Skip to content
IAB Transparency and Consent Framework (TCF)

Transparency and Consent Framework


What is Transparency and Consent Framework (TCF)?

The Transparency and Consent Framework (TCF) was conceived to facilitate compliance with the European Union's General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) for all stakeholders involved in digital advertising and targeted content delivery. It addresses the processing, access, and storage of personal information on users' devices.

Developed collaboratively by IAB Europe, digital advertising organizations, and industry experts, the TCF made its debut on April 25, 2018. Its primary objective is to establish a mechanism for users to convey their consent preferences to vendors operating within publishers' ecosystems through Consent Management Platforms (CMPs). CMPs serve as centralized hubs for managing user consent and objections transparently.

At its core, the TCF places users in the spotlight, prioritizing their rights to data transparency and control. By offering users insight into how their data is utilized and affording them the authority to determine its usage when consent is granted, the TCF aims to empower individuals in the realm of data privacy.

How does it work?

At its core, the TCF revolves around Consent Management Platforms (CMPs) integrated into publishers' websites. These CMPs serve as the initial point of contact between users and the digital ecosystem.

When a user visits a website, the CMP presents a transparent and user-friendly interface that informs them about the data processing activities taking place. This includes details about the purposes, vendors involved, and types of data collected.

Users are given the option to provide or withhold their consent for data processing. They can choose to allow or deny specific purposes, such as personalized ads or analytics.

If a user consents to data processing, the CMP generates consent signals, which are standardized messages encoding the user's preferences. These signals contain information about the user's consent choices, specifying which vendors can process their data and for what purposes.

Publishers and vendors in the digital ecosystem integrate the TCF framework into their systems. Vendors receive consent signals from CMPs, allowing them to determine whether they have user consent to process data for specific purposes.

Users maintain ongoing transparency and control over their data. They can revisit their consent choices at any time through the CMP's interface, allowing them to modify or withdraw their consent.

The Global Vendor List (GVL)

The Global Vendor List (GVL) is a central repository of information about vendors in the digital advertising and content delivery ecosystem. It plays a pivotal role in the TCF by standardizing consent signals, enhancing transparency, and facilitating compliance with data protection regulations. Users, publishers, and vendors benefit from the GVL's standardized approach to managing consent and data processing preferences.

CookieHub & IAB TCF

CookieHub is a registered Consent Management Platform (CMP) with the Interactive Advertising Bureau (IAB) and has undergone the necessary compliance checks to ensure its alignment with the Transparency and Consent Framework (TCF).

When users visit websites and online services that utilize CookieHub, they encounter a consent dialog that provides essential information about vendors and data processing purposes. This dialogue empowers users to make informed decisions regarding the data processing activities they wish to consent to or deny, such as personalized advertising or analytics. As users interact with the consent dialog, their preferences are recorded and translated into standardized signals following TCF guidelines. These signals are then communicated to the respective vendors, notifying them of the user's consent choices and enabling them to adjust their data processing practices accordingly.

CookieHub's consent management process is designed to enhance transparency. Users have access to clear and concise information about vendors and data processing purposes, fostering an environment where informed consent is prioritized.


As of November 20th, 2023, TCF Version 2.1 will be deprecated, and users are required to transition to TCF Version 2.2. This transition ensures continued compliance with evolving data protection laws and benefits from the latest enhancements and verification measures introduced in TCF 2.2. Website owners and digital advertising professionals are encouraged to update their implementations accordingly to align with the most current TCF version.

TCF 1.0

TCF 1.0 marked the initial launch of the framework, aimed at facilitating compliance with the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) for online advertising. Key features included:

Key Features:

  • Basic Consent: TCF 1.0 offered basic user consent for personalized ads, providing limited transparency and control.
  • Global Vendor List (GVL): It introduced a GVL containing vendor information, although with fewer details compared to later versions.
  • Initial Industry Effort: TCF 1.0 represented an initial industry-wide effort to address GDPR and ePD requirements.

TCF 2.0

TCF 2.0 was introduced as a significant enhancement to the initial TCF version, aiming to provide more transparency and control to users regarding their consent choices in the context of digital advertising.

Key Features:

  • Enhanced Transparency: TCF 2.0 emphasized increased transparency by providing users with detailed information about data processing purposes, vendors, and their purposes.
  • Granular Consent: Users had more granular control over their consent choices, allowing them to selectively opt in or out of specific data processing purposes.
  • Global Vendor List (GVL): TCF 2.0 introduced a centralized Global Vendor List (GVL) that contained comprehensive information about registered vendors and their purposes, simplifying vendor management for website owners.

TCF 2.1

TCF 2.1 builds upon the foundation of TCF 2.0 and further refines the framework based on industry feedback and evolving regulatory requirements.

Key Features:

  • Improved Accessibility: TCF 2.1 places a greater emphasis on accessibility, making it more inclusive for users with disabilities.
  • Enhanced Mobile App Support: Building on the mobile app support introduced in TCF 2.0, TCF 2.1 offers more robust tools for managing user consent within mobile applications.
  • Enhanced Compliance Measures: TCF 2.1 introduces additional compliance checks and requirements to ensure that vendors adhere to transparency and user consent standards.

TCF 2.2

TCF 2.2 represents the latest iteration of the framework, incorporating refinements and updates to address emerging privacy concerns and regulatory developments.

Key Features:

  • Stringent Vendor Verification: TCF 2.2 introduces enhanced verification measures for vendors, ensuring that only compliant vendors can participate in the framework.
  • Adherence to Evolving Regulations: TCF 2.2 is designed to align with the latest regulatory developments, enabling website owners to stay compliant with evolving data protection laws.

Each version of the TCF builds upon the previous one, incorporating feedback and addressing emerging privacy challenges. Website owners and digital advertising professionals can choose the version that best suits their needs while maintaining a focus on user transparency and consent management.


Within the TCF, several key terms and concepts play a crucial role in understanding its functioning. These include "Vendor," "Purpose," "Special Purpose," "Feature," "Special Feature," "Stack," "Legal Basis," and "Legitimate Interest." This glossary will provide detailed definitions for each of these terms to help you navigate and comprehend the TCF framework effectively.


A "Vendor" refers to a company that plays a role in delivering digital advertising within a Publisher's website, app, or other digital content. Vendors do not act as Publishers or Consent Management Platforms (CMPs). They may access an end user's device or process personal data about end users who visit the Publisher's content while adhering to the Framework's Policies. Depending on specific circumstances, a Vendor may be considered a Controller, Processor, or both under the GDPR.


A "Purpose" represents one of the well-defined objectives for processing data, including users' personal data, by participants in the Framework. These objectives are outlined in the Policies or Specifications. Vendors declare a Legal Basis for these Purposes in the Global Vendor List (GVL), and users are presented with a choice – either to provide consent or to object – depending on the Legal Basis for the processing, as facilitated by a CMP.

Special Purpose

A "Special Purpose" denotes one of the predefined objectives for data processing, including users' data, within the Framework. These objectives are defined in the Policies or Specifications. Vendors declare a Legal Basis for these Special Purposes in the GVL. However, users are not given a choice regarding these Special Purposes through a CMP; consent is not sought separately.


A "Feature" represents one of the functionalities related to processing personal data employed by participants within the Framework. These functionalities are defined in the Policies or Specifications and are used to achieve one or more Purposes. Users typically do not have a separate choice regarding Features; their choices are integrated with the choices offered for the associated Purposes.

Special Feature

A "Special Feature" denotes one of the specific functionalities used for processing personal data by participants in the Framework. These functionalities are defined in the Policies or Specifications and are employed in pursuit of one or more Purposes. Users are given the option to opt-in separately for Special Features, distinct from the choices they make regarding the associated Purposes.


A "Stack" refers to one of the combinations of Purposes and/or Special Features used for processing personal data by participants within the Framework. Stacks may be used to replace or supplement more detailed Purpose and/or Special Feature descriptions in the initial layer of a user interface (UI).

Legal Basis

"Legal Basis" represents a lawful ground for data processing as defined in Article 6 of the GDPR (General Data Protection Regulation). The Framework supports various Legal Bases, including consent under Article 6(1)(a) GDPR and legitimate interest as per Article 6(1)(f) GDPR. Legal Bases serve as the foundation for processing personal data within the Framework, ensuring compliance with data protection regulations.

Legitimate Interest

"Legitimate Interest" is a legal basis recognized under the GDPR. It allows data processing when it is necessary for the legitimate interests pursued by the controller or a third party. While consent is a common legal basis for data processing, Legitimate Interest serves as an alternative legal basis, especially when processing aligns with legitimate interests and meets the requirements of the GDPR.

TC String

The TC String is a fundamental component of the Transparency and Consent Framework (TCF) developed by IAB Europe. It plays a crucial role in facilitating user consent for online advertising and data processing activities. The TC String is a standardized, machine-readable piece of information that contains user consent preferences and other relevant data. It is designed to provide transparency, control, and compliance with data protection regulations, notably the General Data Protection Regulation (GDPR) in the European Union (EU).

Key Components of the TC String:

  • Version Number: The TC String begins with a version number that indicates which TCF version it adheres to. For example, "TCFv2" signifies compliance with TCF Version 2.x.
  • Consent Purposes: The string includes consent information related to different purposes for data processing, such as advertising, analytics, and personalization. Each purpose is assigned a unique numerical code.
  • Vendor Consent: The TC String contains information about user consent for specific vendors. Vendors are assigned unique numerical identifiers, and the string records whether the user has granted or denied consent for each vendor.
  • Special Features: It may include details regarding specific special features, such as consent for precise geolocation data or the use of pseudonymous identifiers.
  • Stacking Consents: In TCF Version 2.x, the string allows for "stacking" consents. This means that users can express different consent preferences for different purposes, vendors, and features, providing a more granular level of control.
  • Encoded Information: The TC String is encoded to minimize its size and make it efficient for transmission and storage. This encoding ensures that the string can be parsed by authorized parties for compliance and transparency purposes.

How the TC String Works:

  • User Consent: When a user visits a website or interacts with online content, a Consent Management Platform (CMP) like CookieHub collects the user's consent choices.
  • TC String Generation: The CMP generates a TC String that encapsulates the user's consent preferences, vendor information, and other relevant data.
  • Transmission: The TC String is transmitted to relevant parties, including vendors and advertisers, to inform them of the user's consent choices.
  • Parsing: Authorized parties can parse and decode the TC String to understand the user's preferences and ensure compliance with GDPR and other data protection regulations.
  • Consent Transparency: The TC String enhances transparency by providing a standardized format for conveying consent information, making it easier for users to understand and manage their data preferences.
  • Compliance Verification: Regulatory authorities can use the TC String to verify compliance with data protection regulations, ensuring that user consent is properly obtained and respected.

Overall, the TC String is a critical tool in the TCF ecosystem, enabling users to exercise their data privacy rights while ensuring that online advertising and data processing activities remain compliant with evolving privacy laws. It represents a collaborative effort to strike a balance between user privacy and the needs of the digital advertising industry.


Consent Management Platforms (CMPs) play a pivotal role in ensuring transparency, obtaining user consent, registering objections, and capturing user preferences through Signals. These Signals are encapsulated within a standardized, easily communicable payload known as a TC String. The CMP API serves as the standardized gateway, allowing various entities, such as hosting publishers and advertising vendors, to access and utilize the user preferences effectively managed by the CMP.

Accessing User Preferences with the CMP API

The CMP API streamlines the process of obtaining the TC String payload and its associated information. This payload is readily accessible and usable, sparing the need to decipher its format. Consequently, scripts and organizations can promptly make data processing decisions based on the retrieved information, without the necessity to understand the intricate details of unpacking the payload format.

Proprietary Interfaces in CMPs

CMPs may also offer proprietary interfaces tailored to specific functionalities or capabilities. These proprietary interfaces are comprehensively documented in the IAB Europe Transparency and Consent Framework Policies, ensuring clarity regarding their design and operation.

CookieHub & CMP API Integration

CookieHub facilitates interaction with the CMP API by exposing the standard __tcfapi function in accordance with IAB's specifications. This function serves as a crucial tool for vendors seeking to access the user's consent state.


To ensure seamless integration with __tcfapi, the CMP API Stub must be loaded synchronously before any other scripts relying on __tcfapi. The stub provides a basic implementation of __tcfapi temporarily until the full implementation is loaded. You can access the CookieHub CMP Stub at the following URL:

Sample Code for Interaction

Here's an example of using __tcfapi for common interactions:


The "ping" command triggers the callback immediately without involving asynchronous logic. It returns a PingReturn object that helps determine whether the main CMP script has loaded and whether GDPR regulations are applicable.

__tcfapi('ping', 2, (pingReturn) => {
  // Handle pingReturn data


The "getTCData" command retrieves the complete, unencoded TC String, including the current consent state and information about the CMP.

__tcfapi('getTCData', 2, (tcData, success) => {
  if (success) {
    // Handle tcData
  } else {
    // Handle other scenarios
}, [1, 2, 3]);

For more details on the exposed commands and a comprehensive list of available commands, refer to the Consent Management Platform API specification (opens in a new tab).