1. Overview

The IAB TCF version 2.3, released in June 2025, introduces a mandatory new DisclosedVendors segment within the TC String. This update is designed to reduce ambiguity in vendor consent signaling and address the so called the “ghost vendor” issue present in earlier versions of the framework.

2. What Has Changed (TCF 2.2 → TCF 2.3)

• Under TCF 2.2, there was no explicit requirement to confirm whether a vendor was disclosed to the user within the consent string.
• Under TCF 2.3, the DisclosedVendors segment is mandatory, and platforms are expected to parse and validate it before transmitting personal data signals.

3. What This Means

Effective February 28, 2026, we will enforce TCF 2.3 compliance across all applicable European traffic:

• Bid requests containing personal data will only be sent where a vendor is properly disclosed and has a valid legal basis.
• Where a vendor is not disclosed in the TC String, personal identifiers and consent signals will be anonymized before being shared downstream.
• Updated logging and reporting will be implemented to support compliance monitoring and audit requirements.

To support transparency, you can review the relevant vendor lists here for Performance+ Marketplace here

4. Example TC String Structure

Under TCF 2.3, the TC String is composed of dot-separated segments:

[ Core String ] . [ DisclosedVendors ] . [ Publisher TC ]

COsbk4AOSbk4AnWAAAENAwCgAAAAAAAAAAYgACPAAAAA.TDKO4AAqAKAGQAyqAAA.YAAAAAAAAAA

Where:

• Core String: Contains purposes, vendor consent, and legitimate interest signals
• DisclosedVendors (SegmentType = 1): Explicit list of vendors disclosed by the CMP
• Publisher TC : Publisher restrictions and custom purposes (if applicable)