IAB GDPR TCF v2.2 - Transition readiness (web and app)

With the adoption of the IAB GDPR TCF v2.2 specification, Sourcepoint has collated a timeline and checklist for your organization to ensure the successful migration of your properties' campaigns.

Transition timeline


Technical changes

In this section, we will cover any on-page technical requirements that may need to be performed in order to migrate your property to IAB GDPR 2.2.

Deprecation of getTCData command

Historically, the tcData object which contains encoded and unencoded values of the TC String, vendors, IAB purposes, etc... pertaining to an end-user's current browser session was accessed via the getTCData command. This command has since been deprecated in IAB GDPR TCF v2.2.

Under IAB GDPR TCF v2.2, add an addEventListener and utilize its callback function to access the tcData object.

Browser console Javascript
//Return tcData object
__tcfapi('addEventListener', 2, (tcdata, success) => { console.log(tcdata) })

Stub file (optional)

While not mandatory to migrate to IAB GDPR TCF v2.2, please be advised that the IAB has published a new version of its stub file for v2.2 that fixes some pre-existing bugs. Your organization may want to utilize this opportunity to update the stub file on your implementation.

The updated stub file can be retrieved from the Sourcepoint portal.

"use strict";function _typeof(t){return(_typeof="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(t){return typeof t}:function(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(t)}!function(){var t=function(){var t,e,o=[],n=window,r=n;for(;r;){try{if(r.frames.__tcfapiLocator){t=r;break}}catch(t){}if(r===n.top)break;r=r.parent}t||(!function t(){var e=n.document,o=!!n.frames.__tcfapiLocator;if(!o)if(e.body){var r=e.createElement("iframe");r.style.cssText="display:none",r.name="__tcfapiLocator",e.body.appendChild(r)}else setTimeout(t,5);return!o}(),n.__tcfapi=function(){for(var t=arguments.length,n=new Array(t),r=0;r<t;r++)n[r]=arguments[r];if(!n.length)return o;"setGdprApplies"===n[0]?n.length>3&&2===parseInt(n[1],10)&&"boolean"==typeof n[3]&&(e=n[3],"function"==typeof n[2]&&n[2]("set",!0)):"ping"===n[0]?"function"==typeof n[2]&&n[2]({gdprApplies:e,cmpLoaded:!1,cmpStatus:"stub"}):o.push(n)},n.addEventListener("message",(function(t){var e="string"==typeof t.data,o={};if(e)try{o=JSON.parse(t.data)}catch(t){}else o=t.data;var n="object"===_typeof(o)&&null!==o?o.__tcfapiCall:null;n&&window.__tcfapi(n.command,n.version,(function(o,r){var a={__tcfapiReturn:{returnValue:o,success:r,callId:n.callId}};t&&t.source&&t.source.postMessage&&t.source.postMessage(e?JSON.stringify(a):a,"*")}),n.parameter)}),!1))};"undefined"!=typeof module?module.exports=t:t()}();

Web scripts

Question Answer
Do I need to upgrade or change my web scripts to accommodate IAB GDPR TCF v2.2? There is no need to upgrade or otherwise change your web scripts.

Apps Supportability

Question Answer
Do I need to upgrade or change my mobile SDK to accommodate IAB GDPR TCF v2.2?

IAB GDPR TCF v2.2 will be supported on mobile SDK v5, v6, and v7.

However, we strongly encourage clients who have not migrated to mobile SDK v7 yet to do so soon in order to benefit from the performance and resiliency of that version.

Campaign migration checklist

In this section, we have broken down the components/entities that need to be updated and reviewed within the Sourcepoint portal before relaunching a campaign on a property for IAB GDPR TCF v2.2:

  Note: The migration checklist is organized in sequential order. Most notably, your organization will need to complete the action items and successfully save your vendor lists so that it is updated to GDPR TCF v2.2 before updating your privacy managers, first layer messages, etc...

Vendor lists

  1. Legitimate interest is no longer an acceptable legal basis for purpose 3, 4, 5, and 6. Update the legal basis for any of these purposes if legitimate interest is used.
  2. Review and edit any vendors that have amended their legal bases from GVL 2 to GVL 3.
  3. Review vendors utilizing purpose 11 (Use limited data to select content), a new purpose in IAB GDPR TCF v2.2), and set allowed legal bases.
  4. Review illustrations (formerly legal descriptions) and add any supplementary illustrations (new) for each purpose. 

  Note: Sourcepoint has designed a method to support vendors who have not yet migrated to the Global Vendor List 3 (GVL 3) for the duration of Sourcepoint’s client transition period to IAB TCF v2.2.  That is, up until the 20th November 2023 deadline, if a vendor is on GVL 2 and not yet on GVL 3 we will continue to expose them as an IAB vendor in our APIs.

Privacy managers

  1. Review per-purpose vendor counts.
  2. Review the changes to names, descriptions and illustrations relating to purposes.
  3. Review the vendor section displaying new fields for data categories, legitimate interest disclosures, and per-purpose retention periods.
  4. Review the default copy and add translations (if necessary) to the following fields under the Vendor Content tab for the PrivacyManagerTCFv2, PMTCFv2Inline, or PMTCFv2InlineNeutral component:
    • Purpose Title
    • Purpose Table Header
    • Retention Table Header
    • Privacy Policy Legitimate Interest URL Title
    • Categories of Data Collected/Processed

First layer messages

  1. Add vendor list count widget to the description, picking whether to include the count of just IAB GVL vendors or all vendors. Click here for more information.
  2. Update pre-existing GDPR TCF first layer message account templates to include the vendor list count widget. Click here for more information. 
  3. If your organization does not utilize the stack widget on the first layer message, you must update the stack language in the free-form text to reflect the addition of purpose 11.

On-page/application privacy manager links

  1. All properties must display an easily accessible link to resurface the privacy manager on all pages of the website or which is easily accessible in the menu of the application. If the link is currently only accessible via the privacy policy you will be required to change your implementations.
  2. Ensure that the privacy manager includes the option to withdraw consent / reject all.


  1. A reconsent is not required for end-users that have set consent preferences prior to the November 20, 2023 deadline. These consent strings are valid for 1 year as long as the cookie expiry is set to 365 days.
  2. A reconsent is likely required if your organization utilizes either the legal basis change or vendor list additions consent gate scenario conditions.


  1. Review above changes and refresh campaign


Find additional information about IAB GDPR TCF v2.2 in the links below:

Follow IAB GDPR TCF v2.2 - Transition readiness

We strongly encourage all clients to follow this article in order to receive updates of how Sourcepoint is supporting your organization's transition from IAB GDPR TCF v2 to v2.2. 

We will regularly update this article with comments as our support for the transition evolves. By following this article, you will receive email notifications whenever these comments are posted.

  Note: Only users with approved and valid Sourcepoint credentials can subscribe to articles in our help center. If your organization uses an email alias to forward emails to a group of internal users, you will need to create a Sourcepoint user account for that email address and follow the steps below using those credentials. 

Click the + Follow button at the top of the page to follow the article.

Screenshot 2023-06-07 at 12.20.12 PM.png

Was this article helpful?
2 out of 2 found this helpful



  • Update to the transition timeline. 

  • Update to transition timeline:

    • Vendor to update GVL records to GVL v3 extended to July 31st
    • Deadline for all client campaigns to migrate to IAB GDPR TCF v2.2 extended to to November 20th
  • Update to campaign migration checklist regarding:

    • First layer message: Update pre-existing GDPR TCF first layer message account templates to include the vendor list count widget.
    • Add additional section regarding TCF v2.2 migration's impact on reconsents
  • Update vendor list migration checklist regarding:

    • Support for vendors on GVL 2 and not yet on GVL 3 during the transition process

    Add stub file (optional) section to technical changes. 

  • Update privacy manager checklist regarding:

    Review the default copy and add translations (if necessary) to the following fields under the Vendor Content tab for the PrivacyManagerTCFv2PMTCFv2Inline, or PMTCFv2InlineNeutral component:

    • Purpose Title
    • Purpose Table Header
    • Retention Table Header
    • Privacy Policy Legitimate Interest URL Title
    • Categories of Data Collected/Processed

Please sign in to leave a comment.