
IAB TCF 2.2 Compliance: A Technical Guide for Developers
The Interactive Advertising Bureau's Transparency and Consent Framework, commonly known as TCF, is the closest thing the ad tech industry has to a universal standard for GDPR consent. Version 2.2, released in 2023, introduced significant changes that every developer working with digital advertising should understand. This guide explains what TCF 2.2 is, how it works under the hood, what changed from 2.0 and how to implement it correctly.
What is TCF and why does it exist
Before TCF, every ad tech vendor had its own consent mechanism. A publisher might show a banner from Vendor A, but Vendor B, C and D each had their own pixels and consent flows. Users were bombarded with multiple requests. Regulators were confused about who was responsible for what. The TCF was created to standardize this mess.
At its core, TCF is a protocol for encoding user consent choices into a compact string (the TC String) and sharing that string across the advertising supply chain. When a user visits a publisher site, the CMP collects consent for specific purposes and vendors. The resulting TC String is then passed to ad servers, SSPs, DSPs and other participants, allowing each to determine whether they have lawful grounds to process personal data.
TCF 2.2: What changed from 2.0
| Change | TCF 2.0 | TCF 2.2 | Impact |
|---|---|---|---|
| Legitimate interest | Allowed for some purposes | Removed for purposes 3-6 | Higher consent requirement |
| Consent signals | Basic opt-in/opt-out | Granular per-purpose + per-vendor | More complex UI needed |
| CMP accountability | Self-certified | Registered + audited | Fewer fake CMPs |
| Data retention | Not specified | Must be disclosed | Better transparency |
| User interface | Flexible | Must show all purposes | Less dark pattern room |
How the TC String works
The TC String is a base64-encoded bitfield that compactly represents user consent decisions. It contains: the CMP ID, consent scope, which of the 12 purposes the user consented to, which vendors they consented to, and various metadata like timestamp and version.
When an ad request is made, the TC String is typically attached as a query parameter or cookie. Downstream vendors decode it and check their own vendor ID and the relevant purpose bits. If both are set to 1, processing is allowed. If either is 0, the vendor must refrain from using personal data for that purpose.
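The check described above, as an added example that is not part of the original article: a JavaScript decoder for the core segment that reads the purpose-consent bits and the vendor-consent section and returns a decision. Bit offsets follow the IAB TC String v2 layout; `decodeCore`, `mayProcess` and the string produced by `buildSample` are constructed for illustration, and legitimate-interest bits and publisher restrictions are not evaluated.

```javascript
// Added example: decode the consent fields of a TCF v2 core string.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
function decodeCore(tcString) {
  let bits = '';
  for (const ch of String(tcString).split('.')[0]) { // core segment only
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error('not websafe base64');
    bits += v.toString(2).padStart(6, '0');
  }
  let pos = 0;
  const read = (n, at = pos) => { // read n bits at an offset, or at the cursor
    if (at + n > bits.length) throw new Error('truncated TC String');
    pos = at + n;
    return parseInt(bits.slice(at, at + n), 2);
  };
  if (read(6, 0) !== 2) throw new Error('unsupported TC String version');
  const cmpId = read(12, 78);
  const purposes = new Set(); // PurposesConsent: 24 bits from offset 152
  for (let p = 1; p <= 24; p++) if (read(1, 151 + p)) purposes.add(p);
  const vendors = new Set();
  const maxVendorId = read(16, 213);
  if (read(1)) { // IsRangeEncoding = 1: list of single IDs and ID ranges
    for (let n = read(12); n > 0; n--) {
      const isRange = read(1), start = read(16), end = isRange ? read(16) : start;
      if (start < 1 || end < start || end > maxVendorId) throw new Error('bad vendor range');
      for (let id = start; id <= end; id++) vendors.add(id);
    }
  } else { // bitfield: one bit per vendor ID
    for (let id = 1; id <= maxVendorId; id++) if (read(1)) vendors.add(id);
  }
  return { cmpId, purposes, vendors };
}

// Fail closed: a missing, malformed or truncated string counts as no consent.
function mayProcess(tcString, vendorId, purposeId) {
  try {
    const core = decodeCore(tcString);
    return core.purposes.has(purposeId) && core.vendors.has(vendorId);
  } catch { return false; }
}

// Constructed sample: CMP ID 300, purposes 1-2, vendor 3 and vendors 5-6; other fields zeroed.
function buildSample() {
  const f = (v, n) => v.toString(2).padStart(n, '0');
  let bits = f(2, 6) + f(0, 72) + f(300, 12) + f(0, 62) + '11' + f(0, 59)
    + f(6, 16) + '1' + f(2, 12) + '0' + f(3, 16) + '1' + f(5, 16) + f(6, 16);
  bits += '0'.repeat((6 - (bits.length % 6)) % 6);
  return bits.match(/.{6}/g).map((b) => B64[parseInt(b, 2)]).join('');
}
```

Treating every decode failure as "no consent" keeps a vendor from falling back to blanket processing when the string is absent or damaged.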
Implementing TCF 2.2 on your website
- Choose a registered CMP. Only IAB-registered CMPs can generate valid TC Strings. ConsentScope recognizes TCF-compliant CMPs automatically.
- Configure purposes and vendors. Decide which of the 12 purposes your site uses and which vendors you work with. Be honest - claiming you need purpose 4 (personalization) when you only run basic analytics is a red flag.
- Design the consent UI. TCF 2.2 requires that users can see and toggle each purpose individually. Pre-ticked boxes are not allowed.
- Implement the CMP script. Load the CMP before any advertising or analytics scripts.
- Pass the TC String to ad tags. Most header bidding wrappers and ad servers accept the TC String automatically if the CMP is properly integrated.
- Test with the IAB validator. Use the official TCF validator to ensure your TC String is correctly formed.
Common TCF implementation mistakes
CMP loads after ad scripts
If your header bidding wrapper or GPT tag loads before the CMP initializes, the first ad request goes out without a TC String. Many ad servers treat a missing TC String as "no consent," which reduces fill rates and revenue. Always load the CMP first.
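One way to enforce this ordering, as an added example that is not part of the original article: hold the ad request until the CMP reports a settled consent state through the `__tcfapi` event listener. `gateAds`, `loadAds`, `makeFakeCmp` and the vendor and purpose IDs used with them are hypothetical; only the `__tcfapi` commands and the TCData fields belong to the CMP API.

```javascript
// Added example: delay the first ad request until the CMP has a consent decision.
function gateAds(tcfapi, vendorId, purposeIds, loadAds) {
  // No CMP API on the page: fail closed instead of requesting ads without a TC String.
  if (typeof tcfapi !== 'function') return false;
  let decided = false;
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData || decided) return;
    // 'cmpuishown' means the banner is open and the user has not chosen yet.
    const ready = tcData.eventStatus === 'tcloaded' ||
      tcData.eventStatus === 'useractioncomplete';
    if (!ready) return;
    decided = true;
    tcfapi('removeEventListener', 2, () => {}, tcData.listenerId);
    const personalised = tcData.gdprApplies === false ||
      (tcData.vendor.consents[vendorId] === true &&
        purposeIds.every((p) => tcData.purpose.consents[p] === true));
    // The ad stack always receives the TC String, even when the answer is "no".
    loadAds({ tcString: tcData.tcString, personalised });
  });
  return true;
}

// Constructed stand-in for window.__tcfapi so the example runs outside a browser.
function makeFakeCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (cmd, version, cb, arg) => {
    if (cmd === 'addEventListener') listeners.set(nextId++, cb);
    if (cmd === 'removeEventListener') cb(listeners.delete(arg));
  };
  // Deliver a TCData-shaped event to every registered listener.
  api.emit = (tcData) => {
    for (const [id, cb] of [...listeners]) cb({ ...tcData, listenerId: id }, true);
  };
  return api;
}
```

In a browser the first argument would be `window.__tcfapi`, and `loadAds` would be the function that starts the header bidding wrapper or GPT request.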
Vendors claim purposes they do not need
The TCF vendor list is self-reported. Some vendors claim more purposes than they actually use, broadening their legal coverage. As a publisher, you should review the declared purposes of every vendor you work with and remove those that seem excessive.
Ignoring the "legitimate interest" removal
TCF 2.2 removed legitimate interest as a legal basis for purposes 3 through 6. If your setup relied on LI for personalization or content selection, you now need explicit consent for those activities. Update your CMP configuration accordingly.
Verifying TCF compliance
Use the IAB Europe TCF Validator browser extension to inspect TC Strings in real time. Check that the CMP ID is valid, the purposes match your configuration and the consent timestamp is recent. Also verify that downstream vendors are actually reading the TC String and not falling back to blanket processing.
FAQ
Is TCF mandatory for GDPR compliance?
No. TCF is an industry standard, not a legal requirement. You can be fully GDPR-compliant without using TCF. However, if you work with programmatic advertising, most demand partners require TCF strings to bid on inventory.
What happens if a vendor ignores the TC String?
That vendor is in breach of their IAB agreement and potentially in breach of GDPR. As a publisher, you have a responsibility to work with reputable vendors and to monitor their behavior. Tools like ConsentScope can help detect when vendors load despite missing consent.
ConsentScope Team
Verified author: Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.