TCF String Decoder & Consent Compliance Scanner
Paste any IAB TCF consent string and instantly reveal every purpose, vendor consent, legitimate interest, and special feature it encodes — then scan the live page for trackers that fire before consent is given.
// Decode Consent String
LIVEDecoded Output
Every segment of the consent string, broken down into human-readable form. Results update live as you decode.
Paste a TCF consent string above and click Decode String to see results here.
| Vendor ID | Consent | Legitimate Interest |
|---|
// Decoded JSON will appear here
Live Tracker & Consent Timing Scanner
Scans every script tag currently loaded on this page and reports whether it executed before or after a TCF consent signal was detected — a quick way to spot pre-consent firing trackers on your own site by opening this tool's source as a template.
Scripts Loaded
Detected Cookies
Built for Privacy Engineers & CMP Auditors
Every feature runs locally in your browser — no server round trips, no logging, no data retention.
Full TCF v2.2 / v2.3 Decode
Decodes core segment, disclosed vendors, allowed vendors, and publisher TC segments per the official IAB spec, including Use of precise geolocation refinements added in v2.3.
Vendor Lookup & Range Decoding
Automatically detects whether vendor consent and legitimate interest sections use bitfield or range encoding, and decodes either format into a searchable table.
Pre-Consent Tracker Scan
Lists every script element on the page with its load timing relative to consent, flagging anything that fires before a TCF signal — a common GDPR compliance gap.
Real-Time Input Validation
Validates base64url character sets, segment lengths, and version bits as you type, with instant error messages explaining exactly what's wrong.
Purpose & Special Feature Map
Maps all 10 standard purposes, special purposes, features, and special features to plain-language descriptions with consent and legitimate interest flags.
Export & Share Results
Copy the full decoded report to your clipboard or download it as a structured JSON file for audit trails, tickets, or compliance documentation.
How the TCF String Decoder Works
Four steps, all running inside your browser tab.
Paste the String
Copy the consent string from the euconsent-v2 cookie, a gdpr_consent URL parameter, or the __tcfapi response.
Decode Bit-by-Bit
The tool converts the base64url core segment into a binary string and reads each field per the official TCF v2 bit-packing layout.
Map to Plain Language
Purpose IDs, vendor IDs, and feature bits are mapped to their human-readable IAB definitions and consent/legitimate interest states.
Review & Export
Check the live tracker timeline for pre-consent firing scripts, then copy or download the full structured result for your records.
What Is a TCF String Decoder and Why It Matters for GDPR Compliance
A TCF string decoder reads the compact consent record produced by a Consent Management Platform (CMP) under the IAB Transparency & Consent Framework. Every time a visitor in the EU interacts with a cookie banner, the CMP writes their choices into a base64url-encoded string stored in the euconsent-v2 cookie or returned by the __tcfapi JavaScript function. This consent string decoder unpacks that record into the underlying TCF purposes, vendor consents, legitimate interests, and special features so developers, privacy engineers, and SEO auditors can verify what a site is actually telling ad partners.
Understanding what is a TCF consent string starts with the core segment: a header containing the consent timestamp, CMP ID, vendor list version, and a series of bit-fields representing the 10 standard IAB TCF purposes such as storing information on a device, personalised advertising, and measuring ad performance. The TCF 2.3 decoder logic in this tool also reads the newer special feature for precise geolocation refinements introduced in the v2.3 specification, while remaining fully backward compatible with TCF v2.2 strings — so you don't need separate tools for each version.
How to decode a TCF string manually involves converting the base64url segment to binary, then reading fixed-width and variable-width fields sequentially: version, created and last-updated timestamps, CMP ID and version, consent screen, language, vendor list version, policy version, and then the purpose consent and legitimate interest bitfields, followed by the vendor consent and legitimate interest sections which may use either a flat bitfield or a range-based encoding depending on the number of vendors. This decoder automates that entire process and renders it as readable tables.
Real-world TCF string examples typically begin with the letter "C" for version 2. A common use case is pasting a string captured from a staging environment or QA build to confirm that vendor consent flags match what the cookie banner UI displayed to the user — catching mismatches between declared and actual consent before they become regulatory issues. Combined with the tracker timeline scanner above, this page doubles as a lightweight consent compliance checker, helping teams spot scripts that fire before the TCF signal is even available, a frequent root cause of GDPR enforcement actions across the European Economic Area.
Whether you're a publisher verifying CMP configuration, an ad-tech vendor debugging integration, or an SEO consultant auditing a client's cookie consent setup, this free, ad-free, client-side IAB TCF decoder gives you the transparency layer that's usually hidden behind minified vendor scripts — instantly, accurately, and without sending a single byte of consent data to any third-party server.
Frequently Asked Questions
A TCF consent string is a compact, base64url-encoded record defined by the IAB Transparency & Consent Framework. It stores a website visitor's privacy choices, including which purposes, vendors, and special features have been allowed for processing personal data under GDPR.
TCF 2.3 extends TCF 2.2 by adding support for new device storage and access disclosures plus an additional special feature for precise geolocation refinements. The core segment structure, purposes list, and vendor consent bit-fields remain backward compatible, so this decoder reads both versions correctly.
Paste the consent string — usually found in the gdpr_consent query parameter, the __tcfapi response, or the euconsent-v2 cookie — into the input above and click Decode String. The tool reads the base64url core segment, unpacks each bit-field, and displays the version, CMP ID, purposes, vendor consents, and legitimate interests in plain language.
Open browser developer tools, go to Application or Storage, and look for a cookie named euconsent-v2. Alternatively, run window.__tcfapi('getTCData', 2, console.log) in the console while on the site, or inspect outgoing ad requests for a gdpr_consent parameter.
Yes. All decoding happens locally in your browser using JavaScript. No consent string, vendor list, or scan result is transmitted to or stored on any server, making the tool safe for auditing live production consent strings.
The vendor consent section is either a bitfield or a range encoding that marks, for each registered IAB vendor ID, whether the user has given consent for that vendor to process personal data for the declared purposes.
Audit Your Site's Full Compliance Stack
Pair this decoder with our complete compliance suite and free AI tooling directory.