The IAB’s Transparency & Consent Framework (IAB TCF v2.2) is the industry standard for ensuring GDPR and ePrivacy compliance in digital advertising. It defines how businesses explain data use, capture user consent, and share that consent with downstream partners.
This comprehensive guide explains everything publishers, advertisers, vendors, and consent management platforms (CMPs) need to know about IAB TCF 2.2. You’ll learn about the framework’s evolution, its compliance obligations, the role of the IAB CMP List, and how choosing an IAB-approved CMP supports both legal compliance and business growth.
Key takeaways
- IAB TCF 2.2 is the most recent version of the IAB Transparency & Consent Framework.
- The TCF 2.2 improves transparency about data use in advertising, simplifies purposes, and gives users more control over their data and its use.
- The IAB CMP List contains only CMPs certified to manage consent within the Framework.
- Key updates remove legitimate interest as a basis for advertising and require vendors to disclose more details.
- Working with an IAB-approved CMP supports GDPR compliance, builds trust, and helps ensure interoperability with ad tech partners.
What is the IAB Transparency and Consent Framework?
The IAB Transparency & Consent Framework (TCF) was launched by IAB Europe to standardize how organizations comply with GDPR and the ePrivacy Directive when processing personal data for digital advertising.
At its core, the IAB TCF framework:
- Establishes a common language for describing data collection and processing purposes
- Provides standardized consent signals (TC String)
- Enables consent to be communicated across the advertising supply chain, from publishers, to vendors, to demand-side platforms
This standardization helps solve a fundamental challenge: Publishers and vendors often rely on dozens or even hundreds of partners in programmatic advertising. Without a common protocol, ensuring that each partner receives and respects user consent would be almost impossible.
The IAB TCF has evolved from v1.1 to v2.0 and now to v2.2. Each iteration addresses regulatory developments, industry feedback, and enforcement actions by data protection authorities.
The TCF v2.2 complements in-app solutions for app publishers. Learn more about best practices for mobile app consent to see how the TCF v2.2 works with app consent banners.
What is IAB TCF v2.2?
The IAB’s TCF v2.2 is the latest set of Transparency and Consent Framework (TCF) changes and guidelines as of 2023. The Framework enhances transparency and customer control over personal data processing by publishers and advertisers in the digital advertising ecosystem. This version has brought significant new requirements.
This updated version gives consumers more control over their personal data, particularly in the context of advertising and content personalization.
Evolution from TCF v1.1 to v2.2
The technology landscape changes even faster than the regulatory one, so there have been a number of versions of the TCF since it first came out in 2018.
Here’s a timeline of its evolution, which underscores how the Framework has been adapted to regulatory and industry demands while maintaining its role as the backbone of GDPR-compliant digital advertising. The TCF v2.3 was announced on June 19, 2025.
TCF v1.1 (2018)
- First industry attempt to harmonize consent under the GDPR
- Provided a basic structure for consent signals
- Faced criticism for limited user transparency and reliance on legitimate interest
TCF v2.0 (2020)
- Introduced more granular controls for publishers
- Added flexibility for vendors to declare legal bases
- Improved user interface guidelines
- Still faced scrutiny from regulators
TCF v2.2 (2023)
- Responded to concerns from European data protection authorities, especially the Belgian Data Protection Authority ruling on IAB Europe’s role as a joint controller
- Removed legitimate interest for advertising purposes
- Simplified purpose descriptions for users
- Expanded vendor disclosure requirements
Read IAB Europe’s first Transparency & Consent Framework Compliance Report for 2024.
What’s new in the IAB TCF 2.2?
The most recent version of the Framework was released in 2023, and it brought with it significant changes meant to close gaps identified in previous versions.
- Legal basis for data processing: User consent is now the exclusive legal basis for advertising and content personalization, eliminating the option for legitimate interest.
- User-friendly descriptions: All in-app explanations and disclaimers about data use must be clearly written and easy to understand.
- User control: Individuals have more control over how app publishers may process data like geolocation data.
- Vendor disclosure: App publishers must disclose all vendors that will access personal data, along with details on the type of data they collect, how long they keep it, and their reasons for data use.
- Transparency: App publishers using the framework must disclose the data they collect and use in their ad campaigns.
- Consent management platform (CMP) design: Publishers must ensure that the number of vendors is displayed on the first layer of their CMP UI and that users can easily opt out of data processing.
The deadline to comply with the updated TCF v2.2 was originally September 30, 2023, delayed two months to November 20 to give companies more time to meet the requirements.
App publishers should be cautious about how they collect and share users’ consented data, and also how their vendors and technology partners process that data.
Version 2.3 of the Transparency & Consent Framework is expected by February 1, 2026, when all vendors and approved CMPs will be required to update their implementations.
Why IAB TCF 2.2 matters for publishers and advertisers
Digital advertising is undergoing a profound shift toward Privacy-Led Marketing™. Regulations like the GDPR, platform policies, and user expectations require companies to rethink how they collect and use data.
By adopting the TCF v2.2, publishers and advertisers can:
- Achieve and maintain GDPR compliance: Align with the most widely recognized industry framework
- Maintain monetization opportunities: Many demand sources require TCF compliance to transact programmatic advertising.
- Build user trust: Clearer consent information helps establish credibility with audiences.
- Reduce compliance risk: Demonstrates proactive alignment with regulatory guidance.
- Streamline partner relationships: Standardized consent signals ensure smoother data sharing with vendors.
Case study: Learn about how Conrad Electronic meets privacy compliance and Google business requirements at scale with Usercentrics — including using the TCF v2.2 for Google Ads.
How does the TCF v2.2 affect app publishers?
The TCF v2.2 gives power back to users who can share, refuse, or revoke consent at any time. To avoid the risk of noncompliance, app publishers must comply with privacy standards when collaborating with third-party vendors.
User consent management
Under the TCF v2.2, app publishers are required to explicitly mention what technologies they use to collect personal data and how they process that data.
Publishers need to provide users with the ability to refuse consent or to change or withdraw previously granted consent at any time. This needs to be as easy to do as giving consent.
App developers must disclose the user data they collect, for what purposes, and what third parties it may be shared with, among other requirements.
Publisher restrictions
Thanks to the TCF v2.2, app publishing companies can now exercise more control over how their vendors and tech partners access and handle user data.
For example, publishers can set custom requirements specifying how every vendor can process collected user data. App companies can also limit the purpose of data processing to a single activity, such as ad personalization or visitor analytics.
Vendors can register as capable of operating under multiple legal bases, and publishers can specify their preferred legal bases for partnering with vendors. This enables vendors and publishers to navigate markets with varying legal requirements for processing personal data.
Enhanced transparency
The TCF v2.2 requires publishers to provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies. Additionally, for consent requests to be valid, users must be provided with the following information for each vendor:
- Purposes (for data processing) and any special purposes
- Associated legal bases for the purposes
- Retention period for personal data for stated purpose
- Features and special features
- Categories of data collected and processed
If a publisher is using legitimate interest as the legal basis, they must provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies, as well as the following information for each vendor:
- Purposes (for data processing) and special purposes
- Associated legal bases for the purposes and a link to each vendor’s explanation of its legitimate interest(s) at stake
- Retention period for personal data re. fulfilling each stated purpose
- Features and special features
- Categories of data collected and processed
By providing this information in advance of data processing, individuals are empowered to make informed decisions about their data.
Vendor compliance
While not an absolute legal requirement, app publishers are advised to work with vendors that comply with the TCF v2.2 and are on the IAB’s vendors list. By doing so, all parties involved agree to adhere to the same standards, which reduces the overall risk of noncompliance.
Usercentrics App CMP is on the TCF List and is seamlessly integrated with the TCF. It’s also a Gold Tier Google-certified CMP partner and supports Google’s Additional Consent, so the CMP collects and signals consent for ad tech providers that are not part of the TCF v2.2, but are listed on Google’s Ad Tech Providers (ATPs) list.
Impact on revenue
The TCF v2.2 can impact app companies’ revenue. If informed users decide to opt out of personalized ads, app publishers could lose programmatic ad revenue.
Publishers that get most of their traffic in the EU or UK could experience this revenue drop the most due to the region’s regulations and requirements being levied by large digital platform providers.
Even so, it’s best to adopt the TCF v2.2 no matter where you operate, since most programmatic ad platforms will eventually stop advertising on websites and applications that haven’t implemented it.
Not meeting the latest standards and requirements could result in an even greater revenue hit from critical third parties. For example, Google now requires European advertisers to use a certified CMP that integrates with the TCF v2.2, or else they will not be able to do personalized advertising.
TCF v2.2 considerations for digital advertising and monetization
In the mobile advertising landscape, the TCF 2.2 introduces essential guidelines and requirements for advertisers for privacy compliance, user transparency, and effective ad targeting strategies. Companies delivering digital ads should pay close attention to the following TCF v2.2 framework components.
1. Vendor lists
TCF v2.2 requires app publishers to disclose the total number of vendors on their vendor list on the first layer of their CMP. Displaying too many vendors can make it hard for users to make informed choices. It’s better to limit the vendor list to include only those that you work with closely.
2. Purposes
TCF v2.2 restricts use of legitimate interest as a legal basis for certain purposes. Vendors must establish consent as their legal basis for the following purposes:
- Create a personalized ads profile
- Select personalized ads
- Create a personalized content profile
- Select personalized content
TCF v2.2 also replaces the currently mandatory legal disclaimers with user-friendly descriptions. You’ll need to include illustrations on the CMP’s second layer to clarify what the different purposes mean.
3. Consent for personalized and non-personalized ads
TCF v2.2 requires publishers to capture user consent for serving both personalized and non-personalized ads to enable compliance with user preferences and data protection regulations.
4. Consent signals
Before the TCF, vendors struggled with interoperability because they used two sets of guidelines — one from IAB Europe and another from Google — to transmit consent signals to adtech partners. Google now supports the TCF v2.2, so you can follow a consistent set of guidelines for all ad tech companies.
To work with Google AdSense, Ad Manager, or AdMob, publishers must implement a TCF v2.2-certified CMP, so Google’s ad tags and SDKs can easily receive the transparency and consent (TC) string from that CMP.
5. Requirements for demand-side platforms (DSPs)
Demand-side platforms (DSPs) must comply with the following guidelines to meet TCF v2.2 requirements.
- Register as a vendor in the global vendor list
- Vendors must have a mechanism that supports TC String consumption for processing real-time bidding requests
- A legal basis is mandatory for processing sensitive user data
6. Requirements for vendors
Vendors will also have to provide some additional information during registration:
- Categories of data collected and processed
- Details of the data retention period
- A webpage link that reveals a vendor’s legitimate interests
The IAB CMP List: finding an IAB-approved CMP
The IAB CMP List includes all consent management platforms approved by IAB Europe to implement the Framework. Only CMPs on this list can issue valid TCF 2.2 consent strings.
An IAB-approved CMP helps to ensure that:
- Consent banners meet technical standards
- User choices are recorded and transmitted correctly
- Vendors can rely on consent signals for GDPR compliance
Choosing a certified CMP is essential for both regulatory compliance and business continuity. Usercentrics is proud to be on IAB Europe’s CMP List, offering a CMP for publishers that integrates seamlessly with the TCF v2.2.
Challenges and opportunities for publishers with the TCF 2.2
Global coverage of privacy regulations continues to expand, and existing laws, guidelines, and platforms’ policies are getting more strict. So unsurprisingly there are growing challenges for companies, including with the TCF v2.2 requirements.
However, these go hand in hand with opportunities for companies to build more sustainable business operations and enjoy competitive advantages.
IAB TCF 2.2 challenges and opportunities
Data privacy is complex, and meeting TCF requirements may seem daunting. But as privacy regulations become nearly globally ubiquitous, and meeting privacy standards increasingly becomes critical to business success, companies need to be prepared to meet these challenges and seize opportunities.
| Challenges | Opportunities |
|---|---|
| Managing privacy compliance in-house is complex and grows more so, especially if multiple laws are applicable. This can strain tech and legal resources. | CMPs’ automation functions can streamline maintenance to help reduce resource strain, manage regulatory updates, and provide compliance peace of mind. |
| Apps can see lower consent rates as users leave or avoid ones that fail TCF UI or UX standards, especially as banner requirements for CMPs change. | A TCF v.2.2-compliant CMP with ad optimization helps provide better user experience and maintains trust. |
| CMPs face stricter registration and compliance checks. | Meeting strict privacy requirements shows proof of respect to audiences and ad partners for legal requirements and users’ data and privacy. |
| Publishers must adapt to new banner requirements. | Privacy compliance can open access to premium demand sources. |
| Vendors must provide more granular disclosures and maintain them as technologies in use and operations change. | Transparency with users and optimal user experience is a competitive advantage. |
| Both coverage of privacy laws and frameworks and authorities’ enforcement are likely to increase. | Early adopters can position themselves as leaders in Privacy-Led Marketing. |
A Usercentrics study revealed 90 percent of EU apps reviewed didn’t comply with the GDPR or ePrivacy requirements. Learn where apps are failing and how to protect your ad revenue.
TCF 2.2 and GDPR compliance
The TCF v2.2 framework is closely aligned with the GDPR’s principles:
- Consent must be explicit: Language must be clear and consent choices must be equally accessible — no legal jargon or pre-ticked boxes.
- Transparency is key: Users must understand what they’re agreeing to, and be able to access granular information about processors.
- Vendors must justify processing: Legal basis and retention periods must be clear, and legitimate interest is no longer allowed for several functions; consent is mandatory for those.
- Accountability applies: Publishers, vendors, and CMPs all share responsibility for data privacy compliance.
Adopting the TCF v2.2 demonstrates to regulators and partners that your organization takes privacy compliance seriously and has integrated GDPR requirements effectively.
Learn about the 7 principles of the GDPR to enable ongoing privacy compliance.
Transparency and Consent Framework 2.2 best practices
Achieving privacy compliance with the TCF v2.2 (and future versions) may seem challenging, but it is achievable. All you need is the right tools to set up an ecosystem that enables you to seamlessly connect with and manage vendors and users.
These best practices will help you stay privacy-compliant:
- Provide users with the complete required list of data processing partners and legal bases used by your organization.
- Explicitly mention data storage, retention, and use policies that publishers and their third-party partners follow.
- Obtain user consent for the use of technologies like tracking cookies before collecting users’ personal data (where required), including for IP addresses and device identifiers as varying laws dictate.
- Enable users to access the list of third parties (aka vendors) that may process user data.
- Inform users about the consequences of declining consent, such as certain functions that may not work correctly or at all, or the inability to provide personalized experiences.
- Give users the ability to update, withdraw, or revoke their consent choices as easily as they provide it.
- Notify users if legitimate interest is being used as the legal basis for data processing, but remember that under the TCF v2.2, user consent is now the exclusive allowed legal basis for advertising and content personalization.
- All call-to-action buttons for consent choices must be equally visible. “Accept” and “Reject” options must appear equal and be equally accessible.
The IAB TCF 2.2 and the future of digital advertising
The IAB Transparency & Consent Framework v2.2 is the cornerstone of GDPR-compliant digital advertising. The Framework will continue to evolve to meet requirements of new technologies, consumer demands, and legal developments.
By addressing regulator concerns and strengthening user rights, the TCF v2.2 provides a more transparent and trustworthy approach to data-driven marketing, gives users more control over their data, and makes companies more attractive advertising partners.
For publishers and advertisers navigating an increasingly complex privacy landscape, the TCF v2.2 is not just a mandated privacy compliance tool, it’s a strategic enabler of sustainable growth.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
