IAB Europe and IAB Tech Lab last month opened a 30-day public comment period on a set of amendments to the Transparency and Consent Framework that advance TCF Policy to version 5.0.b, addressing multi-device consent persistence, consent management platform UI requirements, and a renamed Special Feature 2 related to device fingerprinting.

The joint announcement, dated 29 May 2026, covers three distinct policy changes and activates a technical specification update managed through IAB Tech Lab's public GitHub repository, where pull request #443 consolidates six commits from contributor lamrowena into the TCF v2.4 specification. The public comment window runs until 29 June 2026, with feedback accepted via comments on the pull request or by email at support@iabtechlab.com.

Why this update matters for the ad tech industry

The TCF is the digital advertising industry's primary machine-readable mechanism for collecting and communicating user consent and legitimate interest signals across European Economic Area publishers, vendors, and platforms. It connects consent management platforms, which present privacy choices to users, with the Global Vendor List (GVL), a standardised registry that vendors use to declare their processing purposes.

Any change to TCF policy therefore ripples through hundreds of organisations. TCF enforcement procedures against vendors surged 118% to 587 in 2025, with 953 vendors and 181 CMPs registered at year-end. The framework has also faced sustained legal pressure. The Belgian Market Court handed IAB Europe a significant ruling in January 2026, annulling the Belgian Data Protection Authority's validation of IAB Europe's action plan. In May 2025, the same court had already narrowed IAB Europe's joint controller status to TC String processing within the TCF itself, excluding subsequent OpenRTB processing operations. Against that backdrop, the v5.0.b amendments represent a consolidation of regulatory expectations rather than a structural redesign.

The first and most operationally significant change concerns how the TCF handles consent signals when users are authenticated and move between devices. According to IAB Europe, the policy amendments follow the CNIL's publication of recommendations for cross-device consent - final guidance the French authority adopted on 18 December 2025 and which established concrete requirements for cookie and tracker consent systems that apply across multiple user devices.

The amendments modify two specific chapters: Chapter III(12)(3) and Chapter I(1)(20). The practical effect of these changes is twofold. Publishers will be required to ensure users are informed about the scope of their privacy choices wherever those choices are persisted across devices - for example, where a logged-in account carries consent state from a desktop session into a mobile session. The amendments also give publishers explicit flexibility to manage signalling conflicts: situations where a user's on-device choices at login differ from the privacy preferences attached to their account.

This scenario is not hypothetical. A user may have previously accepted all purposes on a tablet, then later revisited their choices on a desktop browser and rejected them before logging in to a publisher's site. The TCF previously lacked specific policy guidance on resolving this conflict. The v5.0.b amendments acknowledge the gap and require publishers to handle it in a disclosed, user-facing way.

IAB Europe noted that the TCF instances have developed dedicated FAQs - specifically FAQ 15 and 16 - to help TCF participants understand this new iteration.

CMP user interface requirements: standard texts and illustrations

The second area of change targets the consent UI that users encounter on websites and in applications. The amendments to Chapter V, Appendix B(B)(f) introduce a requirement for CMPs to display a standard explanation text alongside each feature listed in the consent layer. That text will clarify that features are means of processing which can only be used in pursuit of one or several purposes for which users are given a choice.

The distinction between features and purposes has been a recurring source of confusion in TCF deployments. Purposes are processing activities for which users can grant or withhold consent or for which legitimate interest can be established. Features, by contrast, are technical capabilities that vendors may use - but only in service of an already-consented purpose. They carry no independent user control. According to IAB Tech Lab, recurring feedback indicated that users don't always grasp the difference between purposes and features, or why there is no user control associated with the latter.

The amendment also prohibits features from being displayed next to controls that cannot be disabled. This change addresses a specific UI design pattern that, in practice, can mislead users into thinking they are making a meaningful choice when no actual control exists.

Additionally, amended Chapter V, Appendix A(C) will require CMPs to include illustrations for each feature. These illustrations are intended to improve comprehension at a glance, particularly for users who may not read detailed legal text. The standard explanation texts and illustrations will be embedded in the GVL and corresponding translations, ensuring that any CMP pulling from the GVL can use them without custom localisation work.

The updated GVL specification will require a new standardTexts field to support these requirements. IAB Tech Lab collaborator HeinzBaumann noted in a review comment on pull request #443 that adding this new element will likely require incrementing the gvlSpecificationVersion field to version 4. According to HeinzBaumann, the IAB EU Framework Steering Working Group is scheduled to discuss this on 17 June 2026.

An example of the updated GVL structure shows a standardTexts object nested within the feature structure, with a featureskey carrying the explanation text. The IAB Tech Lab's announcement includes a code block illustrating this format, which describes features as "means of processing that can be used solely in pursuit of one or several purposes for which you are given a choice in this notice."

Special Feature 2: a renamed label for device identification

The third change involves Special Feature 2, which previously carried the name "Actively scan device characteristics for identification." That label is being replaced with "Identify devices based on information actively requested." According to IAB Europe, the previous wording was considered insufficiently clear.

The underlying vendor guidance for Special Feature 2 under Chapter V, Appendix A(D) was also revised to explicitly reflect the active request of Client Hints for the purpose of creating a fingerprint. Client Hints are a browser API through which websites can request specific device characteristics - screen resolution, operating system version, processor type - from the user agent. Their use for fingerprinting has been a point of regulatory attention, particularly given the growth in fingerprinting as an alternative to cookie-based identification.

This name change is not cosmetic. The precise framing of what a Special Feature does affects how CMPs present it to users and how vendors describe their processing activities in their GVL entries. A label that references "actively requested" information signals to users that their device is providing data in response to a direct request, rather than having it passively scanned. Whether that distinction meaningfully improves user comprehension will be a point regulators may scrutinise.

An unrelated but notable correction was also made within the same policy update. The "Example Stack Combination 3 (Advertisers)" under Chapter V, Appendix A(C) had included Purposes 2, 3, and 4, which relate to the delivery and measurement of advertising. Because advertisers typically do not sell advertising inventory on their own properties, the example was updated to remove these purposes. The correction addresses a practical inconsistency that had existed in the policy documentation.

Technical specification changes in pull request #443

The technical changes accompanying the v5.0.b policy amendments are managed through IAB Tech Lab's public GitHub repository. Pull request #443 involves modifications to the TCFv2/IAB Tech Lab - Consent string and vendor list formats v2.md file, which governs the TCF's consent string encoding and the GVL format specification.

The six commits in the pull request include updates to the Special Purpose-only vendor workaround, a sentence addition regarding the Legitimate Interest bit for vendors with Special Purposes, and broader changes to the TCF specification based on the new policy version 5.0.b.

One key technical change removes the requirement for Special Purpose-only vendors to be disclosed under the Legitimate Interest declaration in the consent string. According to IAB Tech Lab, this workaround was introduced before TCF v2.3 made the disclosedVendors segment a mandatory part of the TC string. The release of TCF v2.3 in June 2025 resolved the underlying ambiguity by requiring all TC strings to include a disclosed vendors segment, making the legacy Legitimate Interest bit workaround redundant.

The practical implication: the Vendor Legitimate Interest section of the TC string will now carry only vendors with genuine legitimate interest disclosures. Vendors declaring only Special Purposes will determine whether they were disclosed to the user by reading the mandatory disclosedVendors segment directly. This simplifies the string structure and removes a legacy representation that had introduced ambiguity in some parsing implementations.

The addition of the standardTexts field to the GVL is a separate structural change. The field is designed to carry feature explanation texts and, according to the documents, will also carry illustrations. How illustrations are represented in a JSON structure - likely as references to external image resources or inline SVG data - is not specified in the pull request itself, but the IAB EU FSWG discussion scheduled for 17 June 2026 is expected to address the specification of this field in detail.

Implementation timeline

According to IAB Europe, the rollout follows a structured four-stage timeline:

  • 29 May 2026: Release of updated policies and start of the 30-day public comment period by IAB Tech Lab for the technical specifications.
  • 29 June 2026: Public comment period ends. CMPs can begin preparing to ingest new GVL information. The updated GVL specification does not introduce any new requirements for vendors at this stage.
  • Mid-July 2026: GVL and corresponding translations are updated with the new standard texts and illustrations for features.
  • Mid-October 2026: Deadline for CMPs to comply with the updated policies in the web environment. The exact date will be confirmed once GVL translations are complete.
  • Mid-February 2027: Deadline for CMPs to comply in native app environments, including mobile and connected television. The exact date will similarly be confirmed after GVL updates.

The gap between the web deadline - mid-October 2026 - and the native app deadline - mid-February 2027 - is consistent with the TCF's historical pattern of giving CTV and mobile environments additional time. IAB Europe's 2025 TCF Compliance Report documented that CMPs supporting web, mobile, and CTV simultaneously grew from 4.8% to 6.6% of registered CMPs during the year, reflecting a slow but steady extension of the framework into app environments. The February 2027 deadline builds on that trajectory.

Policy versioning and the broader TCF governance cycle

According to IAB Europe, the Policies version has been incremented from v5.0.a to v5.0.b. This incremental versioning - a minor letter suffix rather than a major version bump - indicates that the changes do not alter the fundamental architecture of the framework, but they do impose new obligations on CMPs and carry practical consequences for vendors whose GVL entries reference Special Feature 2 or who currently appear in the Vendor Legitimate Interest section without genuine legitimate interest disclosures.

The TCF Steering Group approved these iterations, according to IAB Europe. IAB Europe noted that the updates address regulatory expectations around the ePrivacy Directive and the GDPR.

The CMP and Vendor Notifications page on IAB Europe's website, which lists all framework communications sent to registered participants since 2019, records the 29 May 2026 notification as the most recent entry in a sequence going back to the TCF's early years. Previous entries in that record include the February 2026 update to the Controls Catalogue and CMP Validator for TCF 2.3, the December 2025 update to the Device Storage and Operational Disclosures Specification, and the June 2025 release of TCF v2.3 itself.

The v5.0.b changes arrive less than three months after Google confirmed that TCF v2.3 became mandatory on March 1, 2026, a transition that resulted in non-compliant ad requests defaulting to limited ads or being dropped entirely. With that migration still fresh for many CMPs and publishers, the October 2026 web compliance deadline gives the industry approximately five months to absorb and implement the v5.0.b requirements.

What CMPs need to do

The practical requirements for CMPs are concentrated on two fronts. First, CMPs must update their UIs to display the standard explanation texts and illustrations for features once the GVL is updated in mid-July 2026. These texts will be pulled from the GVL, so the technical integration is relatively straightforward for CMPs that already consume the GVL in a structured way. Second, CMPs must implement the multi-device consent policy requirements, ensuring that users are informed when their consent choices are applied across devices and that signalling conflicts are handled in a disclosed manner.

For vendors, the primary implication is a review of their GVL entries. Vendors currently appearing in the Vendor Legitimate Interest section of the TC string who declare only Special Purposes should expect that their representation in that section will be removed. Their disclosed status will be determined solely through the disclosedVendors segment. Vendors using Special Feature 2 in their GVL declarations should also review whether their description of their processing activity aligns with the renamed feature and updated vendor guidance, particularly if they use Client Hints for device identification.

Timeline

Summary

Who: IAB Europe, headquartered in Brussels, and IAB Tech Lab, in partnership, as the joint stewards of the Transparency and Consent Framework. The affected parties include all registered CMPs - 181 as of end-2025 - and all registered vendors, 953 as of the same date, operating in the European digital advertising ecosystem.

What: A policy update advancing TCF Policies from version 5.0.a to version 5.0.b, accompanied by technical specification changes in TCF v2.4 pull request #443 on GitHub. The update introduces three substantive changes: multi-device consent handling aligned with CNIL guidance, new CMP UI requirements mandating standard explanation texts and illustrations for features, and a renamed Special Feature 2 now called "Identify devices based on information actively requested." A legacy Legitimate Interest workaround for Special Purpose-only vendors is also removed.

When: The policy was released and the public comment period opened on 29 May 2026. The comment window closes on 29 June 2026. The GVL update follows in mid-July 2026. CMPs must comply in web environments by mid-October 2026 and in native app and CTV environments by mid-February 2027.

Where: The policy amendments govern TCF-compliant implementations across European Economic Area publishers, vendors, and platforms. The technical specifications are managed through IAB Tech Lab's public GitHub repository. IAB Europe is based at Rond-Point Schuman 11, B-1040 Brussels, Belgium.

Why: The amendments respond to the CNIL's December 2025 final recommendations on cross-device consent, address persistent user confusion between TCF features and purposes, and clarify vendor guidance on device fingerprinting via Client Hints. They also remove a legacy technical workaround made redundant by the mandatory disclosedVendors segment introduced in TCF v2.3.