TCF v2.3 Is Now Mandatory - the Deadline Has Passed
The Transparency and Consent Framework version 2.3 became mandatory on 1 March 2026. Every TC string generated from that date onward must include a disclosedVendors segment, or it will be treated as invalid by platforms that enforce the framework - Google chief among them.
IAB Europe released TCF v2.3 on 19 June 2025, with a transition period running through the end of February 2026. During that window, Google accepted v2.3 strings without validating the disclosed vendors segment, giving publishers and CMPs time to test. That grace period is now over. Google confirmed on 2 March 2026 that validation is active and introduced a new TCF error report code - error 1.4 - to flag requests where the disclosed vendors section is missing, malformed, or does not include Google (vendor ID 755).
If you monetise traffic from the EEA, UK, or Switzerland through Google Ad Manager, AdSense, or AdMob, this affects you directly.
What Actually Changed Between TCF v2.2 and v2.3
TCF v2.2, launched in May 2023, was primarily a policy update. It removed legitimate interest as a legal basis for advertising purposes and introduced stricter requirements for consent banner design. TCF v2.3 is a technical update. The user-facing consent banner stays the same. The change happens entirely within the TC string itself.
The core change: the disclosedVendors segment is now mandatory in every TC string. Previously, this segment was optional.
A TC string under v2.3 follows this structure:
[Core segment].[disclosedVendors segment].[Publisher TC]
The disclosed vendors segment is a binary record (1 = disclosed, 0 = not disclosed) indicating which vendors were actually shown to the user in the CMP interface. Each vendor ID gets a corresponding bit. If vendor ID 755 (Google) has a 1, it means the user saw Google listed in the consent dialogue. If it has a 0, Google was not displayed.
The "Ghost Vendor" Problem
Under TCF v2.2, vendors could receive a consent string but had no reliable way to confirm they were actually shown to the user. Consider this scenario: a vendor declares legitimate interest for Special Purposes (such as fraud prevention or security monitoring). A user exercises their right to object to that vendor's processing. The CMP sets the legitimate interest bit for that vendor to 0.
The vendor receives the string and sees the 0 - but cannot determine what it means. Did the user actively object? Or was the vendor simply never disclosed in the consent UI, meaning the user never had a chance to see it at all?
That ambiguity matters because Special Purposes still require transparency under GDPR. A vendor processing data for fraud prevention without having been disclosed to the user risks a transparency violation, even if it has a legitimate interest basis. TCF v2.3 eliminates this guesswork. If the disclosed vendors bit reads 0, the vendor was not shown. No disclosure means no legal basis for Special Purposes processing - full stop.
Why Google Is Enforcing This So Aggressively
Google is not merely participating in TCF v2.3 - it is treating the transition as a hard enforcement line. The company announced on 3 November 2025 that its systems could accept v2.3 strings immediately, and set 1 March 2026 as the date after which new v2.2 strings would no longer be supported.
The new error code 1.4 sits within Google's "Limited consent scenarios" category alongside errors 1.1, 1.2, and 1.3. All four codes share one critical property: they always take precedence over misconfiguration errors, even when a single request has multiple issues. When error 1.4 triggers, Google defaults the ad request to Limited Ads - contextual ads with no personalisation, no frequency capping, and significantly lower CPMs.
What Limited Ads Mean for Revenue
Limited Ads strip out personalisation and behavioural targeting. Publishers who rely on programmatic demand typically see CPMs drop sharply when inventory shifts to Limited Ads. Some demand sources may not bid at all on inventory flagged as unconsented. The revenue impact is immediate and measurable - check your fill rates and eCPMs for EEA traffic since 1 March 2026. A sudden drop is a strong signal that something is wrong with your TC string output.
The Legal Backdrop: Belgian DPA Ruling and CJEU Precedent
TCF v2.3 arrives against a backdrop of sustained legal scrutiny of the framework itself. The Belgian Data Protection Authority (APD) fined IAB Europe EUR 250,000 in February 2022, ruling that the TCF failed to comply with GDPR requirements. IAB Europe appealed, and the Belgian Market Court referred key questions to the Court of Justice of the European Union.
In March 2024, the CJEU confirmed two critical points: the TC string qualifies as personal data under Article 4(1) GDPR when combined with identifying information such as an IP address, and IAB Europe can be considered a joint controller under Article 4(7) for the creation and use of TC strings within the framework.
On 14 May 2025, the Brussels Market Court (sitting as the Brussels Court of Appeal) delivered its final judgement. It upheld the EUR 250,000 fine against IAB Europe, confirmed that the TC string is personal data, and agreed that IAB Europe acts as a joint controller for processing within the TCF. The Court did narrow the scope, ruling that IAB Europe is not a joint controller for downstream processing in real-time bidding (RTB) over which it has no control.
One important nuance: the ruling addressed TCF versions 1.0 and 2.0 specifically. Versions 2.2 and 2.3 were not under judicial review. Many of the criticised shortcomings were already addressed in v2.2, and v2.3 further strengthens the transparency mechanism. Whether these later versions fully satisfy GDPR requirements remains an open question for future regulatory scrutiny.
Who Needs to Act - and Who Does Not
The answer depends on how you collect consent and serve ads.
| Scenario | Action required |
|---|---|
| You use a commercial CMP (e.g. Kukie.io, Didomi, Usercentrics, iubenda) that is TCF v2.3 certified | Likely none - most commercial CMPs updated automatically. Verify by checking your TC string output in the IAB TCF decoder. |
| You use Google's own Privacy & Messaging CMP | None - Google confirmed it writes v2.3 strings from the 1 March deadline onward. |
| You run a private/custom-built CMP | Update your TC string generation code to include the mandatory disclosedVendors segment after the core segment. |
| You serve ads only outside the EEA, UK, and Switzerland | None - TCF applies to traffic from these regions only. |
| You do not serve third-party ads at all (no AdSense, Ad Manager, AdMob) | TCF is not required. Cookie consent is still required under GDPR/ePrivacy Directive, but not through the TCF specifically. |
Publishers who rely on a commercial CMP should still verify compliance rather than assume it. A quick check takes five minutes and can save weeks of lost revenue.
How to Check If Your Site Is Compliant
Open your website in a browser with no existing consent cookies (incognito mode works). Interact with the consent banner - accept all, then open your browser's developer console and run:
__tcfapi('getTCData', 2, function(tcData, success) { console.log(tcData.tcString); });
Copy the resulting TC string and paste it into the IAB TCF String Decoder. In the decoded output, look for the "Vendors Disclosed" section. If that section is present and includes the vendors configured in your CMP, your site is generating valid v2.3 strings. If the section is missing, your CMP is still outputting v2.2-format strings.
Check Your Google Error Report
If you run Google AdSense, Ad Manager, or AdMob, download your TCF error report to see whether error 1.4 is appearing:
- Ad Manager: Admin > EU user consent
- AdSense: Brand safety > Content > Blocking controls > Manage European regulations
- AdMob: Blocking controls > Manage European regulations
The report covers the last seven days and is only available if errors have been detected. No report means no detected issues - but it is still worth verifying your TC string independently.
What About Older TC Strings Already Stored in Browsers?
TC strings generated before 1 March 2026 under TCF v2.1 or v2.2 remain valid. Google continues to accept them. The enforcement applies only to strings generated on or after that date.
This means you do not need to force a mass re-consent. Your existing users' stored consent strings will continue to work until they naturally expire or the user updates their preferences. At that point, the CMP must generate a new string under v2.3 rules.
IAB Europe has explicitly stated that CMPs should not be required to re-surface the consent UI purely for the v2.3 transition. If your CMP kept records of which vendors were disclosed when a TC string was first created, it may retroactively update existing strings to include the disclosed vendors segment. If it did not keep those records, the string will be updated the next time a user interacts with the consent notice.
TCF v2.3 and Google Consent Mode v2
TCF v2.3 and Google Consent Mode v2 are separate mechanisms that serve different but related purposes. The TCF communicates consent signals across the entire ad tech supply chain through a standardised TC string. Google Consent Mode controls how Google tags (Analytics, Ads, Floodlight) behave based on consent status.
Both must work together for a compliant Google advertising setup in the EEA. Your CMP generates the TC string (now v2.3), and simultaneously sends consent signals to Google tags via Consent Mode. If the TCF string is invalid, Google may fall back to Limited Ads even if Consent Mode signals are correct - because the TCF string takes precedence for programmatic ad serving through Ad Manager, AdSense, and AdMob.
After migrating to v2.3, test your Google Consent Mode integration separately. Confirm that ad_storage, analytics_storage, and ad_personalization signals still pass correctly when consent is granted and when it is denied.
Practical Steps for Publishers Running Late
If you are reading this and have not yet migrated, the priority order is straightforward.
Contact your CMP provider immediately. Ask whether their solution is generating TCF v2.3 strings with the mandatory disclosed vendors segment. Most major CMPs - including Kukie.io - have already rolled out the update automatically, but some require a manual toggle in the dashboard or a script version update.
Verify that Google (vendor ID 755) is included in your disclosed vendors list. Error 1.4 triggers specifically when Google is missing from or not properly flagged in the disclosed vendors segment. Check your CMP's vendor configuration and ensure Google Advertising Products is enabled.
Review your vendor list while you are in there. Each vendor marked as disclosed adds to the TC string length, which can affect page load performance. Remove vendors you no longer work with. The transition to v2.3 is a good opportunity to clean house.
Test thoroughly. Generate a fresh consent string, decode it, and confirm the structure. Then check your Google error report 24-48 hours later to see if any 1.4 errors appear.
For Publishers With Custom CMP Implementations
If you built your own CMP, you need to update your TC string encoder. The disclosedVendors segment must appear immediately after the core segment, identified by segment type ID 1 (binary 001). The segment contains a MaxVendorId field followed by either a bitfield or range encoding of vendor IDs. Set the bit corresponding to each vendor that your CMP UI actually displays to the user.
IAB Tech Lab maintains the official TypeScript library iabtcf-es on GitHub, which includes v2.3 support. If you are not already using it, consider adopting it as your string encoding reference rather than maintaining a custom encoder.
Scanning Your Site for TCF Compliance Issues
A valid TC string is only one part of TCF compliance. The vendors you disclose in the consent UI must match the vendors actually operating on your site. If your banner lists 80 vendors but your site loads tags from 95, you have a transparency gap that no string format can fix.
Regular cookie scanning helps catch this kind of drift. Kukie.io's scanner detects first-party and third-party cookies across your site and maps them to known vendors, making it easier to keep your disclosed vendor list aligned with reality. You can start a free scan to see exactly which cookies your site sets and which vendors they belong to.
Tag drift is real - particularly on sites with multiple teams managing different ad integrations, third-party widgets, or A/B testing tools. A quarterly scan is a reasonable baseline. Monthly is better if you frequently add or change integrations.
What Comes Next for the TCF
The TCF has been through four major iterations since 2018 (v1.1, v2.0, v2.2, and now v2.3), each responding to regulatory pressure, enforcement actions, and technical gaps. The pace of change is unlikely to slow.
IAB Tech Lab opened a device disclosure specification for public comment in November 2025, requiring vendors to declare cookies used outside the TCF framework, cookies for Special Purposes, and SDK package identifiers in mobile apps. This suggests the next wave of changes will focus on mobile and connected TV environments where consent signalling is less mature.
The Belgian Market Court ruling of May 2025, while addressing TCF v2.0, leaves open the question of whether later versions fully satisfy the GDPR concerns the court identified. IAB Europe won an appeal against the corrective measures portion of the APD decision in January 2026, but the substantive findings about TC strings being personal data and IAB Europe's joint controller status remain settled law within the EU.
For publishers, the practical takeaway is that consent infrastructure is not a set-and-forget deployment. Treat your CMP and TCF integration as ongoing infrastructure that requires monitoring, testing, and periodic updates - much like your ad serving stack itself.
Frequently Asked Questions
What is the disclosed vendors segment in TCF v2.3?
The disclosed vendors segment is a mandatory part of the TC string that records which vendors were actually shown to the user in the consent management platform's interface. Each vendor ID is represented by a binary bit: 1 means the vendor was disclosed, 0 means it was not.
Do I need to show the cookie banner again after upgrading to TCF v2.3?
No. IAB Europe has stated that CMPs should not need to re-surface the consent UI for this update. The new TC string is generated automatically the next time a user interacts with the consent notice or renews their preferences.
What does Google TCF error code 1.4 mean?
Error 1.4 indicates that the disclosed vendors section in the TC string is missing, malformed, or does not include Google (vendor ID 755). When this error occurs, Google defaults the ad request to Limited Ads, which reduces revenue.
Will my old consent strings from before March 2026 stop working?
No. TC strings created before 1 March 2026 under TCF v2.1 or v2.2 remain valid and continue to be accepted by Google. Only strings generated on or after that date must follow v2.3 specifications.
Is the TCF legally required or just a Google requirement?
The TCF itself is a voluntary industry standard, not a legal requirement. However, Google requires TCF implementation for publishers serving ads through Ad Manager, AdSense, or AdMob in the EEA, UK, and Switzerland. If you do not serve third-party ads through Google products, you still need cookie consent under GDPR and the ePrivacy Directive, but not through the TCF specifically.
How do I check if my CMP is generating valid TCF v2.3 strings?
Open your site in incognito mode, accept cookies, then use the browser console to call __tcfapi('getTCData', 2, callback) and copy the TC string. Paste it into the IAB TCF String Decoder at iabtcf.com. If the decoded output shows a "Vendors Disclosed" section, your CMP is outputting v2.3 strings.
Does TCF v2.3 affect websites outside of Europe?
TCF v2.3 applies to ad requests originating from the EEA, UK, and Switzerland. Traffic from the US, Asia, and other regions is not affected. Your CMP should apply TCF logic only when geo-detection identifies a visitor from a covered jurisdiction.
Get Your Consent Signals Right
If your Google error report is showing code 1.4 - or you have not checked yet - now is the time to act. Kukie.io detects, categorises, and helps manage every cookie on your site, with built-in support for TCF v2.3 and Google Consent Mode v2. A clean vendor list and valid consent strings keep your ad revenue intact and your compliance on solid ground.
