Author: Rimsha Zafar
June 10, 2026

TCF 2.0 vs TCF 2.2: A Brief Overview of Key Differences

Are you still relying on TCF 2.0 to manage consent across your ad stack? That decision could leave significant gaps in your legal compliance posture. Keeping up with which framework version your CMP supports is not a back-office concern. It directly affects your ad revenue, your vendor relationships, and your exposure to regulatory risk.

 

TCF 2.0 was a strong foundation for the digital advertising industry. It gave publishers and vendors a structured way to signal user consent and manage data processing purposes across the ad ecosystem. But as regulators tightened their expectations and scrutiny of the framework increased, IAB Europe had to act. TCF 2.2 arrived in May 2023 to address those gaps.

 

This blog walks through the exact differences between TCF 2.0 and TCF 2.2 side by side. You will see what changed in legal basis rules, vendor disclosure requirements, CMP interface design, and user control mechanisms. Each section puts the two versions next to each other so the distinctions are clear.

What Is the IAB Transparency and Consent Framework?

The IAB Transparency and Consent Framework (TCF) is an industry standard developed by IAB Europe. It provides publishers, vendors, and consent management platforms with a shared technical approach for obtaining and signalling user consent under GDPR. The framework defines how data processing purposes are declared, how legal bases are communicated, and how user preferences are stored and passed across the ad ecosystem.

 

TCF 2.0 launched in August 2019 as a significant step forward from the original TCF. It introduced structured consent strings, formal purpose definitions, and vendor registration requirements through the Global Vendor List. Publishers and CMPs adopted it widely as the standard mechanism for managing programmatic consent at scale across the ad ecosystem.

 

TCF 2.2 launched in May 2023 following a ruling by the Belgian Data Protection Authority (DPA). The ruling found that specific aspects of the TCF failed to comply with GDPR requirements. IAB Europe responded by restructuring key elements of the framework to address the concerns raised in that decision.

TCF 2.0 vs TCF 2.2: The Core Differences at a Glance

Before diving into the detail, here is a direct comparison of the key changes TCF 2.2 introduced across legal basis, transparency, user control, and CMP interface requirements.

 

  • Legal basis for purposes 3, 4, 5, and 6: TCF 2.0 allowed consent or legitimate interest. TCF 2.2 requires consent only.
  • Vendor count on the first CMP layer: TCF 2.0 had no such requirement. TCF 2.2 requires publishers to disclose the total vendor count on the first screen.
  • Consent withdrawal: TCF 2.0 had no specific equal-weight reject requirement. TCF 2.2 requires an equivalent reject option where accept-all is shown.
  • Purpose descriptions: TCF 2.0 used legal-text-based descriptions. TCF 2.2 uses plain-language descriptions with real-life illustrations.
  • Vendor data disclosures: TCF 2.0 required basic registration. TCF 2.2 requires data categories, retention periods, and legitimate interest links.
  • Data retention transparency: TCF 2.0 had no retention period requirement. TCF 2.2 mandates retention disclosure per declared purpose.

Legal Basis for Data Processing: What Changed Between Versions

The shift in legal basis requirements between TCF 2.0 and TCF 2.2 directly affected how vendors could declare their data processing activities.

Legitimate Interest Under TCF 2.0

Under TCF 2.0, vendors had flexibility when choosing their legal basis for processing personal data. For purposes 2 through 10, vendors could declare reliance on either user consent or legitimate interest. This gave vendors the option to process data for personalised advertising without requiring explicit user consent in every case. Many vendors defaulted to legitimate interest for ad personalisation purposes, reducing the friction involved in their initial setup. The framework allowed this dual approach as a practical solution for the industry at the time.

 

Legitimate interest was widely used across the ecosystem because it removed the need to design consent flows for certain data processing activities. This approach worked under TCF 2.0 but came under regulatory scrutiny as data protection authorities began examining the framework more closely. The Belgian DPA ultimately found this arrangement insufficient, setting the stage for the TCF 2.2 update.

Consent-Only Requirements in TCF 2.2

TCF 2.2 removed legitimate interest as an acceptable legal basis for four specific purposes. Purposes 3, 4, 5, and 6 now require explicit user consent as the only valid legal basis under the framework. These purposes cover creating personalised ad profiles, selecting personalised ads, creating personalised content profiles, and selecting personalised content. Vendors who previously relied on legitimate interest for these purposes had to transition to a consent-based model or stop processing data for those activities.

 

This change came directly in response to the Belgian DPA ruling, which found the legitimate interest basis insufficient for personalisation-related data processing. The ruling determined that users were not being given a genuine choice when vendors relied on this basis without presenting a proper consent request. TCF 2.2 closed that gap by making user consent the only permissible legal route for these core advertising purposes.

The Purposes That Were Directly Affected

Purposes 3, 4, 5, and 6 sit at the heart of personalised digital advertising. Each one plays a distinct role in how ads and content are matched to individual users:

 

  • Purpose 3: Create a personalised ads profile using data about the user
  • Purpose 4: Select personalised ads based on that profile
  • Purpose 5: Create a personalised content profile using user interaction data
  • Purpose 6: Select personalised content based on that profile

 

These are core functions of the programmatic advertising ecosystem. The legal basis change for these four purposes had direct implications for vendor operations, CMP design, and ad revenue across the industry. Any vendor active in ad or content personalisation had to reassess their entire legal basis strategy as a result.

Transparency and Disclosure: A Side-by-Side Look

TCF 2.2 raised the bar for what publishers and vendors must disclose to users, moving well beyond the minimal requirements set in TCF 2.0.

How TCF 2.0 Handled Vendor Disclosures

TCF 2.0 required vendors to register their purposes and legal bases on the Global Vendor List. Publishers passed this information to their CMP, which then displayed it to users during the consent flow. The descriptions of purposes were largely based on formal legal text, which most ordinary users found difficult to interpret or understand in practice. There was no standardised requirement for showing data retention periods or specific categories of data being collected by each vendor.

 

The framework prioritised technical interoperability across the ecosystem over user comprehension of the consent process. This created a situation where users technically had access to information about vendor data processing, but the presentation made it difficult to make genuinely informed decisions. Regulators identified this as a systemic weakness in the framework that needed to be addressed.

What TCF 2.2 Demands from CMPs and Vendors

TCF 2.2 introduced a significantly more detailed disclosure model for all framework participants. Vendors must now provide information about the categories of personal data they collect and process for each declared purpose. They must also state how long they retain data per purpose, giving users a clearer picture of the scope of what they are agreeing to. Additionally, vendors must include a link to a page explaining their legitimate interests assessment, where applicable.

 

CMPs are required to surface all of this updated information in their interfaces before users make their consent choices. The intent is to shift from consent that is technically collected to consent that is genuinely informed. Publishers must coordinate with their CMP providers to ensure their interfaces reflect the full range of new vendor disclosures correctly.

Vendor Count Transparency on the First Layer

TCF 2.2 introduced a new requirement that changes what users see before they engage with the full consent interface. Publishers must now display the total number of vendors seeking a legal basis on the very first screen of the CMP. This number must include vendors not participating in the TCF as well, not just those registered on the Global Vendor List.

 

IAB Europe issued a clear warning that an unjustifiably large vendor list could impair users’ ability to make meaningful choices and increase legal risk for publishers. Publishers are encouraged to review and reduce their vendor lists to only those they genuinely work with and need for their operations. This requirement brought immediate transparency to a part of the consent process that was previously invisible to most users.

User Control and Consent Withdrawal: How the Frameworks Compare

Giving users genuine ongoing control over their data was a central concern for regulators, and TCF 2.2 addressed this with specific new requirements.

How Consent Withdrawal Worked Under TCF 2.0

TCF 2.0 did not specify how users should be able to withdraw consent after giving it. There was no mandatory requirement for publishers to keep the CMP interface persistently accessible to users once the initial banner had been dealt with. Once a user dismissed the consent banner, there was often no visible mechanism to revisit or change their choices at a later point. The framework focused heavily on the initial consent collection stage, leaving consent withdrawal as an implementation detail for individual publishers to handle.

 

This created significant inconsistency across the industry in how ongoing user control was managed. Some publishers provided easy access to consent settings while others made it nearly impossible to find. Regulators viewed this inconsistency as a fundamental problem because consent that cannot be withdrawn is not genuine consent under the GDPR standard.

TCF 2.2's Equal-Weight Reject Option

TCF 2.2 introduced clearer requirements around balancing the choice between accepting and rejecting consent. If a CMP presents an Accept All call to action on the first layer, an equivalent Reject All option must be available when the user resurfaces the CMP interface. Users must also be able to find and access the CMP again easily after their initial interaction. IAB Europe specified that publishers should provide persistent access points, such as a floating icon or a footer link on every page.

 

This ensures that withdrawing consent is as straightforward as giving it in the first place. The requirement addressed a common design pattern where Accept All was prominently displayed on the first screen but Reject All required multiple clicks through secondary menus. TCF 2.2 took a clear position that the consent experience must be balanced and not designed to nudge users toward acceptance.

Why Easy Withdrawal Builds Long-Term Trust

When users feel they can change their mind easily, they are more likely to engage meaningfully with the initial consent request. User consent is the foundation of a trustworthy relationship between a publisher and its audience, not merely a regulatory checkbox. Persistent access to consent choices also reduces consent fatigue by giving users a real sense of control rather than a one-time forced decision.

 

Publishers who implement easy consent withdrawal often find that users are more willing to grant consent when they know they can adjust it at any time. Genuine ongoing control leads to more durable and reliable consent signals across the user base. It also reduces the legal risk associated with consent that was collected under pressure or through a confusing interface.

CMP Interface Requirements: Then and Now

The changes TCF 2.2 introduced to CMP interfaces go beyond surface-level updates and reflect a shift toward making consent genuinely informative for users.

Purpose Descriptions and User-Friendly Language

TCF 2.0 used standardised legal text to describe the purposes for which data was being processed. These descriptions were technically accurate but extremely difficult for non-specialist users to understand during the consent flow. TCF 2.2 replaced that legal language with plain-language descriptions that explain what each purpose actually means in practice. The new descriptions are designed to be understood by an ordinary internet user, not just a legal professional or compliance officer.

 

This change directly reflects the regulatory expectation that consent must be informed and not just technically collected through a banner. A user who does not understand what they are consenting to cannot provide valid consent under GDPR. TCF 2.2 required the entire industry to rethink how purpose information was written and presented across consent interfaces.

Illustrations and Contextual Examples in TCF 2.2

TCF 2.2 went further by requiring CMPs to include illustrations and real-life examples on their second-layer interface. These visual aids help users understand what it actually means to allow a vendor to create a personalised ad profile or to select content based on their browsing behaviour. The inclusion of these examples was a direct response to feedback that users often consented without genuinely understanding what they were agreeing to. Understanding the balance between opt-in vs opt-out mechanics matters here, as better user comprehension directly influences how many people engage meaningfully with consent choices.

 

More informed users produce more meaningful and legally robust consent signals for publishers. When a user sees a concrete example of how their data will be used to select an ad, the consent they give carries far greater legal weight than a click on an abstract legal description. This was one of the most practically significant user experience changes introduced by TCF 2.2.

Vendor Data Retention and Category Disclosures

One of the most practical additions in TCF 2.2 is the requirement for vendors to declare their data retention periods. Under TCF 2.0, users had no visibility into how long their data would be held after they gave consent. TCF 2.2 changed this by requiring vendors to specify retention periods for each purpose they declare within their Global Vendor List registration. Vendors must also disclose which categories of personal data they collect, moving beyond broad descriptions to specific data types. Working with the best consent management platforms that fully support these detailed disclosures is now a practical requirement for any compliant publisher.

 

These disclosures are made available through the CMP and give users the information needed to make genuinely informed decisions about their data. A user who knows that their data will be retained for 12 months for personalised advertising has a very different basis for consent than one who is given no information about retention at all. This level of detail was absent from TCF 2.0 and represents one of the most meaningful transparency improvements in TCF 2.2.

Impact on Publishers, Vendors, and Advertisers

TCF 2.2 created distinct obligations for each participant in the framework, and understanding those specific impacts helps businesses plan their response effectively.

What Publishers Need to Do Differently

Publishers had the most visible changes to implement under TCF 2.2. They needed to update their CMP to display the total vendor count on the first layer of the consent interface. They also had to ensure users could easily resurface the CMP after the initial interaction through a floating icon or persistent link on every page. Many publishers used this as an opportunity to review and reduce their vendor lists, improving the quality and credibility of their consent flows. Understanding why publishers need IAB TCF v2 compliance is essential before approaching any update to the framework setup.

 

Publishers also had to coordinate with their CMP providers to ensure that updated purpose descriptions, illustrations, and vendor information were reflected correctly in their interfaces. This was not a simple settings change for many publishers. It required reviewing the entire consent flow and testing it against the new TCF 2.2 specifications before going live with updated configurations.

How Vendors Must Update Their Registrations

Vendors had to update their Global Vendor List registrations with significant new information across several fields. The following updates were required from all registered vendors:

 

  • Declare the categories of personal data collected and processed per purpose
  • Specify data retention periods for each declared purpose
  • Provide a link to any legitimate interest assessment page, where applicable
  • Review and update declared legal bases, particularly for purposes 3, 4, 5, and 6

 

 

Vendors who relied on legitimate interest for those four purposes had to transition to a consent-only model or stop processing data for those purposes under the TCF. The transition deadline for vendor registrations was 30 June 2023. 
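A publisher reviewing its vendor list can turn the four registration requirements above into an automated check. The following Python sketch is an added example, not code from IAB Europe or from any CMP. The record layout (`consent_purposes`, `leg_int_purposes`, `data_categories`, `retention_days`, `leg_int_url`) is a hypothetical simplified schema, not the Global Vendor List format, and both sample vendors are constructed.

```python
"""Audit simplified vendor records against the TCF 2.2 registration rules.

Hypothetical schema for this example only (not the Global Vendor List
format). All sample vendors below are constructed.
"""

# Purposes for which TCF 2.2 accepts consent as the only legal basis.
CONSENT_ONLY_PURPOSES = frozenset({3, 4, 5, 6})


def audit_vendor(vendor):
    """Return a list of findings for one vendor record (empty if clean)."""
    findings = []
    consent = set(vendor.get("consent_purposes") or [])
    leg_int = set(vendor.get("leg_int_purposes") or [])
    declared = consent | leg_int

    # Rule 1: no legitimate interest for purposes 3, 4, 5 and 6.
    for purpose in sorted(leg_int & CONSENT_ONLY_PURPOSES):
        findings.append(
            f"purpose {purpose}: legitimate interest declared, consent only allowed"
        )

    # Rule 2: categories of personal data must be declared.
    if not vendor.get("data_categories"):
        findings.append("no data categories declared")

    # Rule 3: a retention period is needed for every declared purpose.
    retention = vendor.get("retention_days") or {}
    for purpose in sorted(declared):
        if retention.get(purpose) is None:
            findings.append(f"purpose {purpose}: no retention period declared")

    # Rule 4: any remaining legitimate interest needs an assessment link.
    if leg_int and not (vendor.get("leg_int_url") or "").strip():
        findings.append("legitimate interest declared without an assessment link")

    return findings


def audit_vendor_list(vendors):
    """Map vendor name to findings, keeping only vendors with problems."""
    report = {}
    for vendor in vendors:
        findings = audit_vendor(vendor)
        if findings:
            report[vendor.get("name", "<unnamed>")] = findings
    return report


# Constructed sample input: one clean record, one with TCF 2.0-era settings.
SAMPLE_VENDORS = [
    {
        "name": "Example Vendor A",
        "consent_purposes": [1, 3, 4],
        "leg_int_purposes": [2, 7],
        "data_categories": ["IP address", "device identifiers"],
        "retention_days": {1: 30, 2: 30, 3: 365, 4: 365, 7: 90},
        "leg_int_url": "https://vendor-a.example/legitimate-interest",
    },
    {
        "name": "Example Vendor B",
        "consent_purposes": [1],
        "leg_int_purposes": [2, 3, 4],
        "data_categories": [],
        "retention_days": {1: 30, 2: 30},
        "leg_int_url": "",
    },
]

if __name__ == "__main__":
    for name, findings in audit_vendor_list(SAMPLE_VENDORS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
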

What This Means for Advertisers and Ad Tech Partners

Advertisers and demand-side platforms (DSPs) that relied on legitimate interest signals for personalisation purposes had to adapt their targeting logic after TCF 2.2. Without valid consent signals under the updated framework, accessing user data for the affected purposes was no longer permissible. This created pressure across the ad tech ecosystem to improve consent rates through better CMP design and user experience. Consent-driven ad personalisation became more important than ever as advertisers recognised that higher-quality consent signals translate directly to more reliable audience targeting.

 

Advertisers who invested in better consent practices found that their data quality improved alongside their compliance posture. Higher consent rates driven by clearer, more honest CMP interfaces produced more reliable and legally robust data for targeting and measurement. The shift from legitimate interest to consent for personalisation purposes ultimately encouraged the industry to build more trustworthy relationships with users.

Is TCF 2.0 Still Usable?

TCF 2.0 is no longer the active compliance standard for participants in the IAB Europe ecosystem. The transition to TCF 2.2 was required by September 30, 2023, and any publisher, vendor, or CMP still running on TCF 2.0 configurations is operating outside the current framework standards. Beyond compliance concerns, TCF 2.0 lacks the user trust mechanisms that regulators and audiences now expect from a consent framework. Publishers still carrying TCF 2.0 configurations face both legal risk and potential disruption to their programmatic revenue streams.

 

Upgrading is not just a technical task. It is a business decision with real consequences for data quality, first-party data strategies, and ad revenue continuity. The benefits of a Consent Management Platform that fully supports TCF 2.2 far outweigh the effort involved in migration. Businesses that moved quickly to TCF 2.2 protected their programmatic relationships and strengthened the reliability of their consent data at the same time.

Final Thoughts

TCF 2.0 vs TCF 2.2 is not simply a version number update. It represents a fundamental shift in how the ad industry handles user rights, transparency obligations, and legal accountability across the consent process. TCF 2.2 brought tighter consent requirements, clearer disclosures, and stronger user control into the framework. Businesses that embraced these changes built more trustworthy consent flows and stronger foundations for their first-party data strategies.


Frequently Asked Questions (FAQs)

What is the main difference between TCF 2.0 and TCF 2.2?

The biggest change is the removal of legitimate interest as a valid legal basis for purposes 3, 4, 5, and 6. These cover personalised ad and content profiling activities. Under TCF 2.0, vendors could use either consent or legitimate interest for these purposes. TCF 2.2 requires explicit user consent for all four, making the framework stricter and more aligned with what GDPR actually requires for personalisation-related data processing.

When did TCF 2.2 become mandatory?

IAB Europe set a phased transition timeline for the move to TCF 2.2. Vendors were required to update their Global Vendor List registrations by 30 June 2023. Full support for TCF 2.2 across all framework participants, including publishers and CMPs, was required by 30 September 2023. Any business still operating on TCF 2.0 configurations after that date was considered outside the compliance standards set by IAB Europe for the updated framework.

Why did IAB Europe release TCF 2.2?

TCF 2.2 was released primarily in response to a February 2022 ruling by the Belgian Data Protection Authority, which found that the TCF had specific GDPR compliance shortcomings. IAB Europe submitted an action plan to the DPA, which was approved in January 2023. TCF 2.2 represents the industry’s structured effort to address those concerns, particularly around legal basis adequacy and the quality of user transparency across consent interfaces.

Does TCF 2.2 require a Reject All button?

TCF 2.2 does not mandate a Reject All button on the first layer of every CMP. However, if a CMP presents an Accept All option, an equivalent Reject All option must be available when the user resurfaces the CMP interface. Publishers must also ensure users can easily access the CMP again after their initial interaction, such as through a floating icon or a persistent footer link available on each webpage they visit.

How does TCF 2.2 affect vendor registrations on the Global Vendor List?

Vendors registered on the Global Vendor List had to update their entries with significant new information under TCF 2.2. This includes declaring the categories of personal data collected, specifying retention periods for each processing purpose, and providing a link to any legitimate interest assessment where applicable. Vendors relying on legitimate interest for purposes 3 through 6 also had to transition to a consent-only model or stop processing data for those four purposes under the framework.

What is the significance of the vendor count disclosure in TCF 2.2?

TCF 2.2 requires publishers to display the total number of vendors seeking a legal basis on the first layer of their CMP interface, including vendors not registered in the TCF. The purpose is to give users clear and immediate transparency about the scale of data processing before they engage with the full consent interface. IAB Europe also warned that excessively large vendor lists could undermine the quality of user consent and increase legal risk for publishers.

Can a business use TCF 2.0 and TCF 2.2 simultaneously?

Running both versions simultaneously is not a recognised approach within the IAB Europe framework. TCF 2.2 superseded TCF 2.0, and all participants were expected to migrate fully by September 2023. Operating on outdated consent strings creates compliance gaps, as vendors and DSPs that have updated to TCF 2.2 may not correctly interpret older-format consent signals. A clean migration to TCF 2.2 is the appropriate and compliant path forward for all framework participants.

TCF 2.2 replaced dense legal text with plain-language descriptions of each data processing purpose. CMPs must also include illustrations and real-life examples on their second-layer interfaces to help users understand what they are actually agreeing to. These changes make consent interactions more meaningful rather than mechanical. Users who genuinely understand what they are consenting to are more likely to engage thoughtfully with the interface, improving the overall quality of consent signals collected.

What happens if a CMP does not support TCF 2.2?

A CMP that does not support TCF 2.2 cannot generate valid consent strings in the current framework version. This means publishers using that CMP would not be signalling user preferences correctly to vendors and DSPs operating on TCF 2.2. The result is broken consent signals, potential compliance exposure, and loss of ad revenue from vendors that require valid TCF 2.2 strings before they will process data. Choosing a certified, up-to-date CMP is now a fundamental operational requirement.

Are legitimate interests still used at all in TCF 2.2?

Legitimate interest remains a valid legal basis under TCF 2.2 for certain purposes, but it is no longer acceptable for purposes 3, 4, 5, and 6. For purposes outside this group, vendors can still declare legitimate interest where it is appropriate and legally supportable under GDPR. However, they must now also provide a link to a web page explaining their legitimate interests assessment, giving users more transparency about how that legal basis has been applied to their data.

 

Rimsha Zafar

Rimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.
