IAB TCF Explained: A Complete Guide for Website Owners
Learn what the IAB TCF is, how it works, and why it matters for cookie consent compliance. Practical guide to implementing the TCF framework.
The IAB TCF (Interactive Advertising Bureau Transparency and Consent Framework) is the dominant industry standard for managing cookie consent in digital advertising. If your website displays ads, uses analytics pixels, or works with any advertising technology, understanding the IAB TCF is essential for compliance with European privacy laws.
This guide covers how the framework operates, what it requires from website owners, and how to implement it correctly. This article is educational in nature and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is the IAB TCF?
The IAB TCF is a technical specification created by IAB Europe that standardizes how consent information is collected, stored, and communicated between websites, consent management platforms (CMPs), and advertising vendors. It was designed to help the digital advertising ecosystem comply with the GDPR (Regulation (EU) 2016/679) and the ePrivacy Directive (Directive 2002/58/EC).
Before the TCF existed, every advertising company handled consent differently. Publishers had no standard way to pass user consent choices to dozens or hundreds of ad tech vendors operating on a single page. The framework solved this by creating a common language: a structured consent signal called the TC String.
How the TCF Works in Practice
The IAB TCF operates through three main components working together:
- Consent Management Platform (CMP) collects consent from users through a cookie banner or consent dialog
- Global Vendor List (GVL) is a registry of all advertising vendors participating in the framework, including the purposes they process data for
- TC String is an encoded string that captures exactly which vendors and purposes a user has consented to
When a visitor arrives on your website, the CMP displays a consent banner listing the purposes and vendors that want to process their data. The user makes their choices, and the CMP encodes those choices into a TC String. Ad tech vendors then read that string to determine whether they have permission to process data for that specific user.
IAB TCF Versions: From v1.1 to v2.2
The framework has evolved significantly since its introduction in 2018. Understanding the differences matters because older versions are no longer accepted by most advertising platforms.
TCF v1.1 (Deprecated)
The original version launched in April 2018. It offered basic consent collection but had limited transparency. Publishers and vendors found it insufficient for genuine GDPR compliance, and it was deprecated in August 2020.
TCF v2.0
Version 2.0 introduced several important improvements:
- Separate consent and legitimate interest signals per purpose
- Ten standardized purposes for data processing
- Special purposes and features that vendors could declare
- Publisher-specific restrictions to limit vendor permissions
- A standardized API (the CMP API, also called
__tcfapi) for vendors to query consent status
TCF v2.2 (Current Standard)
Released in May 2023, TCF v2.2 is the current version and the only one accepted by Google as of January 2024. Key changes include:
- Legitimate interest removed for ads purposes. Vendors can no longer rely on legitimate interest for personalized advertising (purposes three through six). They must obtain explicit consent.
- Data retention disclosure. Vendors must declare how long they retain data for each purpose.
- Clearer purpose descriptions. The framework provides improved, standardized descriptions that CMPs must display to users.
- URL-based consent. A new mechanism for passing consent signals through URLs in environments where cookies are unavailable.
If your website still runs TCF v2.0, you need to upgrade. Google Ads, Google AdSense, and Google Ad Manager all require TCF v2.2 support through a Google-certified CMP.
The 10 IAB TCF Purposes Explained
The TCF defines ten standardized purposes for data processing. Each vendor on the Global Vendor List declares which purposes it needs. Users can grant or deny consent per purpose, giving them granular control over how their data is used.
- Store and/or access information on a device. Using cookies, device identifiers, or similar technologies to store or read information. This purpose covers the basic act of setting a cookie.
- Select basic ads. Showing ads based on the content of a page or general location (country level), without creating a personal profile.
- Create profiles for personalized advertising. Building a profile about a user to show them ads tailored to their interests over time.
- Use profiles to select personalized ads. Using a previously built profile to select which specific ads to show a user.
- Create profiles to personalize content. Similar to purpose three, but for editorial content rather than advertising.
- Use profiles to select personalized content. Using a profile to determine which articles, videos, or other content to recommend.
- Measure ad performance. Collecting data about which ads were displayed, how often, and whether users interacted with them.
- Measure content performance. Tracking how content performs, including reach and engagement metrics.
- Apply market research to generate audience insights. Using data to produce aggregated reports about audience demographics and behavior.
- Develop and improve services. Using data to improve existing products, features, or algorithms.
Under TCF v2.2, purposes three through six require explicit consent. Vendors cannot use legitimate interest as a legal basis for personalized advertising or content personalization. Your cookie policy generator should reflect these specific purposes if your site works with TCF-registered vendors.
How the TC String Works
The TC String is the technical backbone of the IAB TCF. It is a Base64-encoded string that carries all consent information for a specific user interaction. Understanding its structure helps you debug consent issues and verify your implementation.
A TC String contains:
- Core segment. The CMP ID, creation timestamp, last updated timestamp, consent screen number, publisher country code, vendor consent bits, and purpose consent bits.
- Disclosed vendors segment. Lists which vendors the CMP disclosed to the user during the consent interaction.
- Publisher TC segment. Contains publisher-specific purpose consents and legitimate interests, separate from vendor consents.
The string is typically stored in a first-party cookie called euconsent-v2. When an ad request fires, the vendor's tag reads this cookie (or queries the CMP API) to check whether consent exists for its specific vendor ID and the purposes it needs.
Reading Consent with the CMP API
Vendors and publishers can query consent status programmatically using the __tcfapi JavaScript function. The API supports several commands:
getTCDatareturns the current TC String and parsed consent dataaddEventListenerregisters a callback that fires when consent status changesremoveEventListenerunregisters a previously set callbackpingchecks whether the CMP is loaded and ready
This standardized API means that any TCF-compliant vendor can check consent status without knowing which CMP a publisher uses. The abstraction layer is what makes the framework interoperable across the ecosystem.
Implementing IAB TCF on Your Website
Getting the TCF running on your site requires a registered CMP, proper configuration, and testing. Here is a practical implementation path.
Step 1: Choose a Registered CMP
Your CMP must be registered with the IAB Europe and appear on the official CMP List. Google additionally maintains its own list of certified CMPs for use with Google advertising products. Using a non-certified CMP means Google tags will treat all consent as denied.
When evaluating CMPs, consider:
- Whether it supports TCF v2.2
- Google certification status
- Geographic targeting capabilities (showing consent banners only to EEA visitors)
- Integration with your ad stack (header bidding, Google Ad Manager, etc.)
- Customization options for banner appearance and text
- Reporting on consent rates
Step 2: Configure Purposes and Vendors
Select which vendors from the Global Vendor List operate on your site. This requires auditing your site to identify all third-party scripts, pixels, and tags. Common categories include:
- Ad exchanges and SSPs
- Demand-side platforms (DSPs)
- Analytics providers
- Social media widgets
- Retargeting platforms
Your CMP should display only the vendors that actually run on your site. Listing hundreds of vendors that your site does not use confuses users and can reduce consent rates.
Step 3: Set Up Consent Gating
Tags and scripts that require consent must not fire until consent is granted. This means configuring your tag manager (Google Tag Manager or a similar tool) to check consent signals before loading vendor scripts. Under the TCF, purpose one (store and/or access information on a device) is the baseline requirement. Most advertising vendors also need purposes two through seven.
Step 4: Test Across Regions and Browsers
Test your implementation from EU and UK IP addresses to verify:
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate Now- The consent banner appears before any non-essential cookies are set
- Rejecting consent prevents vendor scripts from loading
- The TC String is correctly generated and stored in
euconsent-v2 - The
__tcfapireturns accurate consent data - Vendor tags correctly read and respect consent signals
Use browser developer tools to inspect cookies, network requests, and console output. Tools like the IAB's TCF Consent String Decoder can help you parse and verify TC String contents.
IAB TCF and Google Consent Mode v2
Google Consent Mode v2 and the IAB TCF serve related but distinct functions. Consent Mode controls how Google tags behave based on consent status (granted or denied for ad_storage, ad_user_data, analytics_storage, and ad_personalization). The TCF provides the granular, vendor-level consent signals that the advertising ecosystem uses.
When both are implemented together, the CMP maps TCF purpose consents to Consent Mode parameters. For example, consent to TCF purpose one maps to ad_storage: granted, and consent to purposes three and four maps to ad_personalization: granted.
Google requires one of two approaches for publishers serving ads to EEA users:
- A Google-certified CMP implementing TCF v2.2
- Google Consent Mode v2 integrated with your CMP
Many publishers implement both to cover all compliance requirements. Your cookie policy generator should document the specific consent mechanisms in use so visitors understand how their choices are communicated to third parties.
Common IAB TCF Compliance Mistakes
Even with the framework in place, several common mistakes can undermine your compliance posture.
Pre-loading vendor scripts before consent. If ad tags fire before the user interacts with the consent banner, you are setting cookies without consent. This violates Article 5(3) of the ePrivacy Directive and can result in fines. Under GDPR, penalties can reach up to 20 million EUR or 4% of annual global turnover, whichever is higher.
Using a non-registered CMP. Only CMPs on the IAB Europe CMP List are authorized to generate valid TC Strings. An unregistered tool may produce strings that vendors ignore.
Failing to update the Global Vendor List. The GVL is updated regularly as vendors join or leave the framework. If your CMP configuration references outdated vendor entries, consent signals may be incorrect.
Not offering granular choices. The TCF requires that users can consent to individual purposes and vendors. Bundling everything into a single "accept all" without a way to make granular choices fails the GDPR requirement of specific consent under Article 7.
Ignoring consent withdrawal. Users must be able to withdraw consent as easily as they gave it (Article 7(3) GDPR). Your CMP should provide a persistent link or button (often labeled "Cookie Settings" or "Privacy Preferences") that reopens the consent dialog at any time.
Running a compliance scanner can help identify these issues. Tools like TermsBox scan your website for cookies and tracking technologies, then match findings against your declared cookie policy, so you can catch gaps before a regulator does.
IAB TCF Enforcement and Legal Developments
The IAB TCF has faced legal scrutiny. In February 2022, the Belgian Data Protection Authority (APD) found that IAB Europe acted as a data controller for TC Strings and that the TCF's real-time bidding consent mechanism was insufficient for GDPR compliance. IAB Europe was fined 250,000 EUR and required to submit a remediation plan.
IAB Europe appealed, and in March 2023, the Court of Justice of the European Union (CJEU) ruled in Case C-604/22 that TC Strings constitute personal data when they can be linked to an identifiable user. However, the CJEU also noted that IAB Europe could qualify as a joint controller rather than a sole controller, and returned the case to the Belgian court for final determination.
Despite these proceedings, the TCF remains the industry standard. IAB Europe submitted an action plan that the APD approved in January 2024, including enhanced audit requirements for CMPs and vendors. The framework continues to operate while reforms are implemented.
What This Means for Publishers
The legal proceedings do not change your obligations as a publisher. You still need:
- Valid consent collection through a registered CMP
- Accurate vendor disclosure in your consent banner
- A comprehensive cookie policy documenting all cookies and tracking technologies
- Records of consent that demonstrate compliance if challenged
Frequently Asked Questions
What does IAB TCF stand for?
IAB TCF stands for Interactive Advertising Bureau Transparency and Consent Framework. It is an industry standard that provides a structured way for websites, advertisers, and consent management platforms to communicate user consent choices for data processing and advertising.
Is IAB TCF required by law?
The IAB TCF is not directly required by any law, but it is the most widely adopted standard for meeting GDPR and ePrivacy Directive consent requirements in digital advertising. Google requires publishers using its ad products to use a Google-certified CMP that supports TCF v2.2.
What is the difference between TCF v2.0 and TCF v2.2?
TCF v2.2 removed legitimate interest as a legal basis for advertising purposes 3 through 6, requiring explicit consent instead. It also improved transparency by requiring vendors to declare data retention periods and providing clearer descriptions of processing purposes.
How do I implement IAB TCF on my website?
You need a Consent Management Platform (CMP) registered with the IAB and listed on the Global Vendor List. The CMP handles the consent banner, collects user choices, generates the TC String, and shares consent signals with advertising vendors through standardized APIs.