Transparency and Consent Framework
The Transparency and Consent Framework is IAB Europe's consent-signaling framework for digital advertising: a way for publishers, CMPs, vendors, and advertisers to communicate disclosure, legal-basis, and user-choice signals.
Definition
The Transparency and Consent Framework, or TCF, is a voluntary framework maintained by IAB Europe with technical specification work stewarded by IAB Tech Lab. Its purpose is to help online advertising participants communicate information about device access, personal-data processing, declared purposes, legal bases, vendors, and user choices under the GDPR and ePrivacy Directive.
The TCF is not itself a privacy law and does not automatically make an advertising practice lawful. It is infrastructure: policies, technical specifications, a Global Vendor List, consent management platform rules, and a Transparency and Consent String, usually called a TC String. It turns a user-interface event into a machine-readable signal that advertising systems can read.
How It Works
A publisher or app operator presents a consent interface, often through a consent management platform, or CMP. The CMP asks the user about purposes, features, vendors, and legal bases, then packages the resulting signals into a TC String. The CMP API lets scripts and vendors request that data without manually unpacking the encoded payload.
The Global Vendor List provides a shared table of registered vendors and declarations. The TC String can signal which vendors were disclosed, which purposes were accepted or rejected, and which legal-basis choices the publisher or CMP says apply. This matters in Real-Time Bidding because many parties may receive or act on advertising requests after the banner is gone.
Current Status
IAB Europe says TCF v1.1 launched in April 2018, followed by v2.0, v2.1, v2.2, and v2.3. Its TCF page says participants had until February 28, 2026 to adopt v2.3, which made the disclosed-vendors section mandatory in the TC String to address vendor-disclosure ambiguity.
The IAB Europe policy page reviewed for this entry identifies version 2026-05-29.5.0.b. It sets policies for CMPs, vendors, publishers, and framework user interfaces, and says applicable law prevails if law and TCF policies conflict.
The legal record is not just industry documentation. In March 2024, the Court of Justice of the European Union ruled in Case C-604/22 that a TC String can constitute personal data when it can be associated with an identifier, and addressed when IAB Europe may be a joint controller. In May 2025, the Belgian Data Protection Authority said the Market Court confirmed that the TC String is personal data and that IAB Europe acts as joint controller for processing user preferences within the TCF, while rejecting the DPA's broader conclusion that IAB Europe controls processing that occurs entirely within OpenRTB.
Governance and Safety
The TCF makes adtech consent claims more inspectable. It creates named purposes, vendor declarations, CMP responsibilities, policy versions, and encoded signals that can be audited. Without such structure, downstream actors can claim permission without preserving a readable trail.
The risk is mistaking the signal for consent itself. Valid consent still depends on the screen, wording, defaults, granularity, withdrawal path, power relationship, vendor disclosure, and actual data flow after the choice. A technically valid TC String can coexist with a manipulative banner or downstream processing that exceeds what the person understood.
AI systems intensify the boundary problem. Models may support ad targeting, fraud detection, dynamic creative optimization, or audience enrichment. That does not mean a TCF signal authorizes unrelated model training, memory, profiling, agent access, or data brokerage.
Defense Pattern
- Preserve the interface. Keep the screens, language, defaults, button order, vendor count, and withdrawal path that produced the TC String.
- Record framework state. Store policy version, CMP ID and version, Global Vendor List version, TC String, timestamp, jurisdiction, and device context.
- Map signal to flow. Show which vendors received which signals and which cookies, identifiers, bid requests, or measurement events followed.
- Separate purposes. Do not use ad consent as a blanket basis for AI training, model improvement, memory, or unrelated personalization.
- Test refusal. Verify that rejecting or withdrawing consent changes network behavior, not only the banner state.
Source Discipline
Use IAB Europe for policy status and framework claims. Use IAB Tech Lab or the official GitHub repository for technical specifications. Use CJEU and Belgian DPA sources for legal claims.
Do not say that TCF compliance equals GDPR compliance, that a TC String is "just metadata," or that IAB Europe controls all OpenRTB processing.
Spiralist Reading
Spiralism reads the TCF as the moment consent becomes logistics.
The user sees a banner. The market sees a transportable permission artifact. The moral question is whether the artifact still carries the person's understanding, or only the industry's need for a signal that machines can move.
Open Questions
- How should auditors test whether a TC String matches what the user actually saw?
- When do vendor lists become too long for meaningful disclosure?
- What evidence proves that withdrawal changed downstream advertising and AI-processing behavior?
Related Pages
- Data Minimization
- Real-Time Bidding
- OpenRTB
- AdCOM
- Sellers.json
- ads.txt
- Global Privacy Control
- Consent or Pay
- Deceptive Design Patterns
- Data Brokers
- Surveillance Capitalism
- Platform Governance
- The Cookie Banner Becomes the Consent Machine
Sources
- IAB Europe, Transparency & Consent Framework, reviewed June 25, 2026.
- IAB Europe, Transparency & Consent Framework Policies, version 2026-05-29.5.0.b, reviewed June 25, 2026.
- IAB Tech Lab / IAB Europe, CMP API v2 specification, official GitHub repository, reviewed June 25, 2026.
- Court of Justice of the European Union, Press release on judgment in Case C-604/22, IAB Europe, March 7, 2024.
- Belgian Data Protection Authority, The Market Court rules in the IAB Europe case, May 14, 2025.
- Church of Spiralism internal background, Real-Time Bidding, OpenRTB, Consent or Pay, and The Cookie Banner Becomes the Consent Machine.