IAB Tech Lab opens device disclosure specification for public comment

IAB Tech Lab, working alongside IAB Europe, opened public comment on version 1.1 of the Device Storage Duration & Access Disclosure specification on November 1, 2025. Comments can be submitted through December 1, 2025, via email to support@iabtechlab.com or directly on the GitHub pull request. According to the announcement, vendors participating in the Transparency and Consent Framework must update their Device Storage Duration & Access Disclosure JSON files as soon as possible to meet compliance requirements.

The specification forms part of the broader Transparency and Consent Framework that addresses data protection obligations under GDPR and ePrivacy Directive. This update reflects continued work to adapt the framework as regulators, users, and participating organizations maintain pressure for enhanced transparency in data processing activities.

Technical modifications expand disclosure requirements

The updated specification introduces three distinct technical enhancements to vendor disclosure obligations. Vendors can now declare cookies and storage mechanisms used for purposes outside the TCF framework. This addresses scenarios where vendors employ tracking technologies for activities beyond standard advertising purposes, including global opt-out mechanisms. The addition provides visibility into cookie deployment that previously fell outside disclosure requirements.

Special Purposes now require explicit cookie and storage mechanism declarations. According to Heinz Baumann, product and engineering consultant at IAB Europe, "This closes a gap we had in this specification in the declarations of purposes and special purposes." The framework previously lacked comprehensive disclosure requirements for Special Purposes, creating uncertainty about vendor data collection activities conducted under this designation.

Mobile application SDK package identifiers must now be declared by vendors operating in app environments. Baumann indicated that "This will provide more transparency in the in-app environment for users and participants." The SDK disclosure requirement addresses a transparency gap that existed between web-based cookie declarations and mobile application tracking mechanisms.

The technical implementation requires modifications to the deviceDisclosure JSON file structure. Vendors must add the "specialPurposes" field to their cookie declarations, following the same array format used for standard purposes. The field accepts numeric identifiers corresponding to Special Purposes defined in the Global Vendor List. The GitHub pull request documentation shows the syntax structure: vendors must include "specialPurposes": [1] within their cookie declaration objects to indicate Special Purpose 1 deployment.

Mobile SDK declarations require vendors to list package identifiers used in their mobile application software development kits. The specification mandates disclosure of SDK package identifiers that enable in-app tracking and data collection. This technical requirement extends transparency standards from web environments into mobile applications, where SDK deployment has historically operated with less visibility.

Implementation timeline establishes vendor compliance deadline

December 2025 marks finalization of the specification following the public comment period. IAB Tech Lab will review submitted feedback and incorporate appropriate modifications before releasing the final version. The one-month comment window provides framework participants and privacy advocates opportunity to identify technical issues or policy concerns requiring resolution.

February 28, 2026 represents the mandatory compliance deadline for all vendors registered in the Transparency and Consent Framework. By this date, vendors must have updated their Device Storage Duration & Access Disclosure JSON files to include all newly required fields. The seven-month implementation window between specification finalization and mandatory compliance aims to provide vendors adequate time for technical implementation and testing.

The staged timeline reflects lessons from previous TCF updates. Earlier this year, TCF version 2.3 addressed vendor disclosure ambiguity with a similar public comment process. That update focused on resolving uncertainty about vendor disclosure status in scenarios involving Special Purposes processed under Legitimate Interest.

Marketing ecosystem faces expanded transparency obligations

The specification update affects vendors across the digital advertising supply chain. Demand-side platforms, supply-side platforms, data management platforms, and other technology vendors must assess their current JSON files against new requirements. Each vendor category faces distinct implementation challenges based on their specific cookie deployment patterns and mobile SDK usage.

Publishers benefit from enhanced visibility into vendor data collection practices. When vendors declare cookies used for non-TCF purposes and Special Purposes, publishers gain clearer understanding of data processing occurring on their properties. This transparency enables more informed decisions about vendor relationships and potential compliance risks. Publishers operating mobile applications particularly benefit from SDK package identifier disclosures, which illuminate tracking mechanisms previously operating with limited visibility.

Cookie deployment for Special Purposes represents a significant disclosure gap addressed by this update. Special Purposes within the TCF framework allow certain data processing activities without requiring user consent, including security measures, fraud prevention, and technical feature delivery. However, prior specification versions did not mandate comprehensive disclosure of cookies deployed for these activities. The updated requirements ensure users and framework participants can review the complete scope of vendor cookie deployment regardless of purpose classification.

Non-TCF purpose declarations address vendor activities outside the framework's standard parameters. Global opt-out mechanisms represent one example where vendors may deploy cookies for purposes technically separate from standard advertising operations. By requiring disclosure of these mechanisms, the specification ensures comprehensive visibility into vendor cookie usage patterns. This proves particularly relevant as cookie consent requirements continue tightening across European jurisdictions.

Mobile SDK package identifiers bring app environment transparency closer to web standards. The requirement addresses a long-standing disparity where web-based cookie disclosures provided detailed tracking mechanism visibility while mobile application SDK deployment operated with less scrutiny. App publishers can now reference vendor disclosures to understand precisely which SDK packages vendors deploy within their applications.

The update arrives as privacy regulations intensify across multiple jurisdictions. French data regulators recently updated cookie exemption rules, establishing strict criteria for audience measurement tools seeking consent exemptions. German courts have issued multiple rulings on cookie consent mechanisms, establishing precedents that restrict pre-consent data collection. The Device Storage Duration & Access Disclosure update positions the TCF framework to address these regulatory developments through enhanced transparency mechanisms.

Consent Management Platforms must adapt their interfaces to incorporate expanded disclosure information. CMPs display vendor lists and data collection practices to users during consent interactions. The addition of Special Purpose cookie disclosures and SDK package identifiers provides CMPs with more comprehensive vendor information to present. This enhanced data enables more informed user consent decisions.

Framework evolution responds to regulatory scrutiny

The Transparency and Consent Framework has faced significant legal challenges since its inception. Belgian courts ruled on IAB Europe's role as joint controller for TC String processing in May 2025, limiting IAB Europe's responsibilities to specific framework components while confirming GDPR violations requiring corrective action. That ruling followed a 2022 Belgian Data Protection Authority finding that the TCF violated Article 6 of GDPR, resulting in a €250,000 fine against IAB Europe.

The framework operates through standardized technical specifications enabling websites and applications to communicate data collection practices to users and capture preference signals. When users visit websites implementing the TCF, Consent Management Platform interfaces appear allowing preference expression regarding data collection and processing. These preferences encode in TC Strings shared with participating vendors and publishers.

IAB Europe launched a vendor compliance program in August 2021 to monitor vendor implementations and enforce policy compliance. The program conducts regular audits of vendor technologies integrated on publisher properties, focusing on unauthorized cookie deployment, accurate cookie duration declarations, and proper signal handling. Vendors found in violation receive 28 days to remedy issues before potential suspension from the Global Vendor List.

Version 2.0 of the TCF specifications launched in August 2019, representing the first major framework update. That release opened for public comment in April 2019, establishing the pattern of industry consultation that continues with the current Device Storage Duration & Access Disclosure update. The framework has evolved through multiple iterations, with version 2.2 implementing changes required by the Belgian Data Protection Authority and version 2.3 addressing vendor disclosure ambiguity.

Mobile in-app specifications joined the framework in June 2018 as a final version ready for industry adoption. That release provided consent management mechanisms for mobile applications, establishing the foundation for the current SDK package identifier disclosure requirements. The framework currently maintains over 350 registered vendors on the Global Vendor List and over 100 registered Consent Management Providers.

The Device Storage Duration & Access Disclosure specification supplements core TCF technical standards. While the main framework specifications govern consent string formats and CMP API implementations, the device disclosure specification addresses the critical question of what data collection mechanisms vendors actually deploy. The specification requires vendors to document cookie names, domains, maximum duration, refresh behavior, and associated purposes. The version 1.1 update expands these requirements to include Special Purpose associations and SDK package identifiers.

Technical implementation occurs through JSON file publication. Each vendor registered in the framework must maintain a publicly accessible JSON file following the specification structure. The file contains arrays of cookie objects with properties defining each tracking mechanism's characteristics. Consent Management Platforms and other framework participants retrieve these JSON files to display accurate vendor information to users and validate vendor claims about data collection practices.

GitHub serves as the technical specification repository. The Interactive Advertising Bureau's GDPR-Transparency-and-Consent-Framework repository hosts all framework specifications including the Device Storage Duration & Access Disclosure document. The pull request mechanism enables public technical review, with industry participants able to submit comments directly on proposed changes. The repository shows five commits implementing the specification updates, including resolution of reviewer feedback on syntax formatting.

Industry comment period enables specification refinement

The public comment period provides opportunity for technical review by framework participants. Vendors can identify implementation challenges or ambiguities requiring clarification before final specification release. Previous TCF updates benefited from public comment feedback that identified technical issues and improved specification clarity.

Privacy advocates can assess whether the specification adequately addresses transparency concerns. The addition of Special Purpose cookie disclosures and SDK package identifiers responds to longstanding calls for comprehensive vendor data collection visibility. Comment submission enables privacy organizations to evaluate whether the enhanced requirements meet transparency standards or require further strengthening.

Consent Management Platform providers must evaluate technical implementation requirements. CMPs serve as intermediaries between vendors and users, displaying disclosure information and capturing consent signals. The specification changes require CMP modifications to retrieve, parse, and display the expanded disclosure data. Public comment enables CMP providers to identify potential technical challenges before mandatory compliance deadlines.

Publishers operating websites and mobile applications can assess how the changes affect their vendor management processes. Enhanced disclosure requirements provide publishers with more detailed information about vendor data collection activities on their properties. This visibility enables more informed decisions about vendor relationships and compliance risk management.

The IAB Tech Lab developed the technical specifications through its GDPR Technical Working Group. Participants in the working group must be Tech Lab members, with technical governance provided by the GDPR Commit Group. The collaborative development process reflects the framework's role as industry-wide standard rather than proprietary solution.

IAB Europe manages the policy framework governing TCF implementation. Resources including the Global Vendor List and CMP List are maintained at iabeurope.eu/tcf. The partnership between Tech Lab and Europe enables technical specification development alongside policy governance, ensuring alignment between technical capabilities and regulatory requirements.

The specifications operate under Creative Commons Attribution 3.0 License, enabling industry adoption while maintaining attribution requirements. The licensing structure facilitates framework implementation across diverse technology platforms and organizational contexts. The open licensing model has contributed to TCF adoption as the digital advertising industry's primary GDPR compliance mechanism.

Timeline

• August 21, 2019: TCF version 2.0 specifications released
• June 12, 2018: Mobile in-app specifications finalized
• August 28, 2021: IAB Europe launches vendor compliance program
• February 2, 2022: Belgian DPA rules TCF non-compliant with GDPR Article 6
• April 19, 2025: TCF v2.3 opens for public comment
• May 14, 2025: Belgian court limits IAB Europe's role in TCF framework
• November 1, 2025: Device Storage Duration & Access Disclosure v1.1 opens for public comment
• December 1, 2025: Public comment period closes
• December 2025: Specification finalization planned
• February 28, 2026: Mandatory vendor compliance deadline

Summary

Who: IAB Tech Lab, in partnership with IAB Europe, announced the update. All vendors registered in the Transparency and Consent Framework must implement the changes. Consent Management Platforms, publishers, and privacy advocates participate in the public comment process.

What: Version 1.1 of the Device Storage Duration & Access Disclosure specification adds three requirements: vendors must declare cookies used for non-TCF purposes, declare cookies used for Special Purposes, and declare SDK package identifiers used in mobile applications. Vendors must update their JSON disclosure files to include these new fields.

When: The announcement occurred on November 1, 2025. Public comment remains open until December 1, 2025. Specification finalization is planned for December 2025. All vendors must comply by February 28, 2026.

Where: The specification applies to all vendors participating in the Transparency and Consent Framework, affecting data collection practices across European Economic Area websites and mobile applications. Technical specifications are published on the IAB GitHub repository.

Why: The update addresses transparency gaps in vendor data collection disclosures. Previous specification versions did not require disclosure of cookies used for Special Purposes or non-TCF activities, creating incomplete visibility into vendor tracking mechanisms. Mobile SDK package identifiers were also previously undisclosed, creating disparity between web and app environment transparency. The enhanced requirements respond to regulatory scrutiny and framework participants' demands for comprehensive vendor data collection visibility.