Skip to main content

Full Vendor Transparency — IAB TCF v2.3

Per-vendor consent, legitimate-interest objection, and standards-compliant signals — from an IAB-registered CMP (CMP ID 499)

Under the GDPR, consent is only valid if visitors know who they are consenting to. A banner that says "we and our partners" without naming those partners does not meet that bar. The IAB Transparency & Consent Framework (TCF) exists to solve exactly this: every ad-tech vendor is listed by name, with its purposes, its legal bases, and its retention periods — and the visitor decides per vendor.

Passiro implements IAB TCF v2.3 in full, as an IAB-registered CMP (CMP ID 499). This page walks through what that means in practice: what your visitors see, what your vendors receive, and how Google's ad partners are covered on top.

What your visitors see

The banner's preferences view has two tabs — purposes and vendors — and the vendor count is shown live on the banner itself ("View our N partners"), so the number is always accurate:

  • Purposes tab: all 11 TCF purposes and the special features (such as precise geolocation) are individually controllable — each with its own toggle, not an all-or-nothing switch.
  • Vendors tab: every vendor from your configuration is listed with its purposes and legal bases. Visitors can accept or reject each vendor individually — and object to processing based on legitimate interest, per vendor.
  • Official IAB texts: purpose and feature names and descriptions are shown in the visitor's language using IAB's official translations, in 25 languages. TCF policy requires these texts verbatim — Passiro never rewrites them.

What vendors receive

Every choice is encoded as a TCF v2.3 TC string — the machine-readable format all TCF vendors parse. Passiro's TC strings include the mandatory disclosedVendors segment, which records exactly which vendors were shown to the visitor. Vendors use it to verify they were actually disclosed before relying on the consent — a v2.3 requirement some CMPs still skip.

Vendors read the string through the standard __tcfapi JavaScript API using the addEventListener pattern, so they are notified the moment consent changes. Ad units running inside iframes reach the CMP through the __tcfapiLocator cross-frame mechanism — no custom integration needed on either side.

The TC string is persisted in the standard euconsent-v2 cookie, and every decision is stored as a consent receipt in your consent records — your proof of consent if a visitor or authority ever asks.

Google ad partners (Additional Consent)

Some of Google's ad partners are not TCF vendors — they are on Google's Ad Technology Provider (ATP) list instead. For these, Passiro emits Google's Additional Consent string (AC v2, the 2~ids~dv.ids format) alongside the TC string, so consent for ATP partners travels with the same signal Google's ad products read.

You choose which Google ad partners to work with directly in the dashboard's ATP picker; the AC string and the vendor disclosures update accordingly. TCF and Additional Consent work side by side — one banner, both signals.

Compliance & registration

  • IAB-registered CMP: Passiro is registered with IAB Europe as CMP ID 499 — the ID embedded in every TC string it produces.
  • Global Vendor List synced daily: vendor names, purposes, legal bases, and retention periods always match the current GVL — no stale vendor data.
  • Official IAB translations: a TCF policy requirement, covered out of the box in 25 languages — a capability several competitors reserve for paid tiers.

Full vendor transparency is not a premium add-on in Passiro — the complete TCF v2.3 implementation, the daily GVL sync, and the official translations ship on every plan, from the same single script tag as the rest of your banner.

Read more: the full TCF guide, geo-targeting, and US opt-out.

Set up your TCF banner — free