

Understanding the IAB TCF v2.3 Update: New Vendor Disclosure Requirements Explained
Learn what changed in IAB TCF v2.3, including new vendor disclosure requirements, TC String updates, CMP considerations, and compliance best practices.

Rob English
Director, Data Solutions
June 17, 2026
A privacy-focused web analytics implementation specialist, with 19 years of experience in development across marketing, advertising and analytics.
The IAB Europe Transparency & Consent Framework (TCF) v2.3 became fully enforceable on March 1, 2026, introducing new requirements for vendor disclosure and consent transparency. Organizations using Consent Management Platforms (CMPs), Google Consent Mode, and digital advertising technologies should understand how these changes affect consent collection and compliance efforts. In this article, we explain what changed in TCF v2.3, why the update was introduced, and what organizations should do next.
On March 1, 2026, IAB Europe officially transitioned to TCF v2.3. This update marks an important shift toward stronger transparency and accountability in consent management, and introduces stricter requirements regarding vendor disclosure and consent signals.
TCF v2.3 was officially released in June 2025, followed by a transition period during which publishers, vendors and CMPs were given time to update to the new standards. This period ran through to the end of February 2026, after which full enforcement of v2.3 was rolled out.
After this March 1st deadline, any newly generated TC strings that were not compliant under TCF v2.3 could be considered invalid by vendors and platforms.
Before we dig deeper into what this change means, let's first touch on what IAB TCF is, in general.
What Is the IAB Transparency & Consent Framework (TCF)?
Developed by the Interactive Advertising Bureau (IAB) Europe, the Transparency & Consent Framework (TCF) is an industry-standard framework meant to support compliance with GDPR and other privacy regulations.
It sets out to standardize:
- Collection of user consent preferences
- Communication of those preferences across advertising vendors
- Management of compliant data processing for ad and analytics activities
- A standardized “TC String” into which consent signals can be encoded
The TC String is a standardized consent signal that records a user's consent choices and communicates them to participating vendors and advertising platforms. It helps ensure that consent preferences are consistently interpreted across the digital advertising ecosystem.
Why Was TCF v2.3 Introduced?
TCF v2.3 aims to improve transparency surrounding vendor disclosure.
In previous versions of this framework, there could be ambiguity about whether users had actually been informed about the vendors allowed to process their data.
In the latest version, there is now a new, mandatory segment in the TC String, called “Disclosed Vendors”, in which the actual vendors shown to the user in a CMP interface are recorded.
This will further reduce ambiguity in consent signals, improve compliance, and provide more transparency to end users.
Before TCF v2.3 was introduced:
- Vendors could receive consent signals without explicit proof they were displayed to the user
- CMPs were not required to encode disclosed vendor information directly into the TC String
After TCF v2.3 was introduced:
- The “Disclosed Vendors” segment became mandatory
- CMPs must include which vendors were disclosed to users
- Vendors and ad platforms are expected to validate these disclosures before relying on consent signals
What Is the New Disclosed Vendors Segment?
One of the most significant changes introduced in TCF v2.3 is the requirement to include a "Disclosed Vendors" segment within the TC String. This segment records which vendors were actually presented to users within the CMP interface at the time consent was collected.
By requiring disclosure information to be encoded directly within the TC String, TCF v2.3 provides greater transparency and allows vendors to verify that they were properly disclosed before relying on consent signals for advertising or analytics activities.
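The vendor-side check described above, as an added example rather than code from the article or from IAB Europe: it decodes the Disclosed Vendors segment of a TC String and refuses to rely on consent when the segment is missing, malformed, or does not list the vendor. The segment layout (3-bit SegmentType of 1, 16-bit MaxVendorId, then a bitfield or range encoding) is assumed from IAB's TC String technical specification, and the function names and sample string are constructed for illustration.

```javascript
// Added example. Bit layout is assumed from IAB's TC String specification, not from this article.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
// Expand one base64url segment into a string of '0'/'1' characters.
const toBits = (seg) => [...seg].map((ch) => {
  const v = B64URL.indexOf(ch);
  if (v < 0) throw new Error("invalid base64url character");
  return v.toString(2).padStart(6, "0");
}).join("");

// Return the Set of vendor IDs recorded as disclosed, or null if the segment is absent.
function disclosedVendors(tcString) {
  for (const seg of tcString.split(".").slice(1)) { // segment 0 is the core string
    const bits = toBits(seg);
    let pos = 0;
    const read = (n) => { // read n bits as an unsigned integer
      if (pos + n > bits.length) throw new Error("truncated segment");
      return parseInt(bits.slice(pos, (pos += n)), 2);
    };
    if (read(3) !== 1) continue; // SegmentType 1 = Disclosed Vendors (assumed)
    const maxVendorId = read(16);
    const ids = new Set();
    if (read(1) === 0) { // bitfield: one bit per vendor ID 1..maxVendorId
      for (let id = 1; id <= maxVendorId; id++) if (read(1)) ids.add(id);
    } else { // range encoding: NumEntries, then single IDs or start/end pairs
      for (let n = read(12); n > 0; n--) {
        const isRange = read(1);
        const start = read(16);
        const end = isRange ? read(16) : start;
        if (start < 1 || end < start || end > maxVendorId) throw new Error("bad range");
        for (let id = start; id <= end; id++) ids.add(id);
      }
    }
    return ids;
  }
  return null;
}

// Fail closed: a missing or malformed segment means disclosure is not proven.
function wasDisclosed(tcString, vendorId) {
  try {
    const ids = disclosedVendors(tcString);
    return ids !== null && ids.has(vendorId);
  } catch (e) { return false; }
}

// Constructed sample: placeholder core segment (not parsed here) plus a segment disclosing vendors 2, 5, 8.
const SAMPLE_TC = "CONSTRUCTEDCORE.IAEEk";
console.log(wasDisclosed(SAMPLE_TC, 5), wasDisclosed(SAMPLE_TC, 3)); // true false
```

The same `disclosedVendors` result can be compared against the vendor list configured in the CMP to confirm that the two match.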
How Does TCF v2.3 Impact Google Consent Mode?
While Google Consent Mode and the IAB TCF serve different purposes, they are often implemented together as part of a broader privacy and consent strategy.
Organizations using Google Consent Mode should ensure their CMP supports TCF v2.3 and that consent signals are being properly passed to Google tags and platforms. Regular testing and validation of consent behavior can help ensure both compliance and reliable measurement.
TCF v2.3 Compliance Checklist
To remain aligned with TCF v2.3 requirements, organizations should consider the following:
- Ensure the CMP you are using on your website supports TCF v2.3
- Regularly evaluate vendor disclosures for accuracy and compliance
- Regularly audit analytics and advertising scripts to ensure they only run or fire in accordance with users' consent preferences
- Review your Google Consent Mode set-up and TCF integrations
- Always maintain and review documentation surrounding your consent practices
- As with tracking in general, only track what you absolutely need. If certain vendors become legacy tracking on your website(s) or app(s), minimize and remove them where possible
- Ensure vendors listed in your CMP match those encoded in the TC String
- Periodically test consent behavior across browsers, devices, and regions
Many (if not all) of the above recommendations are good policies to incorporate into your privacy and compliance programs at all times, regardless of this specific change.
While the introduction of the Disclosed Vendors segment may appear to be a relatively minor technical change, TCF v2.3 reflects a broader industry movement toward stronger transparency, accountability, and user control over personal data.
Organizations that proactively review their CMP configurations, vendor disclosures, consent signals, and privacy documentation will be better positioned to meet evolving compliance expectations while maintaining reliable analytics and advertising measurement.
As privacy regulations continue to evolve, regular audits of consent management processes should become a standard part of every organization's digital governance strategy.