Game On or Game Over? Navigating google TCF 2.2 requirements and the consent man | Pocket Gamer.biz
New changes will soon see Google requiring mobile app and game publishers to collect TCF-compliant (transparency and consent framework) user consent for showing ads to users in the EEA (European economic area) and United Kingdom.
In this guest post, head of ad monetisation at GameBiz Consulting, Božo Janković breaks down this industry development and sheds some light on what’s sure to become a hot topic.
Let’s start with the basics
As I have covered in my previous article, on 16th May 2023 Google announced that “later this year” they will require everyone using Google AdMob, Google AdManager, or Google AdSense to start collecting consent from users via the CMP (Consent Management Platform) that has been Google certified.
Before that date however, Google provided a more specific (and delayed) deadline – publishers now have until 16th January 2024 to comply with these requirements. Based on my conversations with ad networks and colleagues from other companies, it doesn’t seem that the industry is in too much rush to have this implemented.
There are many unknowns on the topic. Everyone seems to be in the exploration stage and it would not be unexpected if the extended deadline would result in publishers having more time to do nothing and then doing the actual implementation in the last minute. Think of the implementations of ATT – Apple Privacy requirements – the GDPR launch and other industry novelties that have been introduced over the years.
This argument could further be supported by the fact that as Q4 is approaching, publishers will be reluctant to go ahead with the changes that may disrupt the most profitable part of the year from an ad monetization perspective.
What else has Google shared with us
Apart from the deadline, we now have an official list of CMPs that Google has certified. Publishers can see which CMPs have been certified by Google here. At the time of writing, in total, there are 49 certified CMPs on the list. All of which can be used for web properties, however, only 21 of them are available for mobile apps.
This also includes Google consent management solutions. On the entire list, there is only one game publisher that had their CMP approved – Outfit7. The only other game publisher that we are aware of that has their own CMP is EasyBrain (certified by IAB) but it seems that even they still haven’t been certified by Google.
For reference, publishers have an option to create their own CMP instead of using a third party solution, however this seems greatly impractical for the vast majority of companies in the industry. Apart from the technical and legal effort, there is a fair amount of bureaucracy – the solution first needs to be certified by IAB and after that by Google – and at the moment, there are no time estimates as to how much time the entire process would take.
Which TCF version should be used by publishers?
The latest version of TCF that has been introduced by IAB is TCF 2.2. Their requirement for the implementation by CMPs was 30th September 2023, however, this has also been postponed for 20th November 2023.
Where is the mobile games industry now in terms of TCF 2.2 compliance
Pretty much nowhere. We previously shared examples of consent flows that are in line with TCF requirements, however none of them are TCF 2.2 compliant. Some of the biggest gaming publishers have very simple consent flows which are not following TCF guidelines and this includes the likes of Supercell, Electronic Arts, Ubisoft, Zynga, King, Playrix, Wildlife Studios, Miniclip, Peak Games, Dream Games, Glu Mobile, Moon Active and others.
How to choose the right CMP
At GameBiz we conducted a very thorough research regarding different CMP solutions. We went through the list of initially certified 11 CMPs and we conducted two rounds of interviews with them. We shortlisted our favourite solutions (five of them) and did a third round of calls to get into the finest details of their product offering. Below are the criteria we took into consideration when comparing different CMP solutions:
1. Support Availability: This is one of the most important factors in our books. From experience we have so far, we have seen that implementing a CMP is not a trivial task. So getting proper support from a CMP during and after the implementation is essential in order to avoid unintentional damages to publisher’s ad revenues. Only one day of CMP implementation not working correctly on the entire user base can cost more than a full year fee of CMP services.
2. Consent Pop-Up Customisation: Another important factor since going for an out of the box solution as opposed to customising it can result in very different opt-in rates, which are crucial for avoiding negative impact on ad revenue.
3. AB Testing Availability: This goes hand in hand with the previous criteria. If the platform has an out-of-the-box solution for AB testing different consent pop-ups, it can greatly increase publisher’s chance of maximising their opt-in rate.
4. Regulations Supported: Depending on the location of publisher’s users, this might be an important factor when choosing a CMP. Right now, Google is requiring TCF 2.2 consent for EEA and UK users but there’s nothing to say that, half a year or one year from now, they won’t expect publishers to comply with other regulations world-wide (example: CCPA – California Consumer Privacy Act, LGPD – Brazilian data protection law called Lei Geral de Proteção de Dados Pessoais. Having different CMPs for different laws or switching them would probably be greatly impractical.
5. TCF Version Supported: Ensuring that your CMP has plans to update their TCF version to 2.2 requirement by the deadline is also something that should be done to avoid any headache in the future.
6. Integration options: All of the CMPs we interviewed require an SDK integration. Depending on the engine the publisher is using to develop their games, different integration options might be more convenient than the others (iOS, Android, React Native, Unity, Flutter, etc.)
7. Server location: This might seem a bit strange at first, but we didn’t want to leave anything to chance. The reason that we looked into this is that historically, data transfers from to outside the European Union have come under a certain amount of scrutiny of the regulators. More specifically, this was so far executed under Privacy Shield mechanism which was questioned by the EU courts and at one point it seemed as if it would not qualify as a legal ground for data transfer. Even Meta announced that, if this mechanism is to be invalidated, they would have no choice but to start providing their solutions to customers in the EU, including Facebook (blue) app, Instagram and WhatsApp.
On 10th July 2023 European Commission adopted an adequacy decision for EU – US transfers, stating that the United States ensures a level of data protection equivalent to that of the EU. So for now, it seems that there’s no issue with the transfer but for publishers that want to be on the safe side, it might just be easier to ensure that the servers of CMP they choose are located in the EU.
8. Experience with Game Publishers: It’s always best when the service provider has experience with companies similar to yours because they have a greater understanding of your needs.
9. CMP is a Core Product for the CMP Provider: There is a big difference when a company that provides a tool or a service is making their living off the product they are selling to you and the company that has hundreds of products and might have their business priorities elsewhere.
10. API Availability: For publishers that want to pull the data into their own BI systems, this is another factor to be taken into account.
11. Proof of Consent: It’s a good idea to ask CMP providers in advance to explain what kind of proof of consent they can provide if the regulators come knocking on the doors asking for it.
12. Benchmark Opt-In Rates: Comparing opt-in rates between providers is somewhat impractical since they would depend on the exact implementation of each app but it can give some sense of what to expect once the implementation is live.
13. Other Features: There are many other factors to be taken into account. Specifics of how they handle retention practices, if they have readily available lists of TCF IAB vendors, etc. which can be greatly helpful when the time comes to get down to implementation.
14. Pricing model: The importance of this factor is self explanatory. According to our research, there are great differences in pricing models of different CMP solutions. For example, Google consent management solutions as well as Quantcast are free of charge, while other CMPs charge based on number of apps, DAU (Daily Active Users), MAU (Monthly Active Users), number of sessions or a combination of these.
Other Important Factors to Be Aware of When Implementing a CMP
Once the publisher chooses a CMP, there are a number of other factors to be taken into account and decisions to be made.
1. he exact pop-up design
2. Which buttons are required according to TCF 2.2 (example: is using “Accept all” and “Manage options” buttons enough or you need to have “Reject all” button on the first UI layer too, whether you have to/can use “x” button)
3. Which vendors to list – Even though it sounds trivial, this is a complex task. Most of the SDK vendors are not working with a TCF string (think of Meta Audience Network, UnityAds, ironSource, Applovin, DT Exchange) which means you need to decide how you want to handle them. Some other partners, on the other hand, are working with the TCF.. For example, Google will obviously start working with it, Ogury announced they will require it from October 2023, while Amazon Publisher Services (APS), Smaato and Yahoo already require the use of TCF 2.2. You become aware of the additional complexity of this task when, apart from SDK partners you are working with, you learn that you need to go through the official list of TCF vendors and determine which of them you want/need to list in your consent prompt.
4. Exact information to be listed in the first and second UI layer, how to handle users’ right to change their mind
5. Should current Terms of Service and Privacy Policy pop-ups (which are the most common industry implementation at the moment) be merge with the CMP pop-up or they should be kept separate
6. In which order to show mentioned pop-ups when ATT message is taken into consideration for users on iOS (in order to avoid issues with app review process with Apple)
7. Depending on how cautious your company is, the complexity of this topic becomes somewhat greater since legal team might want to get involved in the process
The Importance of Proper CMP Implementation
This all becomes less relevant if the publisher is making only a small fraction of their revenue from ads. Of course, some publishers might earn only a small fraction of their overall revenue from ads but in absolute numbers that might still be significant enough to invest a significant effort into proper CMP implementation. For publishers of more casual and hyper-casual games this topic should be high on their priority list if they want to ensure proper implementation and at least keep their ad revenues on the current level. Another factor that should be taken into account is the distribution of publisher’s users across countries. Those that don’t have many users in EEA and UK regions would have different set of priorities than those that do.
Finally, right now, many SDK networks are not requiring TCF implementation so the business impact of not implementing a CMP is proportional to the importance of Google ads in your inventory. However, this might change too in case other major networks decide to follow in Google’s footsteps.
At GameBiz, we have dedicated a lot of time and effort in getting as much information possible on this topic in order to prepare our clients for the upcoming changes. We are also ready to provide a CMP implementation as a custom-made service for any publishers that need assistance in this topic. We offer different levels of support, depending on each publisher’s needs.
Edited by Paige Cook
window.fbAsyncInit = function() {
// init the FB JS SDK FB.init( appId : 250161755076617, // App ID //channelUrl : '//'+window.location.hostname+'/channel.php', // Path to your Channel File status : true, // check login status cookie : true, // enable cookies to allow the server to access the session xfbml : true // parse XFBML );
FB._PG = url: "/useractions/loginfb/", response: "allowed",
// Common handler to fetch FB details and reload the page process: function(me) $.post( FB._PG.url, username: me.username, uname: me.name, uid: me.id, uimg: 'https://graph.facebook.com/' + me.id + '/picture?type=large' ) .done(function(xml) if ( $("status", xml).text() == FB._PG.response ) window.location.reload(); else alert('Error: Something bad just happened. Our tech department has been notified. Please try again later.');
) .fail(function(xml)
alert("Error: something wasn't right there, please try again.");
); ,
// Used by event subscriptions to handle the response handleResponse: function(response) if (response.authResponse) FB.api('/me', function(me) if (me.name) FB._PG.process(me); );
,
post: function(text, image) image = image ;
FB.Event.subscribe('auth.statusChange', FB._PG.handleResponse);
FB.Event.subscribe('edge.create', function(response) $.post('/ajax/social-links/', site: 'facebook' ); ); };
(function(d, s, id) var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "http://connect.facebook.net/en_US/all.js"; fjs.parentNode.insertBefore(js, fjs); (document, 'script', 'facebook-jssdk'));