Requirements of a TCFv2.2-compliant consent notice

On a website or in a mobile app, the notice is the first and main consent UI that users interact with. It is where most users are informed about the purposes and vendors for which consent is collected, and where they choose to give or deny consent.

As a result, the content of a consent notice is key to ensuring compliance with GDPR, local recommendations from data protection authorities, and the IAB TCF framework.

Note that Didomi provides Standard Texts for IAB v2.2 consent notices. If you want to change this text, please read our dedicated documentation here.

This article walks you through the minimum requirements that your consent notices must meet to use our TCFv2.2 integration. The requirements listed on this page do not apply if you do not enable the TCFv2.2 integration, although they are a good baseline for any consent notice that must comply with GDPR.

It is not an exhaustive list and implementing all the recommendations from this article does not guarantee compliance with regulations.

1- Responsibilities of each party

A- Didomi

Didomi's role is to provide tools and general guidance to get in compliance with various privacy regulations (GDPR, CCPA, etc.) and standards (IAB TCF, IAB CCPA, etc.) that companies implementing our CMP might be subject to.
Didomi provides example configurations and texts that incorporate rules from different regulations and the IAB frameworks.

As an IAB-registered CMP, Didomi's role is to ensure that the IAB frameworks are respected by all websites and mobile apps that implement them through the Didomi CMP. Didomi is held responsible by the IAB Europe through regular audits of our clients' websites and mobile apps.

While Didomi is here to help, we are not legally authorized to provide legal counsel and cannot be held responsible for a lack of compliance due to a misconfigured CMP.

B- Your organization

Every organization is different, and you must customize the CMP and its texts so that the notice is compliant and the user information is complete, by adding information about any additional data processing that your organization performs. To give you maximum control, Didomi allows you to customize the content of a consent notice.

We recommend working closely with Didomi, your legal department, and the IAB Europe to ensure that your configuration of the Didomi CMP is in compliance with the regulations that your organization is subject to and the IAB TCF framework.

When launching a consent notice, you must ensure that your texts and disclosures are compliant with the regulations and the IAB TCF framework.
As non-compliance of your websites and mobile apps with the IAB TCF framework can impact Didomi's standing as a CMP for all of Didomi's clients, Didomi will proactively check the compliance of your consent notices and will work with you on ensuring that they are compliant. In rare cases and if compliance cannot be achieved through discussions engaged by Didomi with your organization, Didomi might temporarily disable consent notices or disable the IAB TCF support for notices that remain non-compliant.

2- Requirements

Consent under GDPR must be informed, freely given, specific, and unambiguous.

The requirements listed below help to ensure that your consent notice is configured to respect the definition of valid consent.
The requirements and example texts provided are the minimum for a valid notice running on the Didomi CMP. Meeting them does not guarantee that the notice complies with the regulations, and the texts must be customized to reflect the exact data processing and business practices of your organization.

The requirements include global GDPR requirements valid across all countries and IAB TCF-driven requirements. For country-specific requirements, dedicated articles are available in our documentation.

Here is an example of a notice text that meets all the requirements listed below (except for the full list of data processing and legal bases, which depends on your organization):

We and our 20 partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, for data processing like displaying personalized ads, measuring preferences of our visitors, etc.
You can make a choice here and change your preferences at any time in our Privacy Policy on this website.
Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Requirement 1 - Complete list of data processing and legal bases used by your organization and its partners

For the user to be fully informed, they must be given a chance to review the full list of all the data processing operated by your organization and your partners, as well as all the legal bases used for those data processing.
This includes purposes and their legal bases, as well as special IAB TCF entities like features, special features, and special purposes.

Didomi provides an easy way to display an automated list of data processing and legal bases configured in the CMP.

While it is acceptable to list the data processing and legal bases in your custom texts, we recommend enabling that automated list to ensure that the list is always up-to-date from your notice configuration.

Requirement 2 - Indicate that data is stored and accessed from the user device by your organization and by third-parties

Your notice must include information about the fact that information is stored and accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data) by your organization and by third-parties. Simply informing the user about your organization is not enough.
While this is partly covered by informing the user on data processing related to cookies as part of the list of data processing, this information must be more explicitly detailed for the user to be fully informed.

Example: We and our partners store and access non-sensitive information from your device ...

Requirement 3 - Indicate that both your organization and third-parties are processing personal data from the user

The user usually has a direct relationship with your organization but limited knowledge of the third-parties that you work with and how they might process their personal data. It is important for the user to be informed that third-parties are also processing their personal data on your website or mobile app.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies, for data processing ...

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, for data processing ...

Requirement 4 - Examples of personal data being processed

The user needs to be able to understand what personal data will be collected and processed. The text must include examples of such data, like "cookies" (for Web), "device identifiers" (for mobile apps), browsing data, information about your interests, etc.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, ...

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like device identifiers, and process personal data like IP addresses and cookie identifiers, ...

Requirement 5 - Link to the list of third-parties processing personal data

Your notice must include a link for the user to access the full list of third-parties that might process their personal data.

Didomi automatically adds a "View our partners" link to all notices. The link added by Didomi will be automatically hidden if you specify your own link to Didomi.preferences.show() in your notice text.

Requirement 6 - Consequences of consenting or not

As consent should be freely given, the user should be clearly informed of the consequences of consenting or not consenting.

Keep in mind that there cannot be adverse consequences for not consenting. For instance, you cannot prevent users from accessing your website or mobile app if they do not consent to their personal data being processed.

Requirement 7 - Right to modify consent choices

Users have the right to modify their consent choices at any time and should be informed of that right and how to exercise it. The instructions for modifying their choices should be clear and specific.

Example for Web: You can change your preferences at any time in our privacy policy on this website.

Example for Mobile Apps: You can change your preferences at any time in the Privacy menu of this app.

Requirement 8 - Modifying consent choices

In addition to requirement 7 (Right to modify consent choices), a link should be added to your website or mobile app to show the Preferences again and allow the user to update or withdraw their consent choices.
That link should preferably be added to all the pages / views of your website or mobile app, or in the privacy policy.

Add a link to javascript:Didomi.preferences.show() to allow the user to open the Preferences view.

Requirement 9 - Legitimate interest

Your organization and third-parties might use legitimate interest as the legal basis for some data processing. If that is the case, the user must be informed of that fact and that they have the right to object to that data processing.

Example: Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Important note: this requirement does not apply to TCF v1.1 and only applies to recent versions.

Requirement 10 - Calls to action must be of equal visual prominence

Choices offered to the user (Agree / Disagree, Learn more, etc.) must be of equal visual prominence so as not to imply that one choice is better than the other.
This implies that the visual components used for those choices should be of the same nature. You cannot have one option displayed as a button while the other option is displayed as a simple link.

For instance, if Agree and Learn More are the two options available, they should both be buttons or both be links. You cannot display an Agree button next to a Learn More link.

The IAB Europe has detailed rules and examples in their CTA requirements documentation.

Requirement 11 - Number of vendors

In the 2.2 TCF version, you must display the number of partners you are working with on the first view. You can use our macros to do so.

This information needs to be made available at the first layer of the CMP, i.e. it should be accessible before the user is able to give consent.

NB: While the TCF does not impose a specific limit on vendors, you should be mindful of the number of vendors you partner with. An unreasonably high number of vendors listed is risky, because it prevents users from making the most informed decision.
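As an added example (not Didomi's code, and not part of this article's official guidance), the script below turns requirements 2, 3, 4, 7, 9, 10 and 11 into a pre-launch checklist that a privacy engineer can run over the rendered first-layer notice text before publishing a notice configuration. The keyword patterns are assumptions chosen to match the English example text quoted in this article, so adapt them to your own wording and language; the vendor-count check expects the text after any macro has been substituted (for example "our 20 partners"). The sample texts are constructed for the demonstration.

```javascript
// Added example: heuristic checks over a notice's first-layer text.
// Not Didomi's code; the regular expressions below are assumptions that
// match the example wording in this article and must be adapted to yours.

const REQUIREMENT_CHECKS = [
  {
    id: 2,
    name: "Data is stored and accessed on the user's device (Requirement 2)",
    // Storage and access on the device must be stated explicitly.
    test: (t) => /\bstor(e|ed|ing)\b/i.test(t)
      && /\baccess(ed|ing)?\b/i.test(t)
      && /\bdevice\b/i.test(t),
  },
  {
    id: 3,
    name: "Your organization and third parties both process data (Requirement 3)",
    test: (t) => /\bwe\b/i.test(t)
      && /\b(partners|third[- ]parties|vendors)\b/i.test(t),
  },
  {
    id: 4,
    name: "Examples of personal data being processed (Requirement 4)",
    test: (t) => /\b(cookies?|device identifiers?|IP address(es)?|cookie identifiers?|browsing data)\b/i.test(t),
  },
  {
    id: 7,
    name: "Right to change choices at any time, with instructions (Requirement 7)",
    test: (t) => /\bchange\b.{0,40}\b(preferences|choices)\b/i.test(t)
      && /\bat any time\b/i.test(t),
  },
  {
    id: 9,
    name: "Legitimate interest disclosed with the right to object (Requirement 9)",
    // Only applies when your organization or its vendors rely on legitimate interest.
    onlyIf: (opts) => opts.usesLegitimateInterest,
    test: (t) => /\blegitimate (business )?interest/i.test(t)
      && /\bobject\b/i.test(t),
  },
  {
    id: 11,
    name: "Number of partners shown on the first layer (Requirement 11)",
    // Expects the text after macro substitution, e.g. "our 20 partners".
    test: (t) => /\b\d+\s+partners\b/i.test(t),
  },
];

// Runs every applicable check and reports the requirements that are not met.
function checkNoticeText(text, options = {}) {
  const opts = { usesLegitimateInterest: true, ...options };
  const failures = REQUIREMENT_CHECKS
    .filter((check) => !check.onlyIf || check.onlyIf(opts))
    .filter((check) => !check.test(text))
    .map(({ id, name }) => ({ id, name }));
  return { passed: failures.length === 0, failures };
}

// Requirement 10: every call to action must use the same kind of control.
// `ctas` is a list of { label, kind } where kind is "button" or "link".
function callsToActionHaveEqualProminence(ctas) {
  const kinds = new Set(ctas.map((cta) => cta.kind));
  return ctas.length > 0 && kinds.size === 1;
}

// Constructed sample: the compliant notice text quoted in this article,
// joined on single spaces so that each check sees one paragraph.
const COMPLIANT_TEXT = [
  "We and our 20 partners store and access non-sensitive information from your device,",
  "like cookies or a unique device identifier, and process personal data like IP addresses",
  "and cookie identifiers, for data processing like displaying personalized ads,",
  "measuring preferences of our visitors, etc.",
  "You can make a choice here and change your preferences at any time in our Privacy Policy on this website.",
  "Some partners do not ask for your consent to process your data and rely on their legitimate business interest.",
  "You can object to those data processing by clicking on \u201cLearn More\u201d.",
].join(" ");

// Constructed sample: a typical cookie banner that fails most requirements.
const WEAK_TEXT = "We use cookies to improve your experience. By continuing to browse, you accept our use of cookies.";

console.log(JSON.stringify(checkNoticeText(COMPLIANT_TEXT)));
console.log(JSON.stringify(checkNoticeText(WEAK_TEXT)));
```

Run it with Node before publishing a notice configuration; a failing requirement is a prompt to revisit the text with your legal department, not proof of non-compliance, and a passing result is not proof of compliance either, since the checks only look for wording.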