The IAB Transparency and Consent Framework (TCF) is a standardized technical protocol that enables websites, advertisers, and ad-tech vendors to transmit, interpret, and enforce user consent preferences for personal data processing in compliance with the GDPR and ePrivacy Directive. It defines a common vocabulary and API for Consent Management Platforms (CMPs) to capture granular user choices and encode them into a transparent, cryptographically signed consent string disseminated to all downstream partners in the real-time bidding ecosystem.
Glossary
IAB Transparency and Consent Framework (TCF)

What is IAB Transparency and Consent Framework (TCF)?
A standardized technical protocol and API designed by the Interactive Advertising Bureau to communicate user consent choices throughout the digital advertising supply chain.
The framework establishes a Global Vendor List (GVL) of registered ad-tech intermediaries and maps specific processing purposes, legal bases—including legitimate interest—and data categories to standardized integer identifiers. This allows publishers to configure purpose-specific restrictions and enables programmatic systems to parse the TC String deterministically, ensuring that a user's objection to a specific vendor or purpose is technically enforced at the impression level without breaking the supply chain.
Core Components of the TCF
The IAB Transparency and Consent Framework (TCF) is built on a modular technical architecture that standardizes the communication of user consent choices across the digital advertising supply chain. These core components define how consent is captured, encoded, and transmitted between Consent Management Platforms (CMPs) and vendors.
Purposes and Legal Bases
The TCF defines 11 standardized processing purposes (e.g., Purpose 1: 'Store and/or access information on a device', Purpose 7: 'Measure advertising performance') and 6 legal bases (Consent, Legitimate Interest, Consent or Legitimate Interest, Special Purposes, Features, Special Features). Each vendor declares which purposes they operate under and which legal basis they rely on. This granular matrix allows users to consent to specific data uses rather than a binary accept/reject, fulfilling the granular consent requirement under GDPR Article 7.
Publisher Restrictions
A mechanism allowing publishers to override vendor-level consent at the purpose level. Even if a user grants consent to a vendor for a specific purpose, the publisher can programmatically restrict that purpose from executing on their property. These restrictions are embedded directly into the TC String as a bitfield, ensuring downstream ad tech vendors and ad servers respect the publisher's constraints without additional server-side lookups. This is critical for publishers with strict data governance policies.
TCF Signals for In-App Environments
The mobile in-app equivalent of the web-based TC string, transmitted via OpenRTB bid request extensions. Key differences from web implementation:
- Uses
getInAppTCDataAPI method instead of cookie storage - Relies on device-level advertising identifiers (IDFA, AAID) for persistence
- Requires CMP SDK integration rather than JavaScript injection
- Supports app-to-web consent bridging for hybrid user journeys This ensures consistent consent signaling across mobile apps and mobile web environments.
Frequently Asked Questions
Clear answers to the most common technical and operational questions about implementing the IAB Transparency and Consent Framework for digital advertising compliance.
The IAB Transparency and Consent Framework (TCF) is a standardized technical protocol and API designed by the Interactive Advertising Bureau (IAB Europe) to communicate user consent choices throughout the digital advertising supply chain. It works by establishing a common vocabulary and signaling mechanism between three primary actors: Consent Management Platforms (CMPs), which capture user preferences; publishers, who integrate the CMP on their sites; and vendors (ad tech providers, DSPs, SSPs), who receive a standardized Transparency and Consent (TC) String. This encoded string contains the user's consent status for specific processing purposes, their legitimate interest objections, and the list of vendors they have authorized. The framework operates on a Global Vendor List (GVL) , a registry of all registered vendors, their declared purposes, legal bases, and privacy policy URLs, ensuring every participant in the bid stream can decode the signal and act accordingly without direct contractual relationships between every party.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The IAB TCF operates within a broader privacy engineering ecosystem. These related concepts define the technical and legal infrastructure required to operationalize consent at scale.
Consent Management Platform (CMP)
The client-side software responsible for surfacing the consent UI to the user and generating the TC String. A CMP acts as the bridge between the user interface and the downstream vendor ecosystem.
- Captures granular user choices per processing purpose
- Communicates signals via the Consent API to ad tech vendors
- Stores proof of consent for the Consent Audit Trail
Global Privacy Control (GPC)
A browser-level binary signal that communicates a universal opt-out preference. Unlike the granular TCF, GPC sends a single, sweeping objection to the sale or sharing of personal data.
- Legally recognized under CCPA/CPRA
- Transmitted via HTTP
Sec-GPCheader or DOM property - TCF-compatible CMPs must respect GPC as a valid do-not-sell signal
Consent Audit Trail
An immutable, time-stamped log recording the full lifecycle of a consent action. This is the evidentiary backbone proving compliance during a regulatory investigation.
- Captures the specific notice text presented to the user
- Records the TC String generated and the user's IP/User-Agent
- Essential for demonstrating valid consent under GDPR Article 7(1)
Granular Consent
A privacy design pattern requiring separate, specific opt-in choices for distinct processing purposes. The TCF operationalizes this by mapping vendor declarations to specific, user-selectable purposes.
- Rejects bundled or blanket consent mechanisms
- Enables Purpose-Based Access Control enforcement downstream
- Core requirement of the GDPR's freely given standard
Legitimate Interest Assessment (LIA)
A three-part balancing test that a data controller must conduct before relying on legitimate interest as a legal basis. Within the TCF, vendors declare reliance on legitimate interest for specific purposes.
- Assesses purpose necessity, impact on data subject, and reasonable expectations
- Users retain the right to object to legitimate interest processing
- TCF v2.2 removed legitimate interest as a legal basis for advertising personalization
Consent Reconciliation
The backend process of synchronizing conflicting consent states for a single identity across multiple devices, browsers, and internal systems to establish a single source of truth.
- Resolves conflicts between device-level and account-level consent
- Critical for cross-device identity graphs in programmatic advertising
- Prevents unauthorized processing caused by stale or fragmented consent records

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us