IAB TCF 2.2: What you need to know

IAB Europe updated their Transparency and Consent Framework to improve data privacy for users around how organizations collect and process data

Ryan Karlin
Director, Product Management, OneTrust Consent & Preferences
June 6, 2023

EU flags in front of a government building

What is IAB TCF 2.2?

The IAB Transparency and Consent Framework (TCF) is a set of technical specifications and policies that help publishers and advertisers comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. TCF 2.2, the latest version of the framework, was released on May 16, 2023.


Updates in TCF 2.2

TCF 2.2 includes changes that are designed to improve the transparency and control that users have over their data. Some of the key changes include:


Legitimate interest is no longer a legal basis for advertising and content personalization

In TCF 2.2, vendors can only use consent as a legal basis for processing personal data for advertising and content personalization purposes. This change is in line with recent decisions of Data Protection Authorities, which highlighted that consent is the appropriate legal basis for such processing of personal data.


Greater transparency around data use to end users

The information that is provided to end-users about how their data is being processed has been improved in TCF 2.2. This includes more detailed descriptions of the purposes for which data is being collected and processed, with increased transparency around the categories of personal data processed within TCF, as well as the options that users have to control their data. 

Businesses will need to ensure that their CMP user interface (UI) can be easily accessed by users where they can go in and modify their consent and preferences.


Technical updates

TCF 2.2 also includes technical updates, such as the deprecation of the getTCData command and the requirement for vendors to use event listeners to obtain the TC string.  

These changes are designed to improve the performance and reliability of TCF, and will have a major impact on publishers, advertisers, and vendors. 

  • Publishers will need to update their consent management platforms (CMPs) to comply with the new requirements
  • Advertisers will need to ensure that they are only using vendors that are compliant with TCF 2.2
  • Vendors will need to update their systems and processes to comply with the new framework

Overall, TCF 2.2 is a positive step towards greater data transparency and control for users. The changes in the framework will make it easier for users to understand how their data is being used and to make informed choices about their privacy.


What does TCF 2.2 mean for organizations?

The changes in TCF 2.2 will have a significant impact on organizations that collect and process personal data. Here are some of the key things that organizations need to know:


Update consent management platforms (CMPs) to comply with TCF 2.2

This includes updating the text of the consent banners and pop-ups, as well as the way that consent is collected and stored.


Ensure all vendors are compliant with TCF 2.2

This means checking the vendor's privacy policy and making sure that they are using the TCF 2.2 version of the vendor list.


Update systems and processes to comply with the new requirements

This may include changes to the way that data is collected, stored, and used.

Organizations that fail to comply with the new requirements could face fines and other penalties.


3 steps to get started with TCF 2.2

If your organization collects and processes personal data, you need to start planning your migration to TCF 2.2. Here are 3 steps you can take now to get started:


1. Read the TCF 2.2 documentation

The IAB Tech Lab has published detailed documentation on the changes in TCF 2.2. This documentation will help you understand the new requirements and how to implement them.


2. Review your vendor list

Make sure that all of the vendors that you use are compliant with TCF 2.2. You can find a list of compliant vendors on the IAB Tech Lab website.


3. Update your systems and processes

You may need to update your systems and processes to comply with the new requirements. This may include changes to the way that data is collected, stored, and used. Businesses under the TCF must transition to TCF v2.2 requirements by November 20, 2023.

Regarding modalities, any TC strings created before November 20, under TCF v2.1 will remain valid even after the date, i.e. no re-surfacing requirement.

However, TC strings created after November 20 under TCF v2.1 will be considered invalid.

Websites and mobile apps will need to update their CMPs to comply with TCF 2.2. OneTrust Consent & Preferences has updated its CMP in line with the latest requirements and will notify customers who are using TCF templates about changes to be made to the platform.

Migrating to TCF 2.2 can be a complex process, but it’s important to get started as soon as possible. The sooner you start, the more time you will have to make sure that your organization is compliant.

Learn more about how OneTrust can help you comply with the latest TCF requirements.

You may also like


Consent & Preferences

Compliant omni-channel automation: How to be a responsible marketer?

Join this webinar and learn how to create a compliant privacy-first marketing program that respects customer consent across multiple channels.

October 12, 2023

Learn more


Consent & Preferences

Honoring consent throughout the data lifecycle

Watch our webinar and learn how consent can enrich your data while helping you build a brand your customers can trust.

October 04, 2023

Learn more

Resource Kit

Consent & Preferences

The Google CMP requirements toolkit

Master Google's CMP Standards: Stay compliant and excel in the evolving ad landscape. Download our Google CMP Requirements Toolkit now!

September 27, 2023

Learn more