GDPR-Transparency-and-Consent-Framework

TCF vs GDPR

Open fabiomariotti opened this issue 4 years ago • 2 comments

We are implementing the TCF 2.0, and we already have a fully working GDPR solution.

We have difficulty matching the consent with a GDPR action.

Within the GDPR framework we implemented:

  • optin/optout
  • deletion
  • data request

The TCF framework does not really specify what consent or no consent means in terms of the actions above.

Our personal interpretation is that we simply stop the tracking if there is no consent. But for example we do not explicitly issue an optout or a data deletion.

It means that we are not going to propagate the signal to our partners, like for example Google, which will continue to use the "cookie"/"id" for targeted advertisement.

Would it be possible to make a better link between "consent" and the GDPR? Even for the final user. I think that the GDPR is a bit more clear on the consequences of data usage.

I might have totally missed the point!

I will be very happy to have comments!

Thanks!

fabiomariotti avatar Aug 21 '20 20:08 fabiomariotti

The TCF framework does not really specify what consent or no consent means in terms of the actions above.

It maps to "optin/optout". You use the TCF to disclose processing purposes with legal basis (consent or legitimate interest) for vendors. Vendors declaring purposes based on consent are "optin." For vendors using their legitimate interest as their legal basis, the user can "object" to this, which one could consider an optout. The user's preferences are encoded into the TCF "tcdata". This can be passed along in, for example, advertising requests so that downstream companies processing the requests can determine whether they "have consent" (have established a legal basis for the processing) by inspecting the tcdata.

Some material here might be helpful: https://iabeurope.eu/tcf-2-0/

dmdabbs avatar Aug 25 '20 22:08 dmdabbs

I do not think so.

First of all, it is missing the 2 other GDPR actions: get my data, delete my data. These are not available in any CMP/TCF pop-up.

Then the interface and the process do not really match.

I mean on a web page I give consent, on the other web page I remove it, and so on ...

The optin/optout per scope or purpose then is basically random.

Now! In our company we handle the optout as a true optout, to the best of our efforts. We set a cookie, then we do not track you anymore.

But for the TCF consent we need to rely on an external SDK which might not be consistent over the user. It might be consistent over the same CMP implementation.

Definitely not user oriented.

fabiomariotti avatar Sep 29 '20 22:09 fabiomariotti

TCF only supports optin/optout. The Get my data / Delete my data is handled by vendors individually without an industry standard.

HeinzBaumann avatar Nov 07 '23 18:11 HeinzBaumann
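
The check described in dmdabbs's comment above (a downstream company inspecting the tcdata to decide whether it has a legal basis) can be sketched as follows. This is an added example, not part of the thread or of the TCF project's code. Field names follow the TCF v2 CMP API `TCData` object; `mayProcess`, its `declaredBasis` parameter, the vendor and purpose IDs and the sample object are hypothetical or constructed.

```javascript
// Added example: gate processing on TCData. Fails closed when the signal is
// missing or the user has not yet made a choice.
const NOT_ALLOWED = 0, REQUIRE_CONSENT = 1, REQUIRE_LI = 2; // publisher restriction types

function deny(reason) { return { allowed: false, reason }; }

// declaredBasis: 'consent' or 'legitimateInterest', the legal basis the vendor
// registered for this purpose (hypothetical parameter of this sketch).
function mayProcess(tcData, vendorId, purposeId, declaredBasis) {
  if (!tcData || tcData.gdprApplies === undefined) return deny('no TC data');
  if (tcData.gdprApplies === false) return { allowed: true, reason: 'GDPR does not apply' };
  if (!['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus))
    return deny('user has not made a choice yet');

  // Publisher restrictions can forbid a purpose or force a legal basis.
  // Assumption: the vendor registered the purpose as flexible.
  let basis = declaredBasis;
  const restriction = tcData.publisher?.restrictions?.[purposeId]?.[vendorId];
  if (restriction === NOT_ALLOWED) return deny('publisher restriction');
  if (restriction === REQUIRE_CONSENT) basis = 'consent';
  if (restriction === REQUIRE_LI) basis = 'legitimateInterest';
  if (purposeId === 1 && basis !== 'consent') return deny('purpose 1 is consent-only');

  // Both the purpose signal and the vendor signal must be set for the basis.
  const key = basis === 'consent' ? 'consents' : 'legitimateInterests';
  const purposeOk = tcData.purpose?.[key]?.[purposeId] === true;
  const vendorOk = tcData.vendor?.[key]?.[vendorId] === true;
  if (purposeOk && vendorOk) return { allowed: true, reason: basis };
  return deny(basis === 'consent' ? 'no opt-in' : 'user objected or LI not established');
}

// Constructed sample, shaped like what an addEventListener callback receives.
const sampleTcData = {
  gdprApplies: true,
  eventStatus: 'useractioncomplete',
  purpose: { consents: { 1: true, 3: false }, legitimateInterests: { 2: true, 7: false } },
  vendor: { consents: { 42: true }, legitimateInterests: { 42: true } },
  publisher: { restrictions: { 2: { 42: REQUIRE_CONSENT } } },
};

for (const [purpose, basis] of [[1, 'consent'], [3, 'consent'], [2, 'legitimateInterest']]) {
  console.log(purpose, basis, mayProcess(sampleTcData, 42, purpose, basis));
}
```

The function only answers the opt-in/opt-out question; data access and deletion requests are outside what the TC data carries, as the thread notes.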