WordPress personal website: Do I Need an IAB TCF Certified Cookie Consent?

Short answer: almost certainly not.

And before anything else: if you are still reading about “TCF v2.2”, that version is done. Participants had until 28 February 2026 to move to TCF v2.3, and Google made v2.3 mandatory for newly generated TC strings on that same date.

If a vendor or article is still advertising v2.2 support in 2026, that is a signal the information is stale.

What TCF actually is

The TCF is not a cookie banner standard. It is a machine-readable protocol for programmatic advertising.

Its job is to encode a user’s consent decision into a TC string that ad-tech vendors read to decide what they may legally do. It is the standardized protocol used across Europe to pass consent signals between publishers, advertisers, and ad tech vendors.

In other words: TCF exists so that hundreds of ad partners in a real-time bidding auction can agree on what a user consented to.

Why that matters for you

Your business site does not run a real-time bidding auction. It runs GA4 and maybe a Meta Pixel.

Passing a TC string to nobody accomplishes nothing. There is no vendor on the other end waiting to read it.

Site typeTCF needed?
SME business site with GA4 + Google AdsNo
E-commerce with Meta Pixel and GA4No
Blog with no ads, or with affiliate links onlyNo
Site monetized via AdSense, Ad Manager, or AdMob in the EEAYes
Site selling programmatic inventory to ad partnersYes

The only real trigger is programmatic advertising, and for most people that means Google’s publisher products.

The Google connection

This is where the two requirements meet. Google’s rule is not “use a certified CMP” or “use TCF”. It is both at once.

Google requires publisher-product partners to use a CMP that is certified by Google and integrates with the IAB TCF. The two come as a package.

So in practice you rarely choose TCF on its own. You end up with it because AdSense or Ad Manager forces the issue.

TCF is not a compliance guarantee

Worth knowing, because it gets sold as one.

The TCF has been through a long legal fight with the Belgian data protection authority. In January 2026, the Belgian Market Court annulled the APD’s January 2023 decision and required a new assessment reflecting the narrower scope of IAB Europe’s joint controllership, as determined by the Court of Justice and the Market Court.

The framework itself describes its role honestly: it is an accountability tool relying on standardisation to facilitate compliance with certain provisions of the ePrivacy Directive and the GDPR.

Facilitate, not guarantee. TCF participation does not make you GDPR compliant, and non-participation does not make you non-compliant.

The moving target problem

TCF is not a stable thing you implement once.

  • v2.2: superseded
  • v2.3: mandatory since 28 February 2026, changing how disclosed vendors work
  • Policy v5.0.b / v2.4: amendments covering multi-device consent, CMP UI requirements, and a renamed Special Feature 2 around device fingerprinting, with CMP deadlines running from October 2026 to February 2027

Publishers sending outdated TC strings risk having their signals treated as invalid, which means the inventory is effectively unconsented.

This is a real argument for a commercial CMP if you are a publisher. Keeping up with this is somebody’s full-time job, and you want that to be their job, not yours.

It is also an argument against TCF if you are not a publisher. You would be signing up for a maintenance treadmill that buys you nothing.

Where Kansleri Cookie Consent fits

Kansleri Cookie Consent does not implement TCF, and it is not on the IAB CMP list.

That is a deliberate scope decision, not an oversight. TCF is built for programmatic ad inventory, and the plugin is built for WordPress sites that do not have any.

What it does instead is handle the part that applies to almost everyone: script blocking before consent, Consent Mode v2, a genuine reject option, consent withdrawal, and an accurate cookie policy.

If you run AdSense or Ad Manager in the EEA, you need a Google-certified TCF CMP. Cookiebot and Google’s own Privacy & messaging solution both qualify. Kansleri Cookie Consent does not, and I will not pretend otherwise.

Summary

  • TCF is an ad-tech protocol, not a compliance certificate
  • It matters if you sell ad inventory. It does nothing if you do not
  • v2.2 is obsolete. v2.3 has been mandatory since 28 February 2026
  • Not having TCF is not a GDPR problem. It is only a Google publisher-product problem

The TCF changes frequently. Verify current versions and deadlines against IAB Europe and Google’s documentation before acting on any of this.