Understanding IAB TCF 2.2 and Google CMP Certification
Jeffrey Edwards
|Privacy & Compliance | October 27, 2023
Recent updates to the Interactive Advertising Bureau (IAB) Transparency and Consent Framework (TCF) 2.2, along with Google’s new requirement for Google Certified Consent Management Platforms (CMPs), have significant implications for publishers publishers and developers using Google AdSense, Ad Manager, or AdMob in the EU.
These frameworks are more than just industry buzzwords; they represent a concerted effort to prioritize user privacy amidst a complex set of regulatory rules.
The deadline for moving to IAB TCF 2.2 is set for November 20, 2023, while the requirement to use Google Certified CMPs kicks in on January 16, 2024.
In this blog post, we’ll unpack the details of IAB TCF 2.2 and Google Certified CMPs, exploring what they entail, notable changes to consent management best practices, and what steps are necessary to stay compliant.
For starters, let’s explore the changes and updates to the IAB TCF.
Understanding IAB TCF 2.2 Certification
What is IAB TCF?
The IAB Transparency and Consent Framework (TCF) is a standardized initiative developed by the Interactive Advertising Bureau to help stakeholders in the digital advertising sector comply with the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive. It provides guidelines on processing personal data and managing user consent, especially when accessing or storing information on a user’s device, such as cookies and advertising identifiers. In simpler terms, it lays down the rules for how a business should collect, store, and share user information.
Why should you use IAB TCF?
Major advertising companies adhere to the IAB TCF as a standard, and many will not display ads without proof of compliance with the framework. To get that proof, advertisers rely on a signal known as the “TC string.” This compact, encoded data structure is generated when users interact with the consent management platform (CMP) on a website, and is shared with advertisers to make the user’s preferences known. This enables advertisers to understand what level of data processing is permitted by the user, helping them to comply with data protection regulations like GDPR when serving ads.
Without this TC string, advertisers lack the necessary information to process user data in a compliant manner, which could lead to them withholding their advertising from the platform, thereby potentially affecting the advertising revenue for publishers.
What’s new in IAB TCF 2.2?
The updated IAB TCF 2.2 makes a significant pivot from the prior versions, largely due to legal challenges against the framework that eventually resulted in the Belgian Data Protection Authority (BE DPA) declaring the previous iteration of the framework noncompliant with the GDPR.
Most substantial of the many changes made is that IAB TCF 2.2 no longer recognizes legitimate interest as a legal basis for advertising and content personalization. Instead, it mandates that vendors can only use consent for processing personal data for these purposes. This change is a reflection of the recent assertions by Data Protection Authorities, affirming that consent is the apt legal basis for such data processing activities.
TCF 2.2 also now provides user-friendly descriptions of purposes and features, and has standardized vendor disclosures to include the categories of data collected and the retention periods of the data.
On the technical front, TCF 2.2 includes updates aimed at enhancing the framework’s performance and reliability. Notable among these is the deprecation of the getTCData command, transitioning instead to a requirement for vendors to use event listeners to obtain the TC string. These technical modifications necessitate that publishers, advertisers, and vendors update their systems and processes to align with the new framework requirements.
What is the timeline for IAB TCF 2.2 Implementaiton?
The IAB TCF 2.2 was officially launched on May 16, 2023. The transition period extends until November 20, 2023, during which the stakeholders in the digital advertising ecosystem are expected to update their systems and processes to comply with the new framework. Post November 20, 2023, the IAB TCF 2.2 will be the valid framework that governs the consent management practices within the industry.
What is Google CMP Certification?
In a significant policy shift, Google unveiled new guidelines on May 16, 2023, dictating the terms of advertising on its network for businesses operating in the European Economic Area (EEA) and the UK. This new mandate requires businesses to not only have a consent signal from a Consent Management Platform (CMP) that integrates with the IAB TCF, but also requires that that the CMP used is certified by Google.
What is the Business Impact?
If you’re heavily invested in Google Ads, Google Analytics, or other Google services, achieving Google CMP certification is a prerequisite. Google will not allow you to monetize EU traffic without a TCF-compliant consent signal from a Google-certified CMP.
In plain English, this means that:
- Publishers serving ads to users in the EEA and the UK must collect their consent.
- Simple cookie banner plugins will not suffice unless they meet TCF 2.2 standards and have been vetted by Google.
What is the timeline for implementation?
Businesses have until January 16, 2024, to get a Google-certified CMP in place if they’re running ads on Google’s network in the European Economic Area (EEA) or the UK.
CHEQ Privacy Compliance Enforcement is Google CMP Certified and IAB TCF 2.2 Compliant
CHEQ Privacy Compliance Enforcement (PCE) is IAB TCF 2.2 compliant and a Google-certified CMP, allowing our customers operating in the EEA and UK to monetize traffic while remaining compliant with requirements from regulators and ad networks alike.
With over 70 billion consents served, CHEQ Privacy helps make privacy easy and avoid regulatory pitfalls with granular consent modules,, robust data governance and reporting, and best-in-class user privacy enforcement.
Enforce privacy in real-time
Automatically block and allow tracking technologies based on consent, without relying on APIs or third-party integrations, retaining marketing agility and regulatory compliance without the need to change workflows or implementations.
Stop data leakage and prove compliance with data governance
Maintain organized consent records and avoid accidentally collecting PII or other sensitive data patterns in approved technologies and maintain compliance regardless of missteps by employees or external partners.
Monitor third-party technologies
Monitor and control all tags on your site with intelligent categorization of third-party technologies. Ensure that privacy choice enforcement is not only applied to direct website services but all services utilized by proxy.
Easy setup and integration
One line of code enables seamless privacy compliance, with no changes to live martech implementations and easy integration into existing privacy workflows.
Customizable consent
CHEQ PCE allows you to configure your consent modals with custom branding, and location or regulation-specific templates.
Cross-domain and cross-device consent
CHEQ PCE also offers the option to extend consent across all of your digital properties, across multiple domains and device-types.
Ready to secure your customer privacy and compliance? Get started with a demo today.
Author
Jeffrey Edwards
Content Marketing Manager
Jeff is the resident content marketing expert at CHEQ. He has several years of experience as a trained journalist, and more recently in his career found a knack for communicating complex cybersecurity topics in an approachable yet detailed manner.
