IAB Europe published the public comment version of the Transparency and Consent Framework 2.0 this week, and the reaction from the ad tech industry has been a mixture of genuine relief and pointed skepticism. Relief because TCF 1.0 was always a legal liability wrapped in a technical specification. Skepticism because 2.0 solves some of those problems by adding complexity that may prove unworkable for mid-tier publishers and vendors.
The consent string — the encoded signal passed through the bid stream that communicates what a user has consented to and which vendors are permitted to process their data — is at the center of both frameworks. In TCF 2.0, it has grown substantially more detailed. For adtech operators who live inside OpenRTB bid requests, this is the practical reality that matters most.
What Changed From TCF 1.0
TCF 1.0 was a binary framework: a user either consented to a vendor processing their data or they did not. Vendors were listed in the IAB’s Global Vendor List, consent was collected via a Consent Management Platform, and the resulting string was appended to bid requests. It was straightforward, and it was almost certainly insufficient under GDPR Article 7 requirements for freely given, specific, informed, and unambiguous consent.
TCF 2.0 introduces several material changes. First, it distinguishes between “consent” and “legitimate interest” as legal bases for processing. Vendors can now declare which purposes they are relying on consent for and which they are relying on legitimate interest — a distinction with significant legal consequences. Second, it introduces “special features” — data processing activities (precise geolocation, device fingerprinting) that require explicit opt-in, not just passive consent. Third, it expands publisher controls, allowing publishers to set their own default states for vendor purposes, restrict vendor access to certain processing types, and even override vendor legitimate interest claims.
The consent string itself now encodes a more complex structure: consent per purpose, legitimate interest per purpose, publisher restrictions, out-of-band legal basis indicators, and special feature opt-ins. Parsing and honoring this string correctly is a non-trivial engineering requirement.
The “Legitimate Interest” Controversy
The most contested element of TCF 2.0 is not a technical specification — it is the inclusion of legitimate interest as a valid legal basis for ad targeting and measurement purposes in the first place.
Under GDPR, legitimate interest is one of six lawful bases for processing personal data. Unlike consent, it does not require an affirmative opt-in from the user. Instead, the data controller must conduct a balancing test: does the controller’s interest in processing the data outweigh the individual’s privacy interest? For many processing activities — fraud prevention, security, basic service delivery — this test clearly passes. For behavioral advertising, the answer is legally contested.
Privacy advocates, regulators including the Belgian DPA, and several national data protection authorities have indicated that behavioral advertising does not pass the legitimate interest balancing test because users have a reasonable expectation that their browsing data will not be used for targeting by hundreds of unknown third parties. The European Data Protection Board has not issued a definitive ruling specifically on advertising legitimate interest, but its guidelines on legitimate interest are generally read as unfavorable to broad advertising use cases.
IAB Europe’s position is that TCF 2.0 enables vendors to use legitimate interest where that legal basis applies but does not endorse any particular vendor’s legitimacy interest claim. Critics argue that building legitimate interest into the framework’s architecture implicitly normalizes a legal basis that is inappropriate for most adtech processing and that it will be widely used to avoid obtaining genuine consent.
For adtech vendors trying to operate within TCF 2.0, the practical question is risk tolerance. Using consent as your legal basis for targeting is harder — users opt out — but defensible. Using legitimate interest is easier to implement at scale but creates legal exposure if a DPA challenges your balancing test.
Whether TCF 2.0 Satisfies GDPR
The honest answer is that no one outside of a courtroom can tell you with certainty. The framework is designed to be GDPR-compatible in its architecture, and IAB Europe has engaged with regulators in its design. But GDPR compliance is ultimately a question of whether a specific organization’s processing of a specific user’s data under specific circumstances meets the law’s requirements. A framework can provide infrastructure for compliance; it cannot guarantee it.
What TCF 2.0 does offer over TCF 1.0 is better granularity and audit trail. The consent string now encodes the specific purposes a user has consented to and the specific vendors permitted for each purpose. If a DPA investigates a complaint, a publisher or vendor with proper TCF 2.0 implementation can produce a more detailed record of what was collected and authorized. That is genuine legal value, even if it does not constitute a compliance guarantee.
Several data protection attorneys who have reviewed the 2.0 specification publicly suggest it is a material improvement over 1.0 but that its use of legitimate interest remains a regulatory flashpoint. The Belgian DPA’s ongoing investigation into the TCF framework itself — separate from any individual vendor complaint — is a signal that regulators are watching the framework, not just the companies using it.
What Publishers Need to Update
For publishers, TCF 2.0 implementation requires a CMP that is certified under the updated framework (IAB Europe maintains the registered CMP list). The CMP must present users with the new purpose-level disclosures, including the distinction between consent and legitimate interest purposes, and give users the ability to object to legitimate interest processing on a purpose-by-purpose and vendor-by-vendor basis.
Publishers who have configured custom vendor lists or publisher-specific restrictions under TCF 1.0 will need to reconfigure those settings in 2.0. The expanded publisher control features are genuinely useful — the ability to set floor consent requirements that override vendor defaults, for example — but implementing them requires understanding the consent string specification in detail.
Publishers should also prepare for user interfaces that are more complex than existing cookie banners. The requirement to present legitimate interest objections alongside consent choices means that a compliant CMP for TCF 2.0 cannot be a simple “Accept / Decline” binary. Users who want to exercise granular choices can do so, and the interface must make that possible.
What Adtech Vendors Need to Update
For vendors on the IAB Global Vendor List, TCF 2.0 requires updating their declared purposes to use the new Purpose taxonomy and indicating which legal basis — consent or legitimate interest — they intend to rely on for each purpose. This is a public declaration and it will be evaluated by both publishers (who can restrict vendor purposes) and regulators.
The more significant technical requirement is updating how vendors read and honor the consent string. TCF 2.0 strings are not backward compatible with TCF 1.0 parsers. Vendors passing bid stream signals that include TCF 2.0 strings must be able to decode the new format. The IAB Tech Lab’s CMP API specification and reference implementations are the starting point, but production implementation requires testing across the range of CMP outputs in the wild, which vary in ways the specification does not fully capture.
The public comment period for TCF 2.0 closes in late February. A final version is expected in the spring. Vendors and publishers who begin implementation planning now — even before the final specification is locked — will be better positioned when the transition window opens.
FAQ
Does TCF 2.0 make us GDPR compliant? TCF 2.0 provides a framework for managing and recording consent and legitimate interest signals in the bid stream. It is a tool for GDPR compliance, not a guarantee of it. Whether your specific data processing activities comply with GDPR depends on your legal basis, your data flows, your retention policies, and other factors the TCF does not control. Consult a data protection attorney who specializes in adtech for an assessment specific to your situation.
What happens if a user declines consent but a vendor claims legitimate interest? Under TCF 2.0, if a publisher passes a legitimate interest signal for a vendor and that vendor’s legitimate interest claim is not objected to by the user (users must be given the ability to object), the vendor may process the data under that legal basis. However, if the user explicitly objects to legitimate interest processing for a given vendor, that objection must be respected. Publishers can also configure their CMP to restrict certain vendors’ legitimate interest claims by default.
Do we need a new CMP to implement TCF 2.0? Not necessarily a new one, but you need a CMP that has been certified under TCF 2.0. Check IAB Europe’s registered CMP list for your current provider’s status. Many major CMP providers are already working on 2.0 certification. The timeline between public comment, final specification, and CMP certification means that full industry migration will take several months after the final spec is published.
How does TCF 2.0 interact with ePrivacy Regulation? The ePrivacy Regulation — the proposed EU law that would replace the Cookie Directive — would, if passed, impose stricter rules on accessing terminal equipment (cookies, device fingerprinting) that go beyond GDPR consent requirements. TCF 2.0 is designed with GDPR compliance in mind, but its legal basis architecture may need to adapt when and if ePrivacy passes. Given that the ePrivacy Regulation has been in negotiation for over three years with no clear resolution, practical planning against it remains difficult.