Game On or Game Over? Navigating Google TCF 2.2 Requirements and the Consent Management Landscape for Publishers

Božo Janković
Published in ironSource LevelUp
9 min read · Aug 24, 2023

As you have probably heard, Google will be requiring mobile app and game publishers to collect TCF-compliant (TCF = Transparency & Consent Framework) user consent for showing ads to users in the EEA (European Economic Area) and the United Kingdom. Since this is a major industry development, I wanted to shed more light on this topic, based on the two-month research I conducted.

Let’s start with the basics

As I have covered in my previous article, on 16th May 2023 Google announced that “later this year” they will require everyone using Google AdMob, Google Ad Manager, or Google AdSense to start collecting consent from users via a CMP (CMP = Consent Management Platform) that has been certified by Google. In the meantime, Google provided a more specific (and delayed) deadline: publishers now have until 16 January 2024 to comply with these requirements. Based on conversations with ad networks and colleagues from other companies, the industry does not seem to be in much of a rush to have this implemented. There are many unknowns on the topic and everyone seems to be in the exploration stage, so it would not be unexpected if the extended deadline simply gave publishers more time to do nothing, followed by another last-minute implementation (think of the implementations of ATT, Apple Privacy requirements, the GDPR launch and other industry novelties introduced over the years). This argument could further be supported by the fact that, as Q4 approaches, publishers will be reluctant to go ahead with changes that may disrupt the most profitable part of the year from the ad monetization perspective.

What else has Google shared with us

Apart from the deadline, we now have an official list of CMPs that Google has certified. At the time of writing this article, there are 49 certified CMPs on the list in total. All of them can be used for web properties; however, only 21 of them are available for mobile apps. This also includes Google consent management solutions. On the entire list, there is only one game publisher that had their CMP approved: Outfit7. The only other game publisher that we are aware of that has their own CMP is EasyBrain (certified by IAB), but it seems that they still haven’t been certified by Google.

For reference: publishers have the option to create their own CMP instead of using a third-party solution; however, this seems greatly impractical for the vast majority of companies in the industry. Apart from the technical and legal effort, there is a fair amount of bureaucracy (the solution first needs to be certified by IAB and after that by Google), and at the moment there are no estimates of how long the entire process would take.

Which TCF version should be used by publishers?

The latest version of TCF introduced by IAB is TCF 2.2. The IAB deadline for CMPs to implement it was 30 September 2023; however, this has also been postponed to 20 November 2023.

Where is the mobile games industry now in terms of TCF 2.2 compliance?

Pretty much nowhere. We previously shared examples of consent flows that are in line with TCF requirements; however, none of them are TCF 2.2 compliant. Some of the biggest gaming publishers have very simple consent flows that do not follow TCF guidelines, and this includes the likes of Supercell, Electronic Arts, Ubisoft, Zynga, King, Playrix, Wildlife Studios, Miniclip, Peak Games, Dream Games, Glu Mobile, Moon Active and others.

How to choose the right CMP

At GameBiz, we conducted very thorough research regarding different CMP solutions. We went through the list of the 11 initially certified CMPs and we conducted two rounds of interviews with them. We shortlisted our favorite solutions (five of them) and did a third round of calls to get into the finest details of their product offering. Below are the criteria we took into consideration when comparing different CMP solutions.

  1. Support Availability: This is one of the most important factors in our book. From the experience we have so far, we have seen that implementing a CMP is not a trivial task. So getting proper support from a CMP during and after the implementation is essential in order to avoid unintentional damage to the publisher’s ad revenues. Just one day of a CMP implementation not working correctly across the entire user base can cost more than a full year’s fee for CMP services.
  2. Consent Pop-Up Customization: This is another important factor, since going for an out-of-the-box solution as opposed to customizing it can result in very different opt-in rates, which are crucial for avoiding a negative impact on ad revenue.
  3. AB Testing Availability: This goes hand in hand with the previous criterion. If the platform has an out-of-the-box solution for AB testing different consent pop-ups, it can greatly increase the publisher’s chance of maximizing their opt-in rate.
  4. Regulations Supported: Depending on the location of the publisher’s users, this might be an important factor when choosing a CMP. Right now, Google is requiring TCF 2.2 consent for EEA and UK users, but there’s nothing to say that, half a year or one year from now, they won’t expect publishers to comply with other regulations worldwide (for example, CCPA, the California Consumer Privacy Act, or LGPD, the Brazilian data protection law Lei Geral de Proteção de Dados Pessoais). Having different CMPs for different laws or switching them would probably be greatly impractical.
  5. TCF Version Supported: Ensuring that the CMP has plans to update their TCF version to 2.2 requirements by the deadline is also something that should be done to avoid any headaches in the future.
  6. Integration options: All of the CMPs we interviewed require an SDK integration. Depending on the engine the publisher is using to develop their games, some integration options might be more convenient than others (iOS, Android, React Native, Unity, Flutter, etc.).
  7. Server location: This might seem a bit strange at first, but we didn’t want to leave anything to chance. The reason that we looked into this is that historically, data transfers outside the European Union have come under a certain amount of scrutiny by the regulators. More specifically, these transfers were so far executed under the Privacy Shield mechanism, which was questioned by the EU courts, and at one point it seemed as if it would not qualify as a legal ground for data transfer. Even Meta announced that, if this mechanism were to be invalidated, they would have no choice but to stop providing their solutions to customers in the EU, including the Facebook (blue) app, Instagram, and WhatsApp. On 10 July 2023 the European Commission adopted an adequacy decision for EU-US transfers, stating that the United States ensures a level of data protection equivalent to that of the EU. So for now, it seems that there’s no issue with the transfer, but for publishers that want to be on the safe side, it might just be easier to ensure that the servers of the CMP they choose are located in the EU.
  8. Experience with Game Publishers: It’s always best when the service provider has experience with companies similar to yours because they have a greater understanding of your needs.
  9. CMP is a Core Product for the CMP Provider: There is a big difference between a company that makes its living off the tool or service it is selling to you and a company that has hundreds of products and might have its business priorities elsewhere.
  10. API Availability: For publishers that want to pull the data into their own BI systems, this is another factor to be taken into account.
  11. Proof of Consent: It’s a good idea to ask CMP providers in advance to explain what kind of proof of consent they can provide if the regulators come knocking on the doors asking for it.
  12. Benchmark Opt-In Rates: Comparing opt-in rates between providers is somewhat impractical since they would depend on the exact implementation of each app but it can give some sense of what to expect once the implementation is live.
  13. Other Features: There are many other factors to be taken into account, such as the specifics of how they handle retention practices or whether they have readily available lists of TCF IAB vendors, which can be greatly helpful when the time comes to get down to implementation.
  14. Pricing model: The importance of this factor is self-explanatory. According to our research, there are great differences in the pricing models of different CMP solutions. For example, Google consent management solutions as well as Quantcast are free of charge, while other CMPs charge based on the number of apps, DAU (Daily Active Users), MAU (Monthly Active Users), number of sessions, or a combination of these.

Other Important Factors to Be Aware of When Implementing a CMP

Once the publisher chooses a CMP, there are a number of other factors to be taken into account and decisions to be made.

  1. The exact pop-up design
  2. Which buttons are required according to TCF 2.2 (example: is using the “Accept all” and “Manage options” buttons enough or do you need to have the “Reject all” button on the first UI layer too, whether you have to/can use the “x” button)
  3. Which vendors to list — Even though it sounds trivial, this is a complex task. Most of the SDK vendors are not working with a TCF string (think of Meta Audience Network, UnityAds, ironSource, Applovin, DT Exchange) which means you need to decide how you want to handle them. Some other partners, on the other hand, are working with the TCF. For example, Google will obviously start working with it, Ogury announced they will require it from October 2023, while Amazon Publisher Services (APS), Smaato, and Yahoo already require the use of TCF 2.2. You become aware of the additional complexity of this task when, apart from the SDK partners you are working with, you learn that you need to go through the official list of TCF vendors and determine which of them you want/need to list in your consent prompt.
  4. Exact information to be listed in the first and second UI layers, how to handle users’ right to change their mind
  5. Should the current Terms of Service and Privacy Policy pop-ups (which are the most common industry implementation at the moment) be merged with the CMP pop-up or should they be kept separate
  6. In which order to show the mentioned pop-ups when the ATT message is taken into consideration for users on iOS (to avoid issues with the app review process with Apple)
  7. Depending on how cautious your company is, the complexity of this topic becomes somewhat greater since the legal team might want to get involved in the process

The Importance of Proper CMP Implementation

This all becomes less relevant if the publisher is making only a small fraction of their revenue from ads. Of course, some publishers might earn only a small fraction of their overall revenue from ads, but in absolute numbers that might still be significant enough to justify investing significant effort into proper CMP implementation. For publishers of more casual and hyper-casual games, this topic should be high on their priority list if they want to ensure proper implementation and at least keep their ad revenues at the current level. Another factor that should be taken into account is the distribution of the publisher’s users across countries. Those that don’t have many users in the EEA and UK regions would have a different set of priorities than those that do.

Finally, right now, many SDK networks are not requiring TCF implementation so the business impact of not implementing a CMP is proportional to the importance of Google ads in your inventory. However, this might change too in case other major networks decide to follow in Google’s footsteps.

At GameBiz, we have dedicated a lot of time and effort to getting as much information as possible on this topic to prepare our clients for the upcoming changes. We are also ready to provide a CMP implementation as a custom-made service for any publishers that need assistance in this topic. We offer different levels of support, depending on each publisher’s needs. This includes:

  1. A detailed report covering important insights on the wider, general context of GDPR, other regulations throughout the world, and TCF 2.2 requirements by IAB; a detailed, comparative analysis of different Google-certified CMP solutions; as well as implementation requirements and answers to the questions raised above
  2. Hourly based consultations
  3. Support throughout the implementation of a specific CMP solution

For further information, feel free to contact us via LinkedIn or bozo@gamebizconsulting.com.

Happy CMP implementation everyone! :)

Božo Janković

I am a Head of Ad Monetization at GameBiz Consulting. My work involved consulting mobile video game companies on how to improve their revenue from ads.