Publishers and Consent Management Platforms face a February 28, 2026 deadline to implement IAB Europe’s updated framework, with Google systems accepting v2.3 strings immediately.
Google today announced all publishers and Consent Management Platforms must complete migration to IAB Europe’s Transparency and Consent Framework version 2.3 by February 28, 2026. The transition addresses evolving industry standards for user transparency and consent in digital advertising, according to documentation released through Google AdSense Help and Authorized Buyers Help resources.
Google’s systems can accept and process TCF v2.3 strings immediately, enabling publishers to begin migra…
Publishers and Consent Management Platforms face a February 28, 2026 deadline to implement IAB Europe’s updated framework, with Google systems accepting v2.3 strings immediately.
Google today announced all publishers and Consent Management Platforms must complete migration to IAB Europe’s Transparency and Consent Framework version 2.3 by February 28, 2026. The transition addresses evolving industry standards for user transparency and consent in digital advertising, according to documentation released through Google AdSense Help and Authorized Buyers Help resources.
Google’s systems can accept and process TCF v2.3 strings immediately, enabling publishers to begin migration ahead of the mandatory deadline. The announcement establishes a transition period running through the end of February 2026, during which Google will treat TCF v2.3 strings in the same manner as TCF v2.2 strings.
“Google’s systems can accept and process TCF v2.3 strings today. As such we recommend that you begin this transition well ahead of the deadline to avoid disruption to ad serving,” according to the publisher integration documentation.
The mandatory compliance deadline aligns with IAB Europe’s broader timeline for framework adoption. Publishers using third-party CMPs must coordinate directly with their vendors to confirm migration plans and timelines. Google will handle the transition automatically for publishers using Google’s own CMP solution, which will begin writing TCF v2.3 strings ahead of the February 28, 2026 deadline.
Technical specifications and validation period
During the transition period, Google will not validate the disclosed vendor segment in TCF v2.3 strings. This creates a safe implementation window for publishers to deploy and test updated solutions without risk of ad requests defaulting to Limited Ads serving. The approach differs from previous TCF migrations, which faced criticism over implementation challenges and revenue impacts.
IAB Tech Lab opened the TCF v2.3 technical specifications for public comment on April 19, 2025, with a one-month comment period ending May 19, 2025. The update directly addresses vendor disclosure ambiguity that created uncertainty for vendors processing data under Legitimate Interest for Special Purposes.
Support for new TCF v2.2 strings will officially end on February 28, 2026. However, Google will continue supporting TCF v2.2 strings created before that date. Any TC strings generated on or after February 28, 2026 must comply with TCF v2.3 specifications. Publishers failing to meet this requirement risk having associated ad requests default to Limited Ads serving, which typically generates lower revenue.
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Impact on bid request eligibility
The framework integration affects how real-time bidding buyers, including Authorized Buyers, Open Bidding partners, and SDK Bidders, receive bid requests and win auctions. Google reads and passes the TC string for all ad requests from publishers implementing IAB Europe TCF, parsing it to determine which partners have appropriate legal basis for processing personal data.
For personalized ad requests, Authorized Buyers, Open Bidding Networks, and SDK Bidders must register for purposes 1 and 4 with “Consent” as the legal basis, and users must consent to those purposes. Purpose 1 refers to “Store and/or access information on a device,” while Purpose 4 involves “Select personalized ads,” according to IAB Europe Transparency and Consent Framework Policies.
Open Bidding Exchanges face slightly different requirements. They must register for Purpose 1 with consent and Purpose 4 with either consent or “Not used.” Users must consent to Purpose 1, and to Purpose 4 if the exchange registered with consent as the legal basis.
Non-personalized ad requests require consent for Purpose 1 and either consent or legitimate interest for Purpose 2, which covers “Select basic ads.” Limited ads requests demand registration for at least one purpose or special purpose with consent or legitimate interest as the legal basis, with users granting the corresponding permission.
Buy ads on PPC Land. PPC Land has standard and native ad formats via major DSPs and ad platforms like Google Ads. Via an auction CPM, you can reach industry professionals.
Creative and vendor pixel requirements
Google will pass the TC string in bid requests only to bidders meeting eligibility criteria. Ad Manager determines which vendors can process user personal data based on user choices expressed in the TC string, requiring buyers to respect these preferences while complying with Google policies and TCF policy.
All vendors in a creative must have at least one legal basis in the TC string for that creative to serve. Vendors registered for “Actively scan device characteristics for identification” (Special Feature 2) face additional restrictions. Creatives containing such vendors only become eligible to serve if users have not opted into Special Feature 2.
Open Bidding Exchanges bear responsibility for passing the TC string to eligible bidders and ensuring returned creatives contain only compliant vendors. Google scans for policy and consent approvals at the domain level in ad creatives. Without domain information, Google cannot confirm consent presence and may block creatives containing unknown domains or unrecognized vendors not appearing on Google’s Ad Technology Providers list for the EEA or UK.
Ad technology providers can register with Google or request domain updates through the Certification process guide. The system aims to prevent unauthorized or non-compliant vendors from serving ads to users who have not provided appropriate consent.
Cookie matching service implications
Cookie match eligibility requires specific consent and legitimate interest criteria. If the “&gdpr” and “&gdpr_consent” parameters appear in a cookie match request, Google will sync cookies with third-party vendors only when specific conditions are met.
Google must have consent for Purpose 1 (Store and/or access information on a device), Purpose 3 (Create a personalized ads profile), and Purpose 4 (Select personalized ads). Legitimate interest must be established for Google regarding Purpose 2 (Select basic ads), Purpose 7 (Measure ad performance), Purpose 9 (Apply market research to generate audience insights), and Purpose 10 (Develop and improve products).
Third-party vendors must register for Purpose 1 under consent, and users must grant consent for that vendor. For Purposes 3 and 4, each vendor requires user consent unless they register under “Not Used,” which removes the consent requirement for those purposes.
Users must also grant consent for vendors regarding Special Feature 2 if vendors are registered for that feature. The multi-layered requirements reflect Google’s implementation of both IAB Europe TCF standards and its own stricter policy requirements.
Technical implementation details
For OpenRTB implementations, the bid request field “User.ext.consent” will contain the TC string. Google will continue populating “Regs.ext.gdpr” to indicate whether GDPR applies to the request. For Google Protocol implementations, the field “AdSlot.ConsentedProvidersSettings.tcf_consent_string” will contain the TC string, with “regs_gdpr” indicating GDPR applicability.
Cookie Match Service users can add “&gdpr” and “&gdpr_consent” parameters to cookie match requests or responses, populating “&gdpr_consent” with the TC string. Google parses the string to determine whether users provided appropriate consent and responds accordingly.
GPT, GPT Passbacks, AdSense, and Ad Exchange Tags will automatically communicate with the IAB CMP to forward the TC string without publisher configuration. IMA SDK and Mobile Ads SDK will automatically obtain, parse, and respect the TC string from local storage. Other tag types require manual passing of signals using “gdpr={0,1}” and “gdpr_consent={tc string}” parameters.
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Additional Consent Mode specifications
Google defined Additional Consent Mode as a technical specification intended exclusively for use alongside IAB Europe’s TCF for vendors not yet registered on the IAB Europe Global Vendor List. The specification enables publishers, CMPs, and partners to gather and propagate additional consent alongside TCF implementation for companies on Google’s Ad Tech Providers list but not registered with IAB Europe.
For publishers implementing TCF while also seeking user consent for additional non-TCF providers, Google sends the TC string as described in standard implementations. Additional non-TCF vendor IDs are transmitted in an extension to TCF using existing fields: “User.ext.ConsentedProvidersSettings.consented_providers” for OpenRTB and “AdSlot.ConsentedProvidersSettings.consented_providers” for Google Protocol.
The consented providers field contains only additional non-TCF providers, with TCF vendors sent in the TC string. Google uses the “consented_providers” fields in two scenarios: for publishers not implementing TCF, continuing the current GDPR solution, and for publishers implementing TCF who collected consent for non-TCF vendors.
Policy requirements exceed TCF standards
Google’s interoperability guidance reflects existing policy requirements, particularly Google’s EU User Consent policy and policies against fingerprinting for identification. These policies continue to apply and prove more restrictive than IAB Europe TCF in some cases.
Regardless of how vendors register or publishers’ choices regarding vendor treatment, Google requires all vendors obtain consent as the only valid legal basis for specific purposes. Vendors registering flexibly for “Consent or legitimate interest as a legal basis” give publishers three options: respect the default, specify that consent is required, or specify that legitimate interest is required.
The framework implementation contains complex scenarios depending on vendor registration with IAB Europe TCF, publisher settings, and user consent. Google has registered purposes 2, 7, 9, and 10 as flexible, defaulting to requiring legitimate interest. Unless publishers configure their CMP to restrict Google to consent for these purposes, Google relies on legitimate interest where the CMP has established it with users.
Google is not flexibly registered for purposes 1, 3, and 4 and always requires consent for these purposes. The distinction between Google’s requirements and IAB Europe TCF policies creates additional compliance layers for vendors and publishers navigating the framework.
Enforcement and compliance landscape
The Belgian Market Court confirmed in May 2025 that IAB Europe acts as joint controller for TC String processing within the TCF framework while limiting its responsibilities for subsequent OpenRTB processing operations. The ruling followed a lengthy legal battle and clarified IAB Europe’s position after a February 2022 Belgian Data Protection Authority decision found TCF non-compliant with Article 6 of GDPR.
IAB Europe launched a TCF Vendor Compliance Programme aimed at identifying and enforcing against non-compliant vendor implementations. The program monitors top websites in key European markets and acts on community reports of non-compliance. Vendors face escalating consequences for repeated violations, including suspension from the Global Vendor List.
Over 400 enforcement procedures targeted participating organizations for non-compliance in 2024, resulting in temporary suspension of more than 20 entities until they remedied identified issues. Suspended organizations cannot seek user consent, directly impacting operational capacity and revenue generation.
Why this matters for marketers
The TCF v2.3 transition represents the latest iteration in digital advertising’s ongoing adaptation to privacy regulations and user consent requirements. The framework has undergone several significant updates since its February 2017 inception, when IAB Europe launched the collaborative effort involving more than 70 member companies.
Publishers monetizing through programmatic advertising face revenue implications if they miss the deadline or implement incorrectly. The risk of defaulting to Limited Ads serving creates financial pressure to complete migration early in the transition period. Publishers using third-party CMPs face dependency on vendor timelines and technical capabilities.
Authorized Buyers and other programmatic participants must ensure their IAB Europe TCF registration aligns with Google’s requirements, which exceed basic TCF compliance. The distinction between Google’s policy requirements and IAB Europe TCF policies creates additional technical and legal complexity.
Consent Management Platforms must update their implementations to support TCF v2.3 specifications while maintaining backward compatibility during the transition period. The requirement to handle both disclosed vendor segments and Additional Consent Mode adds technical complexity to CMP operations.
The framework’s continued evolution reflects ongoing tensions between effective digital advertising operations, user privacy protection, and regulatory compliance. Previous TCF versions addressed specific challenges including the Planet49 ruling from the Court of Justice of the European Union and vendor disclosure ambiguity in Special Purpose processing scenarios.
IAB Tech Lab opened a device disclosure specification for public comment in late 2025, introducing requirements for vendors to declare cookies used outside the TCF framework, declare cookies for Special Purposes, and declare SDK package identifiers in mobile applications. These additional transparency requirements demonstrate the framework’s expanding scope.
The digital advertising industry continues navigating complex requirements across multiple jurisdictions. Beyond European GDPR compliance, frameworks now address Canadian privacy laws, with IAB Tech Lab releasing updated TCF Canada specifications in February 2024. The Global Privacy Platform provides technical infrastructure for managing diverse privacy signals across jurisdictions.
Market participants face the challenge of maintaining technical compliance across evolving standards while preserving operational effectiveness and revenue generation. The February 28, 2026 deadline represents a hard cutoff requiring coordinated action across publishers, CMPs, vendors, and ad tech platforms.
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Timeline
- February 2017: IAB Europe launched collaborative effort to create TCF with more than 70 member companies
- April 2019: IAB Europe launched TCF v2.0 for public comment with 30-day feedback period
- August 2019: TCF v2.0 launched with major changes accommodating publisher needs
- February 2, 2022: Belgian Data Protection Authority issued decision finding IAB Europe as joint controller, imposing €250,000 fine
- March 2024: Court of Justice of the European Union established TC Strings constitute personal data
- April 19, 2025: IAB Tech Lab opened TCF v2.3 specifications for public comment
- May 14, 2025: Belgian Market Court limited IAB Europe’s joint controller role to TC String processing within TCF
- May 19, 2025: TCF v2.3 public comment period closed
- November 3, 2025: Google announced mandatory transition to TCF v2.3 by February 28, 2026
- Now through February 2026: Transition period where Google treats v2.3 strings same as v2.2 strings
- February 28, 2026: IAB mandatory deadline for all publishers and CMPs to implement TCF v2.3; Google drops support for new v2.2 strings
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Summary
Who: Google, through its AdSense and Authorized Buyers programs, announced the requirement affecting all publishers, Consent Management Platforms, Authorized Buyers, Open Bidding partners, and SDK Bidders participating in its advertising ecosystem. IAB Europe and IAB Tech Lab developed the TCF v2.3 framework specifications.
What: A mandatory migration to IAB Europe’s Transparency and Consent Framework version 2.3, requiring updated technical implementations for handling user consent strings in digital advertising. The transition affects bid request eligibility, creative serving requirements, and cookie matching processes. Google’s systems began accepting TCF v2.3 strings immediately upon announcement.
When: Google made the announcement on November 3, 2025, establishing February 28, 2026 as the mandatory compliance deadline. A transition period runs from the announcement through the deadline, during which Google treats v2.3 strings the same as v2.2 strings without validating disclosed vendor segments. Support for new TCF v2.2 strings ends on the deadline date.
Where: The requirement applies to Google’s advertising products including AdSense, Ad Manager, AdMob, Authorized Buyers, and Open Bidding across the European Economic Area, United Kingdom, and Switzerland. The framework implements GDPR and ePrivacy Directive requirements for these jurisdictions.
Why: The transition aligns with evolving industry standards for user transparency and consent in digital advertising. TCF v2.3 addresses vendor disclosure ambiguity present in previous versions, particularly for vendors processing data under Legitimate Interest for Special Purposes. The update maintains compliance with GDPR requirements while attempting to resolve technical implementation challenges identified in earlier framework versions. Publishers risk having ad requests default to Limited Ads serving if they fail to meet the deadline, potentially impacting revenue.