1. Overview

The IAB TCF version 2.3, released in June 2025, introduces a mandatory DisclosedVendors segment within the TC String. This update reduces ambiguity in vendor consent signaling and addresses the “ghost vendor” issue present in earlier versions of the framework.

2. What Has Changed (TCF 2.2 → TCF 2.3)

• Under TCF 2.2, there is no explicit requirement to confirm whether a vendor is disclosed to the user within the consent string.
• Under TCF 2.3, the DisclosedVendors segment is mandatory, and platforms are expected to parse and validate it before transmitting personal data signals.

3. What This Means

Effective February 28, 2026, TCF 2.3 compliance is enforced across all applicable European traffic:

• Bid requests containing personal data are sent only when a vendor is properly disclosed and has a valid legal basis.
• If a vendor is not disclosed in the TC String, personal identifiers and consent signals are anonymized before being shared downstream.
• Updated logging and reporting support compliance monitoring and audit requirements.

To support transparency, you can review the relevant vendor lists here for Performance+ Marketplace here

4. Example TC String Structure

Under TCF 2.3, the TC String is composed of dot-separated segments:

[ Core String ] . [ DisclosedVendors ] . [ Publisher TC ]

COsbk4AOSbk4AnWAAAENAwCgAAAAAAAAAAYgACPAAAAA.TDKO4AAqAKAGQAyqAAA.YAAAAAAAAAA

Where:

• Core String: Contains purposes, vendor consent, and legitimate interest signals
• DisclosedVendors (SegmentType = 1): Explicit list of vendors disclosed by the CMP
• Publisher TC : Publisher restrictions and custom purposes (if applicable)