Europe News

TCF enforcement more than doubled in 2025, IAB Europe report displays

Founder News Team 0
TCF enforcement more than doubled in 2025, IAB Europe report shows


IAB Europe this month published its annual Transparency and Consent Framework Compliance Report, covering activity from January 1 to December 31, 2025. The document provides the most granular view yet of how the industest body enforces its consent management rules across publishers, vconcludeors, and consent management platforms operating in European digital advertising markets. The numbers inside are striking. Enforcement against vconcludeors more than doubled compared to 2024. Suspensions rose sharply. And a new version of the framework – TCF 2.3 – generated around 120 compliance queries to IAB Europe’s assistdesk, dominating the organisation’s support workload for much of the year.

The report lands at a moment of particular pressure on the TCF. Google mandated migration to TCF v2.3 by February 28, 2026, and the Belgian Market Court handed down a significant ruling in January 2026 that annulled the Belgian Data Protection Authority’s validation of IAB Europe’s action plan – ordering regulators to reassess with narrower scope. Against that backdrop, the 2025 compliance figures reveal an organisation that significantly ramped up its enforcement operations, even as the legal and technical landscape around the framework continued to shift.

What the TCF is and who it covers

Launched in 2017, the Transparency and Consent Framework is, according to the report, “an accountability tool that relies on standardisation to facilitate compliance with certain provisions of the GDPR and ePrivacy Directive.” It serves three categories of participant: publishers, who operate websites where personal data is collected; vconcludeors, which include ad servers, demand-side platforms, supply-side platforms, and measurement providers; and Consent Management Platforms (CMPs), which develop the cookie banner interfaces through which utilizers express or refutilize consent.

The framework works through a standardised binary string – the TC String – that encodes utilizer choices as a machine-readable sequence of ones and zeros. CMPs capture those choices and communicate them to vconcludeors via proprietary APIs built to common naming conventions. This allows vconcludeors to retrieve TC Strings across multiple websites applying a single block of code rather than writing bespoke logic for each publisher. The framework’s Global Vconcludeor List (GVL) acts as the central public registest of all registered vconcludeors, updated continuously and available in machine-readable format.

Growth in registrations

According to the report, TCF registrations reached a total of 953 vconcludeors and 181 CMPs by December 31, 2025. That compares with 885 vconcludeors and 177 CMPs at the conclude of 2024 – a 7.7% increase in vconcludeor participation and a 2.3% rise in CMP registrations. During 2025 alone, 154 new vconcludeors and 19 new CMPs joined the framework.

Of those registered CMPs, 59% are commercial providers. The remaining 41% are private CMPs – platforms built and operated by a publisher exclusively for its own digital properties. The split matters becautilize private CMPs are generally subject to the same TCF compliance requirements as commercial ones, yet their enforcement may be harder to monitor given the absence of third-party distribution.

The report also tracks the technical environments CMPs support. Web-only certification remains dominant, covering 65.4% of registered CMPs in 2025, down slightly from 66.7% in 2024. CMPs supporting web, mobile, and connected television simultaneously grew from 4.8% to 6.6% over the same period. Mobile-only CMPs increased from 8.6% to 9.3%. The pattern signals a slow but consistent shift away from web-centric implementations as publishers extconclude their digital properties into native app and CTV environments.

The 11 purposes vconcludeors must declare

Vconcludeors registering with the TCF must map their data processing activities to a defined taxonomy of purposes. The report lists 11 in total. Purpose 1 – storing or accessing information on a device – is the most widely declared, covering 767 of the 953 registered vconcludeors in 2025. This is also the purpose that corresponds to Article 5(3) of the ePrivacy Directive, which governs cookie-setting requirements. Notably, the report clarifies that Purpose 1 is not a data processing purpose in itself; any personal data accessed through it still requires a separate declared purpose to be lawfully processed.

Purposes 3 and 4 – creating profiles for personalised advertising and applying those profiles to select personalised advertising – were declared by 586 and 589 vconcludeors respectively, creating them the second and third most common. Purpose 7, covering measurement of advertising performance including viewability rates, engagement, attribution, conversions, and sales lift, was declared by 558 vconcludeors. At the lower conclude, Purpose 11 – applying limited data to select non-advertising content – was declared by only 121 vconcludeors. According to the report, 180 vconcludeors, representing 19% of all TCF participants, declared no advertising-related purposes at all, operating instead in areas such as audience measurement or fraud prevention.

Enforcement: the numbers that stand out

The most significant figures in the 2025 report concern enforcement. Vconcludeor enforcement procedures more than doubled, rising from 269 in 2024 to 587 in 2025 – an increase of 118.2%. Temporary suspensions of vconcludeors grew by 78.3%, from 23 to 41 instances. According to the report, this escalation was deliberate: the TCF Compliance Team launched performing additional verifications over vconcludeors’ compliance specifically to detect inconsistencies in cookie duration declarations and the purposes for which those cookies were being utilized.

On the CMP side, enforcement procedures rose from 40 to 51, a 27.5% increase. One CMP was temporarily suspconcludeed – the first such suspension since at least 2024, when zero suspensions were recorded. The suspconcludeed CMP was reinstated after returning to compliance with TCF Policies.

IAB Europe also reviewed 180 vconcludeor compliance forms between January and December 2025, randomly selecting 15 vconcludeors per month for detailed scrutiny. The three most common problems identified were: vconcludeors failing to list digital properties where their technologies are deployed; vconcludeors not providing the location of their compliance attestation within their privacy policy; and vconcludeors giving inaccurate information about the mechanisms they utilize to verify that a TC String originates from a registered CMP.

Weekly automated crawling of all registered vconcludeors identified further issues. According to the report, 155 enforcement procedures were triggered for incorrect Device Storage URLs, leading to 19 temporary suspensions. A further 332 vconcludeors were audited for mismatched information between their registration details and device storage disclosures, resulting in 12 temporary suspensions. Another 85 enforcement procedures were launched over incorrect privacy policy URLs, resulting in 10 suspensions. Each of these tracks falls under Procedure n°3, which in April 2025 was extconcludeed to cover vconcludeors that had not properly completed their Vconcludeor Compliance Questionnaires.

What auditors actually found in CMP implementations

The report’s section on CMP audit findings offers a detailed breakdown of failure rates across specific technical and policy checks. The most common technical failure – occurring in approximately 14% of audits – was the utilize of an outdated version of the Global Vconcludeor List. Technical Check n°7 requires CMPs to utilize the current or penultimate version of the GVL. In 2024, this check failed in 20% of audits, so the improvement is measurable, though the failure rate remains notable given the straightforward nature of the requirement.

The second most common technical failure, occurring in 6% of audits, involved vconcludeor signals for deleted vconcludeors not being reset to zero. The specification requires that any vconcludeor marked as deleted in the active GVL version must have all consent and legitimate interest signals set to zero in the TC String; retaining positive signals for deleted vconcludeors effectively communicates consent where none should exist.

On the policy side, the highest failure rate – 80% of audits – concerned whether the secondary layer of the CMP utilizer interface discloses how and for how long the TC String is stored on the utilizer’s device. This is a basic transparency requirement, and its failure rate suggests that a large proportion of cookie banners, even among registered CMPs, are not meeting it. The second most common policy failure, at 53% of audits, was the absence of an equally simple consent withdrawal mechanism. According to the report, in most cases a “Reject All” button was absent when a utilizer returned to the banner to withdraw previously given consent, requiring multiple additional clicks compared to the single action necessaryed to give consent. Policy Check n°9 – whether the first layer of the CMP UI informs utilizers they can withdraw consent and explains how to do so – failed in 44% of audits, down from 50% in 2024.

Through the non-compliance form, 15 enforcement procedures were initiated against CMPs following external reports in 2025. These primarily concerned failures to provide sufficient vconcludeor detail, including data retention periods and categories of data collected. All were resolved without suspension.

For vconcludeor live installations, the most common issues resolved during enforcement procedures included setting non-essential cookies before utilizer consent was obtained, failing to utilize the addEventListener command of the TCF API to retrieve the TC String in real time, and setting cookies with durations longer than declared in the GVL. A further 15 enforcement procedures were initiated against vconcludeors following external non-compliance reports, primarily tarreceiveing vconcludeors setting cookies without consent or applying undeclared domains.

TCF 2.3 and the assistdesk burden

According to the report, IAB Europe received around 120 TCF compliance questions in 2025. The majority concerned TCF 2.3, released on June 19, 2025. The update built the previously optional disclosedVconcludeors segment mandatory within the TC String, resolving an amhugeuity around how legitimate interest signals are represented when vconcludeors have not been properly disclosed in the CMP interface.

The disclosedVconcludeors segment records which vconcludeors were actually surfaced to a utilizer during the consent interaction. Making it mandatory ensures that vconcludeors can always determine whether they were disclosed, which is critical for those relying on legitimate interest for Special Purposes. IAB Tech Lab had opened TCF 2.3 specifications for public comment on April 19, 2025, with a comment period running until May 19. The full industest transition deadline was ultimately set at February 28, 2026, a date enforced by Google’s own systems as well.

The IAB Tech Lab simultaneously opened a device disclosure specification for public comment on November 1, 2025, introducing requirements for vconcludeors to declare cookies utilized outside the TCF framework, cookies utilized for Special Purposes, and SDK package identifiers in mobile applications. The device storage disclosure validator has already been updated to allow vconcludeors to self-check their files prior to IAB Europe’s crawler enforcing conformance from May 31, 2026.

What 2026 plans view like

The final section of the report outlines four areas of planned expansion for 2026. First, IAB Europe will expand the Device Storage Disclosure specifications so that vconcludeors must declare cookies utilized for Special Purposes and non-TCF purposes such as global opt-out, and must also declare their SDK package identifiers. The custom crawler will launch verifying conformance with these new declarations after the May 31, 2026 deadline.

Second, the organisation will actively monitor the transition to TCF 2.3, deploying a new version of the CMP validator alongside updated auditing tools to verify that the disclosedVconcludeors segment is correctly included. Third, a new dedicated auditing tool for native app environments is being finalised, complementing the existing web crawler. Fourth, IAB Europe will launch a Request for Proposal to appoint a contractor to develop additional automation capabilities within its proprietary compliance management application, covering audit completion, non-compliance notification preparation, and enforcement deadline tracking.

Why this matters for the marketing industest

The TCF’s compliance mechanics are directly relevant to how digital advertising operates across European markets, the UK, and Switzerland. Every bid request carrying a TC String depconcludes on vconcludeors correctly reading and respecting that string. Vconcludeors that set cookies before consent is obtained, or that utilize cookies lasting longer than declared, are not simply technical violations – they expose publishers to regulatory risk as well, since publishers are responsible for the vconcludeor implementations on their own properties.

The doubling of vconcludeor enforcement procedures signals a more assertive posture from IAB Europe at a point when regulatory scrutiny of the TCF remains intense. The Belgian Market Court’s May 2025 ruling confirmed IAB Europe as joint controller for TC String processing while limiting its liability for downstream OpenRTB operations, but the underlying GDPR violations identified by the Belgian Data Protection Authority in February 2022 remain unresolved. IAB Europe still faces a €250,000 fine and is required to implement corrective measures. The compliance report is, in effect, the organisation’s public account of what those corrective measures view like in practice.

For CMPs specifically, the 80% failure rate on TC String storage disclosure in the secondary UI layer is a significant finding. It suggests that even registered and validated CMPs – those that have passed IAB Europe’s pre-implementation checks – frequently fall short when their implementations are tested against live environments. Auditors who find a CMP in breach of the TCF Policies give it five business days to respond before escalating; if unresolved, a suspension warning provides ten additional business days before a minimum two-week suspension from the GVL takes effect.

The European Commission’s November 2025 proposal for machine-readable consent signals adds a further layer of uncertainty. If browser and operating system-level consent signalling becomes mandatory, the current CMP-based model could face structural disruption. Whether the TCF can adapt quickly enough to accommodate that shift will be a defining question in 2026.

Timeline

Summary

Who: IAB Europe, the Brussels-based trade association that manages the Transparency and Consent Framework, published the 2025 TCF Compliance Report. The report covers 953 registered vconcludeors, 181 registered CMPs, publishers across European digital advertising markets, and the IAB Europe TCF Compliance Team.

What: The report documents a sharp increase in enforcement activity during 2025. Vconcludeor enforcement procedures rose 118.2%, from 269 to 587. Vconcludeor temporary suspensions grew 78.3%, from 23 to 41. CMP enforcement procedures increased 27.5%, from 40 to 51. One CMP was temporarily suspconcludeed – the first in at least two years. The document also records the release of TCF 2.3 on June 19, 2025, registration growth of 7.7% for vconcludeors and 2.3% for CMPs, and plans for expanded automated auditing across web, mobile, and CTV environments in 2026.

When: The compliance data covers January 1 to December 31, 2025. The report was published in March 2026.

Where: The TCF operates across websites, mobile applications, and connected television environments in the European Economic Area, the UK, and Switzerland. IAB Europe is headquartered at Rond-Point Robert Schumanplein 11, 1040 Brussels, Belgium.

Why: IAB Europe published the report to account publicly for its compliance activities as managing organisation of the TCF, a framework designed to facilitate compliance with GDPR and the ePrivacy Directive. The organisation faces ongoing legal pressure, including a €250,000 fine from the Belgian Data Protection Authority and a series of court rulings that have progressively redefined the scope of its responsibilities. The compliance report documents the enforcement infrastructure IAB Europe operates in response to these obligations, and signals plans to further automate and expand that infrastructure through 2026.


Share this article


The link has been copied!





Source link

Related Story

Leave a Reply

Your email address will not be published. Required fields are marked *