Implementing IAB TCF 2.3 on your WordPress Site

The IAB Transparency and Consent Framework (TCF) is a standardized framework designed to ensure transparency and compliance in digital advertising practices. It explicitly addresses GDPR requirements and provides guidelines and technical specifications for Consent Management Platforms (CMPs) to manage user consent and preferences regarding data processing activities. To align with this industry standard, WebToffee is officially registered and certified under IAB Europe and included in the CMP list of IAB Europe’s CMP Compliance Programme. This would be beneficial as it adds an extra level of credibility. After installing the GDPR Cookie Consent plugin, follow the steps below to make your site TCF-compliant.

1. Choose the law as GDPR.
2. Enable IAB TCF 2.3 support.

TCF 2.3 is an update from IAB Europe to solve the “Ghost Vendor” issue during consent collection. The vendors were previously not able to tell whether the user rejected them or if they were not shown in the banner. This has been overcome in the TCF 2.3 update, where adding the disclosed vendor list is compulsory in the consent string. There’s no change to user experience and no need to collect consent again — just update before the February 28, 2026 deadline.

A TC string (Transparency and Consent string) is a compact, encoded piece of data generated by the Consent Management Platform (CMP) in this case, the WebToffee GDPR Cookie Consent plugin — at the moment a user accepts, rejects, or customises their cookie preferences. It capturs in a single encoded value the TCF framework version, the timestamp of consent, the CMP ID, the purposes for which consent was granted or denied, and as of TCF 2.3 the list of vendors that were disclosed to the user, which is then passed to advertising vendors and platforms such as Google Ad Manager so they can verify whether they have the legal basis to process a user’s data, effectively acting as a machine-readable consent receipt that travels with the user’s session across the ad tech ecosystem.

The TC string is stored in a first-party cookie named euconsent on your domain. To find it, open developer tools, go to the Application tab (in Chrome) or Storage tab (in Firefox), expand Cookies, and select your domain. Look for the cookie named euconsent, its value is the TC string.

The TC string is Base64-encoded and not human-readable on its own. To decode it and inspect the consent data it contains, you can use the following tools:

IAB TCF Decoder (official) Visit https://iabtcf.com/#/decode and paste your TC string. It will break down every field — including the CMP ID, consent purposes, legitimate interest purposes, vendor consents, and the Disclosed Vendors segment.

When you decode the string, look for the DisclosedVendors segment. Under TCF 2.3, this segment must be present. If it is missing, the consent string is not compliant with the updated framework.

TCF is an accountability tool that relies on standardization to facilitate compliance with GDPR. So it’s necessary to choose GDPR as the law.

1. From the Dashboard, Navigate to Cookie Consent > Cookie Banner.
2. In the Cookie banner tab, ensure to select the Consent law as GDPR.
3. In the Customize option, select GDPR.

To make your site compliant, you must manually enable the IAB TCF. Follow the steps below to enable TCF.

1. From the Dashboard, Navigate to Cookie Consent > Cookie Banner.
2. In the General section, click on IAB TCF 2.3 to support it.
3. Click on Update settings to save the changes.

After implementing IAB TCF v2.3 the user must :

• Initiate a page scan because of the additional cookie.
• Update the Privacy Policy page to inform visitors that your site shares data with vendors/ partners using cookies to improve their experience.

Once the changes are saved, the TCF-complaint consent banner will be delivered automatically to those users who access your site from the applicable regions. 

The first and second layers of the cookie banner are non-editable, as IAB TCF v2.3 enforces strict policies on the wording used to ensure clear and concise information for users about the collection and processing of their data.

Users can click the Customize button in the Cookie banner to state their preferences. Consent preferences include the user’s choices or preferences regarding vendors, purposes, and special features defined within the TCF framework. Once IAB TCF is enabled and the user interacts with the website, the CMP sends consent signals to vendors, indicating each vendor’s consent preferences and purpose. These signals help vendors determine whether they have the user’s consent to process their data for specific purposes.

The Purposes & Features and Vendor list can be edited from the General settings tab.

• Manage Purposes and Features – Select the purposes and features to be displayed on the second layer of the Cookie banner for user consent.
• Manage vendor list – Select TCF-listed vendors to display in the cookie banner. All vendors selected will receive consent to purpose, features, and special features if applicable.

Google Additional Consent is a specification that allows TCF v2.3-compliant publishers to obtain consent and work with ad tech providers that are not registered with the IAB Europe’s Transparency & Consent Framework (TCF) but are listed on Google’s Ad Tech Providers (ATP) list.

• Support Google’s Additional Consent – Enable this option to add Google’s Ad Tech Providers to the cookie banner and Vendor list.

1. From the dashboard, click on Cookie Consent > Cookie banner.
2. In the General section, toggle IAB TCF 2.3 option. Enabling this option will also display the additional consent option.

3. Click on Support Google’s Additional Consent to enable Google’s additional consent.

4. Enabling this option will add Google’s Ad Tech Providers to the cookie banner and Vendor list.
   

The IAB TCF framework helps websites handle user consent in a clear and standardized way to meet GDPR requirements. With WebToffee’s officially certified GDPR Cookie Consent plugin, you can make your site TCF-compliant by simply choosing GDPR as the law and enabling IAB TCF 2.3. Once turned on, the plugin automatically shows a compliant banner, manages vendor preferences, and sends the correct consent signals—making it easier to stay transparent, trustworthy, and aligned with industry standards.