TCF v2.2: What will change in your notice

TCF v2.2 features will be delivered at the beginning of September (cf. implementation calendar). Please bear in mind that there may be changes in this documentation (including screenshots) before the delivery date.

 

The IAB recently approved iterations to the TCF framework policies, and a new version (TCF v2.2) will be enforced on November 20th, 2023. These changes are driven by the natural evolution of privacy laws and DPA guidelines, as well as increasing customer privacy concerns and needs. They will bring more transparency and standardization of information regarding the processing of personal data and how choices should be collected and respected.

The aim of this documentation is to present the main changes brought by TCF v2.2 and how they will be reflected in the Didomi console and in your consent notices.

The new guidelines for TCF v2.2 include changes to the notice design. Even where no specific action is needed on your part, we still recommend that you double-check that your notice is properly rendered, especially if you are using specific CSS customization.

✅ Removal of legitimate interest for 4 purposes

📋 New TCF V2.2 policy

Legitimate interest is no longer an acceptable legal basis for the following purposes:

  • Purpose 3: Create a personalized ads profile
  • Purpose 4: Select personalized ads
  • Purpose 5: Create a personalized content profile
  • Purpose 6: Select personalized content
👉 Impact on console & notice
  • The legal basis will no longer be available in the vendor list for the above purposes, nor will it be available in the notice.
  • It will no longer be possible to apply publisher restrictions on the legal basis for these 4 purposes, as only consent will be available.
Capture d’écran 2023-06-30 à 11.24.47
  • Publisher restrictions on the legal basis for these 4 purposes that were created before the migration will no longer be accessible from the console.
  • Please note that consent re-collection will not be triggered by having a legal basis removed, and consents collected before migration are not impacted (i.e., they remain valid). However, legitimate interest choices will no longer be relevant, since vendors may no longer use legitimate interest as a legal basis for these 4 purposes.

👩‍🔧 Action required from you

None.

✅ Display legitimate interest at stake

📋 New TCF V2.2 policy

Each vendor can provide a dedicated link explaining their use of legitimate interest.

    👉 Impact on Didomi console and consent notices

    A new legitimate interest link will be displayed in the 3rd layer of the consent notice, in each vendor’s section, next to the privacy policy link. This will be only displayed if the information is available from the GVL.

    Screenshot 2023-10-04 at 16.28.13-1Screenshot 2023-10-04 at 16.33.42

    👩‍🔧 Action required from you

    None. 

    ✅ Multi-language privacy URLs

    📋 New TCF V2.2 policy

    Each vendor will have the possibility to declare different privacy URLs (privacy policy and legitimate interest at stake) per language.

    👉 Impact on Didomi console and consent notices

    In the third layer of the consent notice, the links to the privacy policy and legitimate interest at stake will be adjusted based on the notice language and on the languages declared by the vendor in the Global Vendor List (GVL).

    Didomi will use the vendor URLs corresponding to the languages configured for the notice depending on their availability and in this order:

    • Language currently displayed to the user
    • Default language configured for the notice
    • English
    • Any language available

    👩‍🔧 Action required from you

    None.

     

    ✅ Display data categories

    📋 New TCF V2.2 policy

    The IAB defines a list of 11 categories of data that vendors can declare during the registration process. Since this new information must be displayed in the CMP, it is necessary to:

    • Include categories of data processed by each vendor in the 3rd layer.
    • Include a description for each category.

    👉 Impact on Didomi console and consent notices

    A new section is displayed in the 3rd layer of the consent notice for each vendor, including the list of categories of data processing used by the vendor and the description of each category.

    Screenshot 2023-10-04 at 16.31.05Screenshot 2023-10-04 at 16.31.54

    👩‍🔧 Action required from you

    None.

    ✅ Display retention period

    📋 New TCF V2.2 policy

    For each vendor, purpose retention periods must be disclosed. 

    This requirement is not applicable to Purpose 1.

    👉 Impact on Didomi console and consent notices

    In the 3rd layer, below each vendor, the retention period (in days) will be displayed for each purpose and special feature, except for Purpose 1.

    Screenshot 2023-10-04 at 16.34.48Capture d’écran 2023-06-30 à 17.23.46

      👩‍🔧 Action required from you

      None.

      ✅ Improvement of purposes & features disclosures

      📋 New TCF V2.2 policy

      Improvements made to purpose and feature disclosures to facilitate end-user comprehension:

      • New names for TCF purposes, special purposes, features, and special features
      • New user-friendly descriptions for TCF purposes, special purposes, features, and special features
      • Removal of “legal texts” (see below)
      • Addition of illustrations (i.e., examples) for each purpose

      👉 Impact on Didomi console and consent notices

      On 2nd and 3rd layers:

      • Existing texts (names and descriptions will be updated)
      • Legal texts (and the information “i” icon next to the purpose description on notices are no longer available

      Capture d’écran 2023-08-28 à 15.05.55

      • Illustrations/examples are included (grey square in the screenshots below)

      Screenshot 2023-10-04 at 16.36.32

      👩‍🔧 Action required from you

      None.

      Where two illustrations (examples) are available for a purpose, the IAB allows you to modify one of these. This option is not yet available on the Didomi Console but will be added soon.

      ✅ Improved policies on withdrawal of consent

      📋 New TCF V2.2 policy

      Publishers should ensure the consent notice can be easily revisited by users at any time. In addition, where users have previously provided global consent, the CMP UI that is accessed should include a way for them to withdraw consent globally.

      👉 Impact on Didomi console and consent notices

      Pre-migration, users who revisited the CMP UI, arrived directly on the 2nd layer.
      Post-migration, where 1) IAB integration is enabled and 2) there is a « disagree and close » option enabled on the 1st layer, a similar bulk action option will be enabled on the 2nd layer in the event that the user re-accesses the notice. This option cannot be disabled.

      Note that this behavior also applies for « disagree and close » options for local exceptions such as France and Italy.

      👩‍🔧 Action required from you

      You must provide users with the possibility to visit the CMP UI from an easily accessible link or Call to Action (CTA).

      Didomi offers several options, including:

      • A footer link that you can obtain directly from the Console at the Publish stage of the notice configuration flow.

      • Leverage our Privacy Hub widget to have a floating icon. It facilitates access to any privacy link you would like to share with site users, including a link to the consent notice. To implement the Privacy Hub, please refer to this documentation. Note that it the Privacy Hub is only available using a script, with limited customization options. 

      ✅ New purpose added

      📋 New TCF V2.2 policy

      Creation of an Purpose #11: “Use limited data to select content”.

      👉 Impact on Didomi console and consent notices

      • Consent will be re-collected if the notice includes vendors using this new purpose, as consent will be missing for this specific purpose. Note that automatic re-collection will be carried out taking into consideration the window for re-collecting consent specified in your notice configuration. 
      • Some stacks will be automatically updated to include purpose 11.  According to the policy, the following stacks now include purpose 11: 12, 13, 14, 15, 16, 23, 24, 25, 26, 28, 30, 31, 32, 33, 34, 35, 36, 37, 41, 42, 43.

      👩‍🔧 Action required from you

      Please verify the number of days in the window (see above) before re-collecting consent if you do not wish to re-collect consent immediately after changes in your vendor list. 

      ✅ Console warning for “Enable all IAB vendors” option

      📋 New TCF V2.2 policy

      Display a warning about the impact of a large number of vendors on users’ ability to make informed choices.

      👉 Impact on Didomi console and consent notices

      A new warning is displayed next to the “Enable all IAB vendors” checkbox.

      Capture d’écran 2023-07-07 à 17.02.07

      👩‍🔧 Action required from you

      If possible, try to limit the number of vendors included in your notices.

      ✅ Display the number of vendors

      📋 New TCF V2.2 policy

      Disclose the number of vendors in the first and second layers of a consent notice by purpose and legal basis.

      👉 Impact on Didomi console and consent notices

      1st layer

      The number of vendors is displayed by default in the first layer, in the Standard Text using a macro. The only obligation dictated by the IAB is to display the number of IAB vendors. You can decide if you wish to display by choose between one of our 2 macros. For clarity and transparency, we recommend you display the total count. 

      Macro 1:

      To dynamically display the count of all vendors, use the following macro: {numberOfPartners}

      Macro 2:

      To dynamically display the count of IAB vendors, use the following macro: {numberOfIABPartners}

      2nd layer

      In the 2nd layer, the total number of third-party vendors per purpose and per legal basis is indicated.

       Screenshot 2023-10-04 at 16.36.32

      When you click on the number of vendors, you will access the list of vendors for this specific purpose and/or legal basis. IAB vendors are also tagged.Screenshot 2023-10-04 at 16.41.34Screenshot 2023-10-04 at 16.41.48

      👩‍🔧 Additional information

      To comply with IAB TCF requirements, Didomi has implemented by default the Macro1 into the standard text.

      Here the following text : 

      With your agreement, we and <a href="javascript:Didomi.preferences.show('vendors')" class="didomi-notice-view-partners-link-in-text">our {numberOfPartners} partners</a> use cookies or similar technologies to store, access, and process personal data like your visit on this website, IP addresses and cookie identifiers. Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can withdraw your consent or object to data processing based on legitimate interest at any time by clicking on “Learn More” or in our Privacy Policy on this website.

       

      If you want to use a different Macros or remove the current macro you will need to submit for a new standard text

      In case of a standard text without macro and with or without link you will have the count in the view our partners link:

      ✅ Deprecation of getTCData

      📋 New TCF V2.2 policy

      GetTCData is deprecated.

      The TCF v2.2 Technical Specifications will now mandate vendors to use event listeners in order to ensure that any changes to TC Strings are proactively communicated to them and other vendors.

      This reduces the number of calls that the vendor would need to make to the API in order to obtain the latest TC String using getTCData.

      👉 Impact on Didomi console and consent notices

      You are only impacted if you have a custom implementation using GetTCData method for checking vendor and purpose status depending on consent value. In this case, the status won’t be available anymore and it might break your website.

      👩‍🔧 Action required from you

      You need to get in touch with your IT team to re-validate any custom code you have running on your websites and check whether getTCData is being used. If so, it needs to be replaced with addEventListener, using the callback function to access the tcData object in order to get the same data as before but in a different place.

      You will find more information about the steps to follow in our migration guide here.