The IAB’s Transparency & Consent Framework (TCF) is the industry standard for ensuring GDPR and ePrivacy Directive compliance in digital advertising. It defines how businesses explain data use, capture user consent, and share that consent with downstream partners.
This comprehensive guide explains everything publishers, advertisers, vendors, and consent management platforms (CMPs) need to know about IAB TCF v2.3. You’ll learn about the framework’s evolution, its compliance obligations, the role of the IAB CMP List, and how choosing an IAB-approved CMP supports both legal compliance and business growth.
What is the IAB Transparency and Consent Framework?
- IAB TCF v2.3 is the most recent version of the IAB Transparency & Consent Framework, launching February 2026.
- The TCF v2.3 brings changes to requirements for and use of Disclosed Vendors.
- The IAB CMP List contains only CMPs certified to manage consent within the Framework.
- Key updates remove legitimate interest as a basis for advertising and require vendors to disclose more details.
- Working with an IAB-approved CMP supports GDPR compliance, builds trust, and helps ensure interoperability with ad tech partners.
The IAB Transparency & Consent Framework (TCF) was launched by IAB Europe to standardize how organizations comply with GDPR and the ePrivacy Directive when processing personal data for digital advertising.
At its core, the IAB TCF framework:
- Establishes a common language for describing data collection and processing purposes
- Provides standardized consent signals (TC String)
- Enables consent to be communicated across the advertising supply chain, from publishers, to vendors, to demand-side platforms
This standardization helps solve a fundamental challenge: Publishers and vendors often rely on dozens or even hundreds of partners in programmatic advertising. Without a common protocol, ensuring that each partner receives and respects user consent would be almost impossible.
The IAB TCF has evolved from v1.1 to v2.0 and now to v2.3. The deadline to comply with v2.3 requirements is February 28, 2026. Each iteration addresses regulatory developments, industry feedback, and enforcement actions by data protection authorities.
The TCF v2.3 complements in-app solutions for app publishers. Learn more about best practices for mobile app consent to see how the TCF v2.3 works with app consent banners.
What is IAB TCF v2.3?
The IAB’s TCF v2.3 is the latest set of Transparency and Consent Framework (TCF) changes and guidelines as of 2026. The Framework enhances transparency and customer control over personal data processing by publishers and advertisers in the digital advertising ecosystem. Version v2.2 brought significant new requirements, and v2.3 tightens up requirements and usage for Disclosed Vendors.
This updated version makes Disclosed Vendors a mandatory segment, enabling vendors to determine if they’re allowed to process data under Special Purposes. Starting February 28, 2026, all new or updated consent signals must include the Disclosed Vendors segment. Existing consent signals created before February 28, 2026, without the v2.3 format, will remain valid until the user updates or renews their consent preferences.
Evolution from TCF v1.1 to v2.3
The technology landscape changes even faster than the regulatory one, so there have been a number of versions of the TCF since it first came out in 2018.
Here’s a timeline of its evolution, which underscores how the Framework has been adapted to regulatory and industry demands while maintaining its role as the backbone of GDPR-compliant digital advertising.
TCF v1.1 (2018)
- First industry attempt to harmonize consent under the GDPR
- Provided a basic structure for consent signals
- Faced criticism for limited user transparency and reliance on legitimate interest
TCF v2.0 (2020)
- Introduced more granular controls for publishers
- Added flexibility for vendors to declare legal bases
- Improved user interface guidelines
- Still faced scrutiny from regulators
TCF v2.2 (2023)
- Responded to concerns from European data protection authorities, especially the Belgian Data Protection Authority ruling on IAB Europe’s role as a joint controller
- Removed legitimate interest for advertising purposes
- Simplified purpose descriptions for users
- Expanded vendor disclosure requirements
TCF v2.3 (2026)
- Adds a mandatory Disclosed Vendors section to all TC strings (clear binary indicator to users whether a vendor has disclosed data processing activities)
- Resolves ambiguity for vendors processing data under Legitimate Interest for Special Purposes
- Reinforces transparency and user control by introducing stricter disclosure and consent requirements for CMPs and vendors
Read IAB Europe’s first Transparency & Consent Framework Compliance Report for 2024.
What were the changes for the IAB TCF v2.2?
The TCF v2.2 was released in 2023 and it brought with it significant changes that remain in effect, meant to close gaps identified in previous versions. The TCF v2.3 is a much more limited release by comparison.
- Legal basis for data processing: User consent is now the exclusive legal basis for advertising and content personalization, eliminating the option for legitimate interest.
- User-friendly descriptions: All in-app explanations and disclaimers about data use must be clearly written and easy to understand.
- User control: Individuals have more control over how app publishers may process data like geolocation data.
- Vendor disclosure: App publishers must disclose all vendors that will access personal data, along with details on the type of data they collect, how long they keep it, and their reasons for data use.
- Transparency: App publishers using the framework must disclose the data they collect and use in their ad campaigns.
- Consent management platform (CMP) design: Publishers must ensure that the number of vendors is displayed on the first layer of their CMP UI and that users can easily opt out of data processing.
App publishers need to be cautious about how they collect and share users’ consented data, and also how their vendors and technology partners process that data.
Why the IAB TCF matters for publishers and advertisers
Digital advertising is undergoing a profound shift toward Privacy-Led Marketing. Regulations like the GDPR, platform policies, and user expectations require companies to rethink how they collect and use data.
By adopting the TCF, publishers and advertisers can:
- Achieve and maintain GDPR compliance: Align with the most widely recognized industry framework
- Maintain monetization opportunities: Many demand sources require TCF compliance to transact programmatic advertising.
- Build user trust: Clearer consent information helps establish credibility with audiences.
- Reduce compliance risk: Demonstrates proactive alignment with regulatory guidance.
- Streamline partner relationships: Standardized consent signals ensure smoother data sharing with vendors.
Case study: Learn about how Conrad Electronic meets privacy compliance and Google business requirements at scale with Usercentrics — including using the TCF for Google Ads.
How does the TCF affect app publishers?
The TCF gives power back to users who can share, refuse, or revoke consent at any time. To avoid the risk of noncompliance, app publishers must comply with privacy standards when collaborating with third-party vendors.
User consent management
App publishers are required to explicitly mention what technologies they use to collect personal data and how they process that data.
Publishers need to provide users with the ability to refuse consent or to change or withdraw previously granted consent at any time. This needs to be as easy to do as giving consent.
App developers must disclose the user data they collect, for what purposes, and what third parties it may be shared with, among other requirements.
Publisher restrictions
App publishing companies can now exercise more control over how their vendors and tech partners access and handle user data.
For example, publishers can set custom requirements specifying how every vendor can process collected user data. App companies can also limit the purpose of data processing to a single activity, such as ad personalization or visitor analytics.
Vendors can register as capable of operating under multiple legal bases, and publishers can specify their preferred legal bases for partnering with vendors. This enables vendors and publishers to navigate markets with varying legal requirements for processing personal data.
Enhanced transparency
Publishers are required to provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies. Additionally, for consent requests to be valid, users must be provided with the following information for each vendor:
- Purposes (for data processing) and any special purposes
- Associated legal bases for the purposes
- Retention period for personal data for stated purpose
- Features and special features
- Categories of data collected and processed
If a publisher is using legitimate interest as the legal basis, they must provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies, as well as the following information for each vendor:
- Purposes (for data processing) and special purposes
- Associated legal bases for the purposes and a link to each vendor’s explanation of its legitimate interest(s) at stake
- Retention period for personal data re. fulfilling each stated purpose
- Features and special features
- Categories of data collected and processed
By providing this information in advance of data processing, individuals are empowered to make informed decisions about their data.
Vendor compliance
While not an absolute legal requirement, app publishers are advised to work with vendors that comply with the TCF v2.3 and are on the IAB’s vendors list. By doing so, all parties involved agree to adhere to the same standards, which reduces the overall risk of noncompliance.
Usercentrics App CMP is on the TCF List and is seamlessly integrated with the TCF. It’s also a Gold Tier Google-certified CMP partner and supports Google’s Additional Consent, so the CMP collects and signals consent for ad tech providers that are not part of the TCF, but are listed on Google’s Ad Tech Providers (ATPs) list.
Impact on revenue
The TCF can impact app companies’ revenue. If informed users decide to opt out of personalized ads, app publishers could lose programmatic ad revenue.
Publishers that get most of their traffic in the EU or UK could experience this revenue drop the most due to the region’s regulations and requirements being levied by large digital platform providers.
Even so, it’s best to adopt the TCF v2.3 no matter where you operate, since most programmatic ad platforms will eventually stop advertising on websites and applications that haven’t implemented it.
Not meeting the latest standards and requirements could result in an even greater revenue hit from critical third parties. For example, Google now requires European advertisers to use a certified CMP that integrates with the TCF v2.3, or else they will not be able to do personalized advertising.
TCF considerations for digital advertising and monetization
In the mobile advertising landscape, the TCF v2.2 introduced essential guidelines and requirements for advertisers for privacy compliance, user transparency, and effective ad targeting strategies. These have been added to with the TCF v2.3. Companies delivering digital ads should pay close attention to the following TCF framework components.
1. Vendor lists
The TCF requires app publishers to disclose the total number of vendors on their vendor list on the first layer of their CMP. Displaying too many vendors can make it hard for users to make informed choices. It’s better to limit the vendor list to include only those that you work with closely.
2. Purposes
The TCF restricts use of legitimate interest as a legal basis for certain purposes. Vendors must establish consent as their legal basis for the following purposes:
- Create a personalized ads profile
- Select personalized ads
- Create a personalized content profile
- Select personalized content
The TCF has also replaced the currently mandatory legal disclaimers with user-friendly descriptions. You’ll need to include illustrations on the CMP’s second layer to clarify what the different purposes mean.
3. Consent for personalized and non-personalized ads
The TCF requires publishers to capture user consent for serving both personalized and non-personalized ads to enable compliance with user preferences and data protection regulations.
4. Consent signals
Before the TCF, vendors struggled with interoperability because they used two sets of guidelines — one from IAB Europe and another from Google — to transmit consent signals to ad tech partners. Google supports the TCF, so you can follow a consistent set of guidelines for all ad tech companies.
To work with Google AdSense, Ad Manager, or AdMob, publishers must implement a TCF v2.3-certified CMP, so Google’s ad tags and SDKs can easily receive the transparency and consent (TC) string from that CMP.
5. Requirements for demand-side platforms (DSPs)
Demand-side platforms (DSPs) must comply with the following guidelines to meet TCF requirements.
- Register as a vendor in the global vendor list
- Vendors must have a mechanism that supports TC String consumption for processing real-time bidding requests
- A legal basis is mandatory for processing sensitive user data
6. Requirements for vendors
Vendors will also have to provide some additional information during registration:
- Categories of data collected and processed
- Details of the data retention period
- A webpage link that reveals a vendor’s legitimate interests
The IAB CMP List: finding an IAB-approved CMP
The IAB CMP List includes all consent management platforms approved by IAB Europe to implement the Framework. Only CMPs on this list can issue valid TCF 2.3 consent strings.
An IAB-approved CMP helps to ensure that:
- Consent banners meet technical standards
- User choices are recorded and transmitted correctly
- Vendors can rely on consent signals for GDPR compliance
Choosing a certified CMP is essential for both regulatory compliance and business continuity. Usercentrics is proud to be on IAB Europe’s CMP List, offering a CMP for publishers that integrates seamlessly with the TCF.
Challenges and opportunities for publishers
Global coverage of privacy regulations continues to expand, and existing laws, guidelines, and platforms’ policies are getting more strict. So unsurprisingly there are growing challenges for companies, including with TCF requirements.
However, these go hand in hand with opportunities for companies to build more sustainable business operations and enjoy competitive advantages.
IAB TCF v2.2 and v2.3 challenges and opportunities
Data privacy is complex, and meeting TCF requirements may seem daunting. But as privacy regulations become nearly globally ubiquitous, and meeting privacy standards increasingly becomes critical to business success, companies need to be prepared to meet these challenges and seize opportunities.
| Challenges | Opportunities |
|---|---|
| Managing privacy compliance in-house is complex and grows more so, especially if multiple laws are applicable. This can strain tech and legal resources. | CMPs’ automation functions can streamline maintenance to help reduce resource strain, manage regulatory updates, and provide compliance peace of mind. |
| Apps can see lower consent rates as users leave or avoid ones that fail TCF UI or UX standards, especially as banner requirements for CMPs change. | A TCF-compliant CMP with ad optimization helps provide better user experience and maintains trust. |
| CMPs face stricter registration and compliance checks. | Meeting strict privacy requirements shows proof of respect to audiences and ad partners for legal requirements and users’ data and privacy. |
| Publishers must adapt to new banner requirements. | Privacy compliance can open access to premium demand sources. |
| Vendors must provide more granular disclosures and maintain them as technologies in use and operations change. | Transparency with users and optimal user experience is a competitive advantage. |
| Both coverage of privacy laws and frameworks and authorities’ enforcement are likely to increase. | Early adopters can position themselves as leaders in Privacy-Led Marketing. |
| Ambiguity about whether a vendor was actually shown to the user. | Cleaner signals, fewer disputes, and more auditable across the chain. |
| Lack of standardization, misreads, and need to handle edge cases. | Easier ecosystem interoperability, everyone — CMPs, vendors, publishers — read/write/process the Disclosed vendors segment the same way. |
A Usercentrics study revealed 90 percent of EU apps reviewed didn’t comply with the GDPR or ePrivacy requirements. Learn where apps are failing and how to protect your ad revenue.
TCF and GDPR compliance
The TCF framework is closely aligned with the GDPR’s principles:
- Consent must be explicit: Language must be clear and consent choices must be equally accessible — no legal jargon or pre-ticked boxes.
- Transparency is key: Users must understand what they’re agreeing to, and be able to access granular information about processors.
- Vendors must justify processing: Legal basis and retention periods must be clear, and legitimate interest is no longer allowed for several functions; consent is mandatory for those.
- Accountability applies: Publishers, vendors, and CMPs all share responsibility for data privacy compliance.
Adopting the TCF demonstrates to regulators and partners that your organization takes privacy compliance seriously and has integrated GDPR requirements effectively.
Learn about the 7 principles of the GDPR to enable ongoing privacy compliance.
Transparency and Consent Framework best practices
Achieving privacy compliance with the TCF v2.3 (and future versions) may seem challenging, but it is achievable. All you need is the right tools to set up an ecosystem that enables you to seamlessly connect with and manage vendors and users.
These best practices will help you stay privacy-compliant:
- Provide users with the complete required list of data processing partners and legal bases used by your organization.
- Explicitly mention data storage, retention, and use policies that publishers and their third-party partners follow.
- Obtain user consent for the use of technologies like tracking cookies before collecting users’ personal data (where required), including for IP addresses and device identifiers as varying laws dictate.
- Enable users to access the list of third parties (aka vendors) that may process user data.
- Inform users about the consequences of declining consent, such as certain functions that may not work correctly or at all, or the inability to provide personalized experiences.
- Give users the ability to update, withdraw, or revoke their consent choices as easily as they provide it.
- Notify users if legitimate interest is being used as the legal basis for data processing, but remember that under the TCF v2.3, user consent is now the exclusive allowed legal basis for advertising and content personalization.
- All call-to-action buttons for consent choices must be equally visible. “Accept” and “Reject” options must appear equal and be equally accessible.
The IAB TCF 2.3 and the future of digital advertising
The IAB Transparency & Consent Framework is the cornerstone of GDPR-compliant digital advertising. The Framework will continue to evolve to meet requirements of new technologies, consumer demands, and legal developments.
By addressing regulator concerns and strengthening user rights, the TCF provides a more transparent and trustworthy approach to data-driven marketing, gives users more control over their data, and makes companies more attractive advertising partners.
For publishers and advertisers navigating an increasingly complex privacy landscape, the TCF v2.3 is not just a mandated privacy compliance tool, it’s a strategic enabler of sustainable growth.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
