Who needs to comply with the IAB TCF?

Any publisher or website that monetizes through programmatic advertising in the EEA, UK, or Switzerland — particularly via Google Ad Manager, AdSense, or AdMob — and the consent management platforms and ad-tech vendors they work with. If you do not run programmatic ads, the TCF is generally not required for you, though you still need a compliant consent solution under the GDPR.

IAB TCF 2.3 Compliance: The Complete Guide for Publishers

Q: What is the IAB TCF?

The IAB Europe Transparency & Consent Framework (TCF) is an industry standard that lets publishers, consent management platforms, and ad-tech vendors communicate a user's consent choices across the programmatic advertising supply chain. It encodes those choices into a standardized TC String so every partner in the chain knows what a user did and did not agree to, helping the ecosystem comply with the GDPR and the ePrivacy Directive.

Q: What changed in TCF 2.3 compared to 2.2?

The main change in TCF 2.3 is that the disclosedVendors segment of the TC String is now mandatory, where it was previously optional. It is a binary signal (1 or 0) that confirms whether each vendor was actually shown to the user in the consent interface, removing the earlier ambiguity about whether a vendor was disclosed. TCF 2.3 did not remove legitimate interest changes introduced in 2.2; it adds verifiable proof of disclosure on top of them.

If your site earns money from programmatic advertising in Europe, the Transparency & Consent Framework decides whether your ad partners trust your consent signals. Here's what TCF 2.3 requires, what changed from 2.2, and why getting it wrong quietly drains your ad revenue.

The IAB Transparency & Consent Framework is the plumbing that carries a user's consent choices through the programmatic advertising supply chain. If you monetize a website with ads in Europe, your consent management platform almost certainly speaks TCF — and as of early 2026, it needs to speak the latest dialect, version 2.3, or your ad partners may stop trusting your signals altogether.

This guide explains what the TCF is, what specifically changed in 2.3, why the deadline already passed matters for your revenue, and how to make sure your site is generating valid consent signals today.

Key takeaways

The TCF standardizes how consent is communicated between publishers, CMPs, and ad-tech vendors, encoded in a "TC String."
TCF 2.3 is the current mandatory version — the deadline to adopt it was February 28, 2026.
The headline change: the disclosedVendors segment is now mandatory in every new TC String, proving which vendors were actually shown to the user.
From March 1, 2026, a new TC String without that segment is invalid — and major platforms like Google treat invalid strings as non-compliant, which can cut programmatic revenue sharply.

What is the IAB TCF?

The Transparency & Consent Framework was created by IAB Europe to solve a specific problem: a single web page that shows ads might rely on dozens or even hundreds of advertising partners, and under the GDPR and the ePrivacy Directive, each of those partners needs a lawful basis to process a visitor's data. Asking the user about every partner individually would be impossible. The TCF makes it workable by standardizing the whole exchange.

When a visitor makes their choices in your consent banner, the framework encodes those choices into a compact, standardized record called a TC String. That string travels with the ad request through the supply chain, so every vendor — from your publisher ad server to demand-side platforms — can read exactly what the user consented to and what they refused. In effect, the TCF is the shared language that lets the consent you collect actually mean something to the rest of the ad ecosystem.

It's important to be clear about what the TCF is and isn't. It is not a law. It's an industry framework that helps participants comply with the GDPR and the ePrivacy Directive in the specific context of programmatic advertising. You comply with the law; the TCF is the standardized mechanism that makes your compliance legible to your ad partners.

Who needs to care about the TCF?

The TCF matters most to publishers and websites that monetize through programmatic advertising in the EEA, UK, or Switzerland — especially anyone running Google Ad Manager, AdSense, or AdMob. If that's you, the TC String your CMP generates directly affects whether your inventory gets bids.

If you don't run programmatic ads, the TCF generally isn't required for you. You still need a compliant consent solution under the GDPR — a banner that blocks trackers until consent and logs the decision — but you don't need to generate TC Strings. The framework is specifically the bridge between consent and the programmatic ad supply chain.

What changed in TCF 2.3

To understand 2.3, it helps to know what 2.2 already did. Version 2.2, rolled out in 2023, was a policy update: most significantly, it removed legitimate interest as a valid legal basis for advertising and content-personalization purposes, required clearer purpose descriptions, and made CMPs show the total number of vendors on the first layer of the banner.

Version 2.3 is a smaller, more technical update, but a consequential one. The single headline change is this:

The disclosedVendors segment is now mandatory

The TC String is built from segments. One of them, the disclosedVendors segment, records which vendors were actually shown to the user in the consent interface. Under 2.2 this segment was optional, which created ambiguity — a vendor receiving a TC String couldn't always tell whether it had genuinely been disclosed to the user. TCF 2.3 makes the segment mandatory and turns it into a clear binary signal: for each vendor, a 1 means it was disclosed in the banner, and a 0 means it wasn't.

The practical effect is that disclosure becomes provable. A vendor can now verify whether it was shown to the user before relying on it to process data, which closes the "ghost vendor" ambiguity of earlier versions. For your CMP, it means the vendors visible in your banner must exactly match the 1s in the disclosedVendors segment — IAB Europe runs automated validators that flag mismatches, and a mismatch can cost a CMP its certification.

What 2.3 did not change: the legitimate-interest removals introduced in 2.2 still stand. TCF 2.3 doesn't relax any earlier requirement — it adds a layer of verifiable proof on top of them. If you were compliant with 2.2's policies, 2.3 is mainly about your TC String now carrying the mandatory disclosure segment.

	TCF 2.2	TCF 2.3 (current)
Focus	Policy — what's allowed	Proof — verifiable disclosure
disclosedVendors segment	Optional	Mandatory in every new TC String
Legitimate interest for ads	Removed	Still removed (unchanged)
Vendor count on first layer	Required	Required (unchanged)
Status as of June 2026	Strings without disclosedVendors invalid	Mandatory standard

The deadline, and why it hits your revenue

The deadline to adopt TCF 2.3 was February 28, 2026. From March 1, 2026, any new TC String created without the disclosedVendors segment is deemed invalid. (TC Strings created before the deadline stay valid until the user renews or changes their choices, so there's no need to force every existing user to re-consent purely because of the version change.)

The reason this matters commercially, not just legally, is how the ad ecosystem treats invalid strings. Major demand-side platforms — Google among them — treat an outdated or invalid consent string as non-compliant. When that happens, ad requests can fall back to "limited ads" or simply not get bid on, and reporting from across the industry describes potential programmatic revenue drops of 50% or more for publishers still sending old strings after the deadline. In other words, a stale TCF implementation doesn't just create a compliance risk — it quietly switches off a large share of your ad income.

If you're not sure which version your CMP generates: this is worth checking today. A consent banner that looks fine to visitors can still be emitting invalid TC Strings behind the scenes, and the first sign many publishers get is an unexplained drop in ad revenue. The fix is making sure your CMP generates valid TCF 2.3 strings with the disclosedVendors segment populated correctly.

How to stay TCF 2.3 compliant

For a publisher, compliance comes down to a handful of practical points:

Use a CMP that generates valid TCF 2.3 strings. It must populate the mandatory disclosedVendors segment, not just emit a legacy 2.2 string.
Make the vendor list in your banner match the signal. Every vendor shown in your interface must correspond to a 1 in the disclosedVendors segment; hidden vendors must be 0. Mismatches get flagged by IAB's automated validators.
Keep your Global Vendor List current. A compliant CMP downloads the GVL regularly and builds the disclosure signal from your actual banner configuration.
Show the vendor count and clear purpose descriptions on the first layer of the banner, and make it easy for users to withdraw or change consent at any time — carried over from 2.2 and still required.
Confirm certification where it matters. If you rely on Google's ad products, your CMP should be Google-certified for TCF 2.3 so your signals are accepted across Google Ad Manager, AdSense, and AdMob.

Is your site sending valid TCF 2.3 signals?

Scan your site free to see how your consent setup and trackers are behaving — in about 10 seconds.

Run a free scan

How ConsentPixel handles TCF 2.3

ConsentPixel generates valid TCF 2.3 TC Strings, including the mandatory disclosedVendors segment, so the vendors shown in your consent interface are correctly signaled to your ad partners. That keeps your programmatic inventory compliant and your consent signals trusted across the supply chain — without you having to manage the technical details of the framework by hand.

Because ConsentPixel is delivered as a single JavaScript pixel, the TCF layer works alongside the rest of your consent setup: trackers are blocked until the visitor consents, choices are logged, and the resulting consent state flows out as a properly formed TC String. For publishers, that means TCF compliance and the underlying GDPR consent requirements are handled together, from one lightweight install.

TCF compliance also sits alongside ConsentPixel's broader coverage — GDPR, Google Consent Mode v2, and other frameworks — so the consent you collect satisfies both the law and the ad ecosystem at the same time.

Frequently asked questions

The IAB Europe Transparency & Consent Framework is an industry standard that lets publishers, consent management platforms, and ad-tech vendors communicate a user's consent choices across the programmatic advertising supply chain. It encodes those choices into a standardized TC String so every partner knows what a user did and did not agree to, helping the ecosystem comply with the GDPR and the ePrivacy Directive.

The main change is that the disclosedVendors segment of the TC String is now mandatory, where it was previously optional. It's a binary signal (1 or 0) confirming whether each vendor was actually shown to the user in the consent interface, removing the earlier ambiguity about disclosure. TCF 2.3 didn't undo the legitimate-interest changes from 2.2; it adds verifiable proof of disclosure on top of them.

The deadline to adopt TCF 2.3 was February 28, 2026. From March 1, 2026, any new TC String created without the disclosedVendors segment is treated as invalid. Major demand-side platforms, including Google, treat outdated strings as non-compliant, which can cause ad requests to fall back to limited ads and significantly reduce programmatic revenue. TC Strings created before the deadline remain valid until the user renews or changes their choices.

Any publisher or website that monetizes through programmatic advertising in the EEA, UK, or Switzerland — particularly via Google Ad Manager, AdSense, or AdMob — along with the CMPs and ad-tech vendors they work with. If you don't run programmatic ads, the TCF generally isn't required, though you still need a compliant consent solution under the GDPR.

Yes. ConsentPixel generates valid TCF 2.3 TC Strings, including the mandatory disclosedVendors segment, so the vendors shown in your consent interface are correctly signaled to your ad partners and your programmatic ad inventory stays compliant.

The bottom line

The TCF is the standardized language that makes your consent meaningful to the advertising ecosystem, and as of early 2026 the required dialect is version 2.3. The change itself is narrow — a once-optional disclosure segment is now mandatory — but the consequence isn't: a site still emitting old TC Strings can see its programmatic revenue fall sharply, often before anyone connects the drop to a consent-framework version. The fix is straightforward: make sure your consent solution generates valid TCF 2.3 signals, with the vendors in your banner matching the disclosure segment exactly.

Keep your consent signals trusted

ConsentPixel generates valid TCF 2.3 strings, blocks trackers until consent, and logs every decision — from a single pixel. See how your site is doing in about 10 seconds.

Scan your site free

No credit card required · 14-day free trial on all plans

The ConsentPixel Team

ConsentPixel is a CIPA-first consent management platform delivered as a single JavaScript pixel, with TCF 2.3, GDPR, CCPA/CPRA and Google Consent Mode v2 support built in. This article is educational and not legal advice.