This article is your in-depth guide to the Transparency Consent Framework (TCF). It’s an incredibly important thing to know about as a publisher and can be a huge factor in how much revenue you make. Without a Consent Management Platform (CMP), you could actually be blocked from making any money at all.
The article that you’re reading right now is going to get into the weeds about all of this stuff. Definitions, systems, the importance of each step.
It’ll be detailed and hopefully not too dense a read but, if all you want are the facts and instructions on what you, a publisher, can do right now, check out…
A simple guide to the CMP and Age-Gating for game publishers
Otherwise, let’s dig in.
What is the Transparency Consent Framework (TCF)?
The TCF is an industry-standard guideline from IAB Europe for collecting and transmitting user data between publishers and advertisers.
In other words, it’s a set of rules put in place whenever a user is sending data to a platform.
It’s the basis of important data privacy acts like the General Data Protection Regulation (GDPR) and the ePrivacy Directive. If data is being processed, accessed, or stored on a user’s device through things like cookies, advertising identifiers, or other tracking tech, then you better believe that the TCF has to be involved.
Pretty much all adtech uses these identifiers today, so if you’re not following the TCF then you may not be able to advertise—and therefore make money—at all.
User consent for this data handling is 100% necessary and is done using a Consent Management Platform (CMP). More on that later.
Here are a few examples of user data and what they’re used for:
- IP Address—used to retrieve data like a user’s geo-location, internet speed, service provider, etc.
- Device Advertising ID—used for tracking user behaviour across websites through things like the IDFA and AAID.
- Email addresses
- Anything that could probabilistically be used to identify someone (fingerprints, VR movement data, etc.)
- Precise geolocation data
Who do these privacy rights actually apply to?
These privacy rights are always user-centric regardless of where you or the servers that run your game are. That means that the rules and laws you follow depend on where your users are.
Here are just a few examples to give you a general idea of the legislation.
European users must always apply the TCF General Data Protection Regulation (GDPR) protection — it’s the law!
The GDPR covers all European Union member states, as well as the UK.
California users have control and rights over the personal information that businesses collect about them through the California Consumer Privacy Act (CCPA).
This one is slightly different to the GDPR. While consent is explicitly required for GDPR, CCPA does NOT require it (excluding minors and assuming the user has not already opted-out).
Publishers serving ads to Californian players must provide the catchily titled Do Not Sell My Personal Information (DNSMPI) link so that all users have the chance to opt-out.
Canada users are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). The GDPR and the PIPEDA are similar in many ways. They both have similar views on publisher responsibility of data privacy and similar requirements on the security measures that should be put in place.
Brazilian users are protected under the General Data Protection Law (LGPD). This one is also pretty similar to GDPR in its regulations and security needs.
Finally, children under the age of 13 are protected by the Children’s Online Privacy Protection Rule (COPPA). This places restrictions on publishers not to collect ANY personal data from children under 13.
Why be compliant with TCF v2.1?
This isn’t just about following the law. The world is becoming increasingly data privacy conscious, and everyone needs to change their mindset. Transparency about data collection will be the norm, and getting ahead of the game is the best move.
But we can’t beat around the bush either, advertisers will check for a TCF consent string before showing an advert to protect themselves. If you’re not following TCF then your revenue will be massively cut, or go down to zero regardless of your ad format.
In almost all cases where programmatic bidding is involved and where an ID (like the IDFA) is required, user consent is necessary to process the data.
We’re not just saying that because consent is important for In-Play…
❗ If you’re advertising within your game, getting consent from your players for data processing is critical to your revenue and analytics. ❗
But what’s an in-depth article about the law without a terrifying penalties section?
The risks and penalties of NOT being compliant with TCF v2.1
Here’s a scary stat to start us off:
The GDPR allows the EU’s Data Protection Authorities to issue fines of up to €20 million, or 4% of the company’s annual global turnover (whichever is higher).
Wow.
Here’s a link to the biggest GDPR fines of 2019, 2020, and 2021, and here’s a general database of GDPR related fines.
And, to touch on the data protection laws we spoke about earlier, here are the punishments for breaking those regulations:
The CCPA grants companies 30 days to fix their violations, if possible. If not, consumers can seek damages ranging from $100 to $750 per consumer incident – that adds up fast!
Canada’s PIPEDA can lead to fines of up to $100,000 per incident!
Brazil’s LGPD can impose penalties of up to 2% of a company’s revenue, limited to BRL$50 million PER VIOLATION.
COPPA can lead to fines of $43,280 per privacy violation, per child.
Who needs Alien: Isolation when you have horror like that?
So how can you actually comply with TCF v2.1?
Introducing… the Consent Management Platform (CMP)! 🎊
We’ll dive into what a CMP is in the next section, but all you need to know for now is that this is a tool that publishers can implement in games to manage and gather player consent.
It’s not a guarantee that you’re complying with TCF v2.1 though. You’ll still need to implement it well, but we’ll get to that later too.
So in terms of the CMP, here are your options:
- Option 1 – Use an existing IAB Europe TCF registered and approved CMP
-
- Admix provides a great free CMP through Didomi (fun fact: Didomi means ‘consent’ in Greek).
- And here’s a list of other approved CMPs with their fees.
- Option 2 – Use your own CMP (a high effort, challenging solution)
-
-
- If you really want to make your own CMP solution, it’ll be a bit of an uphill battle. The Information Commissioner’s Office (ICO) in the UK as well as many regulators in other countries are strict about CMPs because of how important they are. In order to create your own, you’ll need to go through these two long steps:
-
- Step 1 – Apply for approval to IAB Europe TCF. CMPs pay an annual fee of €1200 which includes registration for TCF v1.1 and/or TCF v2.0. Once you’ve completed and passed the CMP Validation test managed by IAB Europe, you’ll receive an ID and sub-domain and will be listed here
- Step 2 – Ask IAB Europe to review and approve the compliance of your notice text. This is the text asking your users for their consent. You’ll need to send an email to tcf.compliance@iabeurope.eu with your text and translations to complete this.
What even is a CMP?
Publishers are responsible for gaining the lawful means to process personal data from their players through a Consent Management Platform (CMP). This is a tool that, in short, shows a pop up at the start of your game with some pre-approved text asking your players for permission to process their data.
Advertisers also require a CMP.
When collecting consent it’s incredibly important that consent is specific, informed, unambiguous, and freely-given by the player. Pre-approved text helps with that.
“Specific” and “informed” relates to what the publisher is going to do with any collected data. That may include passing it on to other publishers or vendors, or linking the data to other sources. For example, trying to build an identity graph to compare gameplay session duration to geographic data would need this because session time can be collected without consent… BUT attaching an identifiable metric like location would make data-protection laws come into effect.
Implementing a CMP well mean using the right text (often included with the CMP), making it clear to the player what their options are and ensuring that buttons are accurately labelled, and popping it at the start of a game BEFORE any data is collected.
Easy.
The core function of a CMP, at a glance
- Asks for user consent for data processing
- Provides users the chance to change data collection preferences
- Stores user preferences for future sessions
- Sends compliance strings on to the TCF to figure out which advertisers can / would want to advertise in that game
Compliance strings aren’t something we’ve covered yet, but they’re also quite important.
Any CMP that is properly registered with the TCF will send strings to the TCF that contain three main properties:
- Core vendor info (the vendor’s name and privacy policy URL, the purposes that the vendor is collecting the data for, and the features that the vendor is using to collect data).
- Binary consent signals. This is literally as simple as 0 meaning that GDPR does not apply, and 1 meaning that GDPR does apply.
- The consent string, which contains the user’s preferences.
The CMP will use that string, specifically the preferences bit, to block certain third-party vendors if the user has objected to that content.
Admix and the TCF
Because we’re all about transparency, here’s some info on how we interact with TCF as a company.
In short, we store and process two kinds of personal data:
- Device Advertising ID (e.g. IDFA): these are collected from publishers and used as part of the bid request when buying and displaying an ad. This can be reset or restricted by the player.
- IP address: this is used to retrieve info like geo-location, ISP, and internet speed – all of these affect ad targeting and analytics.
We are currently signed up as a vendor within TCF 2.0.
We are vendor ID 980, and we require all 10 of the below purposes as set out by the TCF, as well as a few special features. We promise not to use the data we collect for any special purposes, and we will not collect any personal data beyond those collected for legitimate interest reasons.
Purpose 1 – Store and/or access information on a device
Purpose 2 – Select basic ads
Purpose 3 – Create a personalized ads profile
Purpose 4 – Select personalized ads
Purpose 5 – Create personalized content profile
Purpose 6 – Select personalized content
Purpose 7 – Measure ad performance
Purpose 8 – Measure content performance
Purpose 9 – Apply market research to generate audience insights
Purpose 10 – Develop and improve products
Special Purpose 1 – Ensure security, prevent fraud, and debug
Special Purpose 2 – Technically deliver ads or content
Feature 1 – Match and combine offline data sources
Feature 2 – Link different devices
Feature 3 – Receive and use automatically-sent device characteristics for identification
Special Feature 1 – Use precise geolocation data
Special Feature 2 – Actively scan device characteristics for identification
There you have it
That was a lot of info on the wide world of the TCF, and hopefully you feel a bit more informed about what you need to do and what your options are.
If you have any questions at all, or want to talk to us about integrating our CMP, get in touch and we can answer any questions you might have.
Jump in, it's freeeeee 🎉
You’re in good company. Over 500 game devs
worldwide are working with us already!
Connect
Stay on top of the game! 🎮
The latest game industry trends & updates every Friday in your inbox (no spam).