CMPs must adhere to TCF Policies and UI/UX requirements
Last year’s enforcement decision by the CNIL against French mobile ad tech company Vectaury has sent shockwaves through the CMP community, due to Vectaury’s CMP being deemed by the French regulator to be in breach of GDPR requirements for valid consent. Key shortcomings of Vectaury’s CMP could have been easily avoided had it followed TCF Policies for CMPs more closely. We therefore urge all CMPs to ensure that they are implementing TCF Policies correctly. This is even more important given the responsibility CMPs have for the Publisher’s they work for, as well as for the Vendors who rely on the consent signals they create.
In addition to the need to register CMPs with the Framework in order to be able to send TCF-compliant consent signals, the signals CMPs generate are only reliable if they comply with the law. IAB Europe and its members have been making considerable efforts in understanding legal requirements of the GDPR with respect to consent and published a Working Paper on Consent since adoption of the GDPR in 2016. These efforts have been woven into the TCF Policies, notably into Appendix B on UI/UX Guidelines and Requirements. The TCF FAQs give further clarity on UI requirements (see p. 11-13 and p. 22).
In summary, these are some key elements of a compliant CMP UI under the TCF Policies:
- Initial layer of the UI must be prominently displayed, covering all or substantially all of the content of the page or app. Information to be provided on this initial layer of the UI must at minimum include:
- Multiple parties will be accessing and/or storing information, such as cookies, on the user’s device and process their personal data and examples of the type personal data.
- A link to the enumerated list of named third parties (Vendors).
- The Purposes for which the Publisher and its third party Vendors wish to access and/or store information, such as cookies, on the user’s device and process their personal data using the standard names provided in the Vendor List.
- An explanation that the user is asked to provide their consent and can change their mind at any time and withdraw consent, as well as an explanation of how to do so (e.g. link at the footer of the page or in the privacy policy that allows resurfacing the CMP UI). A user should also be informed of the consequence of consenting and/or not consenting.
- Calls to action of equal visual prominence that at a minimum include a way to consent and a way to access advanced options and information.
- Options and information that must at minimum be provided in secondary layers of the UI includes:
- Users must be able to review the Purposes, including their standard definitions, and (if applicable) exercise granular choices regarding these Purposes.
- Users must be able to review the enumerated list of named third parties (Vendors), and have access to information made available on the Vendor List by Vendors. This information must at a minimum, include:
- Vendor’s name
- Link to Vendor’s privacy policy
- The Purposes for which the Vendor processes personal data
- The legal basis or bases relied upon by the Vendor by Purpose
- The Features the Vendor relies on when processing personal data
Moreover, it should be noted that consent signals, by their very nature can only be created on the basis of a clear affirmative user interaction with the CMP that unambiguously signifies their consent to the processing. Creation of consent signals by CMPs or others absent such a clear user interaction is therefore not permitted.
