TCF 2.2 publishers’ guide: updates, insights, and best practices

Navigating the GDPR and ad tech regulation is an ongoing challenge for app publishers, especially when delivering targeted ads to consumers.

The Internet Advertising Bureau Europe (IAB) launched the updated Transparency and Consent Framework version 2 (TCF v2.2) in May 2023, bringing with it a slew of new obligations and guidelines. The update is a response to criticism of the TCF v2.0 and has significant implications for how online advertising works for both publishers and advertisers.

In this guide, we’ll share what the TCF v2.2 is, how it impacts your app, and provide best practices for a smooth transition to the updated framework.

IAB TCF v2.2 is the latest set of Transparency and Consent Framework (TCF) changes and guidelines. The Framework was launched in 2016 to enhance transparency and customer control over personal data processing by publishers and advertisers in the digital advertising ecosystem.

This updated version gives consumers more control over their personal data, particularly in the context of advertising and content personalization.

With these changes, app publishers should be cautious, not only about how they collect and share users’ consented data but also how their vendors and technology partners process that data.

The deadline to comply with the updated TCF v2.2 was originally September 30, 2023. This was delayed two months to November 20 to give companies more time to meet the requirements.

If you still haven’t updated your app to comply with the new framework, you need to act now.

Noncompliance will not stop your CMP from working correctly, however, not being able to signal valid consent per recent requirements could result in restrictions or losing access to important platforms, like Google’s advertising services. In today’s data-conscious digital markets, you can’t simply sweep rogue mobile advertising placements or poor data privacy practices under the rug.

Vendors and other third parties that rely on valid consent for their services to operate will take notice. Noncompliance may damage your business or customer relationships and reduce potential ad revenue.

If you missed the deadline, update your consent practices to align with TCF v2.2 requirements as soon as possible. The quickest way to do this is to implement a reputable CMP, like Usercentrics Apps CMP, that’s tailored to these requirements right out of the box, and is also registered with the IAB.

By demonstrating your adherence to current data protection and privacy standards, you’ll help restore your vendor functionality and build user trust.

The TCF v2.2 gives power back to users who can share, refuse, or revoke consent at any time. To avoid the risk of noncompliance, app publishers must adhere to standards when collaborating with third-party vendors.

App publishers need to pay close attention to the following areas.

Under the TCF v2.2, app publishers are required to explicitly mention what technologies they use to collect personal data, and how they process it.

App developers must disclose the user data they collect, for what purposes, and what third parties it may be shared with, among other requirements.

Publishers also need to provide users with the ability to refuse consent or to change or withdraw previously granted consent at any time. This needs to be as easy to do as to give consent.

Thanks to the TCF v2.2, app publishing companies can now exercise more control over how their vendors and tech partners access and handle user data.

For example, publishers can set custom requirements specifying how every vendor can process the user data collected on their website. App companies can also limit the purpose of data processing to a single activity, such as ad personalization or visitor analytics.

Vendors can register as capable of operating under multiple legal bases, and publishers can specify their preferred legal bases for partnering with vendors. This enables vendors and publishers to navigate markets with varying legal requirements for processing personal data.

The TCF v2.2 requires publishers to provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies. Additionally, for consent requests to be valid, users must be provided with the following information for each vendor:

• purposes (for data processing) and any special purposes
• associated legal bases for the purposes
• retention period for personal data re. fulfilling each stated purpose
• features and special features
• categories of data collected and processed

If a publisher is using legitimate interest as their legal basis, they must provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies, as well as the following information for each vendor:

• purposes (for data processing) and special purposes
• associated legal bases for the purposes and a link to each vendor’s explanation of its legitimate interest(s) at stake
• retention period for personal data re. fulfilling each stated purpose
• features and special features
• categories of data collected and processed

By providing this information in advance of data processing, individuals are empowered to make informed decisions about their data.

While not an absolute legal requirement, app publishers are advised to work with vendors that comply with the TCF v2.2 and are on the IAB’s vendors list. By doing so, all parties involved agree to adhere to the same standards, which reduces the overall risk of noncompliance.

Refer to the TCF v2.2-compliant CMP list to verify whether your CMP provider meets to the TCF v2.2’s requirements.

Usercentrics is a leading Google-certified CMP that complies with TCF v2.2 standards and is on the IAB’s list. Thousands of apps in 180+ countries rely on our platform to support them in achieving compliance with the GDPR, CCPA, LGPD, POPIA, and other laws and frameworks.

The TCF v2.2 can impact app companies’ revenue. If informed users decide to opt out of personalized ads, app publishers could lose programmatic ad revenue.

Publishers that get most of their traffic in the EU could experience this revenue drop the most due to the region’s regulations and requirements being levied by large digital platform providers. Even so, it’s best to adopt the TCF v2.2 no matter where you operate, since most programmatic ad platforms will eventually stop advertising on websites and applications that haven’t implemented it.

Not meeting the latest standards and requirements could result in an even greater revenue hit from critical third parties. For example, Google now requires European advertisers to use a certified CMP that integrates with the TCF v2.2, or else they will not be able to do personalized advertising.

Let’s explore the benefits and challenges that app publishers face with TCF v2.2.

App publishers face both opportunities and challenges as the ad tech ecosystem adopts these TCF policies. The benefits of implementing the TCF v2.2 framework include:

• improved collaboration as data protection authorities and vendors move toward industry standards for collecting, managing, and exchanging user data
• greater control, flexibility, and security, since the TCF v2.2 enables publishers to choose what data they share with vendors on a per-vendor basis
• removal of legitimate interest provisions means publishers are more likely to need a Consent Management Platform (CMP) to meet consent requirements for advertising and personalization
• better consumer privacy protection, as the TCF v2.2 puts control back in users’ hands to grant or deny consent for use of the personal data that publishers collect and process

Some challenges app publishers must keep in mind while migrating to TCF v2.2.

• In-house CMP solutions aren’t enough: Considering managing compliance with an in-house solution? You’ll face technical and legal challenges. Publishers will likely need full-time resources to achieve and maintain compliance with the GDPR. Privacy compliance requirements are publishers’ responsibility if they collect personal data, but a CMP can help meet technical and legal needs and cut down on resource requirements on the publishers’ side, e.g. via automated functionality.
• Lower consent rates: Users can see and avoid apps that don’t meet TCF v2.2 UI requirements, or don’t abide by UX best practices,. This may be more likely for those using home-grown CMPs or some third-party ones. A Usercentrics study that reviewed hundreds of apps available in the EU showed that 90 percent of them were not compliant with the GDPR or ePrivacy Directive. That’s why it’s best to switch to a TCF v2.2-compliant CMP that offers ad result optimization features.
• Keeping up with regulations: The influx of new privacy laws and the evolution of existing ones is another challenge for publishers, who may need to comply with multiple regulations, including the CCPA and GDPR. Handling numerous frameworks and laws compliantly and in a user-friendly way is a challenge. Using a single CMP platform to meet different compliance requirements makes this much easier.

Tackling these challenges becomes easier when publishers team up with a TCF v2.2-compliant CMP partner to handle user consent collection, storage, and management.

A CMP makes it easier for publishers to obtain the consent they need once they’ve determined which of the processing activities they do requires it. It can then find preferred vendors, or publishers can select them up manually, and display data processing purposes in multiple languages.

A CMP also securely stores user consent choices, enabling users to change them or withdraw previously granted consent. It also equips companies to provide the required information in the event of an audit by data protection authorities or a data subject access request.

Achieving privacy compliance with the TCF v2.2 may seem challenging, but it is achievable. All you need is the right tools to set up an ecosystem that enables you to seamlessly connect with and manage vendors and users. Follow these best practices to stay compliant in the TCF v2.2 era and beyond.

• Help users make informed decisions by providing them with the required complete list of data processing partners and legal bases used by your organization.
• Explicitly mention data storage and use policies that publishers and their third-party partners follow.
• Obtain user consent for the use of technologies like cookies that track users, and/or before collecting users’ personal data, like IP addresses and device identifiers, in line with relevant regulatory requirements.
• Enable users to access the list of third parties (aka vendors) that may process users’ data.
• Inform users about the consequences of declining consent, such as certain functions that may not work correctly or at all, or the inability to provide personalized experiences.
• Give users the ability to update, withdraw, or revoke their consent choices as easily as they gave them.
• Notify users if legitimate interest is being used as the legal basis for data processing, but remember that under the TCF v2.2, user consent is now the exclusive allowed legal basis for advertising and content personalization.
• All call-to-action buttons must be equally visible. For example, if the available options are “Agree” and “Learn More,” they should be clearly presented as buttons or links that are equally visible and accessible.

These best practices will help you provide transparency to users while delivering personalized experiences based on the data you collect.

The TCF v2.2 is a broad framework that introduces strong standards and focuses on many areas of data privacy, including users’ right to object to data processing, UI requirements for CMPs, and other transparency measures.

Implementing a CMP that integrates with the TCF v2.2 helps simplify the complexities and enables companies to meet current and future regulatory and industry requirements.

Usercentrics Apps CMP meets that need. This customizable, all-in-one CMP for apps and games publishers makes it easy for you to obtain, manage and optimize consent while meeting data privacy requirements from regulators and industry partners.