InteractiveAdvertisingBureau / GDPR-Transparency-and-Consent-Framework

Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018.

How To Implement TCF 2.0 As An Open-Source CMP? #263

Closed adewes closed 3 years ago

adewes commented 3 years ago

We're operating Klaro, one of the most popular open-source CMP solutions in Europe (https://github.com/kiprotect/klaro) and sometimes get requests to implement TCF 2.0. Looking at the documentation it seems that it's not possible to implement it without registering as a CMP provider and obtaining an ID first, is that correct? Would any Klaro user need to register as a CMP first to be able to use the script on their website, or would we (the Klaro creators) need to register and provide our ID to them (and what would that mean in terms of liability)?

It seems to me that the TCF 2.0 is only geared towards use by commercial CMPs, which is a bit frustrating as it forces owners of small websites (the main Klaro target users) to rely on such commercial services for implementing a consent management solution.

I would therefore propose to create a better way for open-source solutions to implement the TCF 2.0 in a way that does not require website owners to use a commercial CMP provider or register as one themselves. Maybe one could introduce a CMP ID for open-source solutions that does not require the hefty registration fee? This would be good in general as currently the TCF 2.0 standard can only be implemented by commercial entities, which makes one doubt the "open" nature of the standard.

henry-wu-ucfunnel commented 3 years ago

I have the same problem too!

ErikSom commented 3 years ago

I would also be interested to learn more about this.

mmatthiesen commented 3 years ago

TL;DR: It is possible for one CMP ID to be used across many websites. But somebody has to be responsible for compliance by the CMP with the TCF Policies.

The TCF Policies have always required CMPs to register with IAB Europe. The switch from v1.1 to v2.0 has not changed this requirement. TC Strings that do not contain a CMP ID assigned by IAB Europe have always had to be treated as invalid by receiving Vendors under the TCF Policies. The only thing that has changed is that IAB Europe now provides a machine readable list of valid CMP IDs so Vendors can automate the logic more easily.

The purpose of registration is accountability. Before being registered and assigned a CMP ID, a CMP must undergo a compliance check. This allows the presence of the CMP ID in a TC String to give Vendors confidence that the TC String is generated in accordance with the TCF Policies, which in turn gives Vendors confidence that relying on the TC String allows them to demonstrate compliance with requirements of the GDPR. Remember, a TC String is a promise that the information contained therein has been generated in accordance with the TCF Policies. That promise being false could have serious regulatory consequences for third parties who rely on the promise.

A CMP is responsible under the TCF Policies for its compliance with the same. So long as you are willing and able to assume this responsibility, your CMP can be distributed to large numbers of small websites without the need for those websites to register with the IAB Europe themselves. You would register as a "commercial CMP" even if there is no commercial activity associated with the CMP. It simply means that the CMP is made available to third party websites that are not responsible for the CMP's compliance themselves.

The risk you assume is that the CMP could lose its good standing with IAB Europe, and its registration could be suspended, even if only a single implementation associated with the ID is in violation of the TCF Policies. This could occur, for example, if you offer customization options that could cause non-compliance if used incorrectly by implementers or because the code could be changed by an implementing website in a way that causes non-compliance. While suspension would not likely happen from one day to the next, and there is a cure period during which any shortcomings could be corrected, the invalidation of a CMP ID as a result of a single bad implementation carries the risk of harming all other websites that rely on the CMP by marking the TC Signals they send as invalid, which in turn could affect their revenue.

You should therefore consider limiting customization options that could result in a breach of the TCF Policies, as well as protecting against modifications to the code that have the same effect, so long as it is associated with your CMP ID, in order to limit the risk of negatively impacting everyone who relies on the same CMP ID. Websites that wish to make use of such customization options or modify the code in a way that could negatively impact compliance should register their custom CMP with IAB Europe, so that compliance can be assured.
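
The Vendor-side check described in the comment above (a TC String whose CMP ID is not on IAB Europe's list of registered CMPs must be treated as invalid), written out as an added example. This is not code from the thread, from the TCF repository or from Klaro. It reads the fixed header of a TCF v2 core segment (Version, Created, LastUpdated, CmpId, CmpVersion, in that bit order) and looks the CMP ID up in a set. The set contents, the CMP ID values and the sample strings are constructed stand-ins for illustration, not real registrations; in production the set would be loaded from the machine-readable list IAB Europe publishes.

```javascript
// Added example: extract the CMP ID from a TCF v2 TC String and check it
// against a list of registered CMP IDs, as a receiving Vendor would.
// Core segment layout used here (TCF v2): Version 6 bits, Created 36,
// LastUpdated 36, CmpId 12, CmpVersion 12, followed by further fields that
// this example does not need.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode an unpadded base64url string into a string of '0'/'1' characters.
function toBits(b64) {
  let bits = "";
  for (const ch of b64) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    bits += v.toString(2).padStart(6, "0");
  }
  return bits;
}

// Encode a bit string as base64url, zero-padding the tail to a 6-bit boundary.
function fromBits(bits) {
  const padded = bits + "0".repeat((6 - (bits.length % 6)) % 6);
  let out = "";
  for (let i = 0; i < padded.length; i += 6) {
    out += B64URL[parseInt(padded.slice(i, i + 6), 2)];
  }
  return out;
}

// Read an unsigned integer of `len` bits at bit offset `pos`.
function readInt(bits, pos, len) {
  if (pos + len > bits.length) throw new Error("TC String core segment too short");
  return parseInt(bits.slice(pos, pos + len), 2);
}

// Parse the fixed header of the core segment. Offsets: Version 0..5,
// Created 6..41, LastUpdated 42..77, CmpId 78..89, CmpVersion 90..101.
function parseCoreHeader(tcString) {
  const core = tcString.split(".")[0]; // later segments (disclosed vendors, publisher TC) are ignored
  const bits = toBits(core);
  const version = readInt(bits, 0, 6);
  if (version !== 2) throw new Error(`unsupported TC String version ${version}`);
  return {
    version,
    created: readInt(bits, 6, 36),      // deciseconds since the Unix epoch
    lastUpdated: readInt(bits, 42, 36),
    cmpId: readInt(bits, 78, 12),
    cmpVersion: readInt(bits, 90, 12),
  };
}

// Vendor-side check: only a CMP ID present on the registered list is accepted.
// Malformed or non-v2 strings are rejected as invalid as well.
function isTcStringFromRegisteredCmp(tcString, registeredCmpIds) {
  try {
    const { cmpId } = parseCoreHeader(tcString);
    return registeredCmpIds.has(cmpId);
  } catch (e) {
    return false;
  }
}

// Build a minimal v2 core header for testing. Constructed data, not a real consent string.
function buildCoreHeader({ cmpId, cmpVersion = 1, created = 16000000000, lastUpdated = 16000000000 }) {
  const bits =
    (2).toString(2).padStart(6, "0") +
    created.toString(2).padStart(36, "0") +
    lastUpdated.toString(2).padStart(36, "0") +
    cmpId.toString(2).padStart(12, "0") +
    cmpVersion.toString(2).padStart(12, "0");
  return fromBits(bits);
}

// Constructed stand-in for IAB Europe's machine-readable CMP list; these
// numbers are hypothetical and not real registrations.
const REGISTERED_CMP_IDS = new Set([10, 28, 300]);

const good = buildCoreHeader({ cmpId: 28 });
const unregistered = buildCoreHeader({ cmpId: 4095 });

console.log("registered:", parseCoreHeader(good).cmpId, isTcStringFromRegisteredCmp(good, REGISTERED_CMP_IDS));
console.log("unregistered:", parseCoreHeader(unregistered).cmpId, isTcStringFromRegisteredCmp(unregistered, REGISTERED_CMP_IDS));
```

The check is deliberately fail-closed: a string that does not decode, is not version 2, or is too short for the header is treated the same as one carrying an unregistered CMP ID, because the comment's point is that only a TC String a Vendor can trace to an accountable, registered CMP may be relied on.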

adewes commented 3 years ago

So, summarizing, this means that no open-source CMP can ever be TCF compliant. There's no way to keep users of an open-source project with a truly free license like BSD3 or MIT from modifying the code to suit their needs (if there was, it wouldn't be open source / free software).

mmatthiesen commented 3 years ago

No, your summary is not correct. Open-source CMPs can be TCF compliant.

However, if the CMP ID associated with an implementation is tied to other implementations that are not under the same control the CMP ID is at risk of being invalidated for any non-compliance by other implementations. The risks I described therefore only arise if an open-source CMP uses a single CMP ID across all implementations and any of those implementations being non-compliant.

You'll have to be a little bit creative about how to approach it. For example, you could offer a CMP as a service on the basis of the open-source code where you retain control for a specific type of implementation under a single CMP ID for which you take responsibility. If somebody wanted to implement their CMP using the open-source code but have more control, they could separately register and assume responsibility for its compliance. This would be similar to Wordpress.org / Wordpress.com.

adewes commented 3 years ago

I don't think we have the same understanding of open source software then. By definition, downloading and using open-source software does not require a contract between the copyright holder of the software and the user, as the usage is governed by a license. There are different views of what actually is a valid open-source or free software license, the common denominator though is the ability of a user to freely adapt the code of the software to his/her needs. Thereby, the owner of an open-source project can never exert the desired level of control you're talking about. Only a non-free software license would enable us to restrict the modification of Klaro to always remain compliant with the TCF. Then the software would no longer be open-source in its normal definition though.

So, to summarize, an open-source CMP can never fulfill your requirements.

Regarding the other options: Registering as a private CMP and paying 1200 € / year is just not a viable option for most of our users. We could consider paying this to obtain a CMP ID and for the hosted version this might be a viable option, but as explained above this is not a solution for the open-source version (and I don't understand either why open-source projects should be forced to pay a large, recurring amount of money just to implement an open standard).

If you really care about open-source projects implementing your standard you might want to consider adding a way to use the TCF 2.0 framework without registering for a CMP ID (or at least make it much easier to obtain a CMP ID for small website publishers).

a2intl commented 3 years ago

TCF, at its core, is a compliance mechanism; its policies exist to ensure a registered CMP can be relied upon to provide GDPR-compliant data usage notification and consent collection. The type of open-source and free software that @adewes is talking about is about respecting and protecting user freedoms (most notably, the freedom to modify software to suit the user's wants). These are fundamentally in conflict and cannot be reconciled: giving the user the freedom to modify a CMP as desired would negate the primary purpose of a CMP, which is to collect GDPR-compliant consent.

adewes commented 3 years ago

I really don't follow your argument that only closed-source software can provide GDPR-compliant consent. It's not the approach of open-source software that is flawed, it's the compliance mechanism implemented by the TCF-2.0 framework. Also, even a closed-source CMP cannot effectively control how a website publisher integrates it, as it's trivial to modify the behavior of a JS-based CMP using more JS or even just CSS. And indeed a recent study shows that a sizeable fraction of websites (up to 54 % according to the paper) which use TCF-2.0 compliant CMPs actually do not implement consent mechanisms in a compliant way.

Also, some of your registered CMP providers like Borlabs (which provides a cookie consent plugin for Wordpress) already publish their software under a GPL-compatible license (as an integration into Wordpress would not be possible otherwise). How is that compatible with your requirements?