DocsBlogIntegrationsSign InSign Up
Consent

Configuring IAB TCF v2.3

How to enable and configure IAB Transparency and Consent Framework (TCF) v2.3 in Concord for GDPR-compliant advertising consent, including vendor management, stacks, legitimate interest, and privacy center integration.

Overview

IAB TCF v2.3 is the industry-standard framework for collecting and managing user consent across the digital advertising ecosystem. It produces machine-readable Transparency and Consent (TC) strings that tell ad-tech vendors exactly what a user has consented to, replacing ambiguity with a clear, auditable signal.

TCF v2.3 introduces a key change: the Disclosed Vendors signal is now a required component of every consent string. This means vendors can verify whether they were actually presented to the user at the point of consent — strengthening accountability, particularly for legitimate interest scenarios, and aligning more closely with GDPR expectations around informed consent.

Organizations that serve ads in GDPR-regulated regions or work with IAB-registered ad-tech vendors should enable TCF in Concord.

Prerequisites

Before enabling TCF, confirm the following:

  • Admin access to your Concord organization
  • A project with a configured region template (TCF settings apply per-project)
  • A list of advertising technology vendors your organization uses
  • Understanding of your Google advertising requirements — specifically whether you need Google Additional Consent support for providers not on the IAB Global Vendor List

Enabling TCF

  1. Navigate to Privacy > Consent > Consent Settings.
  2. Under IAB TCF Framework, open the Mode dropdown and select a mode:
ModeWhen to use
DisabledTCF functionality is off (default). Use if you do not serve ads in GDPR-regulated regions.
IAB TCF v2.3Standard TCF for IAB-registered vendors. Generates TC strings conforming to the v2.3 specification.
IAB TCF v2.3 with Google ATPAdds support for Google Additional Technology Providers (ATPs) that are not on the Global Vendor List. Use if your organization runs Google Ad Manager, AdSense, or other Google advertising technologies.
  1. Click Save.

Once saved, the Vendors, Stacks, and Purposes sub-tabs appear under the IAB TCF section.

Managing Vendors

IAB Vendors

  1. With TCF enabled, click the Vendors sub-tab under Privacy > Consent > Consent Settings > IAB TCF.
  2. The vendor table lists all IAB-registered vendors from the Global Vendor List (GVL), showing:
    • Vendor Name and Vendor ID
    • Purposes — the data processing purposes each vendor declares
    • Framework — always "IAB" for standard vendors
  3. Use Search to find vendors by name.
  4. Check the box next to each vendor your organization uses. Hover over purpose numbers to see detailed descriptions.
  5. Click Save Selected Vendors to apply. Click Discard Changes to revert.

The GVL syncs automatically. Any time you change advertising providers, check for new vendors relevant to your organization.

Google Additional Technology Providers

Available only in IAB TCF v2.3 with Google ATP mode:

  1. Click the Google ATPs tab.
  2. Select the Google advertising technology providers your organization uses.
  3. Click Save Selected Providers.

This generates both TC strings and AC (Additional Consent) strings, covering providers outside the standard GVL.

Configuring Stacks

TCF Stacks group related purposes and special features together, simplifying the consent experience for end users. Instead of presenting each purpose individually, stacks bundle related processing activities.

  1. Click the Stacks sub-tab.
  2. Review the available stacks — each shows a name, description, included purposes, and special features.
  3. Check the stacks that match your use case and click Save Selected Stacks.

Resolving Stack Conflicts

Concord automatically detects when selected stacks share purposes or special features. If a conflict is flagged:

  • Select only one stack from the conflicting group, or
  • Switch to individual purpose management instead of stacks
  • Consult your privacy team if the correct grouping is unclear

Purposes and Special Features

Click the Purposes sub-tab for a reference view of all IAB purposes, including purpose ID, name, description, and legal description. Purposes align with standard categories: Analytics, Marketing, Functional, and Strictly Necessary.

Two special features require explicit user consent:

  • Precise Geolocation — access to precise location data
  • Device Scanning — active device fingerprinting

Legitimate Interest

TCF v2.3 recognizes legitimate interest as a legal basis separate from consent. Enabling it gives users independent controls for consent and legitimate interest on applicable purposes.

Enabling Legitimate Interest

  1. In TCF Settings, locate the Enable Legitimate Interest toggle.
  2. Toggle ON and click Save.

When enabled, users see separate controls for consent and legitimate interest. Legitimate interests are never automatically assigned — users must explicitly grant them, even when they consent to a related category such as marketing or analytics.

When disabled, only consent controls are displayed and all processing requires explicit consent. Disabling legitimate interest is appropriate for organizations following a strict interpretation of TCF v2.3.

Privacy Center Integration

When TCF is enabled, the privacy center automatically adapts to present TCF-specific information.

Tab Ordering

The privacy center displays Purposes & Features before Vendors, so users understand what their data is used for before seeing which vendors process it.

Button Layout

  • Accept All and Reject All are grouped together for quick decisions
  • Confirm Choices appears separately for users who customize individual preferences

Category Detail Pages

When a user views a consent category (e.g., Marketing or Analytics), the detail page shows:

  • Vendor Information — TCF vendors that process data for this category
  • Purpose Details — specific IAB purposes associated with the category
  • Navigation Links — direct links to the full vendor and purpose lists

The layout is responsive: two-column grid on desktop, single-column on mobile.

If cross-device identity is enabled for your organization, TCF consent follows users across devices automatically. A user who grants consent on their laptop will have that same TCF consent applied on their phone once identified.

No additional TCF-specific configuration is required. For setup details, see Implementing Cross-Device Identity and Consent.

Reporting

TCF consent events appear in the standard Concord reporting dashboards alongside other consent activity. You can filter by consent type, purpose, and vendor to see which vendors users accept or reject most frequently.

TC string generation events and consent updates are logged as part of your project's consent audit trail.

Testing Your Configuration

Verify the TCF API

  1. Visit your website where Concord is installed.
  2. Open browser developer tools (Console tab).
  3. Run:
__tcfapi('ping', 2, function (pingData) {
  console.log('TCF API Status:', pingData);
});

The response should show cmpLoaded: true and our CMP ID.

Verify TC String Generation

  1. Clear your browser's localStorage for the site.
  2. Visit the site and interact with the consent banner.
  3. Run:
__tcfapi('getTCData', 2, function (tcData) {
  console.log('TC String:', tcData.tcString);
  console.log('Vendor Consents:', tcData.vendor.consents);
  console.log('Purpose Consents:', tcData.purpose.consents);
});
  1. Confirm the TC string is non-empty and vendor/purpose consent objects reflect your selections.

Verify Google AC String

If using Google Additional Consent mode, check for addtlConsent in the TC data:

__tcfapi('getTCData', 2, function (tcData) {
  console.log('AC String:', tcData.addtlConsent);
});

Ongoing Maintenance

CadenceAction
WeeklyReview the GVL sync for new vendors relevant to your organization. The sync runs automatically.
MonthlyAudit selected vendors to confirm they are still in use. Review consent metrics in reporting dashboards.
QuarterlyReview stack selections. Audit compliance with current regulations.

Troubleshooting

TCF API not available (__tcfapi is undefined)

  • Verify TCF mode is not set to Disabled in Consent > Consent Settings > IAB TCF.
  • Confirm the Concord script is loading without errors.

Vendors not appearing in the table

  • Confirm TCF mode is saved and active.
  • Wait for the weekly GVL sync to complete.
  • Verify the vendor exists in the current IAB Global Vendor List.

Consent not persisting across visits

  • Check that browser localStorage is not disabled or full.
  • Verify third-party cookie settings are not blocking storage.
  • Confirm the domain configuration matches between your site and Concord settings.

TC string is empty or malformed

  • Verify at least one vendor is selected.
  • Confirm required purposes are configured.
  • Check the browser console for error messages.

If these steps do not resolve the issue, contact Concord support at support@concord.tech with your organization ID and any console error messages.

Customizing Consent Banner Styling

Fit the Concord consent banner, privacy center, and floating button to your brand with built-in branding controls, CSS variable overrides, and full custom CSS.

Implementing Cross-Device Identity & Consent

A step-by-step guide for developers to implement Concord's cross-device identity resolution, ensuring a user's consent choices follow them across every browser and device.

On this page

OverviewPrerequisitesEnabling TCFManaging VendorsIAB VendorsGoogle Additional Technology ProvidersConfiguring StacksResolving Stack ConflictsPurposes and Special FeaturesLegitimate InterestEnabling Legitimate InterestPrivacy Center IntegrationTab OrderingButton LayoutCategory Detail PagesCross-Device ConsentReportingTesting Your ConfigurationVerify the TCF APIVerify TC String GenerationVerify Google AC StringOngoing MaintenanceTroubleshooting