All Blog Posts

IAB Transparency and Consent Framework (TCF v2.3)

The IAB's Transparency and Consent Framework (TCF) v2.3 brings important ongoing change to the digital advertising industry. The aim is to continue to align the Framework more closely with the GDPR.

Updated Nov. 10, 2025

IAB Europe created the Transparency and Consent Framework (TCF) to support publishers, technology vendors, and advertisers in compliance with the GDPR and ePrivacy Directive.

On May 16, 2023, the IAB launched a significant update with the TCF v2.2, bringing a variety of policy and technical updates. These changes help businesses comply with the GDPR and ePrivacy Directive requirements in digital advertising while aligning with evolving market needs and regulatory guidelines.

The TCF v2.3 is a smaller update, but still important, and the deadline to comply with it and make necessary updates is February 28, 2026.

Cookiebot Consent Management Platform (CMP) has been updated with the new Framework.

We look at what the TCF is all about, what’s new in the TCF v2.3 and how Cookiebot CMP integration works.

Illustration iab TCF | Cookiebot CMP

On February 2, 2022, the Belgian DPA found the IAB’s Transparency and Consent Framework (TCF) to be noncompliant with several provisions of the GDPR. It required the IAB to present an action plan to implement corrective measures that address the infringements and bring the TCF into compliance with the GDPR.

In response to feedback from the market, as well as evolving case law and guidelines from various national data protection authorities, the IAB implemented the TCF v2.2. That framework aimed to improve the standardization of information presented to users, and give them more control over how their personal data is processed.

The TCF v2.3, which has a compliance deadline of February 28, 2026, is a smaller update in scope, but continues to evolve the Framework to strengthen transparency and privacy compliance.

The Transparency and Consent Framework (TCF) v2.2 was a significant update to the previous version, with policy changes aimed to increase transparency and provide users with more control over their consent choices.

Removal of legitimate interest

With the release of the TCF v2.2, legitimate interest is no longer allowed as a legal basis for data processing operations related to advertising and content personalization. Vendors can now only select explicit consent as an acceptable legal basis for these purposes.

Improved user interface (UI)

The information required in consent management platforms’ (CMP) UI was improved to include user-friendly standard texts, new features of processing, and real use case illustrations to make it easier for users to understand what they’re consenting to and what their options are.

Users are better enabled to change their minds about sharing their data with vendors, and to re-access the CMP UI to change or withdraw consent at any time. The process to withdraw consent must be as easy as the process to give it. The practical implications of this are that the CMP UI must be easily accessible to users and not buried on the website where users must hunt to find it.

More vendor transparency

Detailed disclosures about vendors regarding data categories and retention periods were standardized under TCF v2.2 and must be provided to users in the secondary layer of the CMP.

Enhanced compliance programs

New auditing mechanisms and differentiated enforcement procedures were implemented, including proactive auditing of a larger number of randomly selected CMPs and vendors each month.

In doubt about whether your website is GDPR-compliant? Test it with the free Cookiebot CMP compliance test.

The Transparency and Consent Framework (TCF) v2.3 is a smaller update compared to v2.2. However, it's still important, introducing key adjustments to strengthen transparency and privacy compliance.

Disclosed Vendors are a mandatory segment in TCF signals

Vendors can now better determine if they’re allowed to process data under Special Purposes. Starting February 28, 2026, all new or updated consent signals must include the Disclosed Vendors segment. Special Purposes can be processed under Legitimate Interest only, and with no right to object, but vendors must be explicitly disclosed through the CMP.

Until now, this has been handled through less optimal technical solutions, and with the v2.3 update, clarity on vendor disclosures has been improved.

Existing consent signals created before February 28, 2026, without the TCF v2.3 format, will remain valid until the user updates or renews their consent preferences. There is no requirement to resurface the CMP to all users.

Try Cookiebot CMP free for 14 days... or forever if you have a small website.

Cookiebot CMP and the new IAB Framework (TCF v2.3)

CMPs must implement the new policies and specifications of the TCF v2.3 by February 28, 2026. Cookiebot CMP’s IAB integration supports the new IAB framework (TCF v2.3).

Cookiebot CMP integration with the IAB Transparency and Consent Framework v2.3 continues to be an optional supplement to the core consent framework in the Cookiebot CMP solution.

Cookiebot CMP integration consists of an extra panel in the consent banner of websites registered with the IAB. The panel is called "Ad Settings", and from there, end users can choose between IAB Purposes and Vendors before submitting their consent.

We recommend using the IAB framework integration as a supplement and not a replacement for the regular Cookiebot CMP solution. This is because IAB’s consent model works through signaling the user’s consent to advertising vendors, whereas Cookiebot CMP consent model works through blocking non-consented vendors.

This is a key difference because, according to the GDPR, it is the publisher — i.e., the website owner — who is liable for all tracking and personal data collection taking place on their domain, including by third parties.

Cookiebot CMP eliminates the dependency on the good faith of the vendors and gives true control to the website owner. By using Cookiebot CMP as an integration in the IAB framework (TCF v2.3), you help to ensure your GDPR compliance.

To ensure that user consents are being honored by advertising vendors, the Cookiebot CMP patented scanning technology monitors all cookies and similar trackers used by vendors on the website and marks them as non-consensual in the scan report.

Read our technical support article here to learn more about implementation and technical details of the IAB framework (TCF v2.2 and v2.3) and Cookiebot CMP.

Cookiebot CMP also supports the IAB CCPA Compliance Framework.

Cookiebot CMP's patented scanning technology supports ongoing privacy compliance

Cookiebot CMP is one of the few consent management platforms on the market that supports full privacy compliance with privacy regulations around the world.

Cookiebot CMP's unmatched scanning technology finds all cookies and trackers in use on your website, then takes automatic control to block them from firing until users have given their consent, in line with the requirements of the EU’s General Data Protection Regulation and ePrivacy Directive.

Cookiebot CMP performs monthly deep scans of your domain to make sure that you always know what tracking technologies are loading on your website as your operations change.

Learn more about website tracking and how to make it compliant with requirements of privacy regulations.

Cookieboot Pop Up Banner - Cookiebot
Cookiebot CPM standard consent banner for GDPR/ePR compliance.

Your scan report can be published as a cookie declaration on your website, e.g., as an integrated part of your website’s privacy or cookie policy.

Consent must be renewed regularly. Every 12 months is fairly standard, however, some national data protection guidelines recommend more frequent renewal, like every months. Check your local data protection guidelines, and if you need to comply with regulations in multiple jurisdictions, choose the shortest renewal period as a best practice.

Using Cookiebot CMP is free if you have fewer than 50 subpages (unique URLs).

Start free now

What is the IAB Framework and how does it meet GDPR requirements?

The Interactive Advertising Bureau Europe — IAB Europe — is a business organization for online advertisers and marketers, that develops and governs industry standards and best practices, conducts research, and provides legal support.

In preparation for the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a framework in collaboration with IAB Europe. That is the IAB Europe Transparency & Consent Framework (TCF).

The TCF establishes a common ground for cooperation among publishers, advertisers, and consent management providers that can help smooth the process of achieving and maintaining GDPR compliance.

The TCF works as a standardized means for communicating the state of user consent between first parties like publishers, third parties like advertisers, and the consent management solution in use on the first party’s website.

What are the GDPR requirements and what do they mean for advertisers?

The GDPR sets out strict requirements for how the personal data of European residents can be collected, stored, used, and shared.

In order for your consent management to be GDPR-compliant, it must meet specific criteria. All data processing must take place under one of six legal bases: consent, contractual obligation, legal obligation, vital interests, public task, or legitimate interests. When consent is used, it must be obtained before or when data collection and processing begins, and it must be as easy to withdraw consent as it was to give it.

  • Freely given: Users cannot be manipulated into consenting or prevented from declining.
  • Specific: It must be clear what users are consenting to, and they must have granular options for all purposes. Only offering "Accept All" is not compliant.
  • Informed: What data is processed and for what purpose? Who may have access to it? This information must be presented clearly, with no jargon.
  • Unambiguous: Users must make an active choice with an explicit action to provide consent, e.g., clicking a button. No pre-ticked checkboxes.

Consent information must also be securely stored and kept updated over time. In the case of an audit or data subject request, you must be able to provide details about what the user consented to, what information they were presented, and when the consent action was taken.

What is the purpose of the IAB Framework?

The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.

Within the Framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).

Publishers, vendors, and CMPs under the IAB TCF

  • Publishers under the IAB Framework includes digital media that publishes content online. Publishers generally represent the first party, i.e., the website that the user visits. In digital advertising, publishers are often are dependent on displaying third-party advertisements on their websites as a form of monetization. This usually involves an ad network that directs relevant ads to website visitors.
  • Vendors under the TCF include ad networks and advertisers, the third-parties that publishers partner with to run ads on their sites. The vendors display third-party content on the publishers’ websites. They set marketing cookies on the end user’s browser to enable displaying relevant ads.
  • Consent management solution providers supply the platform that enables publishers to obtain valid user consent to collect and process personal data on their sites. The consent management platform then signals end users’ consent choices to the vendors operating on the current website to control what data is collected and processed for advertising functions like personalization.

How does the IAB TCF work?

The IAB Framework enables communicating the state of user consent among the publishing and advertising ecosystem of publishers' websites, vendors, and consent management platforms.

In the TCF, publishers select their vendors of choice from a list of those that have enrolled in the TCF. This list is called the Global Vendor List or GVL.

In order to participate in the TCF, the vendor has agreed to a set of conditions:

  • Updating their code so that cookies are not set unless they have received a consent signal from a CMP, or unless they have an applicable legal basis to set a cookie.
  • Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP.

The Global Vendor List is a sort of registry of allowlisted vendors that have committed to the TCF's rules. When a publisher enrols, they select one or more vendors from the Global Vendor List that they want to partner with.

A users' consent status is stored via a first-party cookie in their browser and shared down the TCF's advertisement information chain. Once the user has made their consent choice, these vendors —and no others — have access to processing the user’s data for relevant disclosed purposes.

FAQ

How does the IAB TCF work?

IAB Transparency and Consent Framework (TCF) works as a system for communicating the state of user consent between first parties (publishers), third parties (advertisers), and the consent management platform in use on the first party’s website. Publishers select their vendors of choice from a list of vendors that have enrolled in the TCF. When a publisher enrolls, they select one or more vendors from the Global Vendor List. The consent state of the user is stored in a first-party cookie in the user’s browser and shared down the advertisement chain of information in the TCF.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

What’s new in the IAB TCF 2.3?

The TCF v2.3 update introduces key adjustments to strengthen transparency and privacy compliance:

  • Disclosed Vendors become a mandatory segment in TCF signals, enabling vendors to determine if they’re allowed to process data under Special Purposes.
  • Starting February 28, 2026, all new or updated consent signals must include the Disclosed Vendors segment.

Existing consent signals created before February 28, 2026, without the v2.3 format, will remain valid until the user updates or renews their consent preferences. There is no requirement to resurface the CMP to all users.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

How does Cookiebot CMP integrate with the IAB TCF 2.3?

Cookiebot CMP integrates with the IAB Transparency and Consent Framework v2.3 through an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end users are able to choose between IAB Purposes and Vendors before submitting their consent.

Learn more about Cookiebot CMP and try free for 14 days

* Where are the figures coming from?

*The figures presented are based on an analysis of the studies below; actual results may vary depending on your business setup and potential data tracking limitations. Usercentrics has not independently verified the accuracy, completeness, or reliability of the underlying data, and has only analyzed and interpreted the information therein. Usercentrics makes no representations or warranties, express or implied, regarding the validity or quality of the source data.

Funnel Metric / KPI Detail Source link
Bounce‑rate driver
(page‑load / LCP) 		Up to 5.6 s faster page‑load and an 11 % ↓ in LCP for a multinational retailer after Adobe‑suite tags were migrated server‑side — a performance delta Google research links to materially lower bounce risk (see §2) Thinkwithgoogle.com
Add‑to‑cart and checkout data capture Nemlig moved “add to cart” and other high‑volume events into a GTM server container, eliminating collector‑side throttling and delivering a 40 % jump in 90‑day conversions from new shoppers marketingplatform.google.com
Sign‑up / first‑transaction tracking Square enriched server events (e.g., first payment) and saw +46 % more conversions recorded across channels, enabling smarter bid strategies marketingplatform.google.com
Overall conversion‑rate
  • Irish Iron CR rose from 4.3 % → 5.6 % (+30 %) after SST;
  • European university site recorded a +100 % increase in web‑page conversions after SST rollout
https://cosmoforge.io/
Cost per acquisition (CPA) / CAC
  • Irish Iron ‑22 % CPA on paid media;
  • University case ‑57 % CPA; (US university site (New Path Digital, sGTM))
https://cosmoforge.io/
newpathdigital.com

The most used solution for compliant use of cookies and online tracking

Used on
2.3 million
websites
Manages
7 billion
monthly user consents
Supports
47+
languages

Resources

IAB updates its Transparency & Consent Framework

AdExchanger: IAB Europe And IAB Tech Lab Go Live With GDPR Consent Framework

ClearCode: How the IAB’s GDPR Transparency and Consent Framework Works From a Technical Perspective

Digiday.com: IAB Europe’s GDPR guidelines, explained

Digitalcontentnext: Why the IAB GDPR Transparency and Consent Framework is a non-starter for publishers

IAB Europe: Transparency & Consent Framework specification launches global as industry participation increases

IAB Tech Lab: GDPR TRANSPARENCY AND CONSENT FRAMEWORK

IAB Tech Lab: Proposal for data transparency framework and automation standards across the data supply-chain

MarTech Today: Google to join IAB Europe’s Transparency and Consent Framework

MarTech Today: IAB Tech Lab releases a Data Transparency Framework

The General Data Protection Regulation

YouTube: IAB Europe's Transparency and Consent Framework - Deep Dive on the Technical Specification

Pepco
rural-king
orbico
credit-exchange
canon
bauhaus