Quick Answer: IAB TCF 2.3 is the current version of the IAB Europe Transparency and Consent Framework, mandatory for all publishers and advertisers serving personalized ads to EU/EEA users since March 1, 2026. It introduces a "Disclosed Vendors" segment in the TC string that eliminates ambiguity around which vendors were shown to users. Publishers must deploy a registered Consent Management Platform (CMP), configure vendor lists, and pass valid TCF 2.3 consent strings to their ad tech stack to remain compliant and protect ad revenue.
Key Takeaways
- As of March 1, 2026, all TC strings must comply with TCF 2.3 specifications, the transition period has ended [1]
- TCF 2.3 introduces a mandatory "Disclosed Vendors" segment that resolves the "ghost vendor" ambiguity present in earlier versions [5]
- The TC string structure is now:
[Core String].[DisclosedVendors].[Publisher TC], all three segments must be correctly generated [5] - Google (Ad Manager, AdSense, AdMob) accepts TCF 2.3 strings, making compliance directly tied to programmatic revenue [3]
- Non-compliance can result in ad networks serving only non-personalized ads or restricting access entirely [2]
- A February 2026 study found 66.2% of TCF-based Android apps shared personal data without a lawful basis, underscoring how widespread non-compliance remains [7]
- Small publishers can implement TCF 2.3 through a registered CMP with relatively low cost; large publishers require deeper technical integration and legal review
- Testing and validation via IAB Europe's official CMP validator is a non-negotiable step before going live
What Is IAB TCF 2.3 and Why Do Publishers Need It
IAB TCF 2.3 is the latest version of the standardized framework that governs how publishers collect, record, and transmit user consent for data processing to advertising vendors under GDPR and ePrivacy regulations. Publishers need it because without a valid TCF 2.3 consent signal, most programmatic ad networks, including Google, will either restrict personalized ad serving or disengage entirely, directly reducing revenue [2][3].
The framework defines:
- Legal bases under which vendors may process user data (consent, legitimate interest)
- Purposes for data processing (e.g., ad personalization, measurement, content delivery)
- Vendor lists registered with IAB Europe's Global Vendor List (GVL)
- TC string format that encodes user choices and is passed through the ad tech supply chain [6]
Any publisher monetizing EU/EEA traffic through programmatic advertising must treat TCF 2.3 compliance as a baseline operational requirement, not an optional enhancement.
How IAB TCF 2.3 Differs from Previous Versions
TCF 2.3's most significant departure from TCF 2.2 is the mandatory inclusion of the "Disclosed Vendors" segment within the TC string. In earlier versions, vendors had no reliable way to confirm whether they had actually been disclosed to a user, a problem known as the "ghost vendor" issue [5]. TCF 2.3 resolves this directly.
Key differences from TCF 2.2:
| Feature | TCF 2.2 | TCF 2.3 |
|---|---|---|
| Disclosed Vendors segment | Optional | Mandatory |
| Ghost vendor problem | Present | Resolved |
| TC string structure | Core + Publisher TC | Core + DisclosedVendors + Publisher TC |
| Compliance deadline | N/A | March 1, 2026 [1] |
| Google acceptance | TCF 2.2 strings | TCF 2.3 strings required [3] |
The structural change to the TC string means that CMPs and ad tech integrations built for TCF 2.2 required active updates, passive inheritance from the previous version was not sufficient [1].
Step-by-Step Guide to Implementing TCF 2.3 on Your Website
Implementing IAB TCF 2.3 follows a defined sequence. Skipping steps, particularly testing, is the most common cause of compliance failures post-launch.
Step 1: Register or confirm your CMP Select a CMP registered on IAB Europe's official CMP list. Biscotti CMP is one such registered platform that supports TCF 2.3. Unregistered CMPs cannot generate valid TC strings.
Step 2: Configure the Global Vendor List (GVL) Pull the current GVL from IAB Europe and map your active ad tech vendors against it. Only vendors on the GVL can receive TCF consent signals.
Step 3: Design your consent UI Build a consent notice that clearly presents purposes, vendors, and legal bases. The UI must allow users to grant, deny, or withdraw consent per purpose and per vendor.
Step 4: Generate the TCF 2.3-compliant TC string
Ensure your CMP generates strings in the format [Core String].[DisclosedVendors].[Publisher TC]. The DisclosedVendors segment must accurately reflect which vendors appeared in the consent UI [5].
Step 5: Integrate with your ad stack
Pass the TC string to all downstream vendors via the __tcfapi JavaScript API. Confirm that Google Ad Manager, header bidding wrappers, and SSPs are reading the signal correctly [3].
Step 6: Validate and test Use IAB Europe's CMP Validator tool to confirm string structure and completeness before going live.
Step 7: Implement ongoing monitoring Schedule periodic audits of your vendor list against the GVL, and monitor CMP update logs whenever IAB Europe releases GVL updates.
IAB TCF 2.3 Compliance Requirements for Publishers
TCF 2.3 compliance for publishers centers on four non-negotiable requirements: using a registered CMP, presenting a legally adequate consent notice, generating a valid TC string, and passing that string accurately to all vendors [1][6].
Compliance checklist:
- CMP is registered on IAB Europe's official list
- Consent UI presents all active vendors and their purposes
- Users can accept, reject, or granularly configure consent
- TC string includes the DisclosedVendors segment
- Consent records are stored with timestamps for audit purposes
- Consent can be withdrawn as easily as it was given
- CMP SDK/API version supports TCF 2.3 (not just 2.2)
- Publisher TC segment is correctly populated for publisher-specific purposes
Publishers operating in multiple jurisdictions should also verify that their CMP configuration accounts for regional variations (e.g., UK GDPR vs. EU GDPR) without invalidating the core TCF signal.
How Much Does It Cost to Implement IAB TCF 2.3
Implementation costs vary significantly by publisher size and existing infrastructure. There is no single licensing fee for TCF 2.3 itself, the framework is open, but costs arise from CMP licensing, developer time, and legal review.
Estimated cost ranges (2026):
- Small publishers (under 500K monthly sessions): CMP SaaS fees typically range from free tiers to $50,$200/month. Developer integration: 4-16 hours.
- Mid-size publishers: $200,$800/month for CMP licensing, plus 20-60 hours of developer and QA time.
- Enterprise publishers: Custom CMP contracts, dedicated legal review, and integration work can exceed $50,000 annually when accounting for ongoing maintenance.
These are estimates based on publicly available CMP pricing structures and typical developer hourly rates; actual costs depend on your existing tech stack complexity.
Common Mistakes When Implementing IAB TCF 2.3
The most damaging mistakes in TCF 2.3 implementation are not technical errors but process failures: launching without validation, using outdated vendor lists, and treating consent as a one-time configuration rather than an ongoing operation.
Mistakes to avoid:
- Using a non-registered CMP: TC strings from unregistered CMPs are invalid regardless of technical accuracy
- Omitting the DisclosedVendors segment: This is the defining change in TCF 2.3 and the most common gap when upgrading from 2.2 [5]
- Stale GVL data: Vendors change their declared purposes; failing to refresh the GVL means users may be consented to outdated processing descriptions
- Blocking ad calls before consent is established: Causes revenue loss during page load; use a non-blocking CMP initialization pattern
- Not testing on mobile: Consent UI behavior on mobile browsers differs from desktop, and many compliance failures surface only on mobile
IAB TCF 2.3 Implementation for Small Publishers vs. Large Publishers
Small publishers and large publishers face the same compliance obligations under TCF 2.3, but the implementation complexity differs substantially. Small publishers can typically achieve compliance through a turnkey CMP solution with minimal custom development. Large publishers require deeper integration across multiple ad systems, custom consent UIs, and dedicated legal oversight.
Small publishers: Choose a registered CMP with a pre-built consent banner, configure your vendor list through the CMP dashboard, and verify TC string output using the IAB validator. Total implementation time: 1-5 business days.
Large publishers: Require custom CMP API integration, coordination across multiple SSPs and DSPs, A/B testing of consent UI copy for conversion impact, and legal sign-off on purpose descriptions. Total implementation time: 4-12 weeks.
Decision rule: If your ad stack involves more than 5 SSPs, header bidding, or a custom DMP, treat this as an engineering project with a dedicated project owner, not a CMS plugin update.
What Happens If You Don't Comply with IAB TCF 2.3
Non-compliance with TCF 2.3 carries both regulatory and commercial consequences. On the commercial side, ad networks including Google will limit or block personalized ad serving if they do not receive a valid TCF 2.3 consent string, directly reducing CPMs and fill rates [2][3]. On the regulatory side, GDPR enforcement authorities can issue fines up to 4% of global annual turnover for unlawful data processing.
A February 2026 study analyzing TCF-based Android applications found that 66.2% of apps shared personal data without a lawful basis, a finding that signals increased regulatory scrutiny of TCF implementations across platforms [7].
How the IAB TCF 2.3 Consent String Works
The TC string is a Base64-encoded data structure that encodes a user's consent and legitimate interest signals for all vendors and purposes. Under TCF 2.3, the string is composed of three dot-separated segments: [Core String].[DisclosedVendors].[Publisher TC] [5].
- Core String: Contains consent and legitimate interest signals for each vendor and purpose, plus metadata (CMP ID, version, timestamp)
- DisclosedVendors: Lists which vendors were actually presented to the user in the consent UI, the key addition in TCF 2.3 [1]
- Publisher TC: Encodes publisher-specific purpose restrictions and consents
The string is stored in the browser (typically as a cookie or localStorage entry) and accessed by vendors via the __tcfapi JavaScript API. Vendors read the string to determine whether they have a valid legal basis to process data for a given user before firing any tracking or personalization logic [6].
Do Advertisers Need to Implement IAB TCF 2.3 Separately
Advertisers and DSPs must register as vendors on the IAB Europe Global Vendor List and update their systems to correctly read and honor TCF 2.3 consent strings. Publishers implement the consent collection mechanism; advertisers implement the consent consumption mechanism, both sides must be TCF 2.3 compliant for the system to function lawfully.
Specifically, advertisers must:
- Maintain a current GVL registration with accurate purpose declarations
- Update their bidding and tracking systems to parse TCF 2.3 string format
- Suppress data processing for users who have not granted consent for relevant purposes
- Ensure their DSP or ad server passes the TC string downstream to any sub-processors
IAB TCF 2.3 Testing and Validation Best Practices
Testing is not optional, it is the mechanism by which compliance can actually be demonstrated. IAB Europe provides an official CMP Validator that checks TC string structure, version compliance, and segment completeness.
Validation checklist:
- Run the TC string through IAB Europe's CMP Validator before launch
- Verify the DisclosedVendors segment populates correctly for different consent scenarios (full accept, full reject, partial)
- Test consent signal receipt in Google Ad Manager using the "Consent debugging" tool [3]
- Confirm
__tcfapiresponses are correct on both desktop and mobile browsers - Test the consent withdrawal flow end-to-end: user withdraws consent, TC string updates, ad calls adjust accordingly
- Log and audit TC string versions in your consent records system
How long does implementation take? Small publishers: 1-5 days. Mid-size: 2-4 weeks. Enterprise: 4-12 weeks. The primary variable is the number of ad tech integrations requiring validation.
Conclusion: Actionable Next Steps for TCF 2.3 Compliance
Implementing IAB TCF 2.3 is no longer a forward-looking project, the March 1, 2026 enforcement deadline has passed, and any publisher or advertiser still operating on TCF 2.2 or earlier is already out of compliance [1]. The practical consequences are immediate: reduced ad revenue, restricted access to programmatic demand, and exposure to regulatory action.
Actionable next steps:
- Audit your current CMP, confirm it is registered with IAB Europe and generates TCF 2.3-compliant strings with the DisclosedVendors segment. If you need a compliant solution, evaluate Biscotti CMP.
- Refresh your Global Vendor List, ensure your active vendor configuration reflects current GVL entries and accurate purpose declarations.
- Run the IAB CMP Validator, do not assume compliance; verify it with the official tool.
- Coordinate with your ad ops team, confirm Google Ad Manager and all SSP integrations are receiving and parsing TCF 2.3 strings correctly [3].
- Establish a review cadence, schedule quarterly audits of your vendor list, CMP version, and consent record logs.
Compliance with TCF 2.3 is not a competitive differentiator, it is the floor. Publishers who treat it as such, and build reliable consent infrastructure around it, protect both their revenue and their users' trust.
FAQ
What is the TCF 2.3 compliance deadline? The transition period ended February 28, 2026. As of March 1, 2026, all TC strings must comply with TCF 2.3 specifications [1].
What is the "Disclosed Vendors" segment in TCF 2.3? It is a mandatory segment added to the TC string in TCF 2.3 that explicitly records which vendors were presented to the user in the consent UI, resolving the "ghost vendor" ambiguity from earlier versions [5].
Does Google support TCF 2.3? Yes. Google accepts TCF 2.3 strings across Ad Manager, AdSense, and AdMob. Publishers must ensure their CMP generates TCF 2.3-compliant strings for Google's consent management solutions to function correctly [3].
Can a small publisher implement TCF 2.3 without a developer? In many cases, yes. Registered CMPs like Biscotti CMP offer no-code or low-code setup flows. However, validation of the TC string output still requires technical verification.
What happens to ad revenue without TCF 2.3 compliance? Ad networks may serve only non-personalized ads or restrict access entirely, reducing CPMs significantly [2].
Is TCF 2.3 required outside the EU? TCF 2.3 applies to processing of EU/EEA user data under GDPR and ePrivacy. Publishers outside the EU who serve EU users are still subject to these requirements.
How is the TCF 2.3 string different from TCF 2.2? TCF 2.3 adds the mandatory DisclosedVendors segment, changing the string structure from two segments to three dot-separated segments [5].
What is a registered CMP and why does it matter? A registered CMP is one that IAB Europe has verified meets TCF technical and policy requirements. Only registered CMPs can generate valid TC strings recognized by vendors and ad networks [6].
How often should publishers update their vendor list? IAB Europe updates the Global Vendor List regularly. Publishers should review their active vendor configuration at least quarterly, or whenever a new GVL version is published.
What is the biggest compliance risk for TCF 2.3? Based on a February 2026 study, the most widespread risk is sharing personal data without a valid lawful basis, found in 66.2% of analyzed TCF-based applications [7]. Proper TC string generation and vendor-side consumption are both required.
References
[1] All You Need To Know About The Transition To TCF V2.3 - https://iabeurope.eu/all-you-need-to-know-about-the-transition-to-tcf-v2-3/?utm_source=openai
[2] The Complete Guide To Iubenda CMP And IAB TCF - https://www.iubenda.com/en/help/7440-the-complete-guide-to-iubenda-cmp-and-iab-tcf/?utm_source=openai
[3] Google Ad Manager TCF Support - https://support.google.com/admanager/answer/9999955?hl=en&utm_source=openai
[4] TCF 2.3 - Didomi - https://www.didomi.io/regulations/tcf-2-3?utm_source=openai
[5] IAB TCF 2.3 - Verve Developer Docs - https://developers.verve.com/docs/iab-tcf-23?utm_source=openai
[6] IAB Transparency And Consent Framework TCF 2.2/2.3 - CookieHub - https://support.cookiehub.com/article/378-iab-transparency-and-consent-framework-tcf-2-2?utm_source=openai
[7] TCF Privacy Analysis in Android Applications (arXiv, 2026) - https://arxiv.org/abs/2602.20222?utm_source=openai