IAB Europe this week launched a TCF Vendor Compliance Programme. IAB Europe says the programme aims to identify, and enforce against, instances of non-compliant Vendor implementations, which may reduce consumer protection, expose Publishers and Vendors to legal risks, and undermine the reputation of the TCF in the eyes of both regulators and users.
Starting next month, IAB Europe will regularly monitor top websites in key European markets. IAB Europe may also act on TCF community reports of non-compliance.
IAB Europe will audit live installations of Vendor technologies as integrated on Publisher properties and focus on assessing compliance with the following TCF policies:
Chapter III 16 (1) “A Vendor must not store information or access information on a user’s device without consent, unless the law exempts such storage of information or accessing of information on a user’s device from an obligation to obtain consent.”
Chapter III 16 (2bis) “A Vendor shall indicate on the GVL the maximum duration of information stored on a user’s device, including whether such duration may be refreshed.”
Chapter III 13 (6) “A Vendor must not create Signals where no CMP has communicated a Signal, and shall only transmit Signals communicated by a CMP or received from a Vendor who forwarded a Signal originating from a CMP without extension, modification, or supplementation, except as expressly allowed for in the Policies and/or Specifications.”
Chapter III 16 (17) “A Vendor must not transmit personal data to another Vendor unless the Framework’s Signals show that the receiving Vendor has a Legal Basis for the processing of the personal data. For the avoidance of doubt, a Vendor may in addition choose not to transmit any data to another Vendor for any reason”.
Chapter III 16 (20) “If a Vendor receives a user’s personal data without having a Legal Basis for the processing of that data, the Vendor must quickly cease processing the personal data and must not further transmit the personal data to any other party, even if that party has a Legal Basis for processing the personal data in question”.
Where a live Vendor installation is found to be in breach of the policies, the following process applies:
If this is the first, second or third time a breach has been identified, in each instance, the Vendor will be given 28 calendar days to remedy the issues. If, following the expiration of the 28-day period, the issues have not been resolved, the Vendor will be suspended from the Framework and removed from the Global Vendor List until all compliance failures have been remedied;
If this is the fourth time within a twelve-month period that a breach has been identified, the Vendor will be suspended from the Global Vendor List with immediate effect for a minimum of 14 days and until all compliance failures have been remedied.