A Legal Stress Test for the TCF
In March 2024, the Court of Justice of the European Union issued its ruling in IAB Europe v Gegevensbeschermingsautoriteit (C‑604/22), concluding that Transparency and Consent (TC) strings may qualify as personal data within the meaning of Article 4(1) GDPR where they relate to an identifiable user and can reasonably be combined with other data available to framework participants, such as IP addresses or device identifiers.
The Court also held that IAB Europe may act as a joint controller for processing operations related to the creation and dissemination of the TC string, given its role in defining the framework’s rules and managing the Global Vendor List. However, this qualification does not automatically extend to all downstream processing performed by TCF participants.
The underlying enforcement action was initiated by the Belgian Data Protection Authority, whose decision raised concerns about transparency, governance, and the legal qualification of processing activities within the framework. Proceedings before the Brussels Court of Appeal led to the preliminary reference to the CJEU.
Against this regulatory backdrop, TCF v2.3 was introduced by IAB Europe in 2025, with a mandatory implementation deadline of 28 February 2026, aiming to address compliance concerns and strengthen the framework’s governance and transparency mechanisms.
The Signaling Flaw That the disclosedVendors Segment Fixes
The core issue TCF 2.3 addresses is a grey zone arising from the use of Legitimate Interest by a specific class of vendors. Under TCF 2.2, for vendors relying on Legitimate Interest for Special Purposes such as fraud detection and security, whether the vendor was disclosed is legally material: Special Purpose processing is permissible without explicit consent, but only if the vendor was disclosed to the user as part of the CMP's transparency layer. Without proof of disclosure, "no consent" and "never shown" were indistinguishable in the signal, meaning vendors couldn't confirm whether they had a legitimate basis to process at all. TCF 2.3 resolves this by making the disclosedVendors segment mandatory in every TC string.
What Changed in the TC String Structure — and What Didn't
In TCF v2.3, the TC string begins with the Core String segment, which may be followed by additional segments, including the Disclosed Vendors segment (now mandatory where vendors are disclosed) and, where applicable, the PublisherTC segment.
What TCF 2.3 does not change is equally important to understand.
The removal of Legitimate Interest as a valid legal basis for key advertising purposes — specifically Purposes 3 through 6 in the IAB purpose taxonomy — was introduced in TCF v2.2 and remains unchanged in version 2.3. These purposes continue to require explicit user consent.
IAB Europe has also clarified that the transition to TCF 2.3 does not require publishers to re-surface consent interfaces to existing users solely because of the framework update. TC strings generated before the 28 February 2026 implementation deadline may continue to exist within the ecosystem even if they do not contain newly introduced segments such as disclosedVendors.
In other words, the update primarily introduces forward-looking infrastructure changes to improve transparency and governance within the framework, rather than retroactively invalidating previously collected consent signals.
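As an added example (not IAB Europe's code), the sketch below shows how a vendor-side check could separate "disclosed", "not disclosed" and "unknown" for a TC string, including legacy strings that carry no disclosedVendors segment. The bit layout (dot-separated base64url segments, a 3-bit SegmentType with 1 = DisclosedVendors, a 16-bit MaxVendorId, then bitfield or range encoding) is assumed from the published TC string format specification rather than taken from this page, and the sample strings and function names are constructed.

```python
"""Added example: was a vendor disclosed according to a TC string?"""
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
SEG_DISCLOSED_VENDORS = 1  # 3-bit SegmentType (assumed from the TC string spec)

# Constructed samples. CORE is a placeholder and is never decoded here.
CORE = "CPlaceholderCore"
BITFIELD_SEG = "IAGEIQ"        # bitfield encoding: vendors 2, 7, 12
RANGE_SEG = "IAKQAgABwAKAA8"   # range encoding: vendor 3 and vendors 10-15

def _bits(segment):
    # Segments are unpadded base64url over a bit string, so decode character
    # by character; byte-oriented decoders reject lengths with len % 4 == 1.
    return "".join(format(B64URL.index(ch), "06b") for ch in segment)

def disclosed_vendor_ids(tc_string):
    """Set of disclosed vendor IDs, or None when the segment is absent."""
    for segment in tc_string.split(".")[1:]:     # element 0 is the Core String
        bits = _bits(segment)
        if int(bits[0:3], 2) != SEG_DISCLOSED_VENDORS:
            continue                             # e.g. PublisherTC
        max_id = int(bits[3:19], 2)
        if bits[19] == "0":                      # bitfield: one bit per vendor
            return {v for v in range(1, max_id + 1) if bits[19 + v] == "1"}
        ids, pos = set(), 32
        for _ in range(int(bits[20:32], 2)):     # NumEntries
            is_range = bits[pos] == "1"
            width = 33 if is_range else 17
            if pos + width > len(bits):
                raise ValueError("truncated range entry")
            start = int(bits[pos + 1:pos + 17], 2)
            end = int(bits[pos + 17:pos + 33], 2) if is_range else start
            ids.update(range(start, end + 1))
            pos += width
        return ids
    return None

def disclosure_status(tc_string, vendor_id):
    try:
        ids = disclosed_vendor_ids(tc_string)
    except (ValueError, IndexError):             # bad character or truncation
        return "invalid"
    if ids is None:
        return "unknown"   # no segment: "never shown" cannot be ruled out
    return "disclosed" if vendor_id in ids else "not_disclosed"

if __name__ == "__main__":
    for tc in (CORE, CORE + "." + BITFIELD_SEG, CORE + "." + RANGE_SEG):
        print(tc, disclosure_status(tc, 12))
```

Keeping "unknown" and "invalid" separate from "not_disclosed" lets logs and audits show which strings predate the segment and which were malformed.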
What the Pattern of TCF Updates Signals About Where Regulation Is Heading
Each successive version of the TCF has moved in the same direction — from assumed transparency toward verifiable transparency, with fewer policy-layer workarounds available. TCF 2.2 eliminated Legitimate Interest for advertising purposes and forced explicit consent. TCF 2.3 added a technical audit trail proving that disclosed vendors were actually shown to users. The pattern is consistent: regulators and courts have repeatedly rejected the model where transparency is declared rather than demonstrated, and the framework has had to follow. There is no indication this direction reverses in future versions.