Understanding IAB TCF v2.3: Managing 5,000+ Vendors in Your Consent Stack

What Is the IAB TCF?

The Transparency and Consent Framework (TCF) is an industry standard developed by IAB Europe that enables publishers, vendors, and Consent Management Platforms (CMPs) to work together to provide users with standardized privacy choices for digital advertising. Since its initial launch in 2018, the TCF has undergone multiple iterations to address regulatory guidance, court rulings, and industry feedback.

TCF Version History

• TCF v1.1 (April 2018): Initial launch ahead of GDPR enforcement.
• TCF v2.0 (August 2019): Major overhaul with publisher controls and legitimate interest handling.
• TCF v2.1 (August 2020): Aligned with the CJEU Planet49 ruling; standardized cookie duration disclosures.
• TCF v2.2 (May 2023): Responded to the Belgian DPA's action plan on IAB Europe's role as controller of TC strings.
• TCF v2.3 (April 2025): Resolves legitimate interest ambiguity by making the Disclosed Vendors section mandatory in the TC string.

TCF participants have until February 28, 2026 to adopt v2.3 and update their implementations.

Key Changes in TCF v2.3

The most significant change in v2.3 is the mandatory Disclosed Vendors section. Previously, the Disclosed Vendors field was optional in the TC (Transparency and Consent) string. This meant a receiving vendor could not always distinguish between "the publisher chose not to disclose me" and "the CMP did not include this information." Version 2.3 eliminates this ambiguity.

This change impacts:

• CMPs: Must now always populate the Disclosed Vendors section in the TC string.
• Publishers: Must ensure their CMP correctly lists all vendors disclosed in their consent interface.
• Vendors: Can now reliably determine if they were disclosed to the user and what consent was collected.

The Global Vendor List (GVL)

The GVL is a registry of 5,000+ vendors that have registered with the TCF. Each vendor entry includes:

• Vendor name and ID
• Purposes for which they process data
• Legal bases (consent and/or legitimate interest) for each purpose
• Special features used (e.g., precise geolocation data)
• Cookie and storage disclosures

Managing this massive list is a key challenge for publishers. You cannot realistically present 5,000+ vendors in a consent interface. Instead, you must:

1. Audit your vendor relationships: Identify which GVL vendors actually operate on your site.
2. Only disclose relevant vendors: Present only the vendors that your site directly or indirectly uses.
3. Implement vendor grouping: Organize vendors by purpose for a comprehensible user experience.

TCF Purposes and Legal Bases

TCF v2.3 defines 11 purposes for data processing, including: storing/accessing information on a device, selecting basic ads, creating a personalized ads profile, measuring ad performance, and developing/improving products. Each vendor declares which purposes they use and their preferred legal basis (consent or legitimate interest).

Implementation for CMPs

CMPs implementing TCF v2.3 must:

• Generate TC strings that include the mandatory Disclosed Vendors section.
• Expose the CMP API (window.__tcfapi) for vendors to query consent status.
• Support both consent and legitimate interest purposes.
• Handle publisher restrictions on vendor purposes.

Jerisaliant is a registered TCF CMP that supports the full v2.3 specification, including automatic GVL synchronization, vendor filtering based on your actual script inventory, and the mandatory Disclosed Vendors section in TC string generation.