Rules Glossary

Rules that can be added to a Standard fall into two main policy groups: European (GDPR) or US (US Privacy). The tables below give brief descriptions of each rule.

Sourcepoint provides visual representations of passing and failing rules in the Rules Explainer tooltip on the Standards page. Please be aware that not all rules can be represented visually.

European (GDPR) Rules

| Rule | Description |
| --- | --- |
| Screen Proportion | The First Layer Message modal takes up all or substantially all of the screen |
| Update Preferences | The user can resurface the Privacy Manager and change their preferences |
| User Action Respected | The user's preferences actually represent what they selected |
| Geotargeting is Not Used | The publisher does not have any vendors that use specific geolocation (TCF Special Feature 1) |
| Fingerprinting is Not Used | The publisher does not have any vendors that use specific geolocation (TCF Special Feature 2) |
| Privacy Choices Available | The user is presented with a consent notice and has a choice between accepting, editing the parameters of, and/or rejecting the processing of their data |
| Purposes Explained | All purposes are explained in the First Layer Message |
| Informed of Consent Outcome | The user is informed of the consequences of consenting |
| Informed of Ability to Withdraw | The user is informed that they may withdraw consent at any time and is given instruction on how to do so |
| Equal Prominence | All calls to action are given equivalent prominence |
| Read and Write to Devices | The user is informed that their information may be read or written by third parties |
| Examples Provided | The First Layer Message provides an example of personal data processed |
| Users Are Informed They Can Object to Legitimate Interest (if present) | The consent banner instructs users that they can object to processing on the basis of legitimate interest |
| Notified of Third Party Sharing | The First Layer Message includes a notification that data will be shared with third parties |
| Consent notice shown | Consent notification is shown to new users from a European IP address |
| Valid CMP | The consent string is created with a valid and registered CMP ID |
| User Action Required | Consent strings are not written before the user has made an affirmative action |
| Vendors Linked | There is a link to the vendors that is accessible from the First Layer Message |
| Users can object to legitimate interest | For every purpose that uses Legitimate Interest as a legal basis, there is a way to Object on the publisher's property |
| Using latest version of TCF framework | The latest version of the TCF framework is being used |
| Two key calls to action in first layer message | The first layer includes both a call to action to accept, and a call to action to manage detailed preferences |
| Calls to action have matching text treatments | The two primary calls to action on the 1st layer have matching text treatment and, for each, a minimum contrast ratio of 5:1. |
| Xandr cookies are not dropped before consent is given | Cookies from Xandr are not placed on the client until the user has completed the consent experience |
| Check information about purposes and features | Either the Vendor List component is used (recommended) or text exactly reflects the Purposes and/or Stacks and Special Features used |
| Criteo cookies are not dropped before consent is given | Cookies from Criteo are not placed on the client until the user has completed the consent experience |
| Reject button is present | There is a reject button in the first layer of the CMP |
| Purpose 1 is present with consent as a legal basis only | The User is notified that Purpose one (reading and writing to their device) will happen, and the legal basis is consent only |
| All 10 TCF v2 purposes are disclosed to the User with legal basis of consent | All purposes are covered by consent as the legal basis |

US (US Privacy) Rules

| Rule | Description |
| --- | --- |
| Privacy Policy Present | There is a link to a privacy policy on the main page |
| US Privacy Framework Used | The US Privacy string and API are present |
| User CCPA Opt Out Respected | If a user takes an opt out action the US privacy string is updated to reflect the opt out |
| Opt Out Present | There is a call to action on the main page that allows the user to opt out of selling data for California residents |
| Delete My Data Form Available | There is a form available for the user to request their data be deleted |
| Privacy policy contains a description of data usage | The Privacy Policy contains a description of how consumer data is used and shared. |
| Two Methods of Contact for Request my Data | There are at least two methods of contact listed for the user to request data about themselves |
| The privacy policy includes a description of the California Rights | The Privacy Policy contains a description of the key rights granted to California users under CCPA |
| Privacy policy contains a description of data sharing | The Privacy Policy contains a description of the data sharing practices across parties. |
| Delete My Data Phone Available | There is a phone number available for the user to request their data be deleted |
| Request My Data Form Available | There is a form available for the user to request data about themselves |
| Request My Data Phone Available | There is a phone number available for the user to request data about themselves |
| Two Methods of Contact for Delete my Data | There are at least two methods of contact listed for the user to request their data be deleted |