
What is the IAB TCF Framework? Complete Guide for 2026

Author: Adam Safar


The IAB TCF standardizes advertising consent in Europe. TCF v2.3 became mandatory in February 2026. Here's how it works and what publishers need to do.


Digital advertising depends on user consent. But getting that consent, communicating it to dozens of ad tech vendors, and doing it in a way that satisfies GDPR? That is the problem the IAB Transparency and Consent Framework (TCF) was built to solve.

Since it launched in 2018, TCF has become the backbone of consent management in European digital advertising. If you run a website, publish content, or work in ad tech, understanding how it works is no longer optional.

In this guide, we will walk you through what the IAB TCF is, how it works, what each version changed, and what the move to TCF v2.3 means for publishers right now.

Key takeaways
  • The IAB TCF is a standardized protocol that lets websites collect user consent and communicate it to advertising technology vendors.
  • IAB Europe created TCF to help the digital advertising industry align with GDPR consent requirements across Europe.
  • TCF v2.3 became mandatory for all newly generated TC strings on February 28, 2026. Publishers using Google Ad Manager, AdSense, or AdMob must use a certified CMP that supports v2.3.
  • The framework uses encoded consent strings (TC strings) to transmit user consent preferences across the advertising supply chain.
  • TCF defines 10 standard data processing purposes that vendors must declare, and users can accept or reject.
  • Publishers, vendors, and CMPs each have distinct roles and obligations under TCF.

What is the IAB TCF framework?

The IAB Transparency and Consent Framework (TCF) is a standardized protocol developed by IAB Europe that enables websites and apps to collect, store, and communicate user consent preferences to advertising technology vendors. It defines how consent is recorded, which data processing purposes require consent, and how that information is passed along the digital advertising supply chain.

Introduced in 2018, TCF was created to give the digital advertising industry a consistent, GDPR-aligned way to handle user consent. Before TCF, there was no shared language between publishers and vendors for consent signals. Each partnership required its own consent infrastructure.

Today, TCF is used by thousands of publishers across Europe and beyond. If your site runs programmatic advertising and serves users in the EEA, UK, or Switzerland, TCF is almost certainly part of your consent workflow. Clym's IAB TCF solution supports the current v2.3 standard for publishers managing this transition.

How does the IAB TCF work?

At its core, TCF creates a communication layer between three parties: the user, the publisher, and the vendor.

Here is how the consent flow works in practice:

  1. A user visits a website.
  2. The Consent Management Platform (CMP) displays a consent banner.
  3. The user makes their choices, accepting, rejecting, or configuring their preferences.
  4. The CMP encodes those choices into a TC string (Transparency and Consent string).
  5. The TC string is passed to ad tech vendors, who use it to determine what data processing they are permitted to carry out.


What is a TC string?

A TC string (Transparency and Consent string) is an encoded record of a user's consent preferences under the IAB TCF. It specifies which data processing purposes the user has consented to, which vendors are permitted to act on those preferences, and whether a vendor was disclosed in the consent interface. TC strings are generated by a certified CMP and stored in the user's browser.

The TC string is accessed by vendors via the TCF JavaScript API embedded on the publisher's page. This is what allows hundreds of ad tech vendors to read a single consent decision rather than each requiring a separate interaction with the user.

Who does TCF apply to?

TCF defines three distinct roles with specific obligations:

Publishers

Publishers are operators of websites or apps where the consent interface is presented to users. They are responsible for deploying a certified CMP, displaying accurate information about vendors and purposes, and obtaining valid consent before data processing begins. If you run a website that displays programmatic advertising to users in the EEA, you are a publisher under TCF.

Vendors

Vendors are advertising technology companies such as DSPs, SSPs, DMPs, and analytics providers that process personal data in connection with a publisher's content. Under TCF, vendors must register with the Global Vendor List, declare the data processing purposes they rely on, and specify the legal bases for each purpose.

Consent Management Platforms (CMPs)

CMPs are the technology layer that collects user consent, encodes it into a TC string, and transmits it to vendors. CMPs must be registered and certified with IAB Europe to participate in the framework. Clym's consent management platform is Google-certified and supports TCF v2.3.

What are the standard TCF data processing purposes?

TCF defines 10 standard data processing purposes that vendors must declare. Users can grant or withhold consent at the purpose level, not just globally.

| Purpose ID | Purpose |
|---|---|
| 1 | Store and/or access information on a device |
| 2 | Use limited data to select advertising |
| 3 | Create profiles for personalised advertising |
| 4 | Use profiles to select personalised advertising |
| 5 | Create profiles to personalise content |
| 6 | Use profiles to select personalised content |
| 7 | Measure advertising performance |
| 8 | Measure content performance |
| 9 | Apply market research to generate audience insights |
| 10 | Develop and improve services |

Vendors must declare which purposes they rely on, whether they require consent or legitimate interest, and how long they retain associated data. Purposes 3 and 4, which relate to personalised advertising, must now be based on consent rather than legitimate interest as of TCF 2.2.

What is the Global Vendor List?

The Global Vendor List (GVL) is IAB Europe's official registry of advertising technology companies that have registered to participate in TCF. Publishers use the GVL to configure which vendors appear in their consent banner.

If a vendor is not on the GVL, they cannot receive valid TCF consent signals. Publishers should regularly audit their vendor list to ensure all active partners are registered.


IAB TCF versions: from 1.0 to 2.3

The framework has evolved significantly since 2018. Here is what each version introduced:

| Version | Released | Key changes |
|---|---|---|
| TCF 1.0 | April 2018 | Original framework. Basic consent collection for GDPR. Limited user controls. |
| TCF 2.0 | August 2019 | Legitimate interest added as a legal basis. Publisher controls introduced. Improved vendor transparency. |
| TCF 2.2 | May 2023 (effective November 2023) | Legitimate interest removed for targeted advertising. Stronger vendor disclosures. CMP accessibility requirements. Vendor count on initial banner. |
| TCF 2.3 | 2025 (mandatory from February 28, 2026) | Mandatory disclosedVendors segment. Provable vendor disclosure in TC string. Required by Google for all newly generated TC strings. |

What changed in TCF 2.2?

Released in May 2023 and effective from November 20, 2023, TCF 2.2 brought the most significant user-rights changes in the framework's history.

  • Consent required for targeted advertising: Vendors can no longer use legitimate interest as a legal basis for targeted advertising or personalised content. Explicit consent is required.
  • Enhanced vendor transparency: Publishers must display more detail about each vendor, including data retention periods and which purposes rely on legitimate interest.
  • Vendor count on initial banner: The number of vendors requesting consent must be displayed on the initial consent banner, giving users immediate context about the scope of data sharing.
  • CMP accessibility: Consent interfaces must be accessible. Users must be able to withdraw consent as easily as they granted it.
  • Technical updates: The getTCData command was deprecated. Vendors must use event listeners to receive updated TC strings.
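
An added example, not from the original article, of the listener pattern that replaces getTCData: it registers through the CMP's `__tcfapi` function and re-evaluates consent on every update, so a later withdrawal is honored. The vendor ID 4242 and the stub CMP are hypothetical and exist only so the example runs outside a browser.

```javascript
// Added example; EXAMPLE_VENDOR_ID and the stub CMP are hypothetical.
const EXAMPLE_VENDOR_ID = 4242;

// Registers a TCF listener and reports a fresh allow/deny on every update.
// tcfapi is the page's __tcfapi function (window.__tcfapi in a browser).
function watchConsent(tcfapi, vendorId, purposeIds, onDecision) {
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return onDecision(false); // fail closed
    // 'cmpuishown' means the banner is open and no choice is recorded yet.
    const settled = ['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus);
    if (!settled) return onDecision(false);
    const vendorOk = tcData.vendor?.consents?.[vendorId] === true;
    const purposesOk = purposeIds.every((p) => tcData.purpose?.consents?.[p] === true);
    return onDecision(vendorOk && purposesOk);
  });
}

// Stub CMP so the example runs outside a browser.
function makeStubCmp() {
  const listeners = [];
  const api = (command, version, callback) => {
    if (command === 'addEventListener') listeners.push(callback);
  };
  api.emit = (tcData) => listeners.forEach((cb) => cb(tcData, true));
  return api;
}

// Constructed sequence: banner shown, user accepts, user later withdraws purpose 3.
function demo() {
  const cmp = makeStubCmp();
  const decisions = [];
  watchConsent(cmp, EXAMPLE_VENDOR_ID, [1, 3], (ok) => decisions.push(ok));
  const vendor = { consents: { [EXAMPLE_VENDOR_ID]: true } };
  cmp.emit({ eventStatus: 'cmpuishown' });
  cmp.emit({ eventStatus: 'useractioncomplete', vendor,
    purpose: { consents: { 1: true, 3: true } } });
  cmp.emit({ eventStatus: 'useractioncomplete', vendor,
    purpose: { consents: { 1: true, 3: false } } });
  return decisions;
}
```
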

What changed in TCF 2.3?

TCF v2.3 is the current version of the framework. Its most significant change is the introduction of a mandatory disclosedVendors segment in the TC string. For the full migration guide, see our article on the TCF v2.3 deadline for publishers.

The disclosedVendors segment

The disclosedVendors segment is a required binary indicator embedded in the TC string that confirms whether a specific vendor was actually shown to the user in the CMP interface. This is the core change in TCF v2.3.

Under previous versions, consent signals could be ambiguous. A vendor might appear in a TC string without any evidence that a user was ever shown their details. TCF v2.3 closes that gap. Vendor disclosure is now provable within the technical signal itself.
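
To check this in practice, the added example below (not Clym's or IAB Europe's code) finds the disclosedVendors segment in a TC string and decodes it into vendor IDs. The bit layout (3-bit segment type 1, 16-bit MaxVendorId, then a bitfield or range list) is assumed from the IAB TCF technical specification rather than taken from this article, and the sample strings are constructed, with `CAAA` standing in for a real core segment.

```javascript
// Added example. Bit layout assumed from the IAB TCF technical specification.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// base64url text -> string of '0'/'1' characters (6 bits per character)
const toBits = (seg) => [...seg].map((c) => {
  const v = B64.indexOf(c);
  if (v < 0) throw new Error(`invalid base64url character: ${c}`);
  return v.toString(2).padStart(6, '0');
}).join('');

// '0'/'1' string -> base64url text; used here only to build the samples
const fromBits = (bits) => bits.padEnd(Math.ceil(bits.length / 6) * 6, '0')
  .match(/.{6}/g).map((b) => B64[parseInt(b, 2)]).join('');
const u = (value, width) => value.toString(2).padStart(width, '0');

// Returns a Set of disclosed vendor IDs, or null when the segment is absent.
function disclosedVendors(tcString) {
  const [, ...optional] = tcString.split('.'); // first segment is the core
  for (const seg of optional) {
    const bits = toBits(seg);
    let pos = 0;
    const read = (n) => {
      if (pos + n > bits.length) throw new Error('truncated segment');
      pos += n;
      return parseInt(bits.slice(pos - n, pos), 2);
    };
    if (read(3) !== 1) continue; // SegmentType 1 = DisclosedVendors
    const maxId = read(16);
    const ids = new Set();
    if (read(1) === 0) { // bitfield: one bit per vendor ID 1..maxId
      for (let id = 1; id <= maxId; id++) if (read(1)) ids.add(id);
      return ids;
    }
    for (let n = read(12); n > 0; n--) { // range encoding
      const isRange = read(1);
      const start = read(16);
      const end = isRange ? read(16) : start;
      if (start < 1 || end < start || end > maxId) throw new Error('bad range');
      for (let id = start; id <= end; id++) ids.add(id);
    }
    return ids;
  }
  return null;
}

// Constructed samples: 'CAAA' stands in for a real core segment.
const SAMPLE_RANGE = 'CAAA.' + fromBits('001' + u(102, 16) + '1' + u(2, 12)
  + '0' + u(12, 16) + '1' + u(100, 16) + u(102, 16));
const SAMPLE_BITFIELD = 'CAAA.' + fromBits('001' + u(5, 16) + '0' + '01001');
```

A `null` result means the string carries no disclosedVendors segment, which is the case the v2.3 requirement is meant to eliminate for newly generated strings.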

The Google enforcement deadline

Google confirmed that all newly generated TC strings must comply with TCF v2.3 from February 28, 2026. Publishers using Google Ad Manager, AdSense, or AdMob who have not migrated to a TCF v2.3-certified CMP risk their ad requests defaulting to Limited Ads.

Limited Ads are served without personalized cookies or full targeting capabilities, which significantly affects programmatic monetization performance.

TCF 2.2 vs TCF 2.3: key differences

| Feature | TCF 2.2 | TCF 2.3 |
|---|---|---|
| Vendor disclosure proof | Not required | Mandatory (disclosedVendors segment) |
| Google support post-Feb 2026 | New strings unsupported | Required for new strings |
| Revenue risk if not migrated | Low (before 2026) | High if not migrated |
| TC string format | Standard | Extended with disclosedVendors |

Note: TCF v2.3 does not require users to re-consent. It is a technical update to how vendor disclosure is signaled in the TC string, not a change to consent collection rules.

How TCF relates to GDPR

TCF does not replace or guarantee alignment with GDPR. It is a technical framework that creates a structured way to collect and communicate consent. The legal obligation sits with the publisher and their vendors.

Under GDPR, processing personal data requires a valid legal basis. For advertising, that typically means either:

  • Consent: Freely given, specific, informed, and unambiguous agreement from the user.
  • Legitimate interest: A genuine business interest that is not overridden by user rights. As of TCF 2.2, this can no longer be used for targeted advertising.

GDPR is the law. TCF is the mechanism your business uses to work toward meeting its consent obligations. Having a TCF-compliant CMP is a meaningful step, but it does not replace legal advice or a broader privacy programme. You should also ensure you have a proper cookie policy and privacy policy in place, and that your platform handles data subject requests appropriately.

One important point: GDPR applies to organizations based in the EU or processing data of EU residents. The legitimate interest provisions within TCF are particularly relevant here, as many businesses incorrectly assumed they could rely on legitimate interest for advertising without user consent.

How Clym can help

Clym is a Google-certified Consent Management Platform that supports IAB TCF v2.3 with flexible regional configuration. Publishers using Clym can generate TCF v2.3-compliant TC strings, manage vendor disclosures, and configure consent flows by jurisdiction.

Beyond TCF, Clym supports you to manage:

Clym's ReadyCompliance® feature automatically recommends the right consent configuration based on your company profile, making it easier to deploy TCF correctly from the start without manually reviewing each jurisdictional requirement.

Conclusion

The IAB TCF framework exists because digital advertising needs a common language for consent. Without it, every publisher-vendor relationship would require custom consent infrastructure, creating both legal risk and operational complexity.

Since TCF 1.0 in 2018, each version has pushed toward stronger user control and clearer accountability. TCF 2.2 removed legitimate interest for targeted advertising. TCF 2.3 made vendor disclosure provable at the technical level. Both changes reflect a broader shift: consent frameworks are now part of advertising infrastructure, not just a legal formality.

With Google's enforcement deadline now passed, operating without a TCF v2.3-certified CMP carries real risk to ad revenue. Whether you are just starting to implement TCF or managing the v2.3 migration, the right CMP makes the process significantly more manageable.

Frequently asked questions

The IAB Transparency and Consent Framework (TCF) is a standardized protocol developed by IAB Europe that enables websites to collect user consent and communicate it to advertising technology vendors. It helps publishers align with GDPR consent requirements in digital advertising.

No. GDPR is the law governing data protection in the EU. TCF is a technical framework created by IAB Europe to help the advertising industry collect and communicate consent in a GDPR-aligned way. Having a TCF-compliant CMP supports your consent obligations but does not replace legal advice.

A TC string is an encoded record of a user's consent preferences. It is generated by a certified CMP, stored in the user's browser, and read by ad tech vendors via the TCF API. The string specifies which purposes the user consented to and which vendors are permitted to process their data.

TCF v2.3 is the current version. It became mandatory for all newly generated TC strings on February 28, 2026. Publishers using Google Ad Manager, AdSense, or AdMob must use a Google-certified CMP that supports v2.3.

TCF is designed for publishers and vendors operating in the EEA, UK, and Switzerland. If you monetize traffic from users in those regions, TCF likely applies to you regardless of where your business is based. Publishers outside the EU who do not serve EEA users are generally not required to implement TCF.

The Global Vendor List (GVL) is IAB Europe's official registry of advertising technology companies registered to participate in TCF. Publishers use the GVL to configure which vendors appear in their consent banner. Vendors must be registered on the GVL to receive valid TCF consent signals.

Publishers using Google Ad Manager, AdSense, or AdMob without a TCF v2.3-certified CMP risk having their ad requests default to Limited Ads. Limited Ads are served without personalized targeting, which typically reduces programmatic revenue significantly.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
