TCF v2.2 Implementation Guide: Everything You Need to Know

Complete guide to implementing IAB TCF v2.2. Learn about CMP requirements, TC String, and step-by-step integration for GDPR compliance.

Kurabiye Team Privacy Engineering

The IAB Transparency and Consent Framework (TCF) v2.2 has become the industry standard for managing user consent in digital advertising. If you operate in Europe or work with European audiences, understanding and implementing TCF is essential for compliance and maintaining access to programmatic advertising.

What Is TCF v2.2?

The Transparency and Consent Framework is an industry initiative developed by IAB Europe to help publishers, advertisers, and technology vendors comply with GDPR and ePrivacy requirements. TCF provides a standardized way to:

  • Communicate user consent choices across the advertising ecosystem
  • Document legal bases for data processing
  • Ensure transparency about data usage
  • Maintain auditable consent records

Version 2.2, released in May 2023, introduced important updates including stricter rules around legitimate interest and enhanced transparency requirements.

Key Changes in TCF v2.2

TCF v2.2 brought several significant changes from version 2.0:

Legitimate Interest Restrictions

Vendors can no longer claim legitimate interest as a legal basis for:

  • Creating personalized advertising profiles
  • Selecting personalized ads
  • Creating personalized content profiles
  • Selecting personalized content

These purposes now require explicit user consent.

Enhanced Transparency

Publishers must provide clearer information about:

  • The total number of vendors seeking consent
  • Specific data processing activities
  • How user data flows through the ecosystem

Stricter CMP Requirements

Consent Management Platforms must:

  • Display vendor counts prominently
  • Provide easy access to vendor lists
  • Ensure consent choices are genuinely informed

TCF Components Explained

The TC String

At the heart of TCF is the TC String (Transparency and Consent String), an encoded string containing:

  • User consent choices for each purpose
  • Legitimate interest preferences
  • Vendor-specific consents
  • Publisher restrictions
  • Metadata about when and how consent was collected

The TC String looks like this:

CPXxRfAPXxRfAAfKABENB-CgAAAAAAAAAAYgAAAAAAAA

This encoded string is passed between vendors to communicate consent status.
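
To see what the sample string above carries, the decoder below reads the fixed-width fields at the start of its core segment. It is an added example, not code from the original article or from any CMP; the field order and widths follow the published TC String v2 format, and the names `toBits` and `decodeTcCore` are chosen here for illustration.

```javascript
// Added example: decode the fixed-width header of a TC String core segment.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Expand base64url characters into a string of '0'/'1' (6 bits per character).
function toBits(segment) {
  let bits = '';
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    bits += v.toString(2).padStart(6, '0');
  }
  return bits;
}

function decodeTcCore(tcString) {
  // Segments are separated by '.'; the core segment always comes first.
  const bits = toBits(tcString.split('.')[0]);
  let pos = 0;
  const take = (n) => {
    if (pos + n > bits.length) throw new Error('core segment is truncated');
    const value = parseInt(bits.slice(pos, pos + n), 2);
    pos += n;
    return value;
  };
  // Two 6-bit letters, A=0 ... Z=25 (language and country codes).
  const letters = () => String.fromCharCode(65 + take(6)) + String.fromCharCode(65 + take(6));
  // n one-bit flags; returns the 1-based ids whose bit is set.
  const ids = (n) => Array.from({ length: n }, (_, i) => (take(1) ? i + 1 : 0)).filter(Boolean);

  const version = take(6);
  if (version !== 2) throw new Error(`unsupported TC String version: ${version}`);
  return {
    version,
    created: new Date(take(36) * 100), // stored as deciseconds since the epoch
    lastUpdated: new Date(take(36) * 100),
    cmpId: take(12),
    cmpVersion: take(12),
    consentScreen: take(6),
    consentLanguage: letters(),
    vendorListVersion: take(12),
    tcfPolicyVersion: take(6),
    isServiceSpecific: take(1) === 1,
    useNonStandardTexts: take(1) === 1,
    specialFeatureOptIns: ids(12),
    purposeConsents: ids(24),
    purposeLegitimateInterests: ids(24),
    purposeOneTreatment: take(1) === 1,
    publisherCC: letters(),
  };
}

const SAMPLE = 'CPXxRfAPXxRfAAfKABENB-CgAAAAAAAAAAYgAAAAAAAA'; // string shown above
console.log(decodeTcCore(SAMPLE));
```

Decoded this way, the sample string grants no purposes and no special features, so a vendor receiving it has no consent signal to act on.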

Purposes and Special Purposes

TCF defines standardized purposes for data processing:

Standard Purposes (require consent):

  1. Store and/or access information on a device
  2. Select basic ads
  3. Create a personalized ads profile
  4. Select personalized ads
  5. Create a personalized content profile
  6. Select personalized content
  7. Measure ad performance
  8. Measure content performance
  9. Apply market research to generate audience insights
  10. Develop and improve products

Special Purposes (legitimate interest only):

  1. Ensure security, prevent fraud, and debug
  2. Technically deliver ads or content

Features and Special Features

Features describe additional data processing activities that support the main purposes:

  • Match and combine offline data sources
  • Link different devices
  • Receive and use automatically-sent device characteristics

Special features require explicit opt-in:

  • Use precise geolocation data
  • Actively scan device characteristics for identification

Step-by-Step Implementation

Step 1: Choose a TCF-Registered CMP

Your consent management platform must be registered with IAB Europe. When evaluating CMPs, consider:

  • TCF v2.2 certification status
  • Google CMP Partner certification
  • Ease of integration
  • Customization options
  • Reporting capabilities
  • Support quality

Kurabiye is fully certified for TCF v2.2 and registered as a Google CMP Partner, ensuring seamless integration with the advertising ecosystem.

Step 2: Register as a CMP User

After selecting your CMP:

  1. Create your publisher account
  2. Configure your IAB vendor list preferences
  3. Set up your consent collection interface

Step 3: Configure Purposes and Vendors

Decide which purposes and vendors to include:

// Example Kurabiye TCF configuration
kurabiye.init({
  tcf: {
    enabled: true,
    version: '2.2',
    publisherCountryCode: 'DE',
    purposes: {
      consent: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10],
      legitimateInterest: [2, 7, 8, 9, 10],
    },
    specialFeatures: [1, 2],
    vendorList: 'latest', // or specific version
  },
});

Step 4: Implement the CMP API

TCF requires implementing the __tcfapi interface:

// Check if TCF API is available
if (typeof __tcfapi === 'function') {
  __tcfapi('getTCData', 2, (tcData, success) => {
    if (success) {
      console.log('TC String:', tcData.tcString);
      console.log('Consent for Purpose 1:', tcData.purpose.consents[1]);
    }
  });
}

The CMP API supports several commands:

  • getTCData - Get current consent data
  • ping - Check CMP availability
  • addEventListener - Listen for consent changes
  • removeEventListener - Remove event listeners

Listen for consent changes and update your data processing accordingly:

__tcfapi('addEventListener', 2, (tcData, success) => {
  if (success && tcData.eventStatus === 'useractioncomplete') {
    // User has made a consent choice
    updateDataProcessing(tcData);
  }
});

Step 6: Test Your Implementation

Verify your TCF implementation:

  1. Use the IAB TCF Validator - Official testing tool from IAB
  2. Check TC String encoding - Ensure proper format
  3. Verify vendor signals - Confirm consent is communicated correctly
  4. Test edge cases - New users, returning users, consent withdrawal

Integration with Google Services

Google requires TCF v2.2 for continued access to advertising features in the EEA and UK.

TCF works alongside Google Consent Mode:

// TCF consent automatically maps to Consent Mode signals
// Purpose 1 (storage) → analytics_storage, ad_storage
// Purpose 3 (ad profiles) → ad_user_data
// Purpose 4 (personalized ads) → ad_personalization

  1. Enable TCF in Ad Manager settings
  2. Configure purpose consent requirements
  3. Set up vendor allowlists
  4. Test with Google Publisher Console

Common Implementation Mistakes

1. Not Waiting for CMP to Load

// Wrong - may execute before CMP is ready
const consent = __tcfapi('getTCData', 2, callback);

// Correct - check CMP status first
__tcfapi('ping', 2, (pingReturn) => {
  if (pingReturn.cmpLoaded) {
    __tcfapi('getTCData', 2, callback);
  }
});

Always check vendor-specific consent, not just purpose consent:

__tcfapi('getTCData', 2, (tcData, success) => {
  // Do not read tcData when the call failed
  if (!success) return;

  const vendorId = 123;
  const hasVendorConsent = tcData.vendor.consents[vendorId];
  const hasPurposeConsent = tcData.purpose.consents[1]; // Purpose 1

  // Both must be true
  if (hasVendorConsent && hasPurposeConsent) {
    // Process data
  }
});
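
The first two mistakes can be avoided with a single listener that treats "CMP missing", "call failed", and "banner still open" as no consent, and re-evaluates when the user changes their choice. The code below is an added example, not Kurabiye's or the IAB's code; `vendorMayProcess`, `watchConsent`, and `fakeCmp` are hypothetical names, and the CMP function is passed in as a parameter (`window.__tcfapi` in a browser) so the logic can run against the constructed event sequence.

```javascript
// Added example: one listener that gates a vendor's processing on TCF signals.
// Event statuses at which the CMP exposes a usable consent record.
const READY = new Set(['tcloaded', 'useractioncomplete']);

// True only if the vendor AND every listed purpose have consent.
function vendorMayProcess(tcData, vendorId, purposeIds) {
  if (!tcData || !READY.has(tcData.eventStatus)) return false;
  const vendorOk = tcData.vendor?.consents?.[vendorId] === true;
  const purposesOk = purposeIds.every((id) => tcData.purpose?.consents?.[id] === true);
  return vendorOk && purposesOk;
}

// Subscribe once; onDecision(allowed) fires on load and on every later change.
function watchConsent(tcfapi, vendorId, purposeIds, onDecision) {
  if (typeof tcfapi !== 'function') {
    onDecision(false); // no CMP on the page: fail closed
    return;
  }
  tcfapi('addEventListener', 2, (tcData, success) => {
    // Failed calls and 'cmpuishown' (banner still open) both resolve to false.
    onDecision(success === true && vendorMayProcess(tcData, vendorId, purposeIds));
  });
}

// Constructed CMP stand-in: banner shown, user accepts, user later withdraws
// consent for vendor 123 while purpose 1 stays granted.
function fakeCmp(command, version, callback) {
  const purpose = { consents: { 1: true } };
  callback({ eventStatus: 'cmpuishown' }, true);
  callback({ eventStatus: 'useractioncomplete', vendor: { consents: { 123: true } }, purpose }, true);
  callback({ eventStatus: 'useractioncomplete', vendor: { consents: {} }, purpose }, true);
}

function demo() {
  const decisions = [];
  watchConsent(fakeCmp, 123, [1], (allowed) => decisions.push(allowed));
  return decisions;
}

console.log(demo());
```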

3. Missing Publisher Restrictions

Publishers can restrict how vendors use consent:

kurabiye.init({
  tcf: {
    publisherRestrictions: {
      // Vendor 123 cannot use legitimate interest for purpose 2
      123: { 2: 'require_consent' },
    },
  },
});

Maintaining Compliance

Regular Audits

Conduct quarterly reviews of:

  • Vendor list accuracy
  • Consent collection flows
  • TC String generation
  • API response times

Documentation

Maintain records of:

  • CMP configuration changes
  • Vendor additions and removals
  • Consent rate metrics
  • User complaints and resolutions

Updates

Stay current with:

  • Global Vendor List updates (released regularly)
  • TCF policy changes
  • Regional regulatory guidance

FAQ

What is TCF v2.2?

TCF v2.2 is the latest version of the IAB Transparency and Consent Framework, providing standardized consent management for digital advertising in compliance with GDPR.

Is TCF v2.2 mandatory?

TCF is not legally required, but it is effectively mandatory for participating in programmatic advertising in Europe and for using Google advertising services in the EEA/UK.

How does TCF v2.2 differ from v2.0?

Version 2.2 restricts legitimate interest for personalization purposes, requires consent for ad/content personalization, and mandates enhanced transparency about vendor counts.

What is a TC String?

The TC String is an encoded string containing all user consent choices, vendor consents, and metadata. It is passed between advertising technology vendors to communicate consent status.

Can I use TCF outside Europe?

Yes, TCF can be implemented globally. However, it is specifically designed for GDPR compliance and may be more strict than required in other jurisdictions.

How often is the Global Vendor List updated?

IAB Europe updates the Global Vendor List weekly to add new vendors and update existing vendor information.

What happens if a vendor is not TCF registered?

Non-registered vendors cannot receive consent signals through TCF. They must be handled separately or excluded from your advertising stack.

How do I verify my TCF implementation?

Use the IAB TCF Validator tool, test with Google Publisher Console, and verify TC Strings are properly encoded and transmitted.

No, TCF provides the framework for communicating consent but still requires a visible consent interface (usually a banner or modal) to collect user preferences.

TCF consent signals can automatically map to Google Consent Mode parameters, ensuring consistent consent communication to Google services.
