IAB TCF 2.2 vs TCF 2.3: Compliance Guide for 2026

The February 28, 2026 deadline has passed. As of March 1, 2026, any TC String generated without the disclosedVendors segment is technically invalid under IAB TCF 2.3. If your Consent Management Platform hasn’t updated yet, ad exchanges may already be rejecting your consent signals, and your programmatic revenue could be taking a hit.

This guide covers exactly what changed between TCF 2.2 and TCF 2.3, who needs to act, and what to do right now if you haven’t migrated. You’ll also find a step-by-step checklist to verify your setup and avoid the most common migration mistakes.

CookieTrust already supports IAB TCF 2.2 natively, so users on the platform are starting from a compliant baseline. If you’re not yet on a managed CMP, this guide will show you what’s involved in getting there.

What Is the IAB TCF and Why Does It Matter for Your Site?

The Transparency and Consent Framework (TCF) is a technical standard created by IAB Europe. It gives publishers, advertisers, and ad tech vendors a shared language for communicating user consent signals across the programmatic advertising supply chain.

In practical terms: when a user clicks “Accept” or “Reject” on your cookie banner, the TCF translates that choice into a standardized string of data called a TC String. That string gets passed to every vendor in your ad stack, telling them what they’re allowed to do with the user’s data.

Any site running programmatic ads, Google Ad Manager, or header bidding through Prebid is affected. Even sites using Google AdSense may see indirect effects, since Google uses consent signals to determine which ad types to serve.

The business case for compliance is straightforward. Non-compliant or malformed TC Strings get rejected by ad exchanges. Rejected strings mean fewer eligible bids, lower fill rates, and reduced CPMs. Publishers who fail to pass valid consent signals to Google, for example, see ad requests default to “Limited Ads,” which can cut programmatic revenue by more than 50%.

The TCF has evolved steadily since its launch: v1.1 in April 2018, v2.0 in August 2019, v2.1 in August 2020, v2.2 in May 2023, and now v2.3 in June 2025. Each version has tightened the requirements around how consent is collected and communicated. TCF 2.3 is the most significant update since 2.0.

For a broader look at how cookie consent fits into your overall GDPR strategy, see our guide on cookie banner GDPR strategies.

TCF 2.2 vs TCF 2.3: What Actually Changed

The headline change in TCF 2.3 is the disclosedVendors segment. But there are several other updates worth understanding before you run your migration checklist.

The disclosedVendors Segment (Now Mandatory)

In TCF 2.2, the disclosedVendors segment was optional. CMPs could include it or leave it out, and TC Strings were still considered valid either way.

TCF 2.3 makes it mandatory. From March 1, 2026, every TC String must include the disclosedVendors segment, or it’s invalid.

The segment itself is a bit field that records which vendors were actually shown to the user in the CMP interface. A bit value of 1 means the vendor was disclosed; 0 means they weren’t. This gives downstream vendors a clear, machine-readable signal about what the user actually saw before making their consent decision.

The full TC String structure looks like this:

[Core Segment] . [disclosedVendors Segment] . [PublisherTC Segment]

The disclosedVendors segment sits between the core consent data and the publisher-specific signals. Without it, the string is now considered incomplete.

Legitimate Interest Signaling Clarity

This is the technical problem that TCF 2.3 was specifically designed to fix.

In TCF 2.2, a Legitimate Interest (LI) bit set to 0 was ambiguous. It could mean one of two things: either the user had actively objected to that vendor’s legitimate interest claim, or the vendor simply wasn’t disclosed in the CMP interface at all. Vendors had no way to tell the difference.

That ambiguity created real problems. A vendor with a Special Purpose (like security or fraud prevention) couldn’t reliably determine whether a 0 bit meant “user objected” or “user was never shown this vendor.” The two situations require completely different responses.

TCF 2.3 resolves this by combining the LI bit with the disclosedVendors signal. Now, if a vendor’s bit in disclosedVendors is 0, the LI bit 0 clearly means “not disclosed.” If the vendor’s bit in disclosedVendors is 1, the LI bit 0 clearly means “user objected.” No more guessing.

UI and Disclosure Requirements

TCF 2.3 also tightens the rules around consent UI design. The “Reject all” button must be as visually prominent as the “Accept all” button. This isn’t a new concept (regulators have been pushing for this for years), but TCF 2.3 makes it a formal requirement within the framework itself.

Vendor disclosure in the consent interface also becomes more explicit. Users must be able to see which specific vendors are being disclosed, not just a count or a category label.

What Stays the Same

The core consent collection mechanics haven’t changed. The same six purposes (storage, personalization, ad selection, etc.) still apply. The basic TC String structure is the same. If your CMP was generating valid TCF 2.2 strings, the migration to 2.3 is an update, not a rebuild.

The Global Vendor List (GVL) is also unchanged in how it works. It’s continuously updated rather than versioned, so there’s no separate “GVL for TCF 2.3” to worry about.

Aspect	TCF 2.2	TCF 2.3
disclosedVendors segment	Optional	Mandatory
LI bit = 0 meaning	Ambiguous	Clear (objection only)
Vendor disclosure to user	Implicit	Explicit signal
Reject-all button	Required	Strictly enforced
TC String validity	Valid until Feb 28, 2026	Required from Mar 1, 2026
Consent mechanism	Same	Same

Who Needs to Act Now

Not every website is equally affected. Here’s how to assess your urgency.

Publishers with programmatic ads (Google Ad Manager, Prebid, header bidding) face the most immediate risk. Your ad stack depends on valid TC Strings to pass consent signals to every vendor in the chain. If your CMP is still generating TCF 2.2 strings without the disclosedVendors segment, those strings are now invalid. Check your fill rates and CPMs now. A sudden drop since March 1 is a strong signal something is wrong.

SMEs using Google AdSense are affected, but with moderate urgency. AdSense primarily relies on Google Consent Mode v2 for consent signaling, so TCF compliance is less directly tied to your revenue. That said, if you’re also running any header bidding or direct programmatic deals, the urgency increases significantly.

Agencies managing multiple client sites face the highest operational complexity. You need to verify TCF 2.3 compliance across every client property, not just your own. A single non-compliant site in your portfolio creates liability and potential revenue loss for that client.

Sites with no programmatic ads may not need TCF at all. If you’re running a content site with no ad monetization, the TCF framework doesn’t apply to you. Standard GDPR cookie consent requirements still apply, but you don’t need a TCF-certified CMP.

This is fundamentally a business continuity issue, not just a legal one. For more context on why GDPR compliance matters beyond the regulatory angle, see our guide on the importance of GDPR compliance for websites today. If you’re running an e-commerce site, our WooCommerce cookie consent guide covers the specific considerations for online stores.

TCF 2.3 Migration Checklist

Work through this list in order. Each step builds on the previous one.

1. Confirm your CMP is TCF 2.3 certified. Check IAB Europe’s registered CMP list at iabeurope.eu. Your CMP must appear on this list with TCF 2.3 certification. If it doesn’t, contact your CMP provider immediately.
2. Verify TC Strings now include the disclosedVendors segment. Use IAB Europe’s TC String decoder tool to inspect a live string from your site. The decoded output should show a disclosedVendors section. If it’s missing, your CMP hasn’t updated yet.
3. Audit your vendor list. Some vendors may still be operating under TCF 2.2 declarations. Check the Global Vendor List for each vendor you’re working with and confirm they’ve updated their entries.
4. Review legitimate interest claims. With the LI signaling ambiguity now resolved, some vendors may have updated their legitimate interest claims. Make sure your consent UI accurately reflects what each vendor is claiming.
5. Test your TC String output using IAB’s decoder. Don’t assume your CMP updated correctly. Generate a test string, decode it, and verify the structure matches TCF 2.3 requirements.
6. Update your privacy policy. If your vendor list changed during the migration, your privacy policy needs to reflect those changes. This is a legal requirement under GDPR, not just a best practice.
7. Check your consent banner UI. The “Reject all” button must be as prominent as “Accept all.” Same font size, same visual weight, same position in the interface.
8. Verify Google Consent Mode v2 integration. TCF 2.3 changes can affect how consent signals flow to Google’s systems. Test your Google tag implementation after migration.
9. Run a post-migration audit. Monitor your fill rates and CPMs for at least 48 hours after confirming the migration.

How CookieTrust Handles TCF Compliance

Managing TCF compliance manually means tracking vendor list updates, verifying TC String structure, and keeping your consent UI in sync with framework requirements. For most publishers, that’s ongoing work that falls through the cracks.

CookieTrust handles TCF vendor consent signals automatically. The platform’s native IAB TCF 2.2 support means vendor consent is managed inside the CMP itself, not through manual configuration on your end. When IAB TCF 2.3 updates roll out at the platform level, sites on CookieTrust get the update without a site-level rebuild.

The integration is two lines of code:

<script src="https://cmp.cookietrust.io/gdpr/autoblocker.umd.js"></script>
<script id="cookietrust-cmp" src="https://cmp.cookietrust.io/gdpr/[YOUR-SITE-ID]/latest/v2consent.js" async></script>

That’s it. TC String generation, vendor signal passing, and consent state management all happen inside the script. You don’t need to write custom logic for any of it.

What you get beyond the basics:

• Proof of Consent: Timestamped consent logs with full TCF consent records, ready for regulatory audits
• Consent Analytics: Track opt-in rates broken down by purpose and vendor, so you can see exactly how your consent UI is performing
• Auto-Blocker: Third-party scripts (Google Analytics, Meta Pixel, TikTok, and others) are blocked automatically until the user gives consent, with no manual script management required
• Google Consent Mode v2 integration: Consent signals pass correctly to Google’s systems without additional configuration

Compare this to the alternative: manually configuring vendor lists, writing custom TC String validation, and monitoring framework updates yourself. For most publishers, the managed approach is faster to set up and more reliable to maintain.

For sites using the automatic cookie blocking approach, CookieTrust’s AI-powered scanner also detects and categorizes cookies automatically, so your vendor list stays current without manual audits.

For WordPress sites, the CookieTrust plugin handles setup through an AI-powered crawler that scans your site, detects your brand colors, identifies all cookies, and categorizes them automatically.

Common Mistakes to Avoid

Assuming your CMP auto-updated without checking. Many CMPs push updates automatically, but “automatic” doesn’t always mean “complete.” Verify the update actually happened by decoding a live TC String from your site.

Not testing TC String output before going live. A malformed TC String fails silently. Your consent banner may look fine, your users may be clicking “Accept,” but if the string structure is wrong, ad exchanges are rejecting it downstream. Always decode and inspect the string after any CMP update.

Breaking Google Consent Mode v2 integration during migration. TCF 2.3 changes can disrupt how consent signals flow to Google’s systems. After migration, test your Google tag implementation specifically. Check that ad_storage, analytics_storage, and other consent parameters are passing correctly.

Treating TCF as a one-time setup. The TCF is a living standard. IAB Europe updates the Global Vendor List continuously, and framework versions will keep evolving. Build a quarterly review into your compliance process.

Forgetting to update privacy policy disclosures. If your vendor list changed during migration, your privacy policy is now out of date. GDPR requires your privacy policy to accurately reflect your data processing activities. Update it before you go live with the new configuration.

For a detailed walkthrough of the Google Consent Mode v2 side of this, see our Google Consent Mode v2 guide for WordPress.

Frequently Asked Questions

Does TCF 2.3 replace TCF 2.2 completely?

Yes. As of March 1, 2026, TCF 2.3 is the current standard. TC Strings generated under TCF 2.2 without the disclosedVendors segment are now invalid. There’s no grace period or parallel operation. If your CMP is still generating TCF 2.2 strings, you need to update now.

Do I need TCF if I only use Google AdSense?

Not necessarily. Google AdSense primarily uses Google Consent Mode v2 for consent signaling, so TCF compliance isn’t strictly required for AdSense alone. That said, if you’re running any header bidding, direct programmatic deals, or other ad tech alongside AdSense, TCF compliance becomes relevant. When in doubt, check with your ad operations team.

What happens now that the deadline has passed?

TC Strings without the disclosedVendors segment are invalid under TCF 2.3. Ad exchanges that enforce TCF compliance will reject these strings, which means fewer eligible bids and lower fill rates. The practical impact depends on how strictly your specific ad partners enforce the standard, but the risk is real and ongoing.

How do I check if my CMP is TCF 2.3 ready?

Two ways. First, check IAB Europe’s registered CMP list at iabeurope.eu and confirm your CMP appears with TCF 2.3 certification. Second, use IAB Europe’s TC String decoder tool to inspect a live string from your site. If the decoded output includes a disclosedVendors section, your CMP has updated. If it doesn’t, contact your CMP provider.

Conclusion

TCF 2.3 compliance is now mandatory. The disclosedVendors segment is required in every TC String, the deadline passed on February 28, 2026, and any strings generated without it are invalid from March 1 onward.

The good news: this is a CMP-level update, not a site rebuild. If your CMP is TCF 2.3 certified and has pushed the update, your site is likely already compliant. The work is in verifying that, testing your TC String output, and checking that your Google Consent Mode v2 integration still passes signals correctly.

Key takeaways:

• Decode a live TC String from your site and confirm the disclosedVendors segment is present
• Verify your CMP appears on IAB Europe’s registered CMP list with TCF 2.3 certification
• Check your consent banner UI: reject-all must be as prominent as accept-all
• Monitor fill rates and CPMs for 48 hours after confirming migration
• Update your privacy policy if your vendor list changed