The Transparency & Consent Framework (TCF) is an industry standard created by IAB Europe (Interactive Advertising Bureau Europe) that gives websites, advertisers, and ad-technology vendors a shared way to collect, encode, and transmit user consent for cookies and data processing in digital advertising. TCF is not a law — it is a voluntary framework designed to help organisations comply with the GDPR and the ePrivacy Directive when they participate in programmatic advertising.
TCF in One Sentence
TCF standardises how consent is collected by a Consent Management Platform (CMP), encoded into a machine-readable string, and shared with every vendor in the programmatic ad supply chain — so each party knows exactly what processing a user has allowed.
How TCF Works
At the heart of TCF is the TC String (Transparency & Consent String) — a compact, base64-encoded payload that records which vendors and processing purposes a user has consented to. When a visitor interacts with a TCF-compliant cookie banner, the CMP generates this string and stores it in a first-party cookie called euconsent-v2. Every ad network, analytics provider, and data broker in the supply chain can then read the string to determine what processing they are permitted to carry out.
What the TC String Contains
TCF version identifier
Which version of TCF the string was generated under
Consent creation and update timestamps
When the user first gave consent and when they last changed it
CMP identifier and version
Which registered CMP generated the string
Purpose consent and legitimate-interest bits
A bitfield indicating consent or objection for each of the 11 TCF purposes
Vendor consent and legitimate-interest bits
A bitfield indicating consent or objection for each vendor in the Global Vendor List
Publisher restrictions
Any additional restrictions the publisher has placed on specific vendor–purpose combinations
Disclosed vendors (mandatory in v2.3)
Which vendors were actually shown to the user in the consent UI
The Four Pillars of TCF
TCF is built on four interconnected components that work together to standardise consent across the ad-tech ecosystem.
Global Vendor List (GVL)
A publicly available, machine-readable registry maintained by IAB Europe that lists every registered vendor, the purposes they process data for, the legal bases they rely on, and the data categories they collect. CMPs use the GVL to populate their consent banners automatically. As of early 2026, the GVL includes over 880 vendors.
Consent Management Platform (CMP)
The software that displays the consent banner, collects the user's choices, generates the TC String, and provides the __tcfapi JavaScript interface that vendors call to read consent data. Only CMPs officially registered with IAB Europe may participate in TCF. There are currently around 177 registered CMPs, though roughly 41% are private CMPs dedicated to a single publisher. Learn more about CMPs →
TC String
The encoded consent signal itself — a compact, URL-safe string that travels through the ad-tech supply chain alongside bid requests, ad calls, and analytics pings. Each vendor that receives the string can decode it to verify whether the user has granted consent for the specific purposes that vendor needs.
Policies and Technical Specifications
The governance documents published by IAB Europe that define the rules all participants must follow: purpose definitions, legal-basis requirements, vendor disclosure obligations, CMP audit standards, and enforcement procedures.
TCF Purposes and Legal Bases
TCF defines a fixed set of processing purposes. Each purpose has a standard description and one or more permitted legal bases — either consent (opt-in) or legitimate interest (opt-out). Since TCF v2.2, all personalisation purposes (3–6) require explicit consent and can no longer rely on legitimate interest.
| # | Purpose | Legal Basis (v2.2+) |
|---|---|---|
| 1 | Store and/or access information on a device | Consent only |
| 2 | Select basic ads | Consent or Legitimate Interest |
| 3 | Create a personalised ads profile | Consent only |
| 4 | Select personalised ads | Consent only |
| 5 | Create a personalised content profile | Consent only |
| 6 | Select personalised content | Consent only |
| 7 | Measure ad performance | Consent or Legitimate Interest |
| 8 | Measure content performance | Consent or Legitimate Interest |
| 9 | Apply market research to generate audience insights | Consent or Legitimate Interest |
| 10 | Develop and improve products | Consent or Legitimate Interest |
| 11 | Use limited data to select content | Consent or Legitimate Interest |
Special Purposes and Special Features
In addition to the 11 standard purposes, TCF defines two Special Purposes (ensuring security/preventing fraud, and technically delivering ads) that users cannot opt out of, plus two Special Features (using precise geolocation data and actively scanning device characteristics) that always require explicit consent.
TCF Versions: A Brief History
TCF has evolved significantly since its launch in 2018, with each version responding to regulatory feedback, court rulings, and real-world implementation challenges.
| Version | Released | Key Changes |
|---|---|---|
| v1.0 / v1.1 | April 2018 | Initial framework launched just before GDPR enforcement. Focused on ad-tech vendors. Limited publisher controls. |
| v2.0 | August 2019 | Major overhaul: 10 granular purposes, legitimate interest support, publisher restrictions on vendor–purpose combinations, expanded Global Vendor List. |
| v2.1 | August 2020 | Aligned with the CJEU Planet49 ruling. Standardised cookie duration disclosure in TC Strings. |
| v2.2 | May 2023 | Responded to the Belgian DPA enforcement action. Removed legitimate interest as a legal basis for personalisation purposes (3–6). Enhanced user-facing information. Implementation deadline: November 2023. |
| v2.3 | June 2025 | Made the 'Disclosed Vendors' segment mandatory in TC Strings to resolve the 'ghost vendor' ambiguity. Compliance deadline: 28 February 2026. |
TCF v2.3 Is Now Required
As of 28 February 2026, all TCF participants must generate TC Strings that include the mandatory Disclosed Vendors segment. If your CMP has not been updated to v2.3, the consent strings it produces may be rejected by vendors and ad platforms that validate against the latest specification.
Who Needs TCF?
TCF is a voluntary industry standard, but two forces have made it effectively mandatory for certain businesses: Google's enforcement and the structure of the programmatic advertising ecosystem.
Do You Need TCF?
| Your Situation | TCF Required? | What to Use Instead |
|---|---|---|
| Publisher monetising with Google AdSense or Ad Manager | Yes — Google requires a TCF-certified CMP for personalised ads in the EEA, UK, and Switzerland | No alternative — you must use a TCF-registered CMP |
| Programmatic ad vendor (SSP, DSP, ad exchange) | Yes — IAB Europe requires TCF registration to participate in the ecosystem | No alternative — register as a vendor in the GVL |
| E-commerce, SaaS, or service business using Google Ads and Analytics | No — Google Ads and GA4 require Consent Mode v2, not TCF | A consent solution with Google Consent Mode v2 support (like CookieBeam) |
| Website with no advertising or only first-party marketing | No — TCF is specific to the programmatic ad supply chain | A standard GDPR-compliant cookie banner |
Google's TCF Requirement
Since 16 January 2024, Google requires all publishers using Google AdSense, Google Ad Manager, or Google AdMob to serve ads to users in the EEA, UK, or Switzerland through a Google-certified CMP that supports IAB TCF v2.2 or later. Traffic from non-certified CMPs can only serve non-personalised or limited ads, and non-compliance can result in ad-serving suspension.
This requirement applies specifically to Google's publisher monetisation products. If you are an advertiser using Google Ads to run campaigns — rather than a publisher displaying third-party ads on your site — you need Google Consent Mode v2, not TCF.
TCF vs GDPR: How They Relate
TCF and GDPR are often mentioned together, but they serve different roles. GDPR is a binding EU regulation that applies to all organisations processing personal data of EU residents. TCF is a voluntary industry framework that helps advertising-specific data processing comply with GDPR and the ePrivacy Directive.
TCF vs GDPR
| Aspect | GDPR | TCF |
|---|---|---|
| Type | EU regulation (legally binding) | Voluntary industry standard |
| Scope | All personal data processing | Programmatic advertising and ad-tech data processing |
| Enforced by | National Data Protection Authorities | IAB Europe (with DPA oversight) |
| Who must comply | Any organisation processing EU personal data | Publishers, vendors, and CMPs in the IAB ad ecosystem |
| Penalties | Up to €20M or 4% of global turnover | De-registration from TCF, ad-serving restrictions |
Key Takeaway
You can be fully GDPR-compliant without TCF. TCF is an additional layer on top of GDPR for organisations involved in programmatic advertising. A standard cookie consent solution with proper consent collection, audit logging, and Consent Mode v2 support covers GDPR requirements for the vast majority of websites.
TCF vs Google Consent Mode v2
TCF and Google Consent Mode v2 are complementary but serve different audiences. TCF standardises consent for the entire programmatic ad ecosystem — hundreds of vendors reading a single consent string. Consent Mode v2 is Google's own framework for communicating consent state to Google's tags specifically.
TCF vs Google Consent Mode v2
| Aspect | TCF | Google Consent Mode v2 |
|---|---|---|
| Created by | IAB Europe | |
| Scope | Entire programmatic ad supply chain | Google's own tags (GA4, Google Ads, etc.) |
| Required for | Google AdSense, Ad Manager, and AdMob publishers | All Google Ads advertisers targeting EEA/UK users |
| Signal format | TC String (base64-encoded bitfield) | JavaScript consent state signals (granted/denied per category) |
| Vendor granularity | Per-vendor consent for 880+ registered vendors | Category-level consent (analytics, ads, personalisation) |
Legal Challenges and Criticisms
TCF has faced significant legal scrutiny. In February 2022, the Belgian Data Protection Authority (DPA) ruled that IAB Europe had committed GDPR breaches through the TCF, finding that TC Strings constitute personal data and that IAB Europe is a joint data controller. IAB Europe was fined €250,000 and required to submit a corrective action plan — which directly led to the TCF v2.2 update in May 2023.
In March 2024, the Court of Justice of the EU (CJEU) confirmed that TC Strings are personal data when linkable to identifiers such as IP addresses or cookie IDs. The Brussels Court of Appeal upheld most of these findings in May 2025, though it narrowed IAB Europe's controller role to exclude downstream real-time bidding (RTB) processing.
Other common criticisms include:
Consent fatigue
With 880+ vendors, presenting meaningful, informed choices to users is practically impossible
CMP compliance gaps
IAB Europe's own 2024 audit found 50% of CMPs failed to clearly inform users how to withdraw consent
Legitimate interest controversy
TCF v2.0's allowance of legitimate interest for personalisation purposes was arguably non-compliant — v2.2 corrected this
Limited platform coverage
Only 5% of registered CMPs support web, mobile, and CTV together
CookieBeam and TCF
CookieBeam is a cookie consent solution — not a TCF-certified CMP. We do not implement the IAB Transparency & Consent Framework and are not registered in IAB Europe's CMP list.
For the majority of websites, this is the correct choice. TCF adds significant complexity — vendor mapping, consent-string management, GVL integration, ongoing IAB audits — that only benefits businesses participating in the programmatic ad supply chain.
CookieBeam Is the Right Choice When
You run an e-commerce store, SaaS product, agency site, or content site that uses Google Ads and Analytics for advertising and measurement — but does not monetise through Google AdSense or Ad Manager. CookieBeam gives you full GDPR compliance, Google Consent Mode v2 support (including Advanced Mode for conversion modeling), server-side audit logs, and automatic cookie scanning — without the overhead and cost of TCF certification.
You Need a TCF-Certified CMP If
You are a publisher monetising through Google AdSense, Google Ad Manager, Google AdMob, or other IAB-connected programmatic ad networks in the EEA, UK, or Switzerland. In this case, you must use a CMP registered in the IAB TCF — such as OneTrust, Quantcast Choice, Usercentrics, or Cookiebot. CookieBeam alone does not satisfy this requirement.
Frequently Asked Questions
Is TCF a legal requirement?
No. TCF is a voluntary industry standard, not a law. However, it has become effectively mandatory for publishers who monetise through Google's ad platforms in the EEA, UK, and Switzerland, because Google requires a TCF-certified CMP for personalised ad serving in those regions.
What is the difference between TCF and GDPR?
GDPR is an EU regulation that applies to all personal data processing. TCF is a voluntary framework that helps the programmatic advertising industry comply with GDPR specifically. You can be GDPR-compliant without TCF — TCF is only relevant if you participate in the IAB ad ecosystem.
Do I need TCF if I use Google Ads?
No. Google Ads (the advertiser platform) requires Google Consent Mode v2, which CookieBeam fully supports. TCF is required only for Google's publisher products: AdSense, Ad Manager, and AdMob.
What changed in TCF v2.2?
TCF v2.2 removed legitimate interest as a legal basis for personalisation purposes (3–6), meaning explicit user consent is now required for creating ad profiles, selecting personalised ads, and similar activities. This was a direct response to the Belgian DPA's enforcement action against IAB Europe.
What is new in TCF v2.3?
TCF v2.3, released in June 2025, makes the 'Disclosed Vendors' segment mandatory in every TC String. This resolves the 'ghost vendor' problem — previously, a vendor could not tell whether a zero-bit meant the user had objected or the vendor was simply never shown in the consent UI. The compliance deadline was 28 February 2026.
What is a TC String?
A TC String (Transparency & Consent String) is a compact, encoded payload generated by a TCF-certified CMP that records which vendors and purposes a user has consented to. It is stored in the euconsent-v2 cookie and transmitted to ad-tech vendors so they can verify consent before processing data.
Can I use CookieBeam instead of TCF?
Yes — if you are not a publisher displaying third-party programmatic ads. CookieBeam provides GDPR-compliant consent collection, Google Consent Mode v2 signaling, and server-side audit logs. For the majority of websites (e-commerce, SaaS, service businesses, content sites), CookieBeam covers all consent requirements without the complexity of TCF.
How many vendors are registered in TCF?
As of early 2026, the Global Vendor List (GVL) contains over 880 registered vendors. The list is publicly available and updated regularly by IAB Europe.
Related Topics
What Is a CMP?
How a Consent Management Platform automates consent collection and audit logging.
What Is GDPR?
The EU data protection regulation that TCF helps the ad industry comply with.
What Is Google Consent Mode v2?
Google's consent signaling framework — the TCF alternative for non-publisher websites.