Understanding the IAB TCF (Transparency & Consent Framework)

What is the IAB TCF?

The Transparency & Consent Framework (TCF) was created by IAB Europe to help the digital advertising ecosystem comply with the EU's General Data Protection Regulation (GDPR) and the ePrivacy Directive.

It provides a standardized way for publishers (website owners), advertisers, and ad-tech vendors to communicate user consent choices across the supply chain. Without a framework like the TCF, every website would need a custom way to tell every individual ad provider (like an ad exchange or a DSP) whether a user has consented to tracking.

Key Components

The TCF relies on several interconnected parts to function:

1. The Global Vendor List (GVL)

The GVL is a registry of ad-tech companies ("Vendors") that have agreed to adhere to the TCF's rules. Each vendor in the list specifies:

• Which Purposes they need data for (e.g., "Select basic ads").
• Their legal basis for processing (Consent or Legitimate Interest).
• A link to their privacy policy.

2. Purposes and Special Features

The TCF defines a set of standardized "Purposes" so that users see consistent language across different sites. As of version 2.2, there are 11 Purposes, including:

• Purpose 1: Store and/or access information on a device.
• Purpose 2: Select basic ads.
• Purpose 3: Create a personalised ads profile.

There are also Special Features, such as the use of precise geolocation data, which require explicit user opt-in.

3. The Consent Management Platform (CMP)

The CMP is the software (the "cookie banner") that interacts with the user. In the TCF ecosystem, the CMP's job is to:

• Present the list of vendors and purposes to the user.
• Capture the user's choices.
• Encode those choices into a TC String.

The TC String (Transparency & Consent String)

The TC String is the "source of truth" in a TCF implementation. It is a base64-encoded string that contains all the user's preferences:

• Which vendors are approved.
• Which purposes are allowed.
• Whether the user has opted into special features.

This string is typically stored in a cookie (usually named euconsent-v2) and is passed along the advertising "bid request" to vendors. This allows an ad exchange to know, in milliseconds, whether it is legally allowed to show a personalized ad to that specific user.

Evolution to TCF v2.2

The framework has evolved significantly, particularly following rulings by data protection authorities. The current version, v2.2, introduced several important changes to increase transparency and user control:

• Vendor Counts: CMPs must now disclose the total number of vendors on the initial screen.
• Legitimate Interest Restrictions: Vendors can no longer claim "Legitimate Interest" for certain advertising purposes; they must rely on explicit Consent.
• Ease of Withdrawal: It must be as easy for a user to withdraw consent as it was to give it.
• Standardised Descriptions: More user-friendly explanations of what the purposes actually mean.

Why it Matters

For publishers, using a TCF-compliant CMP is often a requirement for accessing premium ad demand. Major platforms like Google AdSense and Ad Manager require TCF compliance for serving personalized ads in the EEA and UK.

For users, it provides a more consistent experience. Instead of every site having a different way of describing "tracking," the standardized purposes make it easier to understand what is happening with their data.

Checking TCF Implementation

When auditing a site for TCF compliance, experts (and tools like ConsentScout) look for:

1. The __tcfapi function: A standardized JavaScript API that allows tags to query the current consent state.
2. The euconsent-v2 cookie: Ensuring it is present and contains valid data.
3. Vendor transparency: Ensuring the CMP actually lists the vendors it says it does.

If the TCF is misconfigured-for example, if a "TC String" says no consent was given but the site still loads tracking pixels-it can lead to significant regulatory risk.