IAB TCF v2.3: The Complete Guide to the Transparency and Consent Framework
The IAB Transparency and Consent Framework (TCF) is an industry standard created by IAB Europe that defines how consent is collected, stored, and communicated between publishers, advertisers, and ad-tech vendors. If your website uses programmatic advertising in the European Economic Area, TCF compliance is not optional.
Since January 2024, Google requires all publishers serving ads to EEA users to use a consent management platform (CMP) registered with the IAB TCF. Without it, personalised advertising is disabled and ad revenue drops significantly.
What Is the TCF?
The TCF solves a coordination problem. When a user visits a website, dozens of ad-tech vendors may process their data through real-time bidding, retargeting, analytics, and content personalisation. Each vendor needs to know whether the user has consented to their specific type of data processing. Before the TCF, there was no standard way to communicate this information across the ad-tech supply chain.
The framework defines a common language for consent. A TCF-registered CMP collects consent from the user and encodes it into a TC String (Transparency and Consent String). This string is a compact, standardised representation of the user's consent choices that any participating vendor can read and interpret.
TCF Version History
| Version | Released | Key Changes |
|---|---|---|
| TCF v1.0 | 2018 | Initial framework. Basic consent collection and TC String format. |
| TCF v2.0 | 2019 | Added legitimate interest, special purposes, features, and publisher restrictions. Major overhaul of the consent string format. |
| TCF v2.2 | 2023 | Removed legitimate interest for targeted advertising (Purposes 3, 4, 5, 6). Response to regulatory pressure from EU data protection authorities. |
| TCF v2.3 | 2024 | Current version. Technical refinements, improved vendor disclosure requirements, and alignment with latest DPA guidance. |
The 11 TCF Purposes
The TCF defines 11 purposes for data processing. Each purpose describes a specific type of activity that a vendor may perform with user data. Users can consent to or reject each purpose individually.
| Purpose | Description | Consent Required |
|---|---|---|
| 1 | Store and/or access information on a device | Yes (always) |
| 2 | Select basic ads | Yes |
| 3 | Create a personalised ads profile | Yes |
| 4 | Select personalised ads | Yes |
| 5 | Create a personalised content profile | Yes |
| 6 | Select personalised content | Yes |
| 7 | Measure ad performance | Yes |
| 8 | Measure content performance | Yes |
| 9 | Apply market research to generate audience insights | Yes |
| 10 | Develop and improve products | Yes |
| 11 | Use limited data to select content | Yes |
Note: In TCF v2.2 and later, legitimate interest is no longer available as a legal basis for Purposes 3, 4, 5, and 6. These purposes require explicit consent.
The Global Vendor List (GVL)
The Global Vendor List is a central registry maintained by IAB Europe that lists every vendor participating in the TCF. Each vendor declares which purposes and features it uses, and whether it relies on consent or legitimate interest for each.
When a CMP displays a consent interface, it pulls vendor information from the GVL so users can see exactly which companies will process their data and for what purposes. Users can consent to or reject individual vendors, not just purposes.
As of 2026, the GVL contains over 1,200 registered vendors, including Google, Meta, Amazon, and most major ad-tech companies.
The TC String
The TC String is the technical core of the framework. It is a Base64-encoded string that contains the user's complete consent state: which purposes they consented to, which vendors they approved, whether legitimate interest applies, and any publisher restrictions.
Every vendor in the ad-tech chain reads this string to determine what processing it is allowed to perform for this specific user. The string is stored in the user's browser (typically in a cookie called euconsent-v2) and transmitted through the bidding chain via the __tcfapi() JavaScript API.
The __tcfapi() JavaScript API
The __tcfapi() is a standardised JavaScript function that CMPs must implement. It allows any script on the page to query the current consent state. Ad tags, analytics scripts, and header bidding wrappers all use this API to check whether they have permission to process data.
Key commands include:
getTCData: Returns the current TC String and parsed consent data.addEventListener: Registers a callback for consent state changes.ping: Checks whether the CMP is loaded and ready.
Prebid.js, Google Publisher Tags (GPT), and most major ad-tech SDKs automatically call __tcfapi() to retrieve consent before making bid requests or firing pixels.
Cross-Frame Messaging
Ad units often run in iframes on a different domain than the publisher's page. These iframes cannot directly access the __tcfapi() function on the parent page due to browser same-origin policy restrictions.
The TCF solves this with a cross-frame messaging protocol. The CMP creates a specially named iframe (__tcfapiLocator) that acts as a message relay. Vendor scripts inside ad iframes send postMessage requests to this locator frame, which forwards them to the CMP and returns the consent data.
This mechanism is essential for programmatic advertising to work correctly with consent. Without it, ad units in iframes would have no way to check consent status.
TCF and Google
Since January 2024, Google requires publishers serving ads to EEA users to use a Google-certified CMP that implements IAB TCF v2.3. This requirement applies to Google Ads, AdSense, Ad Manager, AdMob, and DV360.
Google also requires Consent Mode v2 alongside TCF. Consent Mode handles Google's own tags (Analytics, Ads), while TCF handles the broader ad-tech ecosystem. Both are needed for full compliance.
Without a TCF-compliant CMP, Google will not serve personalised ads to EEA users, resulting in significantly lower ad revenue.
TCF and Passiro
Passiro includes full IAB TCF v2.3 support in its free consent widget. This includes TC String generation, the __tcfapi() JavaScript API, cross-frame messaging, Global Vendor List integration, per-vendor consent, legitimate interest objection, and publisher restrictions.
Most competing CMPs charge EUR 10-50 per month for TCF support. Passiro includes it at no cost, with no page limits, no traffic limits, and no feature restrictions on the consent functionality.
Vai jūsu tīmekļa vietne atbilst sīkdatņu noteikumiem?
Skenējiet savu tīmekļa vietni bezmaksas un atrodiet visas sīkdatnes dažu minūšu laikā.
Skenēt savas sīkdatnes bezmaksas