Businesses throughout Europe find adhering to the transparency requirements and privacy regulations of the European Union a challenging task. For years, there has been a severe need for a mutually agreed-upon standard to unite data-driven businesses on a clear approach to dealing with consent and bans on users’ data usage.
Fortunately, the Interactive Advertising Bureau (IAB) Europe has created a solution to establish such a standard for acquiring and communicating users’ choices that is designed to help businesses meet the transparency and consent-signaling requirements set forth by the General Data Protection Regulation (GDPR). That solution is the Transparency and Consent Framework (TCF).
CookieScript is a registered Consent Management Platform at IAB and is listed as a Google CMP partner for the implementation of Google Consent Mode and Google Tag Manager. Full integration with the latest version, IAB TCF 2.3, is available for selected pricing plans. Starting February 28, 2026, all new TC strings must be generated using TCF v2.3 (Google will still accept TCF v2.1 and v2.2 strings created before February 28, 2026). With CookieScript, you can use all functionalities of Google’s advertisement products like Google AdSense, Ad Manager, or AdMob.
What is the IAB Transparency & Consent Framework?
The IAB created the TCF to set the standard for how businesses in the publishing and advertising ecosystem can conduct targeted advertisements in a manner designed to support GDPR-aligned transparency and consent signaling. The overall goal of the TCF is to provide the publishing and advertising industries with a straightforward platform to deliver appropriate digital promotions and content based on user consent.
TCF 2.3 – the latest version of the TCF – has been updated in order to expand its ability to provide technical specifications and policies for companies that use cookies to deliver ads, maintain user profiles, and conduct ad or content analysis online. Many users found challenges in earlier versions of the framework, so the latest TCF version builds on previous updates to address these challenges and enable enhanced consumer transparency and choice — including clearer disclosure and signaling about which vendors were presented to the user.
Businesses are now able to take advantage of the TCF’s upgraded capabilities to comply with privacy regulations while transferring consumer data. Plus, consent is granular for users, who can now control whether vendors are allowed to use their personal data. Under the TCF, users can grant, refuse, or revoke their consent, as well as object to any data sharing not based on their consent.
IAB TCF and GDPR
The IAB Europe TCF is a set of technical specifications and policies built to support GDPR-aligned transparency and consent signaling. In plain terms, it gives website publishers a framework to tell users how their data is processed, and how it’s shared and used by third-party vendors.
The TCF was designed by the IAB to help publishers, advertisers, and their networks apply consistent transparency and consent practices under the GDPR and the ePrivacy Directive (cookie law). But it’s not a magic “compliance switch” — using the TCF alone doesn’t automatically make processing compliant.
Data protection authorities (DPAs) can impose significant fines on organizations (including publishers) that don’t adhere to the GDPR — up to EUR 20,000,000 or 4% of annual worldwide turnover, whichever is higher. And in the real world, publishers rarely deal with just one or two partners.
They often work with a long list of third parties, which makes clear disclosures and consistent user choices harder to implement (and harder to maintain over time). That’s where the TCF helps: it creates a standardized way to communicate user choices to vendors, supporting privacy requirements while still enabling advertising and measurement where appropriate.
Even so, businesses aren’t legally required to use the TCF to meet GDPR requirements. It’s best seen as a set of useful guidelines that can simplify the process in ad-supported environments — because doing it all manually can quickly turn into a complex, costly, and time-consuming headache.
How does TCF Work?
The TCF is basically the “plumbing” for turning user consent (and related choices) into a standardized signal that can travel through the advertising supply chain in a way that’s usable under the GDPR.
Here are the mechanics:
- A user is shown choices in a CMP and makes selections (including user consent where required).
- The CMP encodes those choices into a TC string (the standardized consent signal).
- That TC string is stored and made available alongside ad/measurement activity, so downstream parties can read it.
- Vendors — including Google Ad Tech Providers — read the TC string and use it to determine what they’re allowed to do for a given request.
- In TCF v2.3, the TC string also includes a mandatory disclosed vendors signal, which indicates whether a vendor was actually presented to the user in the CMP interface.
The result is one consistent consent signal that can be passed through the advertising supply chain instead of every partner relying on their own format.
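The vendor-side step of this flow, as an added example (not CookieScript's or IAB Europe's code): it decodes the core segment of a TC string and looks for the disclosed vendors segment, which is segment type 1 in the TCF v2 TC string layout. The sample string is built inside the code; CMP id 999 and the vendor ids are made-up values.

```javascript
// Added example: vendor-side reading of a TC string (TCF v2 bit layout).
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const toBits = (seg) => [...seg].map((c) => {
  const v = B64URL.indexOf(c);
  if (v < 0) throw new Error('invalid base64url character in TC string');
  return v.toString(2).padStart(6, '0');
}).join('');
const fromBits = (bits) => bits.padEnd(Math.ceil(bits.length / 6) * 6, '0')
  .match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join('');
const num = (bits, start, len) => parseInt(bits.slice(start, start + len), 2);
const bin = (value, len) => value.toString(2).padStart(len, '0');

// Vendor section: MaxVendorId(16), IsRangeEncoding(1), then bitfield or ranges.
function vendorIds(bits, at) {
  const max = num(bits, at, 16), ids = [];
  if (bits[at + 16] === '0') { // bitfield: one bit per vendor id 1..max
    for (let id = 1; id <= max; id++) if (bits[at + 16 + id] === '1') ids.push(id);
    return ids;
  }
  let pos = at + 29; // range encoding: entries follow NumEntries(12)
  for (let n = num(bits, at + 17, 12); n > 0; n--) {
    const isRange = bits[pos] === '1', first = num(bits, pos + 1, 16);
    const last = isRange ? num(bits, pos + 17, 16) : first;
    for (let id = first; id <= last; id++) ids.push(id);
    pos += isRange ? 33 : 17;
  }
  return ids;
}

function parseTcString(tc) {
  const [core, ...rest] = tc.split('.').map(toBits);
  const out = {
    version: num(core, 0, 6),
    cmpId: num(core, 78, 12),
    purposesConsented: [...core.slice(152, 176)].flatMap((b, i) => (b === '1' ? [i + 1] : [])),
    disclosedVendors: null, // stays null when no disclosed vendors segment exists
  };
  for (const seg of rest) if (num(seg, 0, 3) === 1) out.disclosedVendors = vendorIds(seg, 3);
  return out;
}

// True only if the string says this vendor was shown to the user in the CMP.
const wasDisclosed = (tc, vendorId) => (parseTcString(tc).disclosedVendors || []).includes(vendorId);

// Constructed sample: CMP id 999 (made up), consent to purposes 1 and 3,
// vendors 2 and 5 disclosed. All other fields are zeroed for brevity.
const SAMPLE_CORE = fromBits(bin(2, 6) + '0'.repeat(72) + bin(999, 12) +
  '0'.repeat(62) + '101' + '0'.repeat(21) + '0'.repeat(83));
const SAMPLE_TC = SAMPLE_CORE + '.' + fromBits(bin(1, 3) + bin(5, 16) + '0' + '01001');
```

A receiver that expects TCF v2.3 strings can treat `disclosedVendors === null` as a missing mandatory signal instead of assuming the vendor was shown to the user.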
IAB TCF 2.3 Vendor List and Google Ad Tech Providers
Publishers don’t just “run ads” — they decide which vendors (and Google Ad Tech Providers) can take part, and for what reasons. Your CMP then presents that vendor information to users and explains the purposes their data may be used for — things like content personalization, targeted advertising, measurement, and more.
At the center of this is the Global Vendor List (GVL). It’s the IAB TCF’s registry of vendors participating in the framework, including their registration details and declared purposes. The TCF also includes a CMP validation program, which checks whether participating CMPs follow the framework’s technical and policy requirements.
On the Google side, publishers can control which Google providers (often referred to as Google ad partners) are allowed to serve and measure ads for users in the European Economic Area (EEA), the UK, and Switzerland. This ties into Google’s EU User Consent Policy, which requires publishers to clearly identify each party with whom data is shared. You can apply a custom selection or use a commonly used set — but either way, those providers must be listed for users.
Google’s listed providers also supply key transparency information (including details about their data use) and agree to follow Google’s data usage requirements. Publishers can typically view and manage these controls inside their Ad Manager, AdSense, or AdMob account.
To work with the GVL, generate a valid TC string, and pass consent signals down the advertising supply chain, you’ll need a CMP with full TCF v2.3 integration. This is especially important now because TCF v2.3 requires a mandatory disclosed vendors signal inside the TC string. You can select vendors and Google Ad Tech Providers using the CookieScript CMP.
Read the related information:
- The list of Google Ad Tech Providers.
- The guide about how to enable the IAB TCF 2.3.
- The guide about how to select global vendors and Google Ad Tech Providers.
Who should use TCF?
If you’re a first-party publisher (or you run a site/app) and you pass user data to third-party advertisers or other parties, the IAB TCF is built for that exact setup. It gives you a standardized way to handle transparency and user choice, and it helps you—as the controller of data—stay in control of how your users’ data is processed and for which purposes.
This is especially relevant for any publisher or website operator serving users in the European Economic Area (EEA), the United Kingdom, or Switzerland who monetizes content through third-party advertising. In those environments, GDPR expectations apply to anyone who handles, keeps, or tracks users’ data using cookies, device identifiers, or other tracking technologies.
And if you rely on Google ad products to serve personalized ads in these regions, a certified CMP that’s integrated with the TCF may also be required for certain advertising use cases. The TCF can also be used by organizations outside these regions that choose to apply GDPR-level requirements across their websites or apps.
IAB Transparency & Consent Framework and CookieScript
CookieScript functions as a solution for ensuring website cookies comply with the latest ePrivacy regulations from the GDPR. Since EU fines for non-compliance with data regulations are so high, having the tools to comply with the latest in Privacy Policy regulations is critical for business websites’ online efforts as well as their long-term financial success.

CookieScript stays up to date with the latest EU regulations while providing easy-to-use and user-friendly options for maintaining full compliance under the TCF guidelines. CookieScript can be fully integrated into the vast majority of popular hosting platforms, from WordPress and Wix to Shopify, SquareSpace, and more. Website publishers can enable IAB TCF 2.3 compliance and select global vendors and Google Ad Tech Providers.
Frequently Asked Questions
What is the Interactive Advertising Bureau Transparency and Consent Framework?
The Transparency and Consent Framework (TCF) was created by the Interactive Advertising Bureau (IAB) to standardize how businesses run targeted advertisements while also remaining in compliance with the GDPR. It’s essentially a framework for running online ads with the appropriate consent levels in place.
What’s the purpose of the TCF?
The Transparency and Consent Framework allows publishers to use similar communication methods while following the GDPR. You don’t need to follow the TCF to be in GDPR compliance, but it does provide a useful set of guidelines to help ensure compliance. It essentially simplifies some of the complexities surrounding the GDPR.
How does the Transparency and Consent Framework work?
The TCF makes it easier for publishers to gain the consent of users and share that data with advertisers. It allows users to interact with vendors through the Consent Management Platform of the publishers.
Who needs to use the TCF?
The TCF was designed for any first-party publisher working with advertisers. It was designed to simplify the transparency process and provides more control over the data processing of its users.
What’s the Best Way to use the IAB’s Transparency and Consent Framework?
Complying with the GDPR is essential for any first-party publisher that transfers data to third-party publishers. You can use the TCF to stay within GDPR compliance by finding a registered Consent Management Platform (CMP) like CookieScript, through the Interactive Advertising Bureau.
What are Google ad technology providers?
To comply with the GDPR and the DPA 2018, Google allows publishers to select which ad technology providers are allowed to serve and measure ads in the EEA and the UK to support ad delivery, ad measurement, and other functions. See the list of Google Ad Tech Providers. You can select the default or a custom set of Google ad technology providers by using a Consent Management Platform (CMP) that has IAB TCF 2.3 integration. Select Google Ad Tech Providers using the CookieScript CMP!
What is a Global Vendor List?
The IAB TCF 2.3 manages a Global Vendor List (GVL) which stores the registration information of vendors who work with website publishers and advertisers and their Consent Management Platforms (CMPs). It also oversees the compliance process for CMPs participating in the TCF. With CookieScript CMP, which is a registered CMP at the IAB, you can select vendors from a Global Vendor List and comply with the GDPR.