Publishers still generating v2.2 strings face a predictable sequence: Google and other premium demand sources treat the traffic as unconsented, the ad request defaults to Limited Ads mode, and CPMs drop by 60–80% or more. The fix requires co-ordinated action across your CMP configuration, Global Vendor List (GVL) management, and downstream vendor integrations. This guide walks through what changed, what the migration checklist looks like in practice, and how to diagnose the most common problems after the upgrade.

What Is IAB TCF v2.3?

The IAB Transparency and Consent Framework (TCF) is the standardised technical protocol through which publishers collect user consent and communicate it to every vendor in the programmatic advertising supply chain. A publisher's Consent Management Platform (CMP) captures user choices, encodes them into a TC string, and passes that string with every ad request. Demand-side platforms, SSPs, ad servers, and measurement vendors read the string to determine which purposes they are permitted to process and on what legal basis.

TCF v2.3 was released by IAB Europe on June 19, 2025. It is a technically focused update that addresses a specific signalling gap regulators and courts had identified in earlier versions. It does not change the legal bases available to vendors, the purposes defined in the framework, or the user interface requirements from TCF v2.2. The change is confined to the TC string structure: a segment previously optional is now mandatory.

Why TCF v2.3 Was Introduced

The problem TCF v2.3 solves is known as the "ghost vendor" problem or "signalling ambiguity." Under TCF v2.2, a vendor reading a TC string could encounter a 0 bit in the Vendor Legitimate Interest section and be unable to determine whether it meant the user had objected, or the vendor was never disclosed in the CMP interface. This distinction matters specifically for vendors that process personal data under Legitimate Interest for Special Purposes such as fraud prevention and security. Without a reliable way to distinguish these cases, vendors faced a choice between over-processing and under-processing. The Brussels Court of Appeal's May 2025 judgment and the CJEU's earlier ruling both emphasised the need for mathematical proof that vendors receiving consent signals were actually disclosed to users — which TCF v2.3 provides.

Key Changes in TCF v2.3

The Mandatory disclosedVendors Segment

The single structural change in TCF v2.3 is that the disclosedVendors segment is now required in every TC string. Previously it was optional. This segment is a bitfield in which each position corresponds to a vendor ID in the GVL: a 1 indicates the vendor was shown in the CMP interface; a 0 indicates it was not. The TC string structure is now: [Core String].[disclosedVendors].[PublisherTC]. Any TC string generated on or after March 1, 2026 that lacks the disclosedVendors segment is deemed invalid. Strings created before that date remain valid until progressively replaced as users renew their consent.

No Re-Surfacing Requirement

IAB Europe is explicit that CMPs should not re-surface the consent UI purely because of the v2.3 migration. The disclosedVendors segment is a structural addition to the TC string, not a change to consent categories or vendor lists requiring a new user decision. CMPs that kept records of which vendors were disclosed when the original string was created can update existing strings to include the segment. CMPs that did not must wait for natural renewal events to generate compliant v2.3 strings.

Google Enforcement and Error Code 1.4

Google formally mandated TCF v2.3 migration for all publishers and CMPs in November 2025. From March 2026, Google's systems introduced error report code 1.4 for TC strings missing or carrying a non-compliant disclosedVendors segment. Publishers whose CMP is not Google-certified for v2.3 face Limited Ads serving. This is not a minor degradation: Limited Ads disable personalisation, frequency capping, and audience targeting, and Google explicitly warns that revenue impact can exceed 50%. Choosing the right IAB TCF compliance tool with automated validation is the most reliable way to catch error 1.4 triggers before they affect revenue.

TCF v2.3 Migration Checklist

Step 1: Confirm CMP Support for TCF v2.3

Log into your CMP dashboard and confirm the platform has deployed TCF v2.3 string generation — meaning it populates the mandatory disclosedVendors segment in all new TC strings. Most major commercial CMPs deployed this update automatically or provide a configuration toggle. If your CMP is a private or bespoke implementation, update the string generation logic to include the disclosedVendors segment per the IAB Tech Lab specification and the iabtcf-es TypeScript library.

Step 2: Verify Google CMP Certification Status

Publishing with Google Ad Manager, AdSense, or AdMob requires a Google-certified CMP. Confirm your CMP appears on Google's current approved list and that the certification explicitly covers TCF v2.3. A CMP that is IAB-registered but not Google-certified will result in non-personalised ad serving. The distinction between IAB registration and Google certification — and the validation workflows that confirm your implementation meets both requirements — is a common source of confusion worth reviewing before assuming compliance.

Step 3: Synchronise the Global Vendor List

Your CMP downloads the GVL from IAB Europe and uses it to populate the disclosure bitfield. Confirm your CMP is configured to download the current GVL at least weekly — IAB Europe updates the list as vendors join, update their declarations, or are removed. Stale GVL data causes the disclosedVendors bitfield to misrepresent which vendors are currently registered. Set GVL updates to daily or trigger them on CMP script reload.

Step 4: Verify UI-to-String Alignment

The disclosedVendors segment must accurately reflect which vendors are shown in your consent banner. If a vendor is configured in your CMP but hidden from the UI, its bit should be 0. If a vendor appears in the banner, its bit must be 1. Misalignment between UI and string is the most common compliance gap IAB Europe's automated validators identify. Run your live implementation through the IAB Europe CMP validator before assuming migration is complete.

Step 5: Check Downstream Vendor Parser Versions

Vendors receiving your TC string need to support v2.3 string parsing. Any vendor still running a TCF v2.1 or v2.2 decoder will fail on a valid v2.3 string because the additional segment changes the parsed structure. Contact your SSP and DSP partners to confirm their parsers support v2.3.

Step 6: Test the Full Consent Signal Flow

Decode a live TC string from your production site using the IAB's TC string decoder or the IAB Europe CMP validator browser extension. Confirm: the version field reads 2.3, the disclosedVendors segment is present and populated, vendor IDs in the segment match the vendors shown in your banner, and the string propagates correctly through your ad request headers. Check Google Ad Manager's ad request reports for error code 1.4 within 24 hours of deployment. Cookie consent implementation testing methodology — including automated script blocking verification, consent log validation, and cross-browser testing — applies equally to TCF implementations.

CMP Configuration for TCF v2.3

The publisher's role in TCF v2.3 migration is primarily configuration rather than custom development, provided you are using a commercial CMP. The CMP is responsible for: generating TC strings with the mandatory disclosedVendors segment; maintaining a current GVL; rendering the consent interface with vendor count displayed on the first layer; and storing consent records with timestamps.

Publishers operating private CMPs have a more significant development task. The IAB Tech Lab's iabtcf-es TypeScript library provides the reference implementation for v2.3 TC string encoding and decoding. The library encodes the disclosedVendors segment as a BitField or Range encoded vector immediately following the Core String, with a Segment ID of 1. Publishers should also review their publisher restrictions configuration — the migration is a good moment to audit whether current restrictions are intentional and correctly configured.

Common TCF v2.3 Migration Issues

Ads Defaulting to Limited Ads After Migration

Check Google Ad Manager's Privacy & Messaging report for error code 1.4, which specifically flags a missing or invalid disclosedVendors segment. If it appears, the TC string your CMP is generating does not include the segment or it is malformed. Decode a live string and inspect the structure. Error code 9 (CMP certification failure) is a separate issue indicating your CMP is not on Google's certified list. Effective GDPR consent management requires confirming that both technical string validity and CMP certification status are checked independently.

Vendor List Not Updating

If your disclosedVendors bitfield stops reflecting current vendor registrations, the most likely cause is a stale GVL download. Check your CMP's GVL update schedule and confirm the last successful download timestamp. For CMPs deployed via CDN or tag manager, confirm the script version loaded on your pages is current.

Consent Strings Not Propagating to Ad Partners

If the TC string is generating correctly but downstream vendors report missing consent signals, the issue is typically in the OpenRTB request construction. The TC string must be passed in the regs.ext.gdpr and user.ext.consent fields of the bid request. A secondary cause is string truncation: TC strings with large vendor lists can exceed cookie or URL parameter size limits. Use the encoded base64url string format specified in the TCF technical specification.

disclosedVendors Segment Present but Vendors Not Receiving Valid Signals

Decode the string and confirm the version field in the Core String header reads 6 (binary 000110 — the TCF v2.3 specification version number). If the version field reads 4 or 5 (TCF v2.1 or v2.2), your CMP's string generation has not been updated. Contact your CMP provider to confirm deployment status.

Testing Your TCF v2.3 Implementation

In browser developer tools, inspect the __tcfapi call with command getTCData to retrieve the live TC string. Decode it using IAB Europe's online decoder or the iabtcf-es library. Confirm: version = 2.3, disclosedVendors segment present, vendor IDs match banner UI, no vendors disclosed that are not shown to users. For publishers using Google Ad Manager, check the Privacy & Messaging report for error code 1.4 daily in the week following deployment. A reduction to zero confirms the migration is functioning correctly.

Best Practices for TCF v2.3 Compliance

Treat TCF compliance as a continuous operational process, not a point-in-time migration. Any vendor added to your CMP configuration must be surfaced in your consent UI before its ID can be set to 1 in the disclosedVendors segment — adding a vendor to your backend without updating the UI creates immediate non-compliance. Audit your vendor list quarterly to ensure every disclosed vendor serves a genuine, current business purpose. Excessive vendor lists bloat the TC string, increase page performance overhead, and reduce user comprehension. Cookie consent best practices for the consent interface itself — clear language, prominent decline options, accurate category descriptions — remain legally relevant independent of TCF version, since DPAs evaluate the user experience of the consent interface in addition to technical specification compliance.

Maintain immutable consent logs: timestamps of consent events, the TC string version in use, and the vendor configuration active at the time. These records are the evidence base for demonstrating GDPR accountability to supervisory authorities. The Belgian DPA's enforcement actions against TCF participants have consistently focused on the ability to produce evidence of compliant consent collection, not only technical correctness of the string format.

FAQ

What is TCF v2.3?

TCF v2.3 is the June 2025 update to IAB Europe's Transparency and Consent Framework. Its sole structural change is making the disclosedVendors segment mandatory in all TC strings generated on or after March 1, 2026, resolving the signalling ambiguity for vendors processing under Legitimate Interest for Special Purposes.

What changed from TCF v2.2 to v2.3?

One change: the disclosedVendors segment is now required in every TC string. No changes to legal bases, purposes, UI requirements, or vendor policies. The update affects only what the CMP encodes in the TC string it generates.

Do publishers need to migrate to TCF v2.3?

Yes, if they monetise through programmatic advertising in the EEA, UK, or Switzerland and use a CMP to collect consent. TC strings generated without the disclosedVendors segment are invalid from March 2026, and Google will serve Limited Ads on inventory carrying invalid strings. Publishers using Google's built-in consent tools in Ad Manager or AdSense had their strings updated automatically.

How do you test a TCF v2.3 implementation?

Retrieve the live TC string via __tcfapi getTCData in browser developer tools, decode it using the iabtcf-es library or IAB Europe's online decoder, and confirm the version field reads 2.3 and the disclosedVendors segment is present. Monitor Google Ad Manager's Privacy & Messaging reports for error code 1.4 in the 24 hours following deployment.

What happens if vendors are not compatible with TCF v2.3?

Vendors running outdated TCF v2.1 or v2.2 parsers will fail to correctly decode a v2.3 string. The practical result is these vendors may treat consent as undetermined and default to not processing — reducing demand on your inventory. Contact affected partners to confirm their parser update timelines.

Secure Privacy's CMP is IAB-registered, Google-certified, and supports TCF v2.3 string generation with the mandatory disclosedVendors segment. Get started free or