How to Implement IAB TCF v2.3 in WordPress?

IAB Europe introduced Transparency and Consent Framework v2.3 in June 2025, marking an important shift in how user consent is validated and enforced. While the TCF 2.2 focused mainly on policy changes, the latest update emphasizes proof of disclosure by requiring a technical mechanism that confirms vendors were clearly disclosed to users via disclosedVendors field.

For publishers that monetize through platforms such as Google Ad Manager, AdSense, or AdMob, this update is critical. If websites do not follow TCF v2.3 by 28 February 2026, consent strings generated after this date will be considered invalid. As a result, ad requests will default to limited ads, which can significantly reduce programmatic advertising revenue.

In this article, we explain what the IAB Transparency and Consent Framework is, what has changed in version 2.3, and how you can implement IAB TCF v2.3 on your WordPress website using WebToffee’s CMP plugin.

The Interactive Advertising Bureau ( IAB Europe) introduced the Transparency and Consent Framework known as IAB TCF, which provided guidelines and best practices for advertisers and publishers to ensure compliance with GDPR for showing ads and personalized suggestions.

The first version of the framework, TCF v1.1, was launched in 2018 by IAB Europe. It enabled publishers using a Consent Management Platform (CMP) to transmit user consent signals to vendors in a structured and interoperable way.

By introducing TCF guidelines, IAB Europe aimed to help businesses establish trust with their users and be responsible for data handling and processing. The framework allows organizations to continue serving relevant advertising and personalized experiences while respecting user privacy and consent choices.

Publisher, CMP, and Vendor – Definitions in IAB

Now, let’s look at some of the key definitions in IAB TCF:

• Publisher: A Publisher is a website that displays ads from businesses (or vendors) to users. Publishers act as a medium between a user and a business.
• CMP: Consent Management Platform (CMP) is a tool that enables websites, publishers, and organizations to collect and manage user consent for processing their personal data. It helps websites to comply with data privacy laws such as GDPR and CCPA.
• Vendor: Vendors are companies that advertise with the help of publishers to serve ads to users. The IAB maintains a Global Vendor List that contains information about vendors and their data processing practices. This list helps publishers and CMPs identify and communicate with registered vendors effectively.

When a visitor lands on a website, they might see a popup or banner asking for consent to process their personal data. This popup or banner is provided by a CMP integrated into the website.

Once a consent signal is received from the users, the website will be able to display ads to the users from the vendors.

TCF v2.3 is the latest version of the IAB Transparency and Consent Framework, designed to improve how user consent and vendor disclosure are captured and communicated across the advertising ecosystem. Released on 19 June 2025, this update addresses a technical gap related to how vendors confirm whether they were disclosed to users in the CMP interface.

Under the earlier versions of the TCF guidelines, in situations where the legitimate interest bit was set to zero, the vendor couldn’t tell

• Whether they were displayed to the user in the CMP interface?
• Or, the user saw the vendor and actively objected to data processing.

This ambiguity created compliance risks. If a vendor was not disclosed at all, any data processing would be unlawful. If the user objected, the vendor also had to stop processing, but the absence of a clear signal made it difficult to identify whether non-disclosure or user objection was the reason.

The issue became critical for vendors processing data for Special Purposes under legitimate interest. Without a definitive disclosure signal, vendors could not confirm that transparency requirements under GDPR had been met.

Therefore, the primary goal of TCF v2.3 is to remove this uncertainty by providing a verifiable method to confirm vendor disclosure, reducing compliance risks, and strengthening GDPR accountability.

TCF v2.3 introduces a mandatory disclosedVendors field in every Transparency and Consent string. This field provides a direct and verifiable signal indicating whether a vendor was disclosed to the user.

The disclosedVendors value works as follows:

• A value of 1 confirms that the vendor appeared in the CMP interface.
• A value of 0 indicates that the vendor was not disclosed.

This update removes guesswork and gives vendors a clear basis for deciding whether they can process data for Special Purposes. If a vendor’s disclosure value is set to zero, they must not process data under the legitimate interest exception because transparency has not been established.

Area	TCF v2.2	TCF v2.3
Vendor disclosure	Inferred indirectly through consent signals	Requires explicit confirmation using disclosedVendors
Legitimate interest ambiguity	Ambiguity around LI for Special Purposes	Ambiguity is resolved by introducing disclosedVendors as a mandatory field
CMP interface changes	Required for major policy changes	Not required for this update
Vendor responsibility	General consent string decoding	Mandatory verification of disclosure status
Enforcement deadline	November 2023	28 February 2026

To comply with IAB’s latest framework, you should have a CMP that supports the latest framework. You don’t need to feel overwhelmed by the TCF requirements, as we have the right solution for you.

Our GDPR Cookie Consent plugin can help you follow the IAB TCF v2.3 standards and lets you easily manage cookie consent for your WordPress website. We will discuss our plugin more in the latter part of this article. Now, let’s have a look at the step-by-step instructions to set up a TCF-compliant consent management system on your WordPress website.

Step 1: Install and Activate the GDPR Cookie Consent Plugin

After purchasing the WordPress Cookie Consent plugin, you will receive an email with a link to download the plugin zip file. You can also download the plugin file from the My Account page.

• Now, log in to your WordPress admin account.
• Navigate to Plugins > Add New.
• Upload the plugin zip file, then install and activate the plugin.

Step 2: Enable IAB Cookie Banner

From your WordPress sidebar menu, go to Cookie Consent.

• Under the Cookie Banner settings, choose the consent law as GDPR.
• Then, enable the cookie banner checkbox.
• Choose Geo-targeting if required. (Geo-targeting allows you to show the GDPR cookie banner only to EU visitors)
• Next, enable the IAB TCF v2.3 checkbox.

Once enabled, three additional settings will appear:

1. Support Google’s Additional Consent: This setting enables your plugin to support Google’s Additional Consent Mode, which works alongside IAB’s TCF to handle Google ad vendors who are not registered with the TCF Global Vendor List. When enabled, the plugin adds a special “additional consent” string to the TC string, listing the Google-approved vendors.
2. Manage Purposes and Features: This lets you select and configure the purposes and features for which user consent is requested. Displaying only relevant purposes improves transparency and compliance.
3. Manage vendor list: Here, you can choose which vendors to disclose to users. The list includes vendors from the IAB TCF Global Vendor List and Google Ad Tech providers.

After configuring these options, click Update settings to save your changes.

Step 3: Choose a Layout for Cookie Banner

• Now, go to the Layout tab under the General settings in Cookie Banner settings.
• Choose a layout style for the cookie notice. You have three different layouts, Box, Banner, and Popup, to create cookie notices on seven different positions on the website’s viewport.
• Then, choose a style for the Preference Center.

Step 4: Customize the Cookie Banner

Go to the Content & Colors tab. From here, you can customize the buttons and color of the cookie banner. However, you can’t modify the text of the cookie banner, as the plugin sets the banner text per the TCF standards.

• Use the Banner Preview option in the top right corner to preview the cookie banner. Then click on Update settings to save the changes.

Step 5: Testing the Banner

Here’s how the banner will look on your website:

• Click on the Third Party Vendor link to view the IAB vendors list and Google Ad Tech Provider to view the Google Ad Tech vendors list.

This allows your website visitors to provide granular consent to specific vendors to accept ads from them.

That’s it! You have successfully configured an IAB TCF (v2.3) compliant consent management system on your website.

GDPR Cookie Consent Plugin is one of the advanced cookie consent solutions for WordPress websites. The plugin supports different privacy laws like GDPR and CCPA. You can display cookie banners as required by specific laws. The banner layout can be customized to match your website theme.

You can configure the plugin to enable the IAB TCF-compliant cookie banner on your website. With the click of a button, the plugin configures the cookie banner as per IAB requirements. Leaving no worries for you. If you are confused about whether to choose a native plugin or go for a cloud-based CMP, check out our article: Why Do You Need a Native WordPress Consent Management Plugin?

Benefits of using the GDPR Cookie Consent Plugin:

• Full Compliance with IAB TCF v2.3
• Supports different privacy laws (GDPR, CCPA, CNIL, etc.)
• Multiple consent mode integration: Google consent mode, Microsoft Clarity v2, and UET.
• GDPR ready out-of-the-box
• Provide revisit consent option to site visitors
• Works within the WordPress dashboard
• Fully customizable cookie banners
• User consent logging

When Was IAB TCF Introduced?

IAB TCF (v1.1) was introduced in 2018 by IAB Europe. The TCF framework provided guidelines for businesses to comply with GDPR when processing personal data for online advertising purposes.

How Does the TCF Framework Work?

The TCF framework provides a channel for communicating the user consent data between publishers, vendors, and the consent management platform used in the publisher’s website. When a user provides consent, the CMP generates a consent string that contains the user’s consent preferences.

Vendors can query this consent string to check if they have the user’s consent for processing personal data. Based on the consent signals, they can determine whether they are allowed to process personal data for personalized advertising.

What Is a Legitimate Interest in IAB?

Legitimate interest means a lawful basis for processing the personal data of users. When registering with the IAB framework, vendors have to specify the purpose and the legal basis for processing personal data.

If a vendor selects “Legitimate Interest” as the reason for processing data, the user doesn’t have to give their consent for that specific purpose. The vendor can process the data based on their legitimate interests without needing the user’s explicit consent.

How do Special Purposes work under Legitimate Interest in TCF v2.3?

In TCF v2.3, Special Purposes, such as ensuring security or preventing fraud, can still be processed without requiring user consent. However, vendors must meet one critical condition: They must have been explicitly disclosed to the user in the CMP UI.

If a vendor was disclosed, they may process data for Special Purposes, even if the user clicked “Reject All”. If the vendor was not disclosed, they must not process data, regardless of the purpose.

What Is the Global Vendors List?

Global Vendors List (GVL) is a list of global vendors or advertisers registered with the IAB framework.

To register with the IAB framework, vendors have to follow the following conditions:
1. Modify their code so that cookies are not set until they receive consent from users or they have a legal basis for using cookies.
2. Specify the purpose for using cookies and the retention period of collected personal data.
3. Refrain from processing personal data until they have obtained explicit consent from the users.

Complying with the latest privacy standards is crucial for businesses operating in the digital space. The IAB Transparency and Consent Framework v2.3 strengthens consent management by removing ambiguity around vendor disclosure and reinforcing transparency requirements under GDPR.

By understanding what has changed in TCF v2.3 and implementing the updated framework before the deadline: 28th February 2026, publishers and website owners can reduce compliance risks, protect advertising revenue, and build greater trust with their users. Using a WordPress-native solution like the WebToffee GDPR Cookie Consent plugin makes it easier to adopt these changes and manage consent in line with IAB and Google requirements.

That brings us to the end of this guide on implementing IAB TCF v2.3 on WordPress. What are your thoughts on this article? Let us know in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.