TL;DR: IAB TCF 2.3 tightens transparency, makes disclosed vendor signalling mandatory in the TC string, and requires publishers and CMPs to support clearer purpose language, resurfacing consent, and stronger vendor disclosure controls before 28 February 2026, according to OneTrust. The practical shift is that consent operations now need auditable data-flow governance, not just updated banners.
NHIMG editorial — based on content published by OneTrust: IAB TCF 2.3: Preparing for Compliance
By the numbers:
- TCF 2.3 becomes mandatory on February 28th, 2026, replacing TCF 2.2.
Questions worth separating out
Q: What breaks when consent disclosure is not encoded clearly in the TC string?
A: When disclosure status is unclear, teams can no longer prove whether a vendor was properly shown to the user before processing began.
Q: Why does TCF 2.3 matter for GDPR accountability teams?
A: TCF 2.3 matters because it turns consent mechanics into evidence-bearing controls.
Q: What do privacy teams get wrong about CMP updates?
A: The common mistake is treating CMP changes as a banner refresh instead of a workflow change.
Practitioner guidance
- Map disclosure state to every vendor record Ensure each vendor in the CMP has an explicit disclosed or not-disclosed status and that the value is generated consistently in the TC string.
- Revalidate consent journeys end to end Test whether users can reopen the CMP, understand each purpose in plain language, and change choices without breaking logging or downstream policy enforcement.
- Review vendor lifecycle and legal basis mappings Check that all active vendors are listed on the current framework version and that consent, legitimate interest, and special purpose handling are aligned.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- The updated TCF 2.3 UI requirements for publishers, vendors, and CMP operators.
- The disclosure ambiguity scenario involving Legitimate Interest, Special Purposes, and the user’s Right to Object.
- The technical change to the TC string that makes the Disclosed Vendors segment mandatory.
- The step-by-step migration actions for organisations still running TCF 2.2 logic.
👉 Read OneTrust's guidance on preparing for IAB TCF 2.3 compliance →
IAB TCF 2.3 and consent governance: what changes for teams?
Explore further
Consent strings are becoming governance objects, not implementation details. TCF 2.3 shows that privacy operations fail when the control surface is treated as a banner problem instead of a data governance problem. Once the TC string can be linked to an individual, it sits at the intersection of identity, consent, and audit evidence. Practitioners should govern it as a lifecycle record with clear ownership and traceability.
A question worth separating out:
Q: Who is accountable when a consent framework update is missed?
A: Accountability usually sits with the organisation operating the CMP, the privacy team governing consent policy, and the business owners relying on the data. Where a standard changes, teams must recheck vendor lists, legal basis logic, and logging before the framework deadline to avoid non-compliant processing.
👉 Read our full editorial: TCF 2.3 raises the bar for consent governance in EU adtech