Requirements of a TCFv2.2-compliant consent notice

On a website or in a mobile app, the consent notice is generally the first interface with which users interact. Often, users encounter the consent notice even before accessing the main content of the site. That is where most users are informed of the purposes and vendors for which consent is collected, and where they choose to give or deny consent.

As a result, the content of a consent notice is key to ensuring compliance with GDPR, local recommendations from data protection authorities, and the IAB Transparency and Consent Framework.

Note that Didomi provides Standard Texts for IAB TCF v2.2 consent notices. If you want to change this text, please read our dedicated documentation here.

This article walks you through the minimum requirements imposed by IAB Europe that must be met by consent notices when using the TCFv2.2 integration. The requirements listed on this page do not apply if you do not enable the TCFv2.2 integration, although they are a good list of requirements for any consent notice to be in compliance with GDPR.

It is not an exhaustive list and implementing all the recommendations from this article does not guarantee compliance with regulations.

1- Responsibilities of each party

A- Didomi

Didomi's role is to provide tools and general guidance to get in compliance with various privacy regulations (GDPR, CCPA, etc.) and standards (IAB TCF, IAB CCPA, etc.) that companies implementing our CMP might be subject to.
Didomi provides example configurations and texts that incorporate rules from different regulations and the IAB frameworks.

As an IAB-registered CMP, Didomi's role is to ensure that the IAB requirements are respected by all websites and mobile apps that implement them through the Didomi CMP. Didomi is held responsible by the IAB Europe through regular audits of our clients' websites and mobile apps.

While Didomi is here to help, we are not legally authorized to provide legal counsel and cannot be held responsible for a lack of compliance due to a misconfigured CMP.

B- Your organization

Every organization is different and you must customize the CMP and its texts to ensure that it is compliant and that the user information is complete by adding information about the extra data processing that your organization is operating. To give you maximum control, Didomi allows you to customize the content of a consent notice.

We recommend working closely with your legal department, and where necessary with the IAB Europe to ensure that your configuration of the Didomi CMP is in compliance with the regulations that your organization is subject to and the IAB TCF.

When launching a consent notice, you must ensure that your texts and disclosures are compliant with the regulations and the IAB TCF framework.

IAB Europe conducts regular audits of CMPs and of the websites where the TCF framework is implemented. In cases of non-compliance, Didomi could receive warnings, and after several warnings we could be completely excluded from the TCF. This exclusion would impact not only the client concerned but also all of our clients. To avoid this situation, we will work closely with our clients to address and improve any compliance issues and prevent these warnings. However, in the event of persistent non-compliance and disagreement, we reserve the right to disable the consent notice to avoid exclusion by IAB Europe.

2- Requirements

Consent under GDPR must be informed, freely given, specific, and unambiguous.

The requirements listed below help to ensure that your consent notice is configured to respect the definition of valid consent as defined by IAB Europe in the context of the TCF.

The list of requirements and the example texts provided are the minimal list of requirements for a valid notice running on the Didomi CMP. It does not guarantee a compliant notice with respect to the regulations and requires customization to fit the exact data processing and business practices of your organization. It does not guarantee a compliant notice with respect to the TCF either.

Here is an example of a notice text that meets all the requirements listed below (except for the full list of data processing and legal bases, which depends on your organization):

With your agreement, we and our 21 partners use cookies or similar technologies to store, access, and process personal data like your visit on this website, IP addresses and cookie identifiers. Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can withdraw your consent or object to data processing based on legitimate interest at any time by clicking on “Learn More” or in our Privacy Policy on this website.

Requirement 1 - Complete list of data processing and legal bases used by your organization and its partners

For the user to be fully informed, they must be given a chance to review the full list of all the data processing operated by your organization and your partners, as well as all the legal bases used for those data processing.
This includes purposes and their legal bases, as well as special IAB TCF entities like features, special features, and special purposes.

Didomi provides an easy way to display an automated list of data processing and legal bases configured in the CMP:


While it is acceptable to list the data processing and legal bases in your custom texts, we recommend enabling that automated list to ensure that the list is always up-to-date from your notice configuration.
Find the complete list of purposes and features in Summary of Purposes/Features: IAB TCF v2.2 (Current Version).

Requirement 2 - Indicate that data is stored and accessed from the user device by your organization and by third-parties

Your notice must include information about the fact that information is stored and accessed from the user’s device (e.g. use of cookies, device identifiers, or other device data) by your organization and by third-parties. Simply informing the user about your organization is not enough.
While this is partly covered by informing the user on data processing related to cookies as part of the list of data processing, this information must be more explicitly detailed for the user to be fully informed.

Example: We and our partners store and access non-sensitive information from your device ...

Requirement 3 - Indicate that both your organization and third-parties are processing personal data from the user

The user usually has a direct relationship with your organization but limited knowledge of the third-parties that you work with and how they might process their personal data. It is important for the user to be informed that third-parties are also processing their personal data on your website or mobile app.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies, for data processing ...

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like devices identifiers, for data processing ...

Requirement 4 - Examples of personal data being processed

The user needs to be able to understand what personal data will be collected and processed. The text must include examples of such data, like "cookies IDs" (for Web), "device identifiers" (for mobile apps), browsing data, information about your interests, etc.

Example for Web: We and our partners store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like IP addresses and cookie identifiers, ...

Example for Mobile Apps: We and our partners store and access non-sensitive information from your device, like devices identifiers, and process personal data like IP addresses and cookie identifiers, ...

Requirement 5 - Link to the list of third-parties processing personal data

Your notice must include a link for the user to access the full list of third-parties that might process their personal data.

Didomi automatically adds a "View our partners" link to all notices. The link added by Didomi will be automatically hidden if you specify your own link to Didomi.preferences.show() in your notice text.

Requirement 6 - Consequences of consenting or not

As consent should be freely given, the user should be clearly informed of the consequences of consenting or not consenting.

Keep in mind that there cannot be adverse consequences for not consenting. For instance, you cannot prevent users from accessing your website or mobile app if they do not consent to their personal data being processed.

Requirement 7 - Right to modify consent choices

Users have the right to modify their consent choices at any time and should be informed of that right and how to exercise it. The instructions for modifying their choices should be clear and specific.

Example for Web: You can change your preferences at any time in our privacy policy on this website.

Example for Mobile Apps: You can change your preferences at any time in the Privacy menu of this app.

Requirement 8 - Modifying consent choices

In addition to requirement 7 (Right to modify consent choices), a link should be added to your website or mobile app to show the Preferences again and allow the user to update or withdraw their consent choices.
That link should preferably be added to all the pages / views of your website or mobile app, or in the privacy policy.

Add a link to javascript:Didomi.preferences.show() to allow the user to open the Preferences view.

Requirement 9 - Legitimate interest

Your organization and third-parties might use legitimate interest as the legal basis for some data processing. If that is the case, the user must be informed of that fact and that they have the right to object to that data processing.

Example: Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can object to those data processing by clicking on “Learn More”.

Important note: this requirement does not apply to TCF v1.1 and only applies to recent versions.

Requirement 10 - Calls to action must be of equal visual prominence

Choices offered to the user (Agree / Disagree, Learn more, etc.) must be of equal visual prominence so as not to imply that one choice is better than the other. While calls to action do not need to be identical, to ensure they are clearly visible, they must have matching text treatment (font, font size, font style) and, for the text of each, a minimum contrast ratio of 5 to 1.

For instance, if Agree and Learn More are the two options available, they should both be buttons or both be links. You cannot display an Agree button next to a Learn more link.


IAB Europe has detailed rules and examples in their CTA requirements documentation.
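As an added configuration check for this requirement (example code, not Didomi's own), the function below compares a notice's calls to action for matching text treatment and element type and computes each one's text contrast. It assumes the contrast ratio is the WCAG 2 relative-luminance ratio, and the CTA field names (`kind`, `color`, `background`, `font*`) are hypothetical; the sample CTAs are constructed.

```javascript
// Added example (not Didomi's code): a configuration check for Requirement 10.
// Assumes "contrast ratio" means the WCAG 2 relative-luminance ratio; the CTA
// field names (kind, color, background, font*) are hypothetical.
const MIN_CONTRAST = 5; // the page's "minimum contrast ratio of 5 to 1"
const TEXT_PROPS = ["fontFamily", "fontSize", "fontStyle", "fontWeight"];

function hexToRgb(hex) {
  const h = hex.replace(/^#/, "");
  const full = h.length === 3 ? h.split("").map((c) => c + c).join("") : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(full.slice(i, i + 2), 16));
}

// sRGB channel linearisation, then the WCAG luminance weights.
function relativeLuminance([r, g, b]) {
  const lin = (c) => (c / 255 <= 0.03928 ? c / 255 / 12.92 : Math.pow((c / 255 + 0.055) / 1.055, 2.4));
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(hexToRgb(fg));
  const l2 = relativeLuminance(hexToRgb(bg));
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// Returns findings; an empty list means every CTA has the same text treatment
// and element type as the first one, and each meets the contrast minimum.
function checkCtaProminence(ctas) {
  const findings = [];
  const [ref, ...rest] = ctas;
  for (const cta of ctas) {
    const ratio = contrastRatio(cta.color, cta.background);
    if (ratio < MIN_CONTRAST) findings.push(`${cta.label}: contrast ${ratio.toFixed(2)}:1 is below ${MIN_CONTRAST}:1`);
  }
  for (const cta of rest) {
    if (cta.kind !== ref.kind) findings.push(`${cta.label}: rendered as a ${cta.kind}, ${ref.label} is a ${ref.kind}`);
    for (const p of TEXT_PROPS) {
      if (cta[p] !== ref[p]) findings.push(`${cta.label}: ${p} differs from ${ref.label}`);
    }
  }
  return findings;
}

// Constructed sample: Agree/Disagree match; "Learn more" is a smaller, faint link.
const SAMPLE_CTAS = [
  { label: "Agree", kind: "button", color: "#ffffff", background: "#1c5fd0", fontFamily: "Arial", fontSize: "16px", fontStyle: "normal", fontWeight: "700" },
  { label: "Disagree", kind: "button", color: "#1c5fd0", background: "#ffffff", fontFamily: "Arial", fontSize: "16px", fontStyle: "normal", fontWeight: "700" },
  { label: "Learn more", kind: "link", color: "#999999", background: "#ffffff", fontFamily: "Arial", fontSize: "12px", fontStyle: "normal", fontWeight: "400" },
];
```

Running `checkCtaProminence(SAMPLE_CTAS)` reports the Learn more link four times (contrast, element type, font size, font weight), while the Agree/Disagree pair alone passes.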

Requirement 11 - Number of vendors

In TCF v2.2, you must display the number of partners you are working with on the first view. You can use our macros to do so.

This information needs to be made available at the first layer of the CMP - i.e. it should be accessible before the user is able to give consent.

NB: While the TCF does not impose a specific limit on vendors, you should be mindful of the number of vendors you partner with. An unreasonably high number of listed vendors is risky, because it prevents users from making an informed decision.

Requirement 12 - Display data categories

The IAB defines a list of 11 categories of data that vendors can declare during the registration process. It is necessary to:

  • Include categories of data processed by each vendor in the 3rd layer.
  • Include a description for each category.

A new section is displayed by default in the 3rd layer of the consent notice for each vendor, listing the categories of data processed by the vendor and the description of each category.


Requirement 13 - Display purpose retention periods

For each vendor, purpose retention periods must be disclosed (except for purpose 1).

In the Didomi Console, in the 3rd layer, below each vendor, the retention period (in days) is displayed for each purpose and special feature, except for Purpose 1.
