IAB Europe this month published its annual Transparency and Consent Framework Compliance Report, covering activity from January 1 to December 31, 2025. The document provides the most granular view yet of how the industry body enforces its consent management rules across publishers, vendors, and consent management platforms operating in European digital advertising markets. The numbers inside are striking. Enforcement against vendors more than doubled compared to 2024. Suspensions rose sharply. And a new version of the framework - TCF 2.3 - generated around 120 compliance queries to IAB Europe's helpdesk, dominating the organisation's support workload for much of the year.
The report lands at a moment of particular pressure on the TCF. Google mandated migration to TCF v2.3 by February 28, 2026, and the Belgian Market Court handed down a significant ruling in January 2026 that annulled the Belgian Data Protection Authority's validation of IAB Europe's action plan - ordering regulators to reassess with narrower scope. Against that backdrop, the 2025 compliance figures reveal an organisation that significantly ramped up its enforcement operations, even as the legal and technical landscape around the framework continued to shift.
What the TCF is and who it covers
Launched in 2017, the Transparency and Consent Framework is, according to the report, "an accountability tool that relies on standardisation to facilitate compliance with certain provisions of the GDPR and ePrivacy Directive." It serves three categories of participant: publishers, who operate websites where personal data is collected; vendors, which include ad servers, demand-side platforms, supply-side platforms, and measurement providers; and Consent Management Platforms (CMPs), which develop the cookie banner interfaces through which users express or refuse consent.
The framework works through a standardised binary string - the TC String - that encodes user choices as a machine-readable sequence of ones and zeros. CMPs capture those choices and communicate them to vendors via proprietary APIs built to common naming conventions. This allows vendors to retrieve TC Strings across multiple websites using a single block of code rather than writing bespoke logic for each publisher. The framework's Global Vendor List (GVL) acts as the central public registry of all registered vendors, updated continuously and available in machine-readable format.
Growth in registrations
According to the report, TCF registrations reached a total of 953 vendors and 181 CMPs by December 31, 2025. That compares with 885 vendors and 177 CMPs at the end of 2024 - a 7.7% increase in vendor participation and a 2.3% rise in CMP registrations. During 2025 alone, 154 new vendors and 19 new CMPs joined the framework.
Of those registered CMPs, 59% are commercial providers. The remaining 41% are private CMPs - platforms built and operated by a publisher exclusively for its own digital properties. The split matters because private CMPs are generally subject to the same TCF compliance requirements as commercial ones, yet their enforcement may be harder to monitor given the absence of third-party distribution.
The report also tracks the technical environments CMPs support. Web-only certification remains dominant, covering 65.4% of registered CMPs in 2025, down slightly from 66.7% in 2024. CMPs supporting web, mobile, and connected television simultaneously grew from 4.8% to 6.6% over the same period. Mobile-only CMPs increased from 8.6% to 9.3%. The pattern signals a slow but consistent shift away from web-centric implementations as publishers extend their digital properties into native app and CTV environments.
The 11 purposes vendors must declare
Vendors registering with the TCF must map their data processing activities to a defined taxonomy of purposes. The report lists 11 in total. Purpose 1 - storing or accessing information on a device - is the most widely declared, covering 767 of the 953 registered vendors in 2025. This is also the purpose that corresponds to Article 5(3) of the ePrivacy Directive, which governs cookie-setting requirements. Notably, the report clarifies that Purpose 1 is not a data processing purpose in itself; any personal data accessed through it still requires a separate declared purpose to be lawfully processed.
Purposes 3 and 4 - creating profiles for personalised advertising and using those profiles to select personalised advertising - were declared by 586 and 589 vendors respectively, making them the second and third most common. Purpose 7, covering measurement of advertising performance including viewability rates, engagement, attribution, conversions, and sales lift, was declared by 558 vendors. At the lower end, Purpose 11 - using limited data to select non-advertising content - was declared by only 121 vendors. According to the report, 180 vendors, representing 19% of all TCF participants, declared no advertising-related purposes at all, operating instead in areas such as audience measurement or fraud prevention.
Enforcement: the numbers that stand out
The most significant figures in the 2025 report concern enforcement. Vendor enforcement procedures more than doubled, rising from 269 in 2024 to 587 in 2025 - an increase of 118.2%. Temporary suspensions of vendors grew by 78.3%, from 23 to 41 instances. According to the report, this escalation was deliberate: the TCF Compliance Team began performing additional verifications over vendors' compliance specifically to detect inconsistencies in cookie duration declarations and the purposes for which those cookies were being used.
On the CMP side, enforcement procedures rose from 40 to 51, a 27.5% increase. One CMP was temporarily suspended - the first such suspension since at least 2024, when zero suspensions were recorded. The suspended CMP was reinstated after returning to compliance with TCF Policies.
IAB Europe also reviewed 180 vendor compliance forms between January and December 2025, randomly selecting 15 vendors per month for detailed scrutiny. The three most common problems identified were: vendors failing to list digital properties where their technologies are deployed; vendors not providing the location of their compliance attestation within their privacy policy; and vendors giving inaccurate information about the mechanisms they use to verify that a TC String originates from a registered CMP.
Weekly automated crawling of all registered vendors identified further issues. According to the report, 155 enforcement procedures were triggered for incorrect Device Storage URLs, leading to 19 temporary suspensions. A further 332 vendors were audited for mismatched information between their registration details and device storage disclosures, resulting in 12 temporary suspensions. Another 85 enforcement procedures were launched over incorrect privacy policy URLs, resulting in 10 suspensions. Each of these tracks falls under Procedure n°3, which in April 2025 was extended to cover vendors that had not properly completed their Vendor Compliance Questionnaires.
What auditors actually found in CMP implementations
The report's section on CMP audit findings offers a detailed breakdown of failure rates across specific technical and policy checks. The most common technical failure - occurring in approximately 14% of audits - was the use of an outdated version of the Global Vendor List. Technical Check n°7 requires CMPs to use the current or penultimate version of the GVL. In 2024, this check failed in 20% of audits, so the improvement is measurable, though the failure rate remains notable given the straightforward nature of the requirement.
The second most common technical failure, occurring in 6% of audits, involved vendor signals for deleted vendors not being reset to zero. The specification requires that any vendor marked as deleted in the active GVL version must have all consent and legitimate interest signals set to zero in the TC String; retaining positive signals for deleted vendors effectively communicates consent where none should exist.
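The two technical checks described above (GVL version and signals for deleted vendors) can be run against a decoded TC String as follows. This is an added example, not code from the report or from IAB Europe's audit tooling; the sample data is constructed, and the shape of the decoded TC String object is an assumption of this example.

```javascript
// Added example: both objects below are constructed sample data.
// GVL keys (vendorListVersion, vendors, deletedDate) follow the public GVL JSON;
// the decoded-TC-String shape is a hypothetical one chosen for this example.
const sampleGvl = {
  vendorListVersion: 142,
  vendors: {
    1: { id: 1, name: "Example Vendor A" },
    2: { id: 2, name: "Example Vendor B", deletedDate: "2025-03-01T00:00:00Z" },
    3: { id: 3, name: "Example Vendor C", deletedDate: "2025-06-10T00:00:00Z" },
    4: { id: 4, name: "Example Vendor D" },
  },
};

const sampleDecoded = {
  vendorListVersion: 139,                       // three versions behind
  vendorConsents: new Set([1, 2]),              // vendor 2 is deleted
  vendorLegitimateInterests: new Set([3, 4]),   // vendor 3 is deleted
};

// Returns a list of findings; an empty list means both checks pass.
function auditDecodedTcString(decoded, gvl) {
  const findings = [];
  const latest = gvl.vendorListVersion;

  // Only the current or penultimate GVL version is acceptable.
  // Assumes version numbers increase by one per published list.
  if (decoded.vendorListVersion !== latest &&
      decoded.vendorListVersion !== latest - 1) {
    findings.push({ check: "gvl-version", found: decoded.vendorListVersion, latest });
  }

  // Deleted vendors must carry no consent or legitimate interest signal.
  for (const vendor of Object.values(gvl.vendors)) {
    if (!vendor.deletedDate) continue;
    const consent = decoded.vendorConsents.has(vendor.id);
    const legInt = decoded.vendorLegitimateInterests.has(vendor.id);
    if (consent || legInt) {
      findings.push({ check: "deleted-vendor-signal", vendorId: vendor.id, consent, legInt });
    }
  }
  return findings;
}

// Remediation before re-encoding: drop every signal held for a deleted vendor.
function resetDeletedVendors(decoded, gvl) {
  const live = (id) => Boolean(gvl.vendors[id]) && !gvl.vendors[id].deletedDate;
  return {
    ...decoded,
    vendorConsents: new Set([...decoded.vendorConsents].filter(live)),
    vendorLegitimateInterests: new Set([...decoded.vendorLegitimateInterests].filter(live)),
  };
}
```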
On the policy side, the highest failure rate - 80% of audits - concerned whether the secondary layer of the CMP user interface discloses how and for how long the TC String is stored on the user's device. This is a basic transparency requirement, and its failure rate suggests that a large proportion of cookie banners, even among registered CMPs, are not meeting it. The second most common policy failure, at 53% of audits, was the absence of an equally easy consent withdrawal mechanism. According to the report, in most cases a "Reject All" button was absent when a user returned to the banner to withdraw previously given consent, requiring multiple additional clicks compared to the single action needed to give consent. Policy Check n°9 - whether the first layer of the CMP UI informs users they can withdraw consent and explains how to do so - failed in 44% of audits, down from 50% in 2024.
Through the non-compliance form, 15 enforcement procedures were initiated against CMPs following external reports in 2025. These primarily concerned failures to provide sufficient vendor detail, including data retention periods and categories of data collected. All were resolved without suspension.
For vendor live installations, the most common issues resolved during enforcement procedures included setting non-essential cookies before user consent was obtained, failing to use the addEventListener command of the TCF API to retrieve the TC String in real time, and setting cookies with durations longer than declared in the GVL. A further 15 enforcement procedures were initiated against vendors following external non-compliance reports, primarily targeting vendors setting cookies without consent or using undeclared domains.
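A vendor-side pattern that avoids the three live-installation issues listed above: nothing is stored before a final consent signal, the TC data is received through the TCF API's addEventListener command so later changes are picked up, and the cookie lifetime is capped at the declared duration. This is an added example, not code from the report; the vendor id, declared duration, stub CMP and in-memory cookie jar are constructed for illustration.

```javascript
// Added example. VENDOR_ID, DECLARED_MAX_AGE, the stub CMP and the Map used as a
// cookie jar are constructed; the __tcfapi call shape, eventStatus values and
// TCData fields follow the public TCF CMP API.
const VENDOR_ID = 9999;                     // hypothetical GVL vendor id
const DECLARED_MAX_AGE = 30 * 24 * 60 * 60; // constructed: seconds declared in the GVL

// The user has made (or previously made) a choice; "cmpuishown" is not final.
const isFinal = (tc) =>
  tc.eventStatus === "tcloaded" || tc.eventStatus === "useractioncomplete";
// Purpose 1 (device storage) and this vendor must both be consented.
const consented = (tc) =>
  tc.purpose.consents[1] === true && tc.vendor.consents[VENDOR_ID] === true;

// Subscribe once; each later change, including withdrawal, re-runs the gate.
function startConsentGate(tcfapi, jar) {
  tcfapi("addEventListener", 2, (tcData, success) => {
    if (!success || !isFinal(tcData)) return;   // nothing is stored before a choice
    if (consented(tcData)) {
      const requested = 365 * 24 * 60 * 60;     // what the vendor code asks for
      jar.set("uid", { value: "example-id", maxAge: Math.min(requested, DECLARED_MAX_AGE) });
    } else {
      jar.delete("uid");                        // refused or withdrawn
    }
  });
}

// Minimal stand-in for a CMP so the example runs outside a browser.
function makeStubCmp() {
  const listeners = [];
  const api = (command, version, callback) => {
    if (command === "addEventListener") listeners.push(callback);
  };
  api.emit = (tcData) => listeners.forEach((cb) => cb(tcData, true));
  return api;
}

// Constructed TCData events: banner shown, consent given, consent withdrawn.
const tcEvent = (eventStatus, granted) => ({
  eventStatus,
  purpose: { consents: { 1: granted } },
  vendor: { consents: { [VENDOR_ID]: granted } },
});
const sampleEvents = [tcEvent("cmpuishown", false),
  tcEvent("useractioncomplete", true), tcEvent("useractioncomplete", false)];

// Returns the stored cookie's max-age (or null) after each event.
function runDemo(events = sampleEvents) {
  const cmp = makeStubCmp(), jar = new Map(), seen = [];
  startConsentGate(cmp, jar);
  for (const e of events) {
    cmp.emit(e);
    seen.push(jar.has("uid") ? jar.get("uid").maxAge : null);
  }
  return seen;
}
```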
TCF 2.3 and the helpdesk burden
According to the report, IAB Europe received around 120 TCF compliance questions in 2025. The majority concerned TCF 2.3, released on June 19, 2025. The update made the previously optional disclosedVendors segment mandatory within the TC String, resolving an ambiguity around how legitimate interest signals are represented when vendors have not been properly disclosed in the CMP interface.
The disclosedVendors segment records which vendors were actually surfaced to a user during the consent interaction. Making it mandatory ensures that vendors can always determine whether they were disclosed, which is critical for those relying on legitimate interest for Special Purposes. IAB Tech Lab had opened TCF 2.3 specifications for public comment on April 19, 2025, with a comment period running until May 19. The full industry transition deadline was ultimately set at February 28, 2026, a date enforced by Google's own systems as well.
The IAB Tech Lab simultaneously opened a device disclosure specification for public comment on November 1, 2025, introducing requirements for vendors to declare cookies used outside the TCF framework, cookies used for Special Purposes, and SDK package identifiers in mobile applications. The device storage disclosure validator has already been updated to allow vendors to self-check their files prior to IAB Europe's crawler enforcing conformance from May 31, 2026.
What 2026 plans look like
The final section of the report outlines four areas of planned expansion for 2026. First, IAB Europe will expand the Device Storage Disclosure specifications so that vendors must declare cookies used for Special Purposes and non-TCF purposes such as global opt-out, and must also declare their SDK package identifiers. The custom crawler will begin verifying conformance with these new declarations after the May 31, 2026 deadline.
Second, the organisation will actively monitor the transition to TCF 2.3, deploying a new version of the CMP validator alongside updated auditing tools to verify that the disclosedVendors segment is correctly included. Third, a new dedicated auditing tool for native app environments is being finalised, complementing the existing web crawler. Fourth, IAB Europe will launch a Request for Proposal to appoint a contractor to develop additional automation capabilities within its proprietary compliance management application, covering audit completion, non-compliance notification preparation, and enforcement deadline tracking.
Why this matters for the marketing industry
The TCF's compliance mechanics are directly relevant to how digital advertising operates across European markets, the UK, and Switzerland. Every bid request carrying a TC String depends on vendors correctly reading and respecting that string. Setting cookies before consent is obtained, or using cookies that last longer than declared, is not simply a technical violation - it also exposes publishers to regulatory risk, since publishers are responsible for the vendor implementations on their own properties.
The doubling of vendor enforcement procedures signals a more assertive posture from IAB Europe at a point when regulatory scrutiny of the TCF remains intense. The Belgian Market Court's May 2025 ruling confirmed IAB Europe as joint controller for TC String processing while limiting its liability for downstream OpenRTB operations, but the underlying GDPR violations identified by the Belgian Data Protection Authority in February 2022 remain unresolved. IAB Europe still faces a €250,000 fine and is required to implement corrective measures. The compliance report is, in effect, the organisation's public account of what those corrective measures look like in practice.
For CMPs specifically, the 80% failure rate on TC String storage disclosure in the secondary UI layer is a significant finding. It suggests that even registered and validated CMPs - those that have passed IAB Europe's pre-implementation checks - frequently fall short when their implementations are tested against live environments. Auditors who find a CMP in breach of the TCF Policies give it five business days to respond before escalating; if unresolved, a suspension warning provides ten additional business days before a minimum two-week suspension from the GVL takes effect.
The European Commission's November 2025 proposal for machine-readable consent signals adds a further layer of uncertainty. If browser and operating system-level consent signalling becomes mandatory, the current CMP-based model could face structural disruption. Whether the TCF can adapt quickly enough to accommodate that shift will be a defining question in 2026.
Timeline
- February 2017 - IAB Europe launches the TCF, involving more than 70 member companies
- April 25, 2018 - TCF v1.1 launches
- April 28, 2019 - TCF v2.0 opens for public comment
- August 28, 2021 - IAB Europe launches TCF Vendor Compliance Programme with live installation auditing
- February 2, 2022 - Belgian DPA finds TCF non-compliant with GDPR Article 6, fines IAB Europe €250,000
- March 7, 2024 - Court of Justice of the EU rules TC Strings constitute personal data and IAB Europe can be considered a joint controller
- April 19, 2025 - IAB Tech Lab opens TCF 2.3 specifications for public comment
- April 2025 - TCF Controls Catalogue updated to extend Enforcement Procedure n°3 to vendors with incomplete Vendor Compliance Questionnaires
- May 14, 2025 - Belgian Market Court rules IAB Europe is joint controller only for TC String processing, not downstream OpenRTB operations
- June 19, 2025 - TCF 2.3 released, making disclosedVendors segment mandatory
- August 2025 - European publishers show 73% adoption of supply chain transparency standards
- November 1, 2025 - IAB Tech Lab opens Device Storage Disclosure specification v1.1 for public comment
- November 3, 2025 - Google mandates full migration to TCF 2.3 by February 28, 2026
- November 14, 2025 - European Commission proposes machine-readable consent signals for GDPR compliance
- December 31, 2025 - TCF compliance year closes with 953 vendors, 181 CMPs, and 587 vendor enforcement procedures recorded
- January 7, 2026 - Belgian Market Court annuls Belgian DPA's validation of IAB Europe's action plan, orders reassessment with narrower scope
- February 28, 2026 - TCF 2.3 mandatory transition deadline for all publishers and CMPs
- March 2026 - IAB Europe publishes 2025 TCF Compliance Report, covering full-year enforcement activity
- May 31, 2026 - Deadline for vendors to conform to expanded Device Storage Disclosure specifications; IAB Europe crawler enforcement begins
Summary
Who: IAB Europe, the Brussels-based trade association that manages the Transparency and Consent Framework, published the 2025 TCF Compliance Report. The report covers 953 registered vendors, 181 registered CMPs, publishers across European digital advertising markets, and the IAB Europe TCF Compliance Team.
What: The report documents a sharp increase in enforcement activity during 2025. Vendor enforcement procedures rose 118.2%, from 269 to 587. Vendor temporary suspensions grew 78.3%, from 23 to 41. CMP enforcement procedures increased 27.5%, from 40 to 51. One CMP was temporarily suspended - the first in at least two years. The document also records the release of TCF 2.3 on June 19, 2025, registration growth of 7.7% for vendors and 2.3% for CMPs, and plans for expanded automated auditing across web, mobile, and CTV environments in 2026.
When: The compliance data covers January 1 to December 31, 2025. The report was published in March 2026.
Where: The TCF operates across websites, mobile applications, and connected television environments in the European Economic Area, the UK, and Switzerland. IAB Europe is headquartered at Rond-Point Robert Schumanplein 11, 1040 Brussels, Belgium.
Why: IAB Europe published the report to account publicly for its compliance activities as managing organisation of the TCF, a framework designed to facilitate compliance with GDPR and the ePrivacy Directive. The organisation faces ongoing legal pressure, including a €250,000 fine from the Belgian Data Protection Authority and a series of court rulings that have progressively redefined the scope of its responsibilities. The compliance report documents the enforcement infrastructure IAB Europe operates in response to these obligations, and signals plans to further automate and expand that infrastructure through 2026.