Consent Management: IAB TCF Explained

What is the IAB TCF?

The IAB (Interactive Advertising Bureau) Transparency & Consent Framework (TCF) is a consent signal and framework that was jointly developed by the publishing, advertising, and online services industries to give users granular control over their data while ensuring the industry could publish content and supply advertising backed services at scale.

The TCF interprets the requirements of various privacy regulations, notably the GDPR in Europe (see note on TCF Canada below) to provide an agreed way for a website, such as a publisher, to obtain a consumer’s consent, record that consent, and distribute it in a format that all other downstream processors of that consumer’s personal data can understand and correctly enforce on their data processes.

TCF lets a visitor to a publisher’s website manage their consent preferences through the publisher’s consent management platform (CMP). Publishers select the vendors they work with and the CMP ensures site visitors are informed of those vendors and the purposes for which they use personal data, such as “content personalization”.

When a user arrives on a website for the first time, they are asked to select who their personal data can be shared with. Once the user takes this action, the CMP records the user’s consent preferences and communicates these using the TCF framework such that vendors are notified and can respect the privacy of the visitor.

What are the benefits of the IAB TCF?

Although the TCF may initially appear complex, it’s intended to provide greater transparency to consumers and site visitors as to how their data is being processed while assuring a standard method of communicating a site visitor’s preferences to advertisers and ad technology vendors on the publisher’s site.

What is the difference between TCF 1.0, 2.0 and 2.2?

TCF 1.0 was the first version of the framework published in 2018 and one of the major points of feedback was that it appeared to disproportionately favor advertising vendors rather than publishers and consumers.

TCF 2.0 Updates

As such, in 2019, TCF 2.0 introduced the following improvements:

• More control for publishers: Publishers had the ability to define which advertisers they worked with and remove vendors as well as specifying what legal reasons vendors can use to collect their visitor's data.
• Inclusion of legitimate interest provisions: In IAB TCF 1.0 publishers were not able to select legitimate interests as the legal reason for collecting and processing data.

TCF 2.2 Updates

As with anything, continuous iteration and improvement is vital and TCF 2.2 further enhanced the capabilities of the TCF standard as follows:

• Legitimate interest limitation: To ensure that legitimate interest couldn’t be misused for certain data processing purposes, it is no longer possible to use it as the legal basis for some data processing activities.
• User-friendly text: TCF 2.2 attempts to improve the consumer experience by further simplifying the names, descriptions and explanations of how data is used with easy-to-follow examples that help a consumer better understand their choices.
• New data processing purposes: The introduction of an 11th data processing purpose, “use limited data to select content”, provides a specific way to cover the use of data for non-advertising content.
• Additional vendor information: TCF 2.2 requires vendors to provide additional information about how they process data to increase transparency and accountability.
• Total vendor transparency: CMP’s must now specify the total number of vendors on their consent notices to simplify understanding for a consumer about who, or how many vendors are requesting to process their data.
• Consent withdrawal: Finally, TCF 2.2 makes specific technical requirements of how a CMP must function on a publisher site in order to allow a user to change or withdraw their consent preferences in the future if they wish to do so, ensuring a consumer has the ability to easily manage their consent.

IAB TCF Library Update, May 2025

Important Changes to Vendor Legitimate Interest Calculations

The IAB has announced a mandatory update to the TCF TypeScript Library (iabtcf-es) that changes how vendor legitimate interests are encoded in the TC String. This update affects all users of the IAB library, including our platform which uses this library internally.

Key Points:

• Library has been updated to version 1.5.15
• Change fixes an issue with Vendor Legitimate Interest signals
• Compliance deadline: May 2025
• No UI changes or resurfacing required

What's Changing

Vendor Legitimate Interest Signal Update

The IAB has identified an issue with how vendor legitimate interest signals were previously encoded in TC strings. As a result of this change, you will see a larger list of 'Vendor Legitimate Interests' encoded in your TC strings.

What has changed:

• Previously, vendors that declared only consent-based Purposes, but also declared Special Purposes, would not appear in the 'Vendor Legitimate Interests' portion of the TC string
• However, after this update, these "consent-only" vendors will now appear in both 'Vendor Consents' and 'Vendor Legitimate Interests' sections of the saved TCF preferences.
• In this case, since these vendors declare no purposes with legitimate interest as the legal basis for processing, the 'Vendor Legitimate Interests' signal is set to properly signal the vendor's use of legitimate interest for 'Special Purposes' only.

Example:

• For example, vendor 2 ("Captify Technologies Limited") only declares consent for several Purposes, but also declares several Special Purposes.
• In previous versions of the IAB library, vendor ID 2 would not appear in 'Vendor Legitimate Interests' erroneously, even though they declared Special Purposes.
• After this update, vendor 2 will appear in the 'Vendor Legitimate Interests' correctly, signalling that their use of Special Purposes has been communicated to the end-user.

Impact on Your Implementation

As we use the IAB library internally, we will be implementing this update before the May 2025 deadline. Here's what you need to know:

1. No user-facing changes required: We are not required to update your UI or resurface consent dialogs to your users.
2. Automatic implementation: We will handle the library update and ensure your TC strings are correctly generated.

Technical Details

For developers and technical teams, here are the specific changes:

• The issue was documented in GitHub issue #457 (opens in a new tab)
• The fix was implemented in PR #472 (opens in a new tab)

Additional Resources

• IAB TCF TypeScript Library on GitHub (opens in a new tab)
• TCF Technical Specifications (opens in a new tab)

TCF Concepts

The TCF concepts of purposes and legal basis are important to understand when configuring TCF for your business. You can find detailed information about TCF terminology from the IAB on the TCF policies website (opens in a new tab). Definitions of purposes and legal basis are provided below for quick reference.

Purposes

11 defined purposes for processing of data, including users’ personal data. Vendor participants in the framework must declare the purposes for which they process data when signing up. The purposes declared by each vendor are exposed for CMPs in the Global Vendor List.

Legal Basis

TCF supports two legal bases for each of the 11 defined purposes of processing personal information: consent and legitimate interest. Purposes 1 and 3-6 must use consent as the legal basis, while vendors can choose between consent and legitimate interest for purposes 2 and 7-11. Additionally, for these purposes, vendors can indicate whether they are flexible and will accept either legal basis or whether they require one or the other.