The Interactive Advertising Bureau (IAB) of Canada recently finalized its version of Transparency Consent Framework (TCF) Policies. The Transparency and Consent Framework consists of a set of technical specifications and policies to which publishers, advertisers, technology providers, and others who may voluntarily choose to adhere. The goal of the Framework is to help players in the online digital ecosystem become compliant with Canadian Privacy Law. As a not-for-profit association, IAB Canada represents over 250 of Canada’s most respected advertisers, ad agencies, media companies, service providers, educational institutions and government associations.
The Framework provides a way of informing and providing choices to users about how their personal information is collected, used, or disclosed for purposes that companies are seeking. Verified CMPs are able to send the user’s choices downstream to participating ad tech vendors.
What do the IAB canada TCF policies highlight?
The revised IAB Canada TCF policies are grounded in current privacy legislation, Personal Information Protection and Electronic Documents Act (PIPEDA). The legislation regulates privacy in Canada at a federal level, and was introduced on April 13, 2000 and entered into force on January 1, 2001.
The updated Policies incorporate the following:
- Updated terminology to more accurately reflect PIPEDA. An example of this includes the rephrasing of the definitions of “permission” (it now says express or implied consent according to Canadian Privacy Law) and removed the definition of “Consent” as a result and replaced it with a definition for “Objection”. Also removed the definition of PII as it is not a legal term but merely a concept in legislation.
- Updates have been made to reflect TCF V2.0 including elements such as additional stacks etc.
- Important revisions made to address the ambiguity around implied consent to avoid situations where a Vendor propagates an unknown consent within the Framework (even though, absent the signal, they would likely not do so).
To read the full Policies document, click here. As a next step, these policies are also being shared with the IAB Tech Lab’s Global Privacy Platform working group who will now begin the process of developing technical specifications for the Canadian string.
IAB canada TCF differences from IAB europe
In 2018, IAB Tech Lab and IAB Europe released the collaborative industry solution for conducting GDPR-compliant targeted advertising. A new version of the IAB Transparency & Consent Framework (TCF) replaced version 1 on August 15, 2020. The new version is designed to standardize the collection and transmission of user choice and transparency on digital properties.
Compared to IAB Europe TCF, there are a few differences in the IAB Canada Policies that should be noted:
- Purpose 1 is not mentioned in the IAB TCF Canada framework but all other purposes/features/stacks are the same as the IAB Europe TCF framework
- There is no legitimate interest in TCF Canada
- Instead, “express consent” is mentioned to take place of an opt–in consent model, which is used in the EU
- Implied consent is possible in Canada for a vendor if:
- The user has the appropriate information provided to them in accordance with the policies and specifications
- No objection signal has been received by the vendor in accordance with the policies and specifications
- IAB TCF Canada still plans to utilize global scope
- Re consent timeline will be expanded beyond the EU 13 month timeline
- If there are no permissions established for the Canada framework then objection signals must be generated
- Instead of storing or accessing information that is done in the EU, Canada collects, uses or discloses user information
- A vendor must be able to demonstrate permissions in Canada whereas in the EU, vendors must maintain records of consent
IAB canada TCF requirements for CMPs and vendors
According to the Policies, there are certain requirements that participating CMPs and Vendors must follow. Below are high-level requirements; for further detail, read here.
- CMPs and Vendors must apply to IAB Canada for participation in the Framework
- CMPs and Vendors must make a public attestation of compliance with the Policies in a prominent disclosure
- In addition to implementing the Framework according to the Specifications, CMPs and Vendors must support the full Specifications, unless the Specifications expressly state that a feature is optional, in which case a CMP may choose to implement the optional feature but need not do so.
- CMPs and Vendors shall only work with Publishers within the Framework that are in full compliance with the Policies, including but not limited to the requirement to make an attestation of compliance in a prominent location, such as a privacy policy
- A Vendor must respect signals communicated by a CMP or received from a Vendor who forwarded the Signal originating from a CMP in accordance with the Specifications and Policies, and act accordingly
- A Vendor must not collect, use, or disclose Personal Information relating to a user without a permission to do so
Privacy guidelines growing in canada
The same week that IAB Canada finalized its policies, Bill 64 was introduced in an effort to modernize the current legal regime in Quebec regarding the protection of personal information. The Bill not only updates the current legal framework regarding individuals’ personal information and privacy rights, but it also aligns Quebec’s privacy laws with those of other jurisdictions. In fact, many of the amendments that are proposed are influenced by, or are similar to, the provisions found in the federal Personal Information Protection and Electronics Act (“PIPEDA”)and the European Union’s General Data Protection Regulation (“GDPR”).
Additionally, on November 17, 2020, the Canadian government proposed new legislation to the House of Commons, Bill C-11, which includes enacting the Consumer Privacy Protection Act (CPPA) to reform Canada’s privacy legislation. The CPPA aims to protect individuals’ personal information and regulate how organizations collect, use, and disclose personal information across their activities. The bill would also introduce the Personal Information and Data Protection Tribunal Act (the Tribunal Act), establishing an administrative tribunal to hear appeals of decisions made by the Office of the Privacy Commissioner of Canada (OPC) and facilitate the issuing of penalties. IAB Canada’s policies proactively include an appendix for opt-in consent due to requirements by the CPPA.
For more information on IAB Canada TCF and other Canadian legislation:
Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on privacy in Canada.
