Changes in CMP Implementation Timeline and Main Improvements


Learn about the main changes for Consent Management Platforms (CMPs), including disclosure of vendor numbers, improved user-facing texts, standardization of vendor information, and more. Stay updated on the detailed implementation timeline from May to September 2023 for new releases and compliance deadlines in the digital advertising industry.

  • CMP
  • Implementation Timeline
  • Vendor Disclosure
  • User-Facing Texts
  • Digital Advertising


Presentation Transcript


  1. Speakers:
     - Frances Hudson, VP of Product, Sourcepoint
     - Giulia Stancampiano, Product Legal Manager, iubenda
     - Thomas Adhumeau, Chief Privacy Officer, Didomi
     - Peter Craddock, Partner, Keller and Heckman LLP

  2. Agenda
     - Implementation timeline
     - Main changes for CMPs
       1. Disclosure of the number of Vendors
       2. Improvements to existing user-facing standard texts
       3. Standardisation of new information about Vendors
       4. Improved policies on withdrawal of consent
       5. Changes to the TCF API commands
     - Updates to the TCF Compliance programmes
     - Q&A

  3. Implementation timeline

  4. Implementation timeline
     - May 16th 2023: Release of TCF v2.2
     - June 30th: Deadline for Vendors to update registration
     - July 10th: Reminder: deadline for CMPs to stop hosting scripts on subdomains of consensu.org
     - September 30th 2023: Deadline for supporting v2.2 (deprecation of v2.1)

     Notes:
     - New version of the Global Vendor List to build enhanced user-facing disclosures in CMP UIs is available at https://vendor-list.consensu.org/v3/vendor-list.json (already published weekly as Vendors update their registrations)
     - Existing version of the Global Vendor List will continue being published weekly until September 30th
     - Revocation of consensu.org subdomains

  5. Main changes for CMPs

  6. 1. Disclosure of the number of Vendors
     - CMPs are required to disclose in the initial layer of the UI the number of third-party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s), e.g. "We and our [number] partners store and/or access information on your device for personalised ads and content [...]"
     - The secondary layer of the UI has to disclose, for each purpose, the number of third-party Vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s).
     - These numbers should at minimum represent the number of TCF Vendors for which the publisher establishes transparency & consent, but may include the number of non-TCF Vendors as well. In practice, commercial CMPs are encouraged to compute this number automatically for their publisher clients when they make a selection of a subset of Vendors.

  7. 2. Improvements to existing user-facing standard texts
     - New names for the TCF purposes & features
     - Removal of the "legal texts", replaced by new and more detailed user-friendly descriptions
     - Creation of illustrations that should be made available to end-users on a secondary layer of the CMP UI

     The TCF Policies provide publishers with flexibility to modify/supplement standard illustrations under certain conditions, including the requirement to flag such a change in the TC String (the UseNonStandardStacks field has been expanded and renamed UseNonStandardTexts).

     The new version of the Global Vendor List reflects these upgrades: https://vendor-list.consensu.org/v3/vendor-list.json

     New translations will be made available progressively at: https://vendor-list.consensu.org/v3/purposes-{language}.json

  8. 3. Standardisation of new information about Vendors: categories of data collected and processed by Vendors
     - The categories of data commonly collected and processed by Vendors have been standardised through a dedicated taxonomy.
     - 11 categories have been created, such as "IP addresses", "device identifiers", "browsing and interaction data". CMPs should use the standard names provided by the TCF Policy and make available the corresponding user-friendly descriptions.
     - The taxonomy has been added to the GVL. The categories of data declared by Vendors are represented for each Vendor entry in the GVL.

  9. 3. Standardisation of new information about Vendors: data retention periods on a per-purpose basis
     - The declarations made by Vendors for each purpose are in days. When the retention is less than 1 day, or data is only maintained during the session, Vendors enter a declaration of 0.
     - To facilitate users' understanding, CMPs may convert retention periods provided by Vendors in days into a different time unit (e.g. in months), the same way they may currently do so with Vendors' maximum device storage durations.
     - The requirement is not applicable to Purpose 1, which is not a data processing purpose in itself but corresponds to the obligation of Article 5(3) of the ePrivacy Directive.

  10. 3. Standardisation of new information about Vendors: legitimate interests at stake
     - In addition to providing a link to their privacy policies, Vendors will also provide a dedicated link that redirects to an explanation of their legitimate interest(s) at stake when they pursue at least one purpose or special purpose on this legal basis.
     - This URL can be a bookmark/anchor within the Vendor's privacy policy or a standalone web page, and is available in the new GVL.
     - CMPs will be able to retrieve this URL from the GVL to supplement disclosures about Vendors.

  11. 3. Standardisation of new information about Vendors: support for multiple-language URL declarations
     - Vendors are now able to declare multiple URLs to their privacy documentation (one URL per language). All URLs are made available in the GVL.
     - This enables CMPs to provide users with link(s) to Vendors' privacy documentation in the same language as the one used in their UIs.
     - Where Vendors have not declared URLs to their privacy documentation in the language used in their UIs, CMPs may choose to provide links to the Vendors' documentation in a different/default language.

  12. 4. Improved policies on withdrawal of consent
     - Publishers and their CMPs need to ensure that users can re-access the CMP UI easily to manage their choices (e.g. from a floating icon, a footer link available on each webpage, the top-level setting of the app, etc.).
     - If the initial consent request presented to users contains a call to action that enables users to consent to all purposes and vendors in one click (such as "Consent to all"), an equivalent call to action should be provided when users resurface the CMP UI so as to withdraw consent to all purposes and vendors in one click (such as "Withdraw consent to all").
     - TCF v2.2 does not require that CMPs provide a call to action for users to refuse consent from the first layer of their UIs. Publishers and their CMPs should ensure they are fully aware of their local Data Protection Authority's requirements and act accordingly.

  13. 5. Changes to the TCF API commands
     - The CMP command getTCData has been deprecated. As a consequence, CMPs are no longer required to support this command.
     - 3 API commands remain required:
       1) ping
       2) addEventListener
       3) removeEventListener

     The deprecation of the getTCData command is intended to ensure that Vendors always make use of eventListener when retrieving the TC String.

  14. Updates to the TCF Compliance programmes

  15. Updates to the TCF Compliance programmes
     - Controls catalogue that maps requirements of the Policies and corresponding Technical Specifications to auditable elements and describes IAB Europe's auditing of CMPs' live installations.
     - New version of the CMP Validator Chrome extension that is publicly available.
       -> CMPs can self-test their live installations to verify compliance with the TCF using the Controls catalogue and CMP Validator.
     - CMPs do not have to apply for re-validation: the new requirements will be verified as part of IAB Europe's regular monitoring of CMPs' live installations as of the implementation deadline.
     - There is a dedicated website section explaining the TCF Compliance Programmes.

  16. Q&A

  17. Thank you!
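
Added example (not from the presentation) for slide 13: a vendor-side script that retrieves the TC String through addEventListener rather than getTCData, and so also sees a later withdrawal of consent. The stub CMP, its `emit`/`listenerCount` hooks and the TC String values are constructed so the code runs offline.

```javascript
// Constructed stand-in for a CMP so the example runs offline; a real page gets
// __tcfapi from its CMP. TC String values used with it are placeholders.
function makeStubCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (command, version, callback, param) => {
    if (command === 'addEventListener') {
      const listenerId = nextId++;
      listeners.set(listenerId, callback);
      // First call: the UI is showing, so there is no final TC String yet.
      callback({ eventStatus: 'cmpuishown', listenerId, gdprApplies: true, tcString: '' }, true);
    } else if (command === 'removeEventListener') {
      callback(listeners.delete(param));
    } else {
      callback(null, false); // e.g. getTCData on a CMP that no longer supports it
    }
  };
  // Hypothetical test hooks, not part of the TCF API.
  api.emit = (eventStatus, tcString) => {
    for (const [listenerId, cb] of [...listeners]) {
      cb({ eventStatus, listenerId, gdprApplies: true, tcString }, true);
    }
  };
  api.listenerCount = () => listeners.size;
  return api;
}

// Vendor side: subscribe once, use the TC String only when it is final, and
// receive every later change (including withdrawal) without polling.
function watchTcString(tcfapi, onTcString) {
  let id = null;
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return;
    id = tcData.listenerId;
    const final = tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete';
    if (final) onTcString(tcData.tcString, tcData.eventStatus);
  });
  // Unsubscribe through removeEventListener; resolves to the CMP's success flag.
  return () => new Promise((resolve) => tcfapi('removeEventListener', 2, resolve, id));
}

function demo() {
  const cmp = makeStubCmp();
  const seen = [];
  const stop = watchTcString(cmp, (tc, status) => seen.push(`${status}:${tc}`));
  cmp.emit('useractioncomplete', 'CONSTRUCTED-TC-1'); // user accepts
  cmp.emit('useractioncomplete', 'CONSTRUCTED-TC-2'); // user later withdraws
  return { cmp, seen, stop };
}
```

The `cmpuishown` event is ignored on purpose: acting on the TC String at that point would use choices the user has not yet confirmed.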
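
Added example (not from the presentation) for slides 6 and 9: computing the first-layer and per-purpose vendor counts for a publisher's selected subset, and turning per-purpose retention declarations into display text. The GVL excerpt is constructed; its field names (`purposes`, `legIntPurposes`, `dataRetention.stdRetention`) are assumed to follow the v3 vendor-list.json layout, and the 30-days-per-month conversion is an assumption of this example.

```javascript
// Constructed GVL excerpt. Field names are assumed to follow the v3
// vendor-list.json layout; vendor ids, names and values are invented.
const sampleGvl = {
  vendors: {
    101: { id: 101, name: 'Example Ads', purposes: [1, 2], legIntPurposes: [7],
           dataRetention: { stdRetention: 30, purposes: { 7: 395 } } },
    102: { id: 102, name: 'Example Metrics', purposes: [1], legIntPurposes: [7],
           dataRetention: { stdRetention: 0, purposes: { 7: 90 } } },
    103: { id: 103, name: 'Not selected', purposes: [1, 2, 7], legIntPurposes: [] },
  },
};

// Counts for the publisher's selected subset: one total for the first layer,
// one figure per purpose for the secondary layer.
function vendorCounts(gvl, selectedIds) {
  const perPurpose = {};
  let total = 0;
  for (const id of new Set(selectedIds)) {
    const v = gvl.vendors[id];
    if (!v) continue; // id no longer in the GVL
    // A vendor counts once per purpose, under consent or legitimate interest.
    const declared = new Set([...(v.purposes || []), ...(v.legIntPurposes || [])]);
    if (declared.size > 0) total += 1;
    for (const p of declared) perPurpose[p] = (perPurpose[p] || 0) + 1;
  }
  return { total, perPurpose };
}

// Declared retention in days for one purpose, or null when none applies.
function retentionDays(vendor, purposeId) {
  if (purposeId === 1) return null; // requirement does not apply to Purpose 1
  const r = vendor.dataRetention || {};
  const specific = (r.purposes || {})[purposeId];
  return specific ?? r.stdRetention ?? null;
}

// Display conversion; 30 days per month is an assumption of this example.
function retentionLabel(days) {
  if (days === null) return 'not declared';
  if (days === 0) return 'less than a day or session only';
  return days >= 60 ? `about ${Math.round(days / 30)} months` : `${days} days`;
}
```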
