TCF 2.0 Transition Guide: What publishers must know

TCF 2.0 Transition Guide: What publishers must know

by Usercentrics
Jul 29, 2020
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

The clock is ticking. On August 15 2020, the Transparency and Consent Framework 2.0 (TCF 2.0) will come into force. What this means for publishers, we explain here.

TCF 2.0 – Overview of the most important points

More transparency, control and flexibility for all actors in the online value chain – the ultimate goal of the TCF 2.0. 

The three actors

= Website operators and those responsible for websites Advertisers are also regarded as publishers in the spirit of TCF if they allow data to be gathered on their websites via vendors – e.g. for evaluating website performance or measuring the success of a campaign, collecting cookies for retargeting or personalising content. = All service providers in the delivery chain wishing to process data as a third party system. These include, for example, website tracking systems, Ad Servers and Ad Verification providers, Demand Side Platforms (DSPs), Sell Side Platforms (SSPs) and Data Management Platforms (DMPs). = Technical solution for making user consent to process personal data accessible to all participants of the advertising and value chain via an interface. The CMP acts as a link between the publisher and the vendor and ensures that advertisers can gather and forward data in accordance with the current applicable data protection laws.

The Global Vendor List (GLV)

If vendors wish to gather and process user data or access information on users’ end devices, in accordance with IAB, they need to register and become part of the so-called “Global Vendor List” (GVL). Not only that, they need to provide during registration all purposes for which they may wish to use the user data.

⇨ With this information from the GVL the user then generates its own vendor list in its CMP. Information regarding the GVL’s vendors is updated weekly by Usercentrics and automatically incorporated by the CMP. Publishers therefore have no need to act themselves.

Background: The IAB publishes a new version of the GVL every Friday. Usercentrics updates it overnight from Thursday to Friday so that it is available from Friday in the Usercentrics Admin Interface.

In practice – TCF 2.0 Usercentrics Product 

Here are some examples of events which may occur during a week and would result in a necessary GVL update:

  • A new vendor has been added ⇨ The publisher can now add it to its CMP configuration.  
  • An existing vendor has added a new purpose⇨ Usercentrics incorporates the new information.
  • An existing vendor has changed the legal basis of an existing purpose ⇨ Usercentrics incorporates the new information.
  • An existing vendor has left the IAB ⇨ Usercentrics removes the vendor from the CMP configuration and releases a message in the Admin Interface.

The following fundamental principle applies: Any person or company wishing to use data for marketing purposes requires an appropriate legal basis (Article 6 GDPR) in order to be GDPR compliant.

A legal basis must be provided by the vendor for each purpose for which it uses the data. This can be explicit consent, legitimate interest or both:

Explicit consent means that the consumer must explicitly agree to this purpose in the CMP (via opt-in).

Legitimate interest means that the data processing organisation has a valid reason for processing data which outweighs the potential individual risks – and therefore only requires disclosure.

With TCF 1.1 every purpose had at least one of two declared legal bases i.e. legitimate interest or explicit consent. With version 2.0 providers can now select from three different legal bases for data processing:

  1. Consent as the sole legal basis 
  2. Legitimate interest as the sole legal basis  
  3. Consent or legitimate interest ( Important to know: The combination of both can be requested through the TC string, however, this logic of combination of both bases is not situated on the vendors’ sites and is therefore not mapped in the TC string.)

The vendor indicates the valid legal basis valid for a given purpose when registering with the IAB. Publishers must adhere to the following at first.

With the flexible purposes the vendor can indicate (although this is not required) its flexibility for certain purposes and allow the publisher to run the respective purposes based on whichever legal basis fits (from the publisher’s perspective).

Flexible legal bases can be indicated by vendors for all purposes, with the exception of purpose 1 as it deals with sensitive data and is therefore only permitted with consent.

With a flexible legal basis the vendor assigns either consent or a legitimate interest as a standard. Flexible legal bases can be indicated by vendors for all purposes, with the exception of purpose 1(stated above) as it deals with sensitive data and is therefore only permitted with consent.

The objective of the “flexible” option is to take account of various legal precedents within the EU which interpret the GDPR differently. Publishers therefore have the opportunity to operate in various markets according to various legal bases.

Nevertheless, the publisher has the last word in terms of which legal basis is assigned to a vendor for individual purposes. The chosen purposes are indicated in the IAB during registration. The publisher is then able to maintain full control over which vendors are permitted to engage with its users on its website.

With TCF 2.0 users may now object to the gathering of their data when “legitimate interest” is the stated legal basis.

Whilst the legal basis for legitimate interest was activated as a standard up until now, a check box is now contained directly in the TCF interface for this purpose.  

Should a user object to the use of his or her data on the basis of legitimate interest, the objection will be treated technically as a revocation (opt-out) of consent and saved as such. What is more, it occurs automatically without the publisher having to undertake any manual adjustments.

As a publisher you have the ability to adjust the functions and select from the following options:

  • Deactivate legitimate interest ⇨ vendors declaring a legitimate interest will be removed
  • Rely solely on legitimate interest ⇨ vendors asking for explicit consent will be removed or
  • Keep the standard settings ⇨ the legal basis of the respective vendor will be used exactly as it is

It is the publisher’s job to obtain user consent and then make this information available to its partners in the form of an IAB TC String .

What is the IAB TC string?

The IAB TC string is a coded series of characters containing:

  • All relevant information regarding the user’s consent 
    • Consent status for legal basis consent per purpose
    • Consent status for legal basis legitimate interest per purpose
    • Consent status for legal basis consent per vendor
    • Consent status for legal basis legitimate interest per vendor
    • Consent status for special featuresScope (global or service-specific)
  • Information regarding the vendors who have obtained user consent and for what purpose

Further information on the subject for publishers: IAB (Page 25).

The TC string:

  • Is saved in the local storage on the user’s end device when the service-specific scope is selected
  • only stored in the “euconsent-v2” cookie on the domain when the global scope is selected

In both cases, the TC string is stored on the Usercentrics servers to ensure your company meets the documentation requirement.  

⇨ This enables all parties involved to check the authenticity of the TC strings.  

This TC string can only be generated by an IAB certified Consent Management Platform (CMP)!

The Banner Text

The banner text must now be significantly more comprehensive and specific in order to comply with IAB TCF 2.0 requirements. Usercentrics has created a pre-written text version available to its customers which complies with all requirements stipulated in the TCF policies. 

The process after the transition to TCF 2.0:

Transitioning to TCF 2.0 will be translated into end users  being shown a new banner, asking for their preferences upon their first visit to the website.

The CMP will save this consent for 13 months after it has been granted. Subsequently, the user preferences will once again be asked for, via a banner.

Larger granular selection for users in the first and second layer.

In order to meet the requirements of the IAB, the banner must fulfil certain criteria both on the first and second layers.

⇨ First Layer: The first layer intends to provide users a transparent overview regarding the use of their data for various purposes and to request their consent or revocation.


⇨ Second Layer: On the second layer the user must be given the opportunity to view further information and to make thoroughly informed opt-in decisions, based on detailed and granular information.


Purposes Tab:


Vendor’s Tab:

The Purposes of Data Processing

TCF v1.1 made a distinction between five purposes for data processing . TCF 2.0 has expanded this to ten as displayed below.. Users receive detailed options so they can make thoroughly informed decisions as to how their data is used.



Special Purposes and Special Features – new developments:  

⇨ Special Purposes: With TCF 2.0 there are now two additional purposes which users are unable to revoke due to security reasons. These exist to grant extra protection to end users and assure the latter have been correctly informed. 

⇨ Special Features: These are features that require their own opt-in. They include, for example, the use of geolocation data.


From TCF 1.0 to TCF 2.0

The IAB published its Transparency Consent Framework (TCF) 1.0 in April 2018, approximately one month before the GDPR came into force. 

Background: The TCF 1.0 was a reaction to the new requirements of the GDPR and stipulated that ad targeting data could only be used with the user’s consent. Considering  version 1.0 showed several shortcomings in several key areas (e.g. vendors were given too many advantages and the big industry players had not joined in) the framework was revised into version 2.0 and published in August 2019. This updated version came into force one year later, August 2020.

The advantages of TCF 2.0

Consumers at present, with TCF 2.0 operative,  enjoy more transparency and control when providing or revoking consent and exercising their right to object to personal data being processed on the basis of legitimate interest. TCF 2.0 provides  publishers more control and flexibility for the integration and cooperation with technology partners in view of the fact that the power  is now in place to limit the purposes for which personal data is processed for each provider.

Short & concise

  • GDPR prohibits the gathering of data without a legal basis ⇨ Marketing is only possible with the appropriate consent of users.
  • The GDPR Transparency and Consent Framework (TCF) provides a technical standard for all sectors for retrieving and transferring a user’s consent signals to third parties working with publishers e.g. Google, Criteo, Quantcast, Taboola etc.
  • Anyone wishing to continue using programmatic advertising via providers who have signed up to the framework must transmit the user consent in the form of a TC character string.

⇨ This TC string can only be generated with the help of an IAB certified Consent Management Platform (CMP)!

BOTTOM LINE – What’s next?

One thing is clear, especially after tech giant Google’s decision to integrate TCF 2.0: TCF 2.0 has the potential to become the new industry standard. Whether or not this actually occurs remains to be seen. Publishers wishing to protect their advertising revenues should prepare for all eventualities starting today. At the latest, when vendors start demanding that user consent be transmitted in the form of a TC string, it will no longer be possible without an IAB certified CMP.


Home Resources Article TCF 2.0 Transition Guide: What publishers must know

Related Articles

South Africa’s Protection of Personal Information Act – an overview

South Africa’s Protection of Personal Information Act – an overview

South Africa’s POPIA is a data privacy law that preceded the GDPR by five years. We look at how...

Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados (LGPD) – an overview

Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados (LGPD) – an overview

Brazil’s LGPD builds on existing Brazilian law and is influenced by the GDPR. We look at how it addresses...