What would happen to your programmatic revenue if your consent strings suddenly became invalid overnight? That is the risk publishers face without proper TCF v2 compliance. This blog breaks down exactly what TCF v2 compliance means, what has changed, and what you need to do to stay protected.
The IAB Europe Transparency and Consent Framework (TCF) sets the standard for how publishers, consent management platforms, and ad tech vendors communicate user privacy choices. Version 2 of this framework brought significant changes to how consent is captured, encoded, and passed through the advertising supply chain. Understanding these changes is no longer optional.
Whether you run a media website, a SaaS platform, or a programmatic advertising operation, TCF v2 compliance affects how your ads are served and how your audience data is handled. This guide covers the essentials: what the framework requires, how it works in practice, and how to get fully compliant without disrupting your business.
TCF v2 compliance refers to meeting the technical and policy standards set by IAB Europe’s Transparency and Consent Framework in its second major version.
The TCF was created to standardise how user consent is captured and communicated across the digital advertising ecosystem. Without it, publishers and vendors would have no common language for sharing privacy preferences. The framework creates a reliable signal that travels through the entire ad supply chain.
It sits at the intersection of GDPR requirements and real-world ad tech operations. Rather than leaving each publisher to build their own consent mechanism, the TCF provides a shared technical and policy standard. This makes compliance more consistent and auditable across the industry.
TCF v2 introduced stricter requirements for how user consent is obtained and stored. The framework moved away from implied consent and required publishers to get clear, specific agreement from users. It also gave users more granular control over which vendors and purposes they consented to.
Version 2.2 specifically removed legitimate interest as a legal basis for advertising purposes. This meant vendors could no longer rely on a softer opt-out model for core ad activities. Publishers had to update their consent notices and their consent management platforms accordingly.
TCF v2 compliance applies to publishers, consent management platforms, and ad tech vendors operating within the GDPR regulatory scope. Any business running programmatic advertising on its platform falls within this requirement. If you work with IAB-registered vendors, you almost certainly need to be compliant.
This also includes SaaS businesses that collect data from European users and display ads. Non-compliance does not just carry regulatory risk. It directly affects your ability to earn revenue from programmatic advertising channels.
Understanding TCF v2 compliance requires knowing how consent data moves from your website to the ad auction in real time.
Every time a user interacts with your consent banner, their choices are encoded into a TC string. This string carries information about which vendors the user was shown, which purposes they agreed to, and which they rejected. It travels with ad requests to tell bidders whether they are permitted to serve an ad.
The TC string is a standardised data format, not a simple yes or no. It contains granular records of each vendor’s consent status and each advertising purpose. This makes it possible for hundreds of vendors in a programmatic chain to read a single signal and act accordingly.
A registered Consent Management Platform (CMP) is responsible for collecting, encoding, and transmitting TC strings correctly. Without a compliant CMP, your consent data cannot be read by the vendors you work with. This breaks the consent signal and effectively disqualifies your ad inventory from premium programmatic demand.
The benefits of a Consent Management Platform go beyond legal compliance. A good CMP gives you accurate consent records, supports user preference updates, and ensures your signals remain valid across every ad request. It is the operational backbone of your TCF v2 compliance strategy.
Vendors registered in the IAB Global Vendor List (GVL) are trained to read TC strings and check whether they have consent for each purpose they want to run. If a vendor is not listed in the TC string or lacks the relevant consent, they must not process user data. This creates a traceable accountability chain.
Programmatic platforms like Google’s ad stack will simply not bid on inventory where the consent signal is missing or invalid. That is not a warning. It is how the system functions by design. Proper TCF v2 compliance ensures your inventory remains eligible for the full range of demand.
The framework has evolved through two important updates, each tightening the requirements around transparency and vendor accountability.
TCF v2.2 removed legitimate interest as a permitted legal basis for core advertising purposes. This was a policy-level change that forced publishers and vendors to rely solely on explicit user consent for ad personalisation and targeting. Any CMP that had not updated its configuration by the v2.2 deadline was already out of step with the framework.
Publishers had to review their vendor lists, update their consent banners, and ensure their CMPs were configured to reflect the new rules. Understanding the difference between opt-in vs opt-out became more important than ever as the framework shifted to explicit consent only.
TCF v2.3 introduced a new mandatory segment inside the TC string called “disclosed vendors.” This segment records which vendors were actually shown to the user in the CMP interface at the time of consent collection. It is not enough to have a vendor on your list. The framework now requires proof that they were disclosed.
Before v2.3, vendors receiving a negative signal could not tell whether the user had actively rejected them or simply was never shown their name. The disclosed vendors segment resolves that ambiguity. It creates a verifiable disclosure record that regulators and partners can check.
All TCF participants were required to adopt TCF v2.3 by 28 February 2026. Publishers who missed that deadline would find their TC strings rejected by major demand-side platforms. Ad requests without a valid v2.3 string default to “Limited Ads” status, which excludes most personalised demand from the auction.
The revenue impact of non-compliance is substantial. Estimates suggest that programmatic revenue can fall by more than 50 percent when consent strings are invalid. Understanding how IAB TCF v2 helps protect programmatic ad revenue helps publishers see compliance as a business priority, not just a regulatory one.
Proper TCF v2 compliance is not a cost centre. It is what keeps your ad inventory competitive in a supply chain that runs on consent signals.
When your TC string is valid and properly formatted, premium demand sources can read it and bid on your inventory. When it is invalid or missing the disclosed vendors segment, those same demand sources step back. The difference shows up in your eCPM and fill rates almost immediately.
Here is what TCF v2 compliance protects in practice:
Publishers often assume that consent compliance and ad revenue are in tension. In practice, a well-configured CMP with accurate TCF v2 compliance enables more of your valid inventory to compete in the auction, not less. It also supports stronger consent-based marketing outcomes by ensuring your audience data is clean and verified.
Even publishers with a CMP in place often carry hidden compliance gaps that affect revenue and legal standing.
Many CMPs update their core software but require publishers to manually update their consent notice settings, vendor lists, and TC string configuration. A CMP that was compliant under v2.2 does not automatically become v2.3 compliant. Publishers need to actively check whether the disclosed vendors segment is being generated correctly in their TC strings.
This is one of the most common mistakes. The platform is updated, but the account configuration has not been touched since installation. The result is a TC string that looks valid but fails vendor-level checks downstream.
If your vendor list includes 200 vendors but your CMP only displays 50 in the consent banner, the disclosed vendors segment will flag the discrepancy. Vendors not shown in the UI cannot legally receive consent under v2.3. Your cookie policy and CMP interface must accurately reflect every vendor you are passing data to.
This matters both for compliance and for user trust. When users see an accurate list of data recipients, they can make a genuine choice. When that list is incomplete, the consent collected is not legally valid under the framework.
Ad tech vendor relationships change over time. New partners are added, old ones are removed, and some update their declared purposes in the Global Vendor List. If your CMP configuration is not kept in sync with the current GVL, your TC strings will carry outdated consent records.
Regular vendor list audits are part of ongoing TCF v2 compliance, not a one-time setup task. Most CMPs offer automated GVL synchronisation, but publishers still need to review their vendor selections periodically and ensure their consent notices reflect the current state of their ad tech stack.
Getting to full TCF v2 compliance is a structured process that any publisher can follow with the right tools and habits.
Only CMPs registered with IAB Europe are authorised to generate valid TC strings. Working with an unregistered solution will not produce compliant consent signals. The first step is confirming that your CMP appears on the official IAB Europe CMP list and that it supports TCF v2.3. The best consent management platforms combine ease of integration with robust signal generation and a clean audit trail.
For publishers working across multiple markets, look for a CMP that handles regional compliance requirements alongside TCF. Combining strong TCF v2 compliance with broader GDPR alignment gives your business a complete data governance foundation.
Once your CMP is in place, the next step is ensuring that every vendor you work with is correctly disclosed in the CMP user interface. This means aligning your vendor list with what your CMP banner actually shows users. This is also an opportunity to audit your first-party data collection practices. Publishers who rely on clean, consented first-party data are better positioned for long-term revenue stability.
The disclosed vendors segment in v2.3 will record a mismatch if your vendor list and your banner display are out of sync. Fixing this requires a review of your CMP settings and a comparison against your current ad tech vendor agreements.
Before assuming your configuration is correct, test your TC strings using IAB Europe’s official TC string decoder. This tool lets you verify that the consent data being generated matches what your CMP is supposed to collect. Check that the disclosed vendors segment is present, that purpose consents are correctly recorded, and that the string version matches v2.3 requirements.
Testing is not a one-time step. Any change to your vendor list, CMP configuration, or consent notice design should be followed by a fresh TC string check. Understanding why publishers need IAB TCF v2 compliance makes it easier to build this check into your standard publishing workflow rather than treating it as an occasional task.
TCF v2 compliance is not a bureaucratic checkbox. It is the technical foundation that keeps your ad revenue intact and your consent practices legally sound. Publishers who stay current with the framework protect both their income and their audience relationships. Getting compliant is a manageable process when you work with the right tools and check your configuration regularly.
Seers is an IAB-registered Consent Management Platform built to keep publishers fully aligned with TCF v2 compliance. Configure your consent notices, manage your vendor disclosures, and generate accurate TC strings without the guesswork. Seers handles the complexity so you can focus on growing your business.
START FREE TODAYTCF v2 compliance refers to meeting the standards set by IAB Europe’s Transparency and Consent Framework version 2. It applies to publishers, consent management platforms, and ad tech vendors who operate within the scope of GDPR and process user data for digital advertising. If you run programmatic advertising serving European audiences, TCF v2 compliance is directly relevant to your business and your revenue.
Without valid TCF v2 compliance, your TC strings may be rejected by major demand-side platforms. Ad requests that carry invalid or missing consent signals default to a “Limited Ads” serving mode, which excludes most personalised advertising demand. For publishers relying on programmatic revenue, this can result in a significant and immediate reduction in ad earnings, with estimates suggesting losses of over 50 percent in some cases.
TCF v2.2 focused primarily on policy changes, specifically removing legitimate interest as a valid legal basis for advertising purposes. TCF v2.3 moved the focus to proof: it introduced the mandatory “disclosed vendors” segment inside the TC string, which requires publishers to record which vendors were actually shown to users in the CMP interface. This creates a verifiable disclosure record that was not required under v2.2.
A TC string is a standardised encoded data structure that records a user’s consent choices. It contains information about which vendors were disclosed, which purposes the user consented to or rejected, whether legitimate interest was invoked, and publisher-level restrictions. This string travels with ad requests, allowing every vendor in the supply chain to read the user’s preferences and act accordingly.
Only CMPs registered with IAB Europe are authorised to generate valid TC strings under the TCF. Using an unregistered CMP, even one with a functional consent banner, will not produce consent signals that demand partners can accept. Any publisher working within the TCF framework must ensure their CMP appears on the official IAB Europe registered CMP list and supports TCF v2.3.
The disclosed vendors segment records which vendors from the Global Vendor List were actually shown to the user in your CMP interface during consent collection. If your vendor list contains vendors that were not displayed in the banner, those vendors will not have a valid consent signal under v2.3. This requires publishers to keep their CMP display settings aligned with their actual vendor configurations at all times.
Probably not. If your current banner was configured before TCF v2.3, it is unlikely to be generating the disclosed vendors segment correctly. You will need to update your CMP configuration, review your vendor list, and verify that your TC strings include all required v2.3 fields. The visual design of your banner may remain similar, but the underlying consent signal must be updated to meet current requirements.
TCF v2 compliance is designed to help publishers and vendors meet specific GDPR requirements around user consent for data processing in advertising contexts. The framework does not replace GDPR compliance in full. It addresses the technical standardisation of consent signals across the programmatic advertising ecosystem. Businesses still need to address other GDPR obligations separately from their TCF implementation.
The Global Vendor List (GVL) is a registry maintained by IAB Europe that lists all ad tech vendors registered under the TCF. Publishers use the GVL to select which vendors they work with and to generate accurate TC strings. Vendors must appear on the GVL to legally receive consent signals under the framework. Keeping your vendor selection aligned with the current GVL is an ongoing part of TCF v2 compliance.
Vendor lists should be reviewed whenever you add or remove an ad tech partner, and at minimum on a quarterly basis. IAB Europe updates the Global Vendor List regularly as vendors join, update their declared purposes, or leave the framework. Any change to your vendor configuration should be followed by an update to your CMP settings and a TC string validation check to ensure your consent signals remain accurate.
Rimsha ZafarRimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.
Take our Free Cookie Audit and find out
Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.
United Kingdom
24 Holborn Viaduct
London, EC1A 2BN
Get our monthly newsletter with insightful blogs and industry news
By clicking “Subcribe” I agree Terms and Conditions
Seers Group © 2026 All Rights Reserved
Terms of use | Privacy policy | Cookie Policy | Sitemap | Do Not Sell or Share My Personal Information.