CookiePro Knowledgebase

dot pattern banner

Knowledgebase IAB What is IAB TCF 2.1?


What is IAB TCF 2.1?

Last Updated: August 5, 2022

IAB Europe recently amended TCF 2.0 to require disclosure of storage duration based on the Planet49 ruling. Starting January 31st, IAB now requires that all CMPs follow to TCF 2.1 technical specifications. Here’s what you need to know about TCF 2.1 technical updates.

To learn more about the TCF 2.1 Technical Updates visit: tcf.onetrust.com

Overview of TCF 2.0 Changes

Outlined in this document provided by IAB Europe, we’ve highlighted what you need about how to prepare for the IAB TCF 2.1 updates and TCF 2.0 Policy Amendments.

TCF 2.0 Policy amendments

The Transparency and Consent Framework (TCF) Steering Group have recently approved an amendment to the TCF 2.0 Policies. The amendment seeks to implement the requirement to disclose the duration of operation of cookies (or other information stored/accessed on a user’s device), resulting from the Court of Justice of the European Union (CJEU) ruling in case C-673/17 (Planet49). The change includes a new Policy 16(2bis) and an amendment to Appendix B, Policy C(c)(i). These new/amended policies contain:

  • (1) A requirement for Vendors to disclose maximum cookie storage duration on the GVL and whether other means of storage/access is used.
  • (2) A requirement for CMPs to disclose each vendor’s maximum cookie storage duration and whether other means of storage/access is used to the user on a secondary layer of the user interface.
  • (3) An option for Vendors to disclose more detailed and purpose-specific storage and access information where they wish to demonstrate detailed compliance with the requirements of the ruling.
  • (4) A requirement for CMPs to disclose the more detailed and purpose-specific storage and access information for each vendor, where vendors make this information available.
  • (5) A prohibition for Vendors to refresh the maximum storage duration where the maximum storage duration indicated on the GVL is not indefinite and unless the Framework signals indicate that the user has renewed their consent.

TCF 2.1 Technical Specifications Update

Taking the policy amendments into account the Global Privacy Working Group has developed a related Device Storage & Access Disclosure feature. The specification provides vendors with a method to disclose the amount of time any vendor-specific information may be stored on a device with varying degrees of detail. This includes a required disclosure as an added section in the Global Vendor List (GVL), which is used by CMPs to display the information to users.

The GVL registration will be updated with the following fields that will enable CMPs to make the additional disclosures to the user:

  • CookieMaxAgeSeconds (required field): This field represents the number, in seconds, of the longest potential duration for cookie storage on a device. The related technical specification implements policy points 1) and 2) above;
  • UsesNonCookieAccess (required filed): This field indicates whether the vendor uses other methods of storage or accessing information already stored on a user’s device (e.g. local storage). The related technical specification implements policy points 1) and 2) above;
  • DeviceStorageDisclosureUrl (optional field): It contains an optional, vendor-supplied, secure URL for disclosing additional storage information through a deviceStorage.json file. The related specification implements correspond to points 3) and 4) above.

Full documentation is available on the TCF v2 Github project.

CookiePro’s Support for IAB TCF 2.1

To help make updates for TCF 2.1, CookiePro has clear documentation that outlines two main steps to make the small adjustments. Here are the basic steps:

  • Republish domain scripts that are associated with a TCF template
  • After publishing validate the CMP second layer or preference center on your domain has been updated to include coookie lifespan in your vendor list in the vendor descriptions
  • Validate the GVL string has been updated on the website by utilizing the getVendorList API and confirm that the string includes the required settings

To read the full article, visit the CookiePro Community.


Onetrust All Rights Reserved