The IAB TCF (Transparency and Consent Framework) is a voluntary standard from IAB Europe. It lets websites collect visitor consent for digital advertising, then pass that consent through a Consent Management Platform to ad-tech vendors downstream. It supports GDPR and ePrivacy compliance for programmatic ads.
IAB Europe governs the framework and IAB Tech Lab maintains its technical specs. The version in force today is v2.3, and its legal standing has been contested since a 2022 Belgian ruling that later appeals narrowed.
What Is the IAB TCF?
The IAB TCF is an accountability tool built on standardization. It helps publishers and ad-tech vendors document a visitor's consent choices for GDPR and ePrivacy compliance, per IAB Europe's framework specification. It is not a law. It is an industry-built rulebook and technical format. It lets a visitor's cookie and tracking choices travel from the website where they were made to every ad-tech company serving that visitor an ad.
Three groups use it. Publishers (first parties) are the websites and apps that collect the consent. Vendors (third parties) are the ad-tech companies that read the consent signal downstream, such as ad servers, demand-side platforms, and measurement providers. Consent Management Platforms (CMPs) sit in between. They show the banner, record the choice, and generate the technical signal both sides rely on.
The TCF is voluntary. No law requires a site to adopt it. A site adopts it when it runs programmatic advertising. Its ad partners then require a recognized consent signal to keep serving ads in the EU, EEA, and UK.
Who Created and Governs the IAB TCF?
IAB Europe created and owns the TCF policy. IAB Tech Lab stewards its technical specifications. IAB Europe first launched the framework in 2017 and has updated it several times since, most recently to version 2.3 in 2025.
The two organizations split responsibility cleanly. IAB Europe handles the legal and policy side: what the framework requires and how it maps to GDPR and the ePrivacy Directive. IAB Tech Lab handles the technical side: the CMP API that CMPs implement, the TC String format, and the Global Vendor List specification.
Both sit under the broader Interactive Advertising Bureau (IAB), a trade body with more than 700 member companies. IAB Europe is one of 45 independently operated regional IAB organizations worldwide. IAB Tech Lab is a separate nonprofit technical consortium that works in affiliation with IAB. Confusing the three is common. IAB is the parent trade body. IAB Europe is the TCF's policy owner. IAB Tech Lab is its technical steward.
Why the IAB TCF Matters for GDPR and ePrivacy
The IAB TCF exists because a single ad impression can involve dozens of ad-tech companies. GDPR and the ePrivacy Directive both require a valid legal basis before any of them can process a visitor's data. Without a shared consent signal, each vendor in that chain would need its own way to confirm consent, and none could trust another's claim. The TCF standardizes the signal so every party can act on the same recorded choice.
The stakes are commercial as much as legal. Google requires publishers serving EEA, UK, and Switzerland traffic through AdSense or Ad Manager to use a Google-certified CMP that integrates with the TCF. A publisher without a working TCF signal risks reduced ad demand, or outright loss of programmatic revenue in those regions.
Consent under the TCF is not always the legal basis in play. Vendors can also declare legitimate interest for narrower purposes. The 2022 update to the framework, covered below, removed legitimate interest as an option for advertising and content personalization specifically. The underlying visitor choice the TC String encodes is still the same cookie consent a banner records at the outset.
The Core Parts of the IAB TCF
The TCF's technical infrastructure rests on four moving parts. The CMP captures consent. The Global Vendor List identifies who receives it. The TC String encodes it. The Purposes define what "it" covers. For the full step-by-step signal flow between these parts, see how the IAB TCF works.
Consent Management Platforms (CMPs)
A Consent Management Platform is the software that displays the consent banner and records the visitor's choice. It also generates the TC String that carries that choice downstream. Consently is one example. It is a registered CMP that shows a banner and lets a visitor accept or reject tracking categories. It then produces a TCF-compliant signal for any connected ad-tech vendor.
The Global Vendor List (GVL)
The Global Vendor List is IAB Europe's public registry of IAB vendors that have agreed to follow TCF rules. The current specification is GVL version 3.0. Each listed vendor gets a fixed ID number. A CMP's banner reads from this list to show a visitor which vendors would receive their consent choice.
The TC String
The TC String, short for Transparency and Consent String, is the compact encoded signal a CMP generates once a visitor makes their choice. It travels with every ad request downstream. Vendors decode it to confirm exactly which purposes and vendors the visitor consented to before processing any data. For the full encoding mechanics, see the TC String explained.
Purposes, Special Purposes, and Features
TCF Purposes are the fixed categories of data use a visitor consents to or objects to, such as selecting personalized advertising or measuring ad performance. The current framework defines 11 Purposes and 3 Special Purposes. Special Purposes cover processing a visitor cannot object to, such as Special Purpose 3, "Save and communicate privacy choices," which stores the consent record itself. A CMP's banner shows the objectable categories as toggles, not a single accept-or-reject choice. The full list lives at TCF purposes; this page keeps to the definitional overview.
IAB TCF Versions: From v1.0 to v2.3
The current version is TCF v2.3. Any site running programmatic advertising should be implementing it today, not v2.2. IAB Europe's own pages carry two dates for the v2.3 release: April 2025 on one page, 19 June 2025 on its dedicated transition page. This article uses "2025" for the broader launch window and the more specific date where precision helps.
| Version | Year | Key change |
|---|---|---|
| v1.x | 2018 | The original framework; first standardized consent signal for programmatic ads. |
| v2.0 | 2020 | Added granular Purposes and a legitimate-interest legal basis alongside consent. |
| v2.2 | 2023 | Removed legitimate interest as a legal basis for advertising and content personalization Purposes; consent became the only option for those. |
| v2.3 | 2025 | Made the disclosedVendors segment of the TC String mandatory, closing a signal ambiguity for vendors that declare both Special Purposes and Purposes under legitimate interest. |
The disclosedVendors segment matters because of a specific edge case. A vendor could previously receive a "0" in the legitimate-interest section of the TC String. That "0" could mean the visitor objected, or it could mean the vendor was never disclosed to the visitor at all. Making disclosedVendors mandatory removes that ambiguity: a "1" now always means the vendor was shown to the visitor.
The transition deadline for v2.3 was 28 February 2026, and that date has now passed. Any TC String generated without the disclosedVendors segment is deemed invalid from 1 March 2026 onward. So v2.3 is not simply the newer option today: it is the only valid version a compliant CMP can generate. Some vendor documentation still references v2.2 as current; treat any page describing v2.2 as the operative version as out of date.
Is the IAB TCF Legally Valid? The Belgian DPA Ruling
Yes, the IAB TCF is in active, lawful use today. But its legal footing has been genuinely contested, and the dispute is only partly resolved. On 2 February 2022, the Belgian Data Protection Authority (APD) found that the TCF, as then operated, infringed the GDPR. The APD treated IAB Europe as a joint controller over the TC String's processing and ordered a corrective action plan.
The dispute did not end there. IAB Europe submitted an action plan in April 2022, and the APD validated it in January 2023. IAB Europe appealed.
On 7 March 2024, the Court of Justice of the EU (CJEU) ruled on IAB Europe's role. IAB Europe can be a joint controller for TC String creation, but only when it actually influences that specific processing. The CJEU explicitly excluded downstream activity, such as ad targeting or measurement. That distinction undercut a core assumption behind the APD's original 2022 finding.
Applying the CJEU's narrower reading, the Belgian Market Court ruled on 14 May 2025. Several of the APD's original orders had gone too far, given IAB Europe's limited controller role.
On 9 January 2026, the Market Court went further. It annulled the APD's January 2023 decision that had validated IAB Europe's action plan, finding that validation legally flawed. The matter now returns to the APD to issue a narrower decision reflecting IAB Europe's actual, limited role.
The practical upshot: the TCF has not been ruled illegal. It remains the working consent standard for programmatic advertising in the EU today. But the litigation is not closed. The 2022 finding drove real changes to the framework, and the legitimate-interest removal in v2.2 traces directly to this dispute. The case is still working its way back through the Belgian regulator.
Do You Actually Need the IAB TCF?
You likely need the IAB TCF if you run programmatic display advertising to EU, EEA, or UK visitors. That includes Google AdSense, Ad Manager, header bidding, or a supply-side platform. It also applies if you are a publisher whose ad partners require a TCF signal to keep buying your inventory. Most ordinary business sites do not need it.
- You need it if: you serve EU/EEA/UK visitors programmatic ads through an SSP, an ad exchange, or Google Ad Manager. This also applies if an ad partner has told you a TCF signal is required.
- You probably don't if: your site runs only Google Analytics and a handful of marketing tags, with no programmatic ad inventory. A standard consent banner plus Google Consent Mode is usually enough for that case.
Enabling the TCF through an IAB-registered CMP is a configuration choice, not a rebuild. Most CMPs, including Consently, expose it as a toggle, not a separate integration project.
How Does the IAB TCF Differ from Google Consent Mode and the GPP?
The IAB TCF, Google Consent Mode, and the IAB GPP are complementary consent signals, not competing standards. Most sites running programmatic ads to Google use more than one at once.
| Framework | Who runs it | What it governs | When you use it |
|---|---|---|---|
| IAB TCF | IAB Europe (policy) and IAB Tech Lab (technical specs) | Consent for the wider programmatic ad-tech supply chain via the Global Vendor List and TC String | Running header bidding, an SSP, or any ad-tech vendor beyond Google alone |
| Google Consent Mode | Passing a visitor's consent state to Google's own tags, such as Analytics and Ads | Running Google Analytics or Google Ads, with or without other ad-tech vendors | |
| IAB GPP | IAB Tech Lab | A newer, multi-region string format that can carry TCF (EU) signals and US state-privacy signals together | Operating across both EU/UK and US jurisdictions from one CMP setup |
Google officially integrates with the IAB TCF. Google Ads and Ad Manager read the TC String generated by a certified CMP. Google also runs a separate Additional Consent (AC v2) specification. It lets a CMP pass consent for Google-approved ad-tech providers not on the IAB Global Vendor List. That closes a coverage gap the GVL alone does not solve.
How Consently Supports the IAB TCF
Consently is a registered CMP that signals IAB TCF v2.3 for sites running programmatic ads. IAB TCF support is included on every plan rather than gated to a top tier, covering Basic, Premium, and Enterprise alike.
Consently signals IAB TCF v2.3 alongside Google Consent Mode v2 and Google Additional Consent (AC v2). A publisher's consent choices reach ad-tech vendors in the standard format each one expects. The setup shows up as configuration inside the dashboard, not a separate integration.
Two practical details matter for smaller sites. First, IAB TCF support ships on every Consently plan, including the entry-tier Basic plan, instead of sitting behind an upgrade. Second, a site that does not run programmatic advertising can switch IAB TCF off entirely. That keeps the banner simpler for visitors and skips vendor-consent controls nobody on that site needs.
For the broader category this framework sits inside, see consent management. Try Consently free to see the IAB TCF toggle alongside Google Consent Mode in one dashboard.
FAQs
What does IAB stand for?
IAB stands for Interactive Advertising Bureau, a trade body with more than 700 member companies. IAB Europe is its European regional arm and the TCF's policy owner.
What is the IAB TCF in simple terms?
In simple terms, the IAB TCF is the shared system carrying a visitor's cookie and ad-consent choices from a website to the ad companies downstream. Without it, those companies would process visitor data blind to that choice.
Is the IAB TCF mandatory?
No. It is a voluntary industry standard, not a law. GDPR and the ePrivacy Directive are the law; the TCF is one recognized way to document compliance for programmatic advertising specifically.
What is the current version of the IAB TCF?
The current version is v2.3, released in 2025. The disclosedVendors segment became mandatory after the 28 February 2026 transition deadline, so a TC String without it is now invalid.
Do Google and Meta use the IAB TCF?
Google does. Google Ads and Ad Manager officially integrate with the TCF, reading the TC String from a certified CMP. Google also runs its own Additional Consent list for approved vendors outside the Global Vendor List. Meta does not integrate with the TCF the way Google does and runs its own consent requirements outside it. Treat Meta's consent handling as separate from the TCF.
What is a TCF vendor?
A TCF vendor is an ad-tech company listed on the IAB Global Vendor List. It has agreed to follow TCF rules for how it processes consent signals, covered above under the framework's core parts.
What is TCF Special Purpose 3?
TCF Special Purpose 3, "Save and communicate privacy choices", covers storing and passing the visitor's consent record. That record lets the decision persist across sessions and vendors. A visitor cannot object to Special Purposes, since they underpin the framework itself.
Is the IAB TCF the same as a cookie banner?
No. The banner is the visitor-facing interface. The TCF is the standard behind an ad-focused banner that also generates the TC String the ad-tech supply chain reads.
Does a US-only website need the IAB TCF?
Generally no. The TCF targets EU, EEA, and UK consent for GDPR and ePrivacy. A US-only site typically needs opt-in vs opt-out consent handling instead, often built around a signal like Global Privacy Control (GPC) rather than the TCF.

