TCF 2.2: understanding the Transparency and Consent Framework

TL;DR

The TCF 2.2 (Transparency and Consent Framework) is a technical standard from IAB Europe that enables structured transmission of visitor consent choices to advertising vendors (ad tech vendors). It does not replace the GDPR or Google Consent Mode: it complements them by standardising consent communication across the programmatic advertising chain. If your site displays programmatic advertising or uses adtech technologies, your CMP must support TCF 2.2.

What is TCF 2.2?

The TCF 2.2 (Transparency and Consent Framework version 2.2) is a technical framework developed by IAB Europe. It defines a standardised protocol to transmit user consent choices to advertising vendors (SSPs, DSPs, ad exchanges, data management platforms) participating in the programmatic chain.

When a visitor interacts with a TCF-compatible consent banner, the CMP generates a TC String: an encoded character string containing the visitor consent choices for each purpose and for each vendor registered in the IAB Global Vendor List (GVL).

What is the difference between TCF 2.2 and Consent Mode v2?

TCF 2.2 and Google Consent Mode v2 are two complementary mechanisms, not competitors. Consent Mode v2 is proprietary to Google and transmits signals exclusively to Google tags. TCF 2.2 is an open industry standard transmitting choices to all vendors in the IAB GVL (over 1,000 vendors) across 11 purposes.

If your site only uses Google Analytics and Google Ads, Consent Mode v2 is sufficient. If your site displays programmatic advertising via SSPs or ad exchanges, TCF 2.2 is needed in addition.

Who needs to implement TCF 2.2?

Publishers who monetise through programmatic advertising and work with GVL-registered vendors. Adtech vendors (SSPs, DSPs, DMPs) processing consent data in the EEA must also be registered and respect TCF signals.

If your site does not display programmatic advertising, TCF 2.2 is not necessary. A standard consent banner with Consent Mode v2 covers your needs.

TCF 2.2 purposes

TCF 2.2 defines 11 purposes and 2 special purposes. These cover device storage (purpose 1), limited ad selection (purpose 2, new), ad profiling (purposes 3-4), content personalisation (purposes 5-6), performance measurement (purposes 7-8), audience understanding (purpose 9), service improvement (purpose 10), and limited content selection (purpose 11, new).

How does TCF 2.2 work in practice?

The TCF-compatible CMP displays the consent banner with purposes and vendors. The visitor makes their choices. The CMP generates the encoded TC String and stores it. Advertising scripts read the TC String via the CMP API (__tcfapi method) and adapt their behaviour based on consents obtained.

To be valid, a CMP must be registered with IAB Europe and obtain a CMP ID. FlowConsent and the main CMPs on the market support TCF 2.2.

What changed between TCF 2.1 and TCF 2.2?

TCF 2.2, published in May 2023, removes legitimate interest for purposes 3-6 (profiling), requires explicit consent for those purposes, adds two new purposes (2 and 11), and requires vendors to provide processing description URLs for greater transparency.

Common mistakes with TCF 2.2

Confusing TCF with Consent Mode. These are two different mechanisms. TCF concerns the programmatic chain, Consent Mode concerns Google tags.

Enabling TCF on a site without programmatic advertising. TCF adds complexity to the banner. If your site does not need it, it makes the banner unnecessarily complex.

Using a CMP not registered with the IAB. Only registered CMPs can generate valid TC Strings. Adtech vendors reject signals from uncertified CMPs.

Not updating the Global Vendor List regularly. The GVL is updated frequently. An outdated version may cause incorrect consent transmission.

Checklist: implementing TCF 2.2

1. Verify that your site uses programmatic advertising requiring TCF.
2. Choose a CMP registered with IAB Europe.
3. Configure TCF purposes in the consent banner.
4. Identify GVL vendors used on your site.
5. Configure Consent Mode v2 in parallel for Google tags.
6. Test TC String generation with a decoding tool.
7. Verify that adtech scripts correctly read the TC String via __tcfapi.
8. Run a cookie audit to confirm pre-consent blocking.

Conclusion

TCF 2.2 is a necessary standard for sites participating in programmatic advertising in the EEA. It completes the compliance chain by standardising consent transmission to adtech vendors. If your site does not display programmatic advertising, TCF is not necessary. Start with a scan of your site to identify the scripts present and determine whether TCF is relevant for your configuration.