Expanding requirements for GDPR, website cookies and third party services. Your questions, answered.

By Luke Trimmings on January 3rd 2025
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, managing cookies, privacy, and consent on websites has been an evolving challenge and a frequent source of questions from our clients and partners.

With several changes implemented in the past 18 months, we’re taking this opportunity to address the common questions we regularly receive from our clients.


Recent changes in digital privacy regulations

The Interactive Advertising Bureau (IAB) has developed a new version of the Transparency and Consent Framework (TCF 2.2). This framework helps advertisers, publishers, and other stakeholders comply with data protection regulations, particularly the EU’s GDPR and ePrivacy Directive.


What does the TCF 2.2 standard mean for website administrators?

TCF 2.2 strengthens GDPR compliance requirements, focusing on user transparency, consent, and third-party service usage. This change comes from increased regulatory oversight and evolving legal interpretations, particularly regarding online identifiers such as IP addresses.

What’s driving stricter privacy rules?

Recent rulings from European courts and Data Protection Authorities (including the Austrian DPA’s stance on Google Analytics) have made it clear: IP addresses and other online identifiers—even when shared passively with third parties—are personal data and fall under GDPR protection.

A prime example is Google Fonts, which sends users’ IP addresses to external servers. This practice has attracted scrutiny since users don’t explicitly consent to sharing their IP addresses.


How is Appeal managing and implementing these changes?

Appeal includes the Borlabs consent management tool as part of our managed hosting service. Borlabs has adopted a stricter consent model that complies with both the GDPR and TCF 2.2. The tool effectively manages consent for seemingly minor data processing activities, such as loading fonts or embedded services.


I’m a UK-based company operating only in the UK — Is this relevant to me?

The TCF is specifically designed to help organisations comply with EU GDPR. Due to post-Brexit legal divergence, UK law doesn’t automatically require TCF compliance unless your activities fall under EU GDPR’s scope.

If you operate in both the EU and UK, you’ll need to ensure compliance with TCF 2.2.

While we all dislike privacy popups, we believe that providing users with a choice on how their data is used is the safest and most ethical approach.

When do I need to implement changes?

Now. The implementation date for publishers and vendors was November 20th, 2023. We have been working with our partners and clients over the past 12 months to implement the necessary changes to ensure compliance where relevant.

Looking for WordPress support?

We’ve helped B2B businesses across the UK and EU achieve compliance. Learn more about our support plans.

Steps to achieve compliance

If these new compliance frameworks are relevant to your business, you can get started by working through the following steps:

  1. Identify third-party services: List all of the services in use on your WordPress website (for example, Google Fonts, Google Analytics, YouTube embeds, etc.).
  2. Categorise your services: Each of your services needs to be classified with the purposes defined in the TCF 2.2 (for example, measurement, personalisation).
  3. Implement a Consent Management Platform (CMP): At Appeal, we use Borlabs Cookie, but other solutions such as OneTrust and Cookiebot are available.
  4. Adapt your website: Block scripts until consent is given and implement fallbacks for when consent is not provided. Examples include self-hosting fonts or offering alternative functionality.
  5. Update your privacy policies: Have a lawyer or data protection expert review your documentation and policies to ensure compliance with the new frameworks.
  6. Test and monitor: Compliance is not an endpoint. Review your site regularly to make sure it stays compliant.
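
Steps 1 and 4 can be checked mechanically. The following is an added example (not Appeal's or Borlabs' code) that scans a page's markup for third-party hosts the browser would contact before any consent is given. It assumes a consent tool holds scripts back by giving them a non-executable type such as `text/plain`; the sample markup and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Script types a browser executes; any other value leaves the tag inert.
EXECUTABLE = {"", "module", "text/javascript", "application/javascript"}
# <link> relations that make the browser contact the target host.
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}

class ThirdPartyAudit(HTMLParser):
    """Collect off-site resources requested at parse time, before any consent."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname  # exact-host match only
        self.findings = []  # (tag, host) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("type", "").strip().lower() not in EXECUTABLE:
                return  # assumed gating: e.g. type="text/plain" until consent
            url = a.get("src")
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            url = a.get("href") if rels & FETCHING_RELS else None
        elif tag in ("img", "iframe"):
            url = a.get("src")
        else:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, url or "")).hostname
        if url and host and host != self.first_party:
            self.findings.append((tag, host))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup; example.com, G-EXAMPLE and VIDEO_ID are placeholders.
SAMPLE = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/assets/fonts/inter.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
"""

if __name__ == "__main__":
    for tag, host in audit(SAMPLE, "https://example.com/"):
        print(f"loads before consent: <{tag}> -> {host}")
```

This only inspects static markup: requests triggered from inside JavaScript or CSS (for example a stylesheet `@import`) do not appear, so a browser's network log with all consent declined remains the final check.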

Key takeaways

In practice, successful implementation of these new measures will not look vastly different from the cookie banners we’re used to seeing across the web. To ensure compliance, make sure that:

  • Cookie banners are displayed correctly and use clear language.
  • No services are loaded until consent is provided.
  • Users can easily withdraw or modify their consent at any time.

If you have other specific questions about making your WordPress website compliant, get in touch.


A little disclaimer – While we’re website experts, we’re not legal experts. Our knowledge is general and the information provided is not tailored to your circumstances. We recommend consulting a data protection officer or legal expert to evaluate your specific obligations.