The TCF doesn’t really A(A)ID – Automatic Privacy Analysis and Legal Compliance of TCF-based Android Applications
Authors: Victor Morel (Chalmers University of Technology and University of Gothenburg), Cristiana Santos (Utrecht University), Pontus Carlsson (Chalmers University of Technology and University of Gothenburg), Joel Ahlinder (Chalmers University of Technology and University of Gothenburg), Romaric Duvignau (Chalmers University of Technology and University of Gothenburg)
Volume: 2026
Issue: 3
Pages: 6–31
DOI: https://doi.org/10.56553/popets-2026-0068
Abstract: The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. Its goal is to help organizations comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD). This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile apps. No work has systematically studied the compliance implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Play Store, and assess whether these apps respect users’ consent banner choices. The TCF introduced minor changes in its new version (v.2.3) on March 1st, 2026, aimed at reducing ambiguity for vendors; these changes do not impact our results. We scraped and downloaded 4482 of the most popular Google Play Store apps on an emulated Android device. We automatically identified that 576 (12.85%) of the 4482 downloadable apps implemented the TCF, and we detected potential legal violations within this subset. By automatically interacting with consent banners, we observed that in 15 (2.6%) of these apps, users’ choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. We analyzed the apps’ traffic in two different stages, passive (post interaction with the banner) and active (during banner interaction and post user choices). Network analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data through the Google Advertising ID (AAID) without consent – the lawful basis for such processing. Furthermore, 55.3% of apps analyzed during the active stage share AAID before users interact with the apps’ consent banners, violating the prior consent requirement. We further expose concerns regarding Google as the dominant Consent Management Provider (CMP) in our dataset (89.76%), structurally accommodating potential legal violations. Our results suggest that mobile implementations of the TCF are prone to significant non-compliance practices, raising concerns about its effectiveness in helping organizations adhere to legal requirements.
Keywords: Android, online tracking, consent banner, online privacy, compliance, TCF v.2.2, legitimate interest, GDPR, ePrivacy Directive
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.