IAB TCF v2.3 implementation for EU publishers
A self-hosted, EU-based TCF v2.3 implementation — full TC String codec, GVL proxy, Google Consent Mode v2, AC string. Feature-complete and ready for the IAB CMP Validator. Publisher-activatable as soon as IAB Europe assigns our CMP ID.
Ships with the Compliance plan (€199*/month) once IAB Europe assigns our CMP ID. While registration is pending, TC Strings emit cmpId=0 — programmatic vendors treat that as an invalid signal, so live ad monetisation is not possible yet.
Registration status: pending
Our TCF v2.3 CMP is technically complete and passes our internal conformance tests. The IAB Europe application is not yet submitted, so we do not yet hold a CMP ID. Until then, this product is available as a technical preview / waitlist only — no live publisher traffic.
- Engine complete (codec, GVL, widget, consent log, 12 EU languages)
- Interactive demo live — test the full flow today
- IAB Europe application + CMP Validator iteration — next step
- Live publisher activation — once CMP ID is assigned
What TCF participation is — and is not
IAB Europe runs a technical conformance programme. Registering our CMP means our __tcfapi, TC String, and GVL handling pass the IAB CMP Validator. It does NOT certify your publication as GDPR-compliant under Art. 42 GDPR. The European Data Protection Board confirmed that in 2023, and the Brussels Market Court (May 2025) upheld key parts of the Belgian DPA's findings against IAB Europe. Our CMP gives you a spec-conformant implementation; the publisher remains the controller responsible for its own GDPR analysis.
Why publishers need a TCF CMP
If you monetise via Google Ad Manager, Xandr, The Trade Desk or most other programmatic partners, a registered TCF CMP is baseline. Without a valid TC String, your inventory is not biddable.
IAB Europe bumped the policy in June 2025 with a 28 February 2026 cut-over. TC Strings without the DisclosedVendors segment are invalid. We encode v2.3 natively — no v2.2 legacy baggage.
The widget runs on your domain via our script tag; consent records live in our EU datacentre. No US-based CMP SDK, no third-country transfers in the consent flow itself.
What's in the box
Everything a TCF CMP needs to pass the IAB Validator and integrate with programmatic partners.
Top-frame API surface with pre-boot queue, cross-origin postMessage bridge, and full v2 command set (ping, getTCData, addEventListener, removeEventListener, getVendorList).
Bit-perfect server-side codec for Core, DisclosedVendors (mandatory in v2.3), and PublisherTC segments. Range/bitfield heuristic for compact encoding.
Hourly refresh of the Global Vendor List into our EU cache. Historical GVL snapshots served for legacy TC String decoding.
First-layer banner with Accept/Reject at equal prominence (post-v2.2 policy requirement). Second-layer preferences with per-purpose and per-vendor toggles, retention disclosure, LI URL, device-storage URL.
Automatic gtag('consent', 'default', {...}) with every consent type set to 'denied' on boot, live updates on user decision. wait_for_update = 2000 ms so measurement tags defer to the real state.
Google's parallel consent signal for non-IAB Google partners, encoded per v1 spec and surfaced in addtlConsent.
Every decision persisted with the TC String, AC String, GVL version, policy version, hashed IP and UA. Auditor-ready JSON and CSV export.
Floating icon satisfies GDPR Art. 7(3) — withdraw consent as easily as it was granted.
EN, DE, FR, IT, ES, NL, PL, PT, SV, DA, FI, NB. The remaining 12 EU languages fall back to English until translated.
navigator.globalPrivacyControl = true triggers reject-all; no opt-in banner is forced on signalling users.
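The two conditions this page names for a TC String being rejected (cmpId=0 and a missing DisclosedVendors segment) can be checked by reading the Core header and the 3-bit segment types. The following is an added example for Node.js, not the product's codec; `inspectTcString` and `buildSample` are hypothetical names and every sample value is constructed.

```javascript
// Added example, not the vendor's codec. Widths follow the TCF v2 Core segment layout.
const CORE_FIELDS = [ // [name, width in bits], in wire order
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6],
];
const HEADER_BITS = CORE_FIELDS.reduce((n, [, w]) => n + w, 0);
const SEGMENT_TYPES = { 1: 'DisclosedVendors', 2: 'AllowedVendors', 3: 'PublisherTC' };

// Unpadded base64url segment -> string of '0'/'1'.
function toBits(segment) {
  const bytes = Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  return Array.from(bytes, (b) => b.toString(2).padStart(8, '0')).join('');
}

// String of '0'/'1' -> unpadded base64url (only used to build the constructed sample).
function fromBits(bits) {
  const bytes = bits.padEnd(Math.ceil(bits.length / 8) * 8, '0').match(/.{8}/g);
  return Buffer.from(bytes.map((b) => parseInt(b, 2))).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function inspectTcString(tcString) {
  const [core, ...optional] = String(tcString).split('.');
  const bits = toBits(core);
  if (bits.length < HEADER_BITS) return { header: null, segments: [], problems: ['core segment truncated'] };
  const header = {};
  let pos = 0;
  for (const [name, width] of CORE_FIELDS) {
    header[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  // Every segment after Core starts with a 3-bit SegmentType.
  const segments = optional.map((s) => SEGMENT_TYPES[parseInt(toBits(s).slice(0, 3), 2)] || 'unknown');
  const problems = [];
  if (header.version !== 2) problems.push('unexpected TC String version');
  if (header.cmpId === 0) problems.push('cmpId is 0');
  if (!segments.includes('DisclosedVendors')) problems.push('DisclosedVendors segment missing');
  return { header, segments, problems };
}

// Constructed sample: header fields only, all values made up for this example.
function buildSample(cmpId, withDisclosedVendors) {
  const v = { version: 2, created: 17000000000, lastUpdated: 17000000000, cmpId, cmpVersion: 1,
    consentScreen: 1, consentLanguage: 0, vendorListVersion: 100, tcfPolicyVersion: 5 };
  const core = CORE_FIELDS.map(([n, w]) => v[n].toString(2).padStart(w, '0')).join('');
  return fromBits(core) + (withDisclosedVendors ? '.' + fromBits('001' + '0'.repeat(21)) : '');
}

console.log(inspectTcString(buildSample(0, false)).problems);
console.log(inspectTcString(buildSample(321, true)).problems);
```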
What we do not promise
Not a GDPR certification.
TCF participation is run by IAB Europe; it is not an Art. 42 GDPR certification, and no DPA has granted that status to TCF. EDPB clarified this in 2023.
Not a legal safe harbour.
CJEU C-604/22 (March 2024) and the Brussels Market Court (14 May 2025) held that the TC String can be personal data and IAB Europe can be joint controller. A DPA can still find your use of TCF non-compliant on other grounds.
Not a substitute for your own controller analysis.
You decide which vendors to disclose, which purposes apply, and what your privacy policy says. We give you the technical surface to collect, encode, and persist the decision.
Live in three script tags
Paste these in your <head>. Vendor tags that call __tcfapi pre-boot are queued and replayed when the dispatcher loads.
<script src="https://cmp.siteguardian.io/v1/tcf/tcfapi-stub.js"></script>
<script src="https://cmp.siteguardian.io/v1/tcf/tcfapi-core.js" defer></script>
<script src="https://cmp.siteguardian.io/v1/tcf/widget-tcf.js"
        data-site-id="YOUR_SITE_ID" defer></script>
Optional: add gcm-bridge.js to emit Google Consent Mode v2 signals automatically.
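The queue-and-replay behaviour described above, as an added sketch that is neither the IAB reference stub nor the contents of tcfapi-stub.js or tcfapi-core.js. `installStub` and `installDispatcher` are hypothetical names, and `win` stands in for `window` so the logic can be exercised outside a browser.

```javascript
// Added sketch, not the IAB reference stub or the vendor's scripts.
function installStub(win) {
  const queue = [];
  win.__tcfapi = function (command, version, callback, parameter) {
    if (!arguments.length) return queue;               // lets the dispatcher collect the queue
    if (command === 'ping') {
      // ping is answered at once so callers can tell the CMP is not loaded yet
      if (typeof callback === 'function') callback({ cmpLoaded: false, cmpStatus: 'stub' }, true);
      return undefined;
    }
    queue.push([command, version, callback, parameter]);
    return undefined;
  };
}

function installDispatcher(win, tcData) {
  const queued = win.__tcfapi();                       // calls made before the CMP loaded
  const listeners = new Map();
  let nextId = 1;
  const api = (command, version, callback, parameter) => {
    if (typeof callback !== 'function') return;        // nothing to report to
    if (version !== 2) return callback(null, false);   // only the v2 API is served
    switch (command) {
      case 'ping':
        return callback({ cmpLoaded: true, cmpStatus: 'loaded' }, true);
      case 'getTCData':
        return callback({ ...tcData }, true);
      case 'addEventListener': {
        const listenerId = nextId++;
        listeners.set(listenerId, callback);
        return callback({ ...tcData, listenerId }, true);
      }
      case 'removeEventListener':
        return callback(listeners.delete(parameter));
      default:
        return callback(null, false);                  // unknown commands fail closed
    }
  };
  win.__tcfapi = api;
  queued.forEach((args) => api(...args));              // replay in arrival order
  return listeners;
}
```

Queued calls go through the same version and command checks as live ones, so a malformed pre-boot call is rejected at replay instead of being trusted because it arrived early.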
Test the demo, join the waitlist
The demo runs the same codec and UI a publisher would integrate. Inspector shows the live TC String, GVL version, and Google Consent Mode v2 signals. Waitlist members get early access the moment our IAB CMP ID is assigned.