In the modern digital landscape, user privacy and data protection are paramount. Regulations like the GDPR have fundamentally changed how websites handle personal data, especially in the complex world of online advertising.

To navigate this, the industry needed a standardized language for communicating user consent. Enter the TC String.

If you've ever dealt with website compliance, cookie banners, or digital advertising, you've likely encountered terms like IAB, TCF, and CMP. The TC String is the technical linchpin that connects them all.

This guide will break down exactly what a TC String is, how it works, and why it is absolutely essential for Consent Management Platforms (CMPs) such as CookieBot.

The TC String is far more than just a random line of code; it is the fundamental building block of privacy compliance and user trust in the modern advertising ecosystem. It is the tangible output of the IAB TCF's principles, turning abstract rules into concrete, actionable data.
For any website operating under GDPR, using a robust, IAB-certified CMP like CookieBot is no longer a choice - it's a necessity.
These platforms do the heavy lifting of presenting choices, generating the compliant TC String, and communicating those preferences to the entire digital supply chain.
By doing so, they empower publishers to respect user privacy, maintain compliance, and sustain their business in a privacy-first world.

The IAB and the TCF

To understand the TC String, you first need to understand the framework it operates within.

The IAB (Interactive Advertising Bureau): This is a global advertising business organization that develops industry standards and best practices. It's a key player in the digital advertising ecosystem.
The TCF (Transparency and Consent Framework): Developed by IAB Europe, the TCF is a standardized framework designed to help all parties in the digital advertising chain (publishers, vendors, advertisers) comply with the EU's GDPR and ePrivacy Directive. Its main goal is to provide a common language for obtaining, recording, and transmitting user consent for data processing.

The TCF's mission is to ensure transparency and choice for users. It requires websites to inform users about what data is being collected, who it's being shared with, and for what purposes. The technical solution for capturing and communicating these choices is the TC String.

What is a TC String?

A TC String (Transparency and Consent String) is a compact, encoded piece of data that represents a user's consent choices made on a website's cookie banner.

Think of it as a digital passport that travels with a user's data request, instantly telling every technology partner whether they have permission to process that user's information.

This string is generated by a Consent Management Platform (CMP) after a user interacts with the consent notice. It captures detailed information in a machine-readable format, ensuring that the user's preferences are respected throughout the entire advertising supply chain.

Key Characteristics of a TC String:

Standardized Format: It follows the strict specifications of the IAB's TCF, meaning any TCF-registered vendor can decode and understand it.
Encoded and Compact: The string is Base64 encoded to be lightweight and easily transmitted in ad calls.
Granular Information: It doesn't just say "yes" or "no." A TC String contains detailed information about:
- Purposes: What the user has consented to (e.g., basic ads, personalized ads, analytics).
- Special Features: Consent for specific data processing activities like using precise geolocation.
- Vendor Permissions: A list of which specific ad tech vendors have been given consent by the user.
- Legitimate Interest: It also signals where a vendor has established a legitimate interest for processing, another legal basis under GDPR.
- Metadata: Information like the TCF version used, when consent was last updated, and which CMP created the string.

This level of detail is crucial for demonstrating compliance and giving users genuine control over their data.

Why is a CMP so important?

Why is a CMP like Cookiebot so important

So, where does a Consent Management Platform (CMP) like CookieBot (from Usercentrics) fit into this picture? The CMP is the engine that creates, manages, and deploys the TC String. Without a CMP, the TCF is just a set of rules with no practical implementation.

Here’s how a CMP like CookieBot makes the TCF and the TC String work:

Providing the User Interface: The CMP provides the cookie banner or privacy pop-up that users see when they first visit a site. This interface must be TCF-compliant, clearly explaining the purposes and listing the vendors requesting data access.
Generating the TC String: This is the core function. When a user makes their selections—clicking "Accept all," "Reject all," or customizing their preferences—the CMP translates these choices into a valid TC String. For example, if a user consents to analytics (Purpose 1) but rejects personalized advertising (Purpose 3) for a specific vendor, the CMP encodes this exact combination into the string.
Storing and Sharing the String: Once generated, the CMP stores the TC String in the user's browser, typically in a first-party cookie named euconsent-v2. It also makes the string available through a specific JavaScript API that other technology on the page can access.
Signaling to the Ad Tech Ecosystem: Ad tech vendors (like SSPs, DSPs, and ad networks) integrated with the IAB TCF are programmed to look for this TC String. Before they drop any cookies or process personal data, they will:
- Call the CMP's API to retrieve the TC String.
- Decode the string to check if they are on the list of approved vendors.
- Verify if the user has consented to the specific purposes for which they need the data.
- Act accordingly - either proceeding with data processing or refraining if consent is not given.

In short, the CMP acts as the trusted intermediary between the user, the website publisher, and the entire ad tech ecosystem.

The journey of a TC String

To make it even clearer, let's trace the journey from a user's click to an ad being served.

User Arrives: A user from the EU visits your website for the first time.
CMP Appears: Your CookieBot CMP displays a TCF-compliant consent banner.
User Makes a Choice: The user decides to allow cookies for analytics but not for ad personalization.
TC String is Born: CookieBot instantly generates a unique TC String that encodes:
- Consent for Analytics = YES
- Consent for Ad Personalization = NO
String is Stored: The string is saved in a cookie in the user's browser.
Ad Call is Made: The website attempts to load an advertisement. The ad-serving technology on the page first checks for a TC String.
Vendor Reads the String: The ad vendor finds and decodes the string. It sees it has permission for basic functions but not for using personal data to tailor the ad.
A Compliant Action is Taken: The vendor respects the user's choice and serves a non-personalized, contextual ad instead of a personalized one.

This entire process happens in milliseconds, ensuring a seamless user experience while maintaining strict GDPR compliance.

Why is the TC String important?

The TC String provides an auditable, time-stamped record of user consent. This is crucial for proving compliance with GDPR if requested by data protection authorities.

For publishers who rely on advertising revenue, the TCF and its TC String are essential. Without a standardized way to signal consent, most major advertisers and demand partners in Europe will not bid on ad inventory, drastically reducing revenue.

By using a TCF-compliant CMP that generates a TC String, you are offering users genuine transparency and control. This builds trust and shows that you respect their privacy choices.

The TC String is the lingua franca of consent. It ensures that the publisher's CMP, the advertiser's ad server, and dozens of other vendors in between can all understand and respect the same set of user preferences without confusion.