Blog

IAB canada finalizes TCF policies

July 9, 2021

N/A

The Interactive Advertising Bureau (IAB) of Canada recently finalized its version of Transparency Consent Framework (TCF) Policies. The Transparency and Consent Framework consists of a set of technical specifications and policies to which publishers, advertisers, technology providers, and others who may voluntarily choose to adhere. The goal of the Framework is to help players in the online digital ecosystem become compliant with Canadian Privacy Law. As a not-for-profit association, IAB Canada represents over 250 of Canada’s most respected advertisers, ad agencies, media companies, service providers, educational institutions and government associations.

The Framework provides a way of informing and providing choices to users about how their personal information is collected, used, or disclosed for purposes that companies are seeking. Verified CMPs are able to send the user’s choices downstream to participating ad tech vendors.    

What do the IAB canada TCF policies highlight? 

The revised IAB Canada TCF policies are grounded in current privacy legislation, Personal Information Protection and Electronic Documents Act (PIPEDA). The legislation regulates privacy in Canada at a federal level, and was introduced on April 13, 2000 and entered into force on January 1, 2001. 

The updated Policies incorporate the following:   

  • Updated terminology to more accurately reflect PIPEDA. An example of this includes the rephrasing of the definitions of “permission” (it now says express or implied consent according to Canadian Privacy Law) and removed the definition of “Consent” as a result and replaced it with a definition for “Objection”. Also removed the definition of PII as it is not a legal term but merely a concept in legislation. 
  • Updates have been made to reflect TCF V2.0 including elements such as additional stacks etc. 
  • Important revisions made to address the ambiguity around implied consent to avoid situations where a Vendor propagates an unknown consent within the Framework (even though, absent the signal, they would likely not do so).   

To read the full Policies document, click here. As a next step, these policies are also being shared with the IAB Tech Lab’s Global Privacy Platform working group who will now begin the process of developing technical specifications for the Canadian string.

 IAB canada TCF differences from IAB europe

In 2018, IAB Tech Lab and IAB Europe released the collaborative industry solution for conducting GDPR-compliant targeted advertising. A new version of the IAB Transparency & Consent Framework (TCF) replaced version 1 on August 15, 2020. The new version is designed to standardize the collection and transmission of user choice and transparency on digital properties.

 Compared to IAB Europe TCF, there are a few differences in the IAB Canada Policies that should be noted:  

  • Purpose 1 is not mentioned in the IAB TCF Canada framework but all other purposes/features/stacks are the same as the IAB Europe TCF framework  
  • There is no legitimate interest in TCF Canada  
  • Instead, “express consent” is mentioned to take place of an opt–in consent model, which is used in the EU 
  • Implied consent is possible in Canada for a vendor if: 
  • The user has the appropriate information provided to them in accordance with the policies and specifications  
  • No objection signal has been received by the vendor in accordance with the policies and specifications  
  • IAB TCF Canada still plans to utilize global scope  
  • Re consent timeline will be expanded beyond the EU 13 month timeline 
  • If there are no permissions established for the Canada framework then objection signals must be generated 
  • Instead of storing or accessing information that is done in the EU, Canada collects, uses or discloses user information
  • A vendor must be able to demonstrate permissions in Canada whereas in the EU, vendors must maintain records of consent

 

 IAB canada TCF requirements for CMPs and vendors  

According to the Policies, there are certain requirements that participating CMPs and Vendors must follow. Below are high-level requirements; for further detail, read here.

  • CMPs and Vendors must apply to IAB Canada for participation in the Framework 
  • CMPs and Vendors must make a public attestation of compliance with the Policies in a prominent disclosure 
  • In addition to implementing the Framework according to the Specifications, CMPs and Vendors must support the full Specifications, unless the Specifications expressly state that a feature is optional, in which case a CMP may choose to implement the optional feature but need not do so. 
  • CMPs and Vendors shall only work with Publishers within the Framework that are in full compliance with the Policies, including but not limited to the requirement to make an attestation of compliance in a prominent location, such as a privacy policy 
  • A Vendor must respect signals communicated by a CMP or received from a Vendor who forwarded the Signal originating from a CMP in accordance with the Specifications and Policies, and act accordingly 
  • A Vendor must not collect, use, or disclose Personal Information relating to a user without a permission to do so

 

Privacy guidelines growing in canada

The same week that IAB Canada finalized its policies, Bill 64 was introduced in an effort to modernize the current legal regime in Quebec regarding the protection of personal information. The Bill not only updates the current legal framework regarding individuals’ personal information and privacy rights, but it also aligns Quebec’s privacy laws with those of other jurisdictions. In fact, many of the amendments that are proposed are influenced by, or are similar to, the provisions found in the federal Personal Information Protection and Electronics Act (“PIPEDA”)and the European Union’s General Data Protection Regulation (“GDPR”).

 Additionally, on November 17, 2020, the Canadian government proposed new legislation to the House of Commons, Bill C-11, which includes enacting the Consumer Privacy Protection Act (CPPA) to reform Canada’s privacy legislation. The CPPA aims to protect individuals’ personal information and regulate how organizations collect, use, and disclose personal information across their activities. The bill would also introduce the Personal Information and Data Protection Tribunal Act (the Tribunal Act), establishing an administrative tribunal to hear appeals of decisions made by the Office of the Privacy Commissioner of Canada (OPC) and facilitate the issuing of penalties. IAB Canada’s policies proactively include an appendix for opt-in consent due to requirements by the CPPA. 

 For more information on IAB Canada TCF and other Canadian legislation:  

 

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on privacy in Canada. 


You may also like

Webinar

Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more

Webinar

Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more