The IAB Transparency & Consent Framework (TCF) standardizes how consent and legitimate-interest signals are passed to ad tech vendors across Europe. Version 2.2 removed support for some legacy legitimate-interest use cases and increased transparency requirements—meaning your CMP configuration and vendor list hygiene matter more than ever.

If you run display ads, work with programmatic partners, or monetize content through ad networks, TCF is likely part of your compliance stack even when you are not a “publisher” in the traditional sense.

Who needs TCF

• Publishers monetizing through ad networks that require a TC String
• Advertisers buying inventory where supply paths validate consent signals
• Sites with many ad tech vendors — SSPs, DSPs, verification, identity solutions
• Apps using IAB-compliant SDKs and CMPs for in-app advertising

Pure lead-gen sites with only GA4 and Meta may not need full TCF—but adding programmatic display usually triggers the requirement overnight.

What TCF 2.2 changed (high level)

• Stricter rules around legitimate interest for certain purposes
• Updated vendor declarations and purpose definitions teams must present clearly
• Expectations that CMPs stay on current policy and vendor list versions

Your legal team should confirm interpretation; engineering’s job is to ensure the TC String your CMP generates matches what tags and partners actually consume.

What a compliant CMP must do

• Present purposes, special features, and vendors with accurate, up-to-date lists
• Capture accept, reject, and granular choices without dark patterns
• Generate and store a valid TC String (and AC String where applicable)
• Pass signals to GAM, Prebid, ad tags, and GTM consistently on each page load
• Support vendor list updates without silent drift between policy and implementation

GTM and ad tag integration

Typical flow:

1. CMP loads and sets __tcfapi or equivalent API
2. Consent string available before ad tags request bids
3. GTM triggers for ad tags require both TCF purpose consent and vendor-specific consent where needed
4. Non-IAB tags (Meta, TikTok) still need separate CMP category gating

Failure at step 2 causes blank ads, consent errors in console, or policy violations if tags fire anyway.

Common integration gaps

• GTM firing programmatic tags before tcData.eventStatus === 'tcloaded' or user action
• Vendor list in CMP does not include all ad partners receiving data
• Stale lists after switching SSP or adding new identity pixels
• Mixed TCF + non-TCF regions without geo routing on the banner
• Developers hardcoding GPT/Prebid outside GTM consent checks

Audit checklist

• Export CMP vendor list and compare to live ad tag recipients
• Run reject-all and verify no ad requests with personal data
• Confirm TC String changes when user updates preferences
• Document Global Vendor List (GVL) update process—who reviews monthly?

When to simplify

If you do not use programmatic ads, avoid adopting TCF “just in case”—it adds UX and engineering overhead. Re-evaluate when ad strategy changes.

For hybrid stacks (content + performance marketing), many teams run TCF for display inventory and separate Consent Mode + category banners for analytics tags—coordinate so users see one coherent experience, not stacked banners.

Audit your vendor manifest against live tags at least quarterly, especially after platform or CMP updates.