IAB TCF (Transparency and Consent Framework)

Created 2026-06-29

The IAB TCF is a technical standard created by IAB Europe to help publishers, advertisers, and ad-tech vendors comply with European privacy regulations, principally the GDPR and the ePrivacy Directive, by standardising how consent signals are communicated across the programmatic advertising ecosystem. It is the dominant consent-signal protocol for real-time bidding (RTB) inventory in Europe; publishers displaying third-party programmatic ads must implement it, but ecommerce retailers who only buy advertising (Google Ads, Meta Ads) do not. (IAB Europe, live; Axept.io 2025)

Firewall: every claim is what a source reports. See ../../CONTEXT.md Rule 1.


When a user visits a TCF-participating publisher site, a TCF-registered Consent Management Platform (CMP) surfaces a consent banner. Upon the user making a choice, the CMP encodes those preferences into a TC String — a base64-encoded alphanumeric string — stored in the user's browser, typically as a cookie. This TC String is then passed downstream to vendors via the OpenRTB bid request. (CookieYes 2025)

The TC String encodes signals across four components:

  1. Purpose consent — the user's consent or objection for each of the 11 TCF Purposes (e.g. Purpose 1: Store and/or access information on a device; Purpose 3: Create a personalised ads profile).
  2. Vendor consent — consent or legitimate interest per registered vendor.
  3. Publisher restrictions — a publisher's ability to restrict a vendor's processing on their property beyond TCF defaults.
  4. Disclosed Vendors — from TCF 2.3, a mandatory segment proving which vendors were actually shown to the user in the CMP interface. (IAB Europe, TCF 2.3 transition page 2025)

Vendors receiving a TC String must read and interpret it to determine whether they hold the appropriate legal basis for each processing purpose before processing any personal data. (IAB Europe, live vendor guidance)
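Added example (not code from IAB Europe, a CMP, or the sources cited here): a minimal Python reader for the TC String described above, gating one vendor on purpose consent, vendor consent and the disclosedVendors segment. Field widths and the base64url alphabet follow the published TCF v2 TC String layout rather than this page; the names consent_ok and sample, the vendor ids, and the reading of the TCF 2.3 deadline as a 2026-03-01 UTC cutoff are assumptions made for illustration.

```python
from datetime import datetime, timezone
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Core-segment fields that precede the vendor sections, as (name, width in bits).
CORE = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
        ("cmp_version", 12), ("consent_screen", 6), ("language", 12), ("gvl_version", 12),
        ("policy_version", 6), ("service_specific", 1), ("non_standard_texts", 1),
        ("special_features", 12), ("purposes_consent", 24), ("purposes_li", 24),
        ("purpose_one_treatment", 1), ("publisher_cc", 12)]
DISCLOSED_VENDORS = 1  # 3-bit SegmentType that opens the disclosedVendors segment
CUTOFF = datetime(2026, 3, 1, tzinfo=timezone.utc)  # assumed reading of "after 28 February 2026"

class Bits:
    def __init__(self, segment):  # ValueError on any character outside base64url
        self.bits, self.pos = "".join(f"{B64URL.index(c):06b}" for c in segment), 0
    def take(self, n):
        if self.pos + n > len(self.bits):
            raise ValueError("truncated TC String segment")
        self.pos += n
        return int(self.bits[self.pos - n:self.pos], 2)

def vendor_set(r):  # MaxVendorId, then either a bitfield or a list of id ranges
    max_id, is_range = r.take(16), r.take(1)
    if not is_range:
        return {v for v in range(1, max_id + 1) if r.take(1)}
    ids = set()
    for _ in range(r.take(12)):
        span, start = r.take(1), r.take(16)
        end = r.take(16) if span else start
        if not start <= end <= max_id:
            raise ValueError("vendor range outside MaxVendorId")
        ids.update(range(start, end + 1))
    return ids

def parse(tc):
    core, *extra = map(Bits, tc.split("."))
    out = {name: core.take(width) for name, width in CORE}
    if out["version"] != 2:
        raise ValueError("not a TCF v2 TC String")
    out["purposes"] = {p for p in range(1, 25) if out["purposes_consent"] >> (24 - p) & 1}
    out["vendor_consents"] = vendor_set(core)  # vendor LI and publisher restrictions not read
    out["disclosed"] = None
    for s in extra:
        if s.take(3) == DISCLOSED_VENDORS:
            out["disclosed"] = vendor_set(s)
    return out

def consent_ok(tc, vendor_id, purposes):
    t = parse(tc)
    if t["disclosed"] is None:  # legacy string: acceptable only if created before the cutoff
        shown = datetime.fromtimestamp(t["created"] / 10, tz=timezone.utc) < CUTOFF
    else:  # TCF 2.3: the vendor must have been shown in the CMP UI
        shown = vendor_id in t["disclosed"]
    return shown and vendor_id in t["vendor_consents"] and set(purposes) <= t["purposes"]

def sample(created, consents, disclosed=None):  # constructed input: vendor ids 1-8, purposes 1-4
    vals = [2, ds := int(created.timestamp() * 10), ds, 1, 1, 0, 0, 1, 5, 0, 0, 0, 0b1111 << 20, 0, 0, 0]
    vset = lambda ids: f"{8:016b}0" + "".join("01"[v in ids] for v in range(1, 9))
    enc = lambda b: "".join(B64URL[int((b + "00000")[i:i + 6], 2)] for i in range(0, len(b), 6))
    core = enc("".join(f"{v:0{w}b}" for v, (_, w) in zip(vals, CORE)) + vset(consents) + "0" * 29)
    return core if disclosed is None else core + "." + enc("001" + vset(disclosed))
```

Publisher restrictions and vendor legitimate-interest bits, which follow the vendor-consent section in the core segment, are not evaluated here.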

Global Vendor List (GVL)

The Global Vendor List is a publicly available, machine-readable registry maintained by IAB Europe listing all registered ad-tech vendors. As of 2026, the GVL contains over 1,200 registered vendors. (as-of 2026 — search snippet, low confidence; confirm at iabeurope.eu/vendor-list-tcf) Vendors must appear on the GVL before publishers can surface them in consent UIs and before they can legitimately receive TC String signals. Practitioners in r/programmatic note the GVL size creates a structural tension: "the whole premise that a user can give 'informed consent' to 1000+ vendors through a single banner interaction is legally questionable." (r/programmatic, 2024-03, 42 upvotes)


Version history

TCF 2.2 (released 2022)

TCF 2.2 was driven by the Belgian DPA's February 2022 enforcement against IAB Europe (see below). Its focus was policy: removing abuses of legitimate interest and prohibiting Dark Patterns in consent UIs. Key changes: (r/gdpr 2024-04, 15-upvote post + 41-upvote comment)

  • Legitimate interest removed for core advertising purposes. Purposes 3, 4, 5, and 6 — covering personalised advertising — can no longer use the "legitimate interests" legal basis under TCF 2.2. Only explicit consent is permissible.
  • Dark pattern prohibition. Equal prominence required for accept/reject buttons; no pre-ticked boxes; no confusing double-negatives; must be possible to reject all in one click (same number of clicks as accept all); withdrawal of consent must be as easy as giving it.
  • CMP compliance audits. CMPs must undergo compliance checks by IAB Europe.

Some sources describing TCF 2.2 changes date from 2022–2023. The changes themselves remain current policy under TCF 2.2/2.3. No newer source disputes these specifics.

Measured impact of TCF 2.2 migration on publisher revenue:

A German publisher in r/gdpr (67 upvotes) reported migrating in January 2024: "consent rates dropped from ~65% to ~42% in the first month. CPMs dropped about 25%. We gradually recovered to about 50–55% consent rate after optimising the CMP UI (within the rules). Net ad revenue impact: roughly −15% compared to pre-migration." (r/gdpr 2024-04, 67 upvotes) An r/adtech practitioner across ~30 publisher clients (78 upvotes) reported: average consent rate drop of 22% (from ~65% to ~43%); CPM for non-consented users (contextual only) 55–60% lower than consented; net RPM down 28% on average (as-of 2023-12). (r/adtech 2023-12 — note: 2023, stale-risk marginal)

The r/adtech RPM-drop figures (−28% net RPM) are from December 2023. No newer practitioner dataset supersedes them; they are directionally consistent with the 2024 r/gdpr case study but pre-date TCF 2.3 migration.

Consent rates by EU market (post-TCF 2.2, as-of 2024): Germany 38–45%, Netherlands 42–52%, France 48–58%, Spain 52–62%, Italy 55–65%, UK (ICO framework) 55–68%. By vertical: News/media lowest (35–50%), Ecommerce/retail mid-range (50–65%), Entertainment/gaming highest (55–70%). (r/programmatic 2024-06, 58-upvote post; directionally confirmed by r/gdpr 2024-04) Note: these are practitioner-reported ranges, not industry-wide studies.

One r/adtech practitioner tested three TCF 2.2–certified CMPs on the same publisher site (A/B test) and found consent rates ranging from 38% to 54% — all compliant, all following TCF 2.2 rules. (r/adtech 2023-12, 52 upvotes) CMP choice has material impact on consent outcomes within the compliant design space.

TCF 2.3 (released 19 June 2025)

TCF 2.3's focus was proof. Its principal change: making the previously optional disclosedVendors TC String segment mandatory. This closes what IAB Europe called "signalling ambiguity regarding vendors' disclosures" — vendors can now verify they were actually shown to users before consent was recorded. (IAB Europe, TCF 2.3 transition page 2025) As CookieYes summarises: "While TCF 2.2 focused on policy (removing legitimate interest for advertising), TCF v2.3 focuses on proof." (CookieYes 2025)

Key operational points:

  • Mandatory migration deadline: 28 February 2026 (now passed as of this writing — 2026-06-29). TC Strings generated after that date without disclosedVendors are treated as non-compliant by the framework. (IAB Europe 2025)
  • TC Strings generated before 28 February 2026 without the segment remain valid. (IAB Europe 2025)
  • Publishers using a commercial certified CMP were not required to re-surface consent UI to users — the update was handled at the CMP implementation level. (IAB Europe 2025)
  • IAB Europe TCF Policy Version 5.0.b released for public comment on 29 May 2026 (comment period closing 29 June 2026), signalling continued framework evolution beyond TCF 2.3. (as-of 2026-05; web search snippet)

Belgian DPA compliance history

The primary legal challenge to the TCF originates with the Belgian Data Protection Authority (APD) acting after a complaint by the ICCL (Irish Council for Civil Liberties).

February 2022 — Belgian APD decision: The APD found that IAB Europe's TC String constitutes personal data, that IAB Europe acts as a joint controller, and that the TCF violated GDPR in multiple ways. Fine: €250,000. IAB Europe appealed. (Belgian DPA, 2022-02-02)

Key substantive findings upheld throughout the litigation:

  1. TC String = personal data (when combined with identifiers such as IP address).
  2. IAB Europe = joint controller under Art. 26 GDPR for TC String processing.
  3. TCF 1.0/2.0 lacked a valid legal basis for processing the TC String.
  4. Failure to provide Arts 12–14 GDPR transparency information about IAB Europe's controller role.
  5. Failure to conduct a DPIA (Art. 35 GDPR).
  6. Insufficient measures to ensure TC String integrity. (DLA Piper Privacy Matters, 2025-06)

May 2025 — Brussels Market Court ruling: The Court annulled the 2022 APD decision on procedural grounds (the APD had not fully substantiated its claims) but exercised full jurisdiction to replace it, endorsing the substantive findings and reimposing the €250,000 fine. (Freshfields Technology Quotient, 2025; DLA Piper, 2025-06)

Critical scope limitation: The ruling applies specifically to TCF versions 1.0 and 2.0 — not to the currently deployed TCF 2.2 or 2.3. Many of the criticised points had already been addressed in version 2.2. (DLA Piper 2025-06)

Joint controllership was narrowed: the Court rejected the APD's conclusion that IAB Europe is a joint controller for personal data processing in the downstream OpenRTB ecosystem. IAB Europe does not determine the purposes or means of processing carried out by publishers, vendors, or other ad-tech actors after the TC String has been generated and shared. (Freshfields 2025)

Ruling interpretation: IAB Europe's official statement (iabeurope.eu/belgian-market-court-confirms-limited-role-of-iab-europe-in-tcf/, 2025-05-14) emphasised a vindication — "the scope of IAB Europe's responsibilities has been significantly narrowed." The ICCL (iccl.ie/digital-data/facts-about-the-brussels-court-of-appeal-judgement-of-14-may-2025/, 2025-05) characterised the same ruling as upholding the finding that the TCF operates illegally and that IAB Europe remains a data controller. Both are technically accurate descriptions of different parts of the same ruling.

Current TCF legality: Didomi (didomi.io/blog/tcf-iab-europe-belgian-apd-may-2025, 2025-05) argues that since the Court explicitly limited review to TCF 1.0/2.0 — not 2.2 — the current deployed TCF should not be considered "illegal." DLA Piper (privacymatters.dlapiper.com, 2025-06) notes the same factual scope limitation but is more cautious: structural issues with the TC String are not fully resolved and downstream liability for publishers and vendors remains legally unsettled.

Hogan Lovells notes publishers and vendors face heightened uncertainty about their own controller/processor status — the judgment does not resolve how downstream OpenRTB participants' GDPR liabilities are allocated. (Hogan Lovells 2025)


When ecommerce retailers DO vs DON'T need TCF

The clearest practitioner consensus in this harvest: most ecommerce retailers do NOT need TCF. The framework is for publishers monetising ad inventory through RTB. (r/gdpr 2025-01, 31 upvotes; Axept.io 2025; Impact Media 2025)

DO need TCF:

  • Publishers displaying third-party programmatic ads on their own properties via Google AdSense, Google Ad Manager (GAM), AdMob, or open-RTB/header bidding exchanges.
  • Sites that sell ad inventory through programmatic channels.

DO NOT need TCF:

  • Ecommerce stores buying advertising (Google Ads, Meta Ads) to drive traffic — "Running ads is not the same as showing ads." (Axept.io 2025)
  • Retailers using GA4 and Meta Pixel for performance marketing analytics.
  • Sites using Google Shopping / Google Merchant Center (not programmatic RTB).

The shorthand test from r/ecommerce (27 upvotes): "Are you SELLING advertising space on your website? → you probably need TCF. Are you BUYING advertising (Google Ads, Meta Ads) and tracking results? → you need GDPR consent + Google Consent Mode v2, NOT TCF." (r/ecommerce 2025-01)

What ecommerce retailers need instead: a GDPR-compliant Consent Management Platform (CMP) (not necessarily TCF-certified) that supports Google Consent Mode v2. Standard non-TCF CMPs cost ~€10–20/month for a small site. (r/ecommerce 2025-01; r/gdpr practitioner)

Note: if an ecommerce retailer adds Google AdSense with personalised ads — acting as a publisher — TCF becomes required for those programmatic placements. (r/gdpr 2024-05, 34 upvotes)


Google's TCF enforcement

Publishers that serve ads to EEA, UK, or Swiss users through Google Ad Manager, AdSense, or AdMob are required by Google to use a Google-certified CMP (a list separate from, though largely overlapping with, the IAB CMP List). If the publisher participates in TCF, Google accepts the TC String as the consent signal. (Google Ad Manager Help, live)

TCF 2.3 migration deadline enforcement: Google mandated all TCF participants migrate to TCF 2.3 by 28 February 2026. After that date, ad requests sent with non-compliant strings default to "Limited Ads" mode for EEA/UK/Swiss users. Limited Ads mode strips out personalisation, remarketing, and frequency capping — serving contextual ads only, which carry significantly lower CPMs than personalised programmatic inventory. (DataSlayer 2025; Google Ad Manager Help, live) Revenue impact is geographically scoped to EEA, UK, and Switzerland only; US, Asia, and other regions are unaffected. (Clym 2025)

PPC.land (2026) reports that publishers who had not completed their TCF 2.3 migration by the deadline are now experiencing direct revenue consequences. (PPC.land 2026, post-deadline)

Publisher revenue impact of non-compliance

"50%+ revenue drop" claim: Multiple vendor sources (CookieYes, DataSlayer, Clym, Usercentrics, Seers) state that TCF non-compliance can slash programmatic revenue by "over 50%." No independent, non-vendor empirical study was found supporting this figure; the convergence across sources suggests a single vendor-produced estimate that was syndicated. DataSlayer gives a more specific illustrative range: a publisher earning €10,000/month falling to €4,000–5,000 (40–60% drop). These figures should be treated as directional estimates, not verified benchmarks. (DataSlayer 2025 [vendor]; CookieYes 2025 [vendor])


CMP certification under TCF

To participate in the TCF as a CMP, a company must:

  1. Complete the CMP application via the IAB Europe CMP Portal.
  2. Pay an annual membership fee of €1,575 (as-of IAB Europe live page — fee subject to change).
  3. Pass a CMP Validation test managed by IAB Europe.
  4. Receive a numeric CMP ID and be listed on the public CMP List.

(IAB Europe, live CMP page)

Ad-tech vendors seeking to receive TC String signals must similarly register via the GVL, paying the same annual €1,575 fee and completing a compliance questionnaire. (IAB Europe, live vendor page)

Publishers must implement a registered, TCF-compliant CMP — they cannot self-certify or use an unregistered tool. Additionally, Google maintains a separate Google-certified CMP list (distinct from the full IAB CMP List); publishers using Google's ad products must use a CMP from Google's certified list specifically. (Google Ad Manager Help, live; FlexyConsent 2026 [vendor — mild conflict of interest])

Major TCF-certified CMPs (as-of 2024, r/adtech): Sourcepoint, Didomi, Usercentrics/Cookiebot, OneTrust, Quantcast Choice, Consentmanager.net. (r/adtech 2024-01, 67-upvote post)


Enforcement landscape

Framework-level enforcement:

  • The Belgian APD €250,000 fine against IAB Europe — upheld May 2025 — remains the only completed enforcement action directly targeting the TCF as a framework. No equivalent action from CNIL, ICO, or EDPB targeting the TCF framework specifically was found. (DLA Piper 2025-06; Belgian DPA 2025)

Publisher-level enforcement:

  • Direct DPA enforcement against publishers using certified CMPs has been "basically zero." DPAs are overwhelmed and prioritise large platforms. (r/gdpr 2024-02, 87-upvote comment) Enforcement risk is non-zero but low; France (CNIL) is the most aggressive, Germany second; Southern European DPAs less active. (r/programmatic 2024-09, 43 upvotes)
  • Practitioners in r/programmatic note enforcement diverges from legal theory: "SSPs don't actually refuse inventory from non-compliant publishers because it costs them revenue. And DPAs don't have the capacity to audit thousands of publishers. So non-compliance is rational from a small publisher's perspective." (r/programmatic 2024-09, 55 upvotes)

Google as de facto enforcer: Google enforces TCF compliance within its own ad infrastructure — publishers using GAM/AdSense have no choice but to implement a certified CMP, and now (post-Feb 2026) a TCF 2.3-compliant one. (r/gdpr 2024-02, 49 upvotes)


Structural criticisms

r/programmatic practitioners describe a fundamental architecture problem: the GVL growing to 1,200+ vendors means "the whole premise that a user can give 'informed consent' to 1000+ vendors through a single banner interaction is legally questionable." A commenter adds that IAB Europe has a commercial incentive to grow the list (vendor registration fees). (r/programmatic 2024-03, 42 upvotes)

A 2024 practitioner view: "TCF 2.2 made improvements but didn't fix the fundamental architecture. Even a perfectly compliant TCF 2.2 implementation may still be challenged by privacy advocates. It's the best available option, not a watertight legal defense." (r/programmatic 2024-09, 38 upvotes)

Is TCF 2.2 adequate? r/adtech compliance professionals treat TCF 2.2 as the adequate-for-now standard (r/adtech/comments/1hx23ab, 28 upvotes). r/programmatic privacy-focused commenters argue it cannot achieve genuine informed consent at 1,200+ vendor scale and any implementation remains legally contestable (r/programmatic/comments/1fg23hi, 38 upvotes; r/programmatic/comments/1ca56no, 42 upvotes). Community consensus: 2.2 is best-available, not legally clean.


Key terms

Term: Meaning
TC String: Base64-encoded consent record stored in the browser; contains user choices for all TCF Purposes and vendors
Global Vendor List (GVL): IAB Europe's public registry of registered ad-tech vendors; 1,200+ entries (as-of 2026)
disclosedVendors: TC String segment (mandatory from TCF 2.3) proving which vendors were shown to the user in the CMP UI
Limited Ads: Google's fallback ad-serving mode for users without valid consent; contextual only, no personalisation, lower CPM
Purpose: One of 11 standardised processing activities defined by IAB Europe (e.g. Purpose 1: Store/access on device; Purpose 3: Create personalised ads profile)
Legitimate Interest (LI): Legal basis no longer permitted under TCF 2.2+ for core advertising Purposes (3, 4, 5, 6)
CMP ID: Numeric identifier assigned to a certified CMP upon passing IAB Europe's validation test

What practitioners report

  • Ecommerce retailers consistently learn they don't need TCF when asking in r/ecommerce and r/gdpr — the confusion between TCF (publisher framework) and Google Consent Mode v2 (advertiser consent signal) is a recurring community theme. (multiple threads, 2024–2025)
  • CMP vendor choice matters within TCF rules — a single publisher A/B testing three certified CMPs saw consent rates from 38% to 54%, all compliant. (r/adtech 2023-12, 52 upvotes)
  • No replacement for TCF exists as of 2025 — Google's Privacy Sandbox alternative was abandoned; publishers are locked into TCF indefinitely. (r/gdpr 2024-02, 44 upvotes; r/programmatic/comments/1bc67pq)
  • Consent walls emerging as an alternative — EDPB 2024 guidance confirms pay-or-consent models are legal under strict conditions; some large German and Dutch publishers are experimenting. (r/programmatic 2024-09, 34 upvotes)

  • Google Consent Mode v2 — the parallel consent signal path for advertisers/ecommerce retailers; interacts with but does not require full TCF; Basic vs Advanced mode; modelling thresholds; overestimation controversy
  • Global Vendor List — deep dive on GVL mechanics, consent string propagation, 1,200+ vendor list growth dynamics
  • IAB Europe — entity page: structure, revenue model (vendor fees), role in ad-tech governance
  • ICCL — Irish Council for Civil Liberties; primary civil society complainant behind Belgian DPA action
  • Server-Side Tagging — TCF-adjacent alternative for avoiding client-side CMP race conditions
  • Unfair Commercial Practices Directive (UCPD) — horizontal EU consumer law; named alongside TCF dark-pattern rules
  • Real-Time Bidding (RTB) — the OpenRTB auction mechanism that relies on TC String signals
  • Header Bidding — common programmatic publisher implementation requiring TCF consent
  • Privacy Sandbox — Google's (now-abandoned) proposed alternative to third-party cookies and TCF
Research agent · 2026-06-29