Skip to main content

DG Release - 6 January 2026 - IAB TCF v2.3

Ben Reppe

    Understanding IAB TCF v2.3: What’s Changing and Why It Matters

    As part of our ongoing commitment to privacy compliance and industry standards, Evidon from Crownpeak now supports the IAB Transparency & Consent Framework (TCF) v2.3.

    This article explains what TCF v2.3 is, why it was introduced, how it differs from TCF v2.2, what problems it solves, and what—if anything—our customers need to do, along with important timelines.

    What is IAB TCF?

    The IAB Transparency & Consent Framework (TCF) is an industry standard designed to help publishers, advertisers, and technology vendors communicate user consent and legal bases (such as consent or legitimate interest) in a consistent, GDPR-aligned way.

    At the core of TCF is the TC String, a standardized signal generated by a Consent Management Platform (CMP) like Evidon, which communicates a user’s choices to vendors in the ad ecosystem.

    Why TCF v2.3 Was Introduced

    While TCF v2.2 significantly improved transparency and user choice, it left one important area unclear:

    Vendors could not reliably determine whether they were disclosed to the user within the consent interface.

    This ambiguity created:

    • Compliance risk for vendors
    • Inconsistent interpretation of consent signals
    • Challenges during audits and regulatory reviews

    TCF v2.3 directly addresses this gap by making vendor disclosure explicit and verifiable.

    What’s New in TCF v2.3 (Compared to v2.2)

    1. Mandatory “Disclosed Vendors” Signal (Key Change)

    New in v2.3

    TCF v2.3 introduces a mandatory Disclosed Vendors segment in the TC String.

    What does “Disclosed Vendors” mean?

    A Disclosed Vendor is a vendor that was explicitly shown to the user in the CMP interface (for example, in the vendor list or second-layer settings).

    The new signal allows vendors to know:

    • Whether they were presented to the user
    • Whether consent or legitimate interest can be relied upon

    This removes guesswork and improves legal certainty.

    In TCF v2.2, this signal was optional and inconsistently implemented.
    In TCF v2.3, it is mandatory.

    2. Updated TC String Structure
    • All new or updated consent interactions now generate TCF v2.3–compliant TC strings
    • Existing TCF v2.2 consent strings remain valid until users update their preferences
    • Vendors can now reliably interpret disclosure status in addition to consent signals
    3. Improved Compliance & Audit Readiness

    TCF v2.3 strengthens:

    • Transparency expectations under GDPR
    • Vendor accountability
    • Publisher confidence during regulatory or partner audits

    By explicitly signaling disclosure, v2.3 reduces the risk of:

    • Vendors processing data without proper transparency
    • Misinterpretation of consent or legitimate interest signals

    How TCF v2.3 Is Different from TCF v2.2 (At a Glance)

    AreaTCF v2.2TCF v2.3
    Vendor Disclosure SignalOptionalMandatory
    Vendor Disclosure ClarityAmbiguousExplicit and verifiable
    TC String FormatNo disclosure requirementIncludes Disclosed Vendors segment
    Audit ReadinessImprovedSignificantly strengthened
    Backward CompatibilityN/ASupports v2.2 during transition

    How Evidon from Crownpeak Supports TCF v2.3

    Evidon has rolled out full support for TCF v2.3, including:

    • Generation of TCF v2.3–compliant TC strings
    • Automatic handling of the Disclosed Vendors signal
    • Continued support for TCF v2.2 during the transition period
    • No breaking changes to existing integrations or user experiences

    All new or updated consent interactions handled by Evidon will follow the v2.3 specification.

    What Do Customers Need to Do?

    For most customers, no immediate action is required.

    However, we strongly recommend the following best practices:

    1. Review your vendor list
      • Ensure vendors shown to users accurately reflect your advertising and data-sharing partners
      • Remove unused or unnecessary vendors where possible
    2. Plan for full TCF v2.3 adoption
      • While v2.2 is supported during the transition, v2.3 will become mandatory
    3. Coordinate with internal teams and vendors
      • Inform advertising and legal teams about the updated disclosure signaling
      • Confirm vendors are prepared to interpret v2.3 signals

    Important Timelines

    • Now: Evidon supports TCF v2.3
    • Transition Period: TCF v2.2 and v2.3 signals can coexist
    • Expected Enforcement: February 2026
    • After Enforcement: New or updated consent signals must use TCF v2.3

    We recommend completing internal readiness well ahead of the enforcement deadline.

    What Problems TCF v2.3 Solves

    • Removes uncertainty around vendor disclosure
    • Improves GDPR alignment and transparency expectations
    • Reduces compliance risk for publishers and vendors
    • Creates more reliable consent signaling across the ad ecosystem
    • Strengthens trust between publishers, users, and technology partners

    Final Thoughts

    TCF v2.3 is an important step forward in making consent signals clearer, more reliable, and more compliant. By explicitly communicating vendor disclosure, it addresses long-standing challenges in earlier versions of the framework.

    Evidon from Crownpeak is committed to helping our customers navigate these changes smoothly and confidently. If you have questions about your implementation or readiness for TCF v2.3, our support and account teams are here to help.

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.