TCF v2.2: What will change in your notice

The IAB recently approved iterations to the TCF framework policies, and a new version (TCF v2.2) will be enforced on November 20th, 2023. These changes are driven by the natural evolution of privacy laws and DPA guidelines, as well as increasing customer privacy concerns and needs. They will bring more transparency and standardization of information regarding the processing of personal data and how choices should be collected and respected.

The aim of this documentation is to present the main changes brought by TCF v2.2 and how they will be reflected in the Didomi console and in your consent notices.

✅ Removal of legitimate interest for 4 purposes

📋 New TCF V2.2 policy

Legitimate interest is no longer an acceptable legal basis for the following purposes:

• Purpose 3: Create a personalized ads profile
• Purpose 4: Select personalized ads
• Purpose 5: Create a personalized content profile
• Purpose 6: Select personalized content

• The legal basis will no longer be available in the vendor list for the above purposes, nor will it be available in the notice.
• It will no longer be possible to apply publisher restrictions on the legal basis for these 4 purposes, as only consent will be available.

• Publisher restrictions on the legal basis for these 4 purposes that were created before the migration will no longer be accessible from the console.
• Please note that consent re-collection will not be triggered by having a legal basis removed, and consents collected before migration are not impacted (i.e., they remain valid). However, legitimate interest choices will no longer be relevant, since vendors may no longer use legitimate interest as a legal basis for these 4 purposes.

👩‍🔧 Action required from you

None.

✅ Display legitimate interest at stake

📋 New TCF V2.2 policy

Each vendor can provide a dedicated link explaining their use of legitimate interest.

👉 Impact on Didomi console and consent notices

A new legitimate interest link will be displayed in the 3rd layer of the consent notice, in each vendor’s section, next to the privacy policy link. This will be only displayed if the information is available from the GVL.

👩‍🔧 Action required from you

None. 

✅ Multi-language privacy URLs

📋 New TCF V2.2 policy

Each vendor will have the possibility to declare different privacy URLs (privacy policy and legitimate interest at stake) per language.

👉 Impact on Didomi console and consent notices

In the third layer of the consent notice, the links to the privacy policy and legitimate interest at stake will be adjusted based on the notice language and on the languages declared by the vendor in the Global Vendor List (GVL).

Didomi will use the vendor URLs corresponding to the languages configured for the notice depending on their availability and in this order:

• Language currently displayed to the user
• Default language configured for the notice
• English
• Any language available

👩‍🔧 Action required from you

None.

✅ Display data categories

📋 New TCF V2.2 policy

The IAB defines a list of 11 categories of data that vendors can declare during the registration process. Since this new information must be displayed in the CMP, it is necessary to:

• Include categories of data processed by each vendor in the 3rd layer.
• Include a description for each category.

👉 Impact on Didomi console and consent notices

A new section is displayed in the 3rd layer of the consent notice for each vendor, including the list of categories of data processing used by the vendor and the description of each category.

👩‍🔧 Action required from you

None.

✅ Display retention period

📋 New TCF V2.2 policy

For each vendor, purpose retention periods must be disclosed. 

👉 Impact on Didomi console and consent notices

In the 3rd layer, below each vendor, the retention period (in days) will be displayed for each purpose and special feature, except for Purpose 1.

👩‍🔧 Action required from you

None.

✅ Improvement of purposes & features disclosures

📋 New TCF V2.2 policy

Improvements made to purpose and feature disclosures to facilitate end-user comprehension:

• New names for TCF purposes, special purposes, features, and special features
• New user-friendly descriptions for TCF purposes, special purposes, features, and special features
• Removal of “legal texts” (see below)
• Addition of illustrations (i.e., examples) for each purpose

👉 Impact on Didomi console and consent notices

On 2nd and 3rd layers:

• Existing texts (names and descriptions will be updated)
• Legal texts (and the information “i” icon next to the purpose description on notices are no longer available

• Illustrations/examples are included (grey square in the screenshots below)

👩‍🔧 Action required from you

None.

✅ Improved policies on withdrawal of consent

📋 New TCF V2.2 policy

Publishers should ensure the consent notice can be easily revisited by users at any time. In addition, where users have previously provided global consent, the CMP UI that is accessed should include a way for them to withdraw consent globally.

👉 Impact on Didomi console and consent notices

Pre-migration, users who revisited the CMP UI, arrived directly on the 2nd layer.
Post-migration, where 1) IAB integration is enabled and 2) there is a « disagree and close » option enabled on the 1st layer, a similar bulk action option will be enabled on the 2nd layer in the event that the user re-accesses the notice. This option cannot be disabled.

Note that this behavior also applies for « disagree and close » options for local exceptions such as France and Italy.

👩‍🔧 Action required from you

You must provide users with the possibility to visit the CMP UI from an easily accessible link or Call to Action (CTA).

Didomi offers several options, including:

• A footer link that you can obtain directly from the Console at the Publish stage of the notice configuration flow.

• Leverage our Privacy Hub widget to have a floating icon. It facilitates access to any privacy link you would like to share with site users, including a link to the consent notice. To implement the Privacy Hub, please refer to this documentation. Note that it the Privacy Hub is only available using a script, with limited customization options. 
  

✅ New purpose added

📋 New TCF V2.2 policy

Creation of an Purpose #11: “Use limited data to select content”.

👉 Impact on Didomi console and consent notices

• Consent will be re-collected if the notice includes vendors using this new purpose, as consent will be missing for this specific purpose. Note that automatic re-collection will be carried out taking into consideration the window for re-collecting consent specified in your notice configuration. 
• Some stacks will be automatically updated to include purpose 11.  According to the policy, the following stacks now include purpose 11: 12, 13, 14, 15, 16, 23, 24, 25, 26, 28, 30, 31, 32, 33, 34, 35, 36, 37, 41, 42, 43.

👩‍🔧 Action required from you

Please verify the number of days in the window (see above) before re-collecting consent if you do not wish to re-collect consent immediately after changes in your vendor list. 

✅ Console warning for “Enable all IAB vendors” option

📋 New TCF V2.2 policy

Display a warning about the impact of a large number of vendors on users’ ability to make informed choices.

👉 Impact on Didomi console and consent notices

A new warning is displayed next to the “Enable all IAB vendors” checkbox.

👩‍🔧 Action required from you

If possible, try to limit the number of vendors included in your notices.

✅ Display the number of vendors

📋 New TCF V2.2 policy

Disclose the number of vendors in the first and second layers of a consent notice by purpose and legal basis.

👉 Impact on Didomi console and consent notices

1st layer

The number of vendors is displayed by default in the first layer, in the Standard Text using a macro. The only obligation dictated by the IAB is to display the number of IAB vendors. You can decide if you wish to display by choose between one of our 2 macros. For clarity and transparency, we recommend you display the total count. 

Macro 1:

To dynamically display the count of all vendors, use the following macro: {numberOfPartners}

Macro 2:

To dynamically display the count of IAB vendors, use the following macro: {numberOfIABPartners}

2nd layer

In the 2nd layer, the total number of third-party vendors per purpose and per legal basis is indicated.

When you click on the number of vendors, you will access the list of vendors for this specific purpose and/or legal basis. IAB vendors are also tagged.

👩‍🔧 Additional information

To comply with IAB TCF requirements, Didomi has implemented by default the Macro1 into the standard text.

Here the following text : 

In case of a standard text without macro and with or without link you will have the count in the view our partners link:

✅ Deprecation of getTCData

📋 New TCF V2.2 policy

GetTCData is deprecated.

The TCF v2.2 Technical Specifications will now mandate vendors to use event listeners in order to ensure that any changes to TC Strings are proactively communicated to them and other vendors.

This reduces the number of calls that the vendor would need to make to the API in order to obtain the latest TC String using getTCData.

👉 Impact on Didomi console and consent notices

You are only impacted if you have a custom implementation using GetTCData method for checking vendor and purpose status depending on consent value. In this case, the status won’t be available anymore and it might break your website.

👩‍🔧 Action required from you

You need to get in touch with your IT team to re-validate any custom code you have running on your websites and check whether getTCData is being used. If so, it needs to be replaced with addEventListener, using the callback function to access the tcData object in order to get the same data as before but in a different place.

You will find more information about the steps to follow in our migration guide here.