ComposableStack.AI CDP
Back to agent
Constraintconstraint.iab-tcf-2-2-eu-programmatic-advertising

IAB Europe TCF 2.2 — EU Programmatic Advertising Consent Requirement

IAB Europe Transparency and Consent Framework version 2.2 (effective April 2023, GVL v3) removes legitimate interest (LI) as a valid legal basis for advertising purposes 3–6 in the EU: ad delivery, ad personalization, ad measurement, audience research, and product development at the advertising layer. Consent is now the only permissible basis at CMP registration level for these purposes. CDPs exporting audiences to EU programmatic destinations (DV360, The Trade Desk, Amazon DSP) must enforce per-vendor, per-purpose consent filtering at the audience-export stage — before segment delivery, not after.

confidence 87%v1reviewed Jun 11, 2026iab-tcf, tcf-2-2, eu, consent, gdpr, programmatic-advertising, cmp, gvl-v3, legitimate-interest, purposes-3-6, audience-export, compliance, regulatory, media-publishing, publisher-cdp

The IAB Europe Transparency and Consent Framework version 2.2 (TCF 2.2) is the operative consent standard for EU programmatic advertising as of April 2023 (GVL v3).

Breaking change from TCF 2.0 / TCF 2.1. TCF 2.2 removes legitimate interest (LI) as a valid legal basis for advertising purposes 3–6 at the CMP registration level:

Under TCF 2.2, consent is the only permissible basis for these purposes at CMP registration level. Organizations that relied on LI for programmatic targeting without obtaining explicit consent must now collect consent for each of these purposes before activating EU audiences in programmatic channels.

GVL v3 requirements. Vendors registered in the Global Vendor List (GVL) must declare per-purpose data retention periods and categories of data collected. CDPs exporting audiences to programmatic destinations must verify that downstream DSPs and DMPs are GVL-registered and that the user's consent signal covers each vendor–purpose pair before segment delivery.

CMP obligations. The CMP first-layer display must show total vendor count. Users must be able to resurface the consent UI and withdraw consent at any time.

Architectural implication for CDP activation pipelines. CDP audience activation pipelines targeting EU programmatic channels must enforce purpose-limitation filtering with TCF vendor-purpose vectors at the audience-export stage — not as a post-export reconciliation step. The consent signal must encode: which purposes are consented, which GVL vendors are consented, and the consent timestamp. This is a stricter SLO requirement than pre-TCF-2.2 approaches that applied LI-grounded consent retroactively or batch-filtered after delivery.

Relation to concept.consent-management. The architectural concept node (concept.consent-management) describes how CDP consent design patterns work; this constraint node records the specific regulatory obligation that makes TCF 2.2 compliance non-negotiable for EU programmatic activation.

Source confidence note: source.iabeurope-eu.tcf-2-2-2023 is the IAB Europe official TCF 2.2 specification page — tier 1 primary source, confidence 0.90. source.gdpr-info-eu.art-7-gdpr-2016 provides the underlying GDPR consent validity conditions on which TCF 2.2 consent-as-sole-basis rests.

Sources

Related

← Referenced by

  • governed-byarchetype.media-publisher-first-party-data-cdp-evaluatorOC-111. Archetype body (section 2, section 3, key evaluation criteria) explicitly references IAB TCF 2.2 compliance as a baseline requirement for EU media-publisher CDP deployments — including upstream consent enforcement and TCF vendor-purpose filtering at audience export. The constraint captures the regulatory obligation; the governed-by edge formalises what the body text describes.