is not possible for non-registered CMPs to send TCF-compliant consent strings.

While IAB Europe will be providing more detailed formal implementation instructions to CMPs in the coming months as it finalizes updates to the TCF, this blog series will focus on some of the most common issues we have identified with respect to CMPs.