What Is the IAB’s Global Privacy Platform (IAB GPP)?

Anokhy Desai CIPP/US, CIPT, CIPM

written by Anokhy Desai CIPP/US, CIPT, CIPM April 23, 2024

What-Is-the-IAB-Global-Privacy-Platform-GPP-01

The Interactive Advertising Bureau (IAB) releases frameworks and solutions to help businesses perform digital advertising while respecting data privacy and complying with privacy laws.

A consortium of the IAB called the IAB Technical Laboratory (IAB Tech Lab) released the Global Privacy Platform (GPP) as a single framework for websites to honor universal opt-out mechanisms (UOOMs), as required by several different privacy laws.

Below, I discuss the GPP, the laws that require recognition of UOOMs, and what website owners might need to implement the GPP.

Table of Contents
  1. What Is the IAB’s Global Privacy Platform (GPP)?
  2. Are Businesses Required to Honor the IAB’s Global Privacy Platform?
  3. U.S. Data Privacy Laws and GPP
  4. How To Implement the GPP on Your Website
  5. Summary

What Is the IAB’s Global Privacy Platform (GPP)?

Launched by the International Advertising Bureau (IAB) Tech Lab, Global Privacy Platform allows users to signal their privacy preference through an opt-out mechanism automatically and helps websites comply with new and existing data privacy laws.

A user can set up GPP to opt out of the sale of data for targeted advertising purposes as soon as they land on a page without seeing and interacting with a cookie consent banner.

The current GPP version supports the following privacy strings:

  • IAB EU TCF
  • IAB Canada TCF
  • MSPA’s U.S. National string
  • U.S. state-specific privacy strings for California, Colorado, Connecticut, Virginia, and Utah

The IAB Tech Lab plans to expand the scope of GPP to support other legal jurisdictions as necessary.

Is GPP a Universal Opt-out Mechanism?

Technically, the IAB Tech Lab’s GPP is not exactly a universal opt-out mechanism or UOOM.

“Universal opt-out mechanism” is a catch-all term for browser flags or extensions that automatically communicate users’ consent preferences to websites while they use the internet.

They specifically allow users to opt out of selling or sharing their data, a right granted to individuals covered by certain U.S. state-level privacy laws, such as the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA).

However, the GPP logs a user’s desire to opt out of targeted advertising and is limited to the ad tech providers who are IAB members.

That said, the GPP does support known UOOMs like the Global Privacy Control (GPC).

Global Privacy Platform vs. Global Privacy Control (GPC)

The GPP is similar to Global Privacy Control (GPC) in that both signal privacy preferences, but the GPP does not act as a “do not sell” flag.

Additionally, both were created and maintained by different organizations.

The different frameworks exist because several newer privacy laws, most of which come from U.S. states, were recently passed.

These laws include provisions requiring websites to honor technical browser settings as a verifiable user request to follow through on their right to opt out of selling or sharing their personal information.

But the laws don’t precisely say what those technical specifications must be.

Instead, data protection authorities are scheduled to release guidelines and name specific technologies covered by the different laws.

In the meantime, we’re seeing the development and release of frameworks like IAB Tech Lab’s GPP and the GPC as possible compliance solutions.

As mentioned above, the CCPA, as amended by the California Privacy Rights Act (CPRA), officially requires covered entities to honor GPC signals, as stated in the Attorney General’s CCPA FAQs.

Global Privacy Platform vs. Consent Management Platforms (CMP)

The Global Privacy Platform differs from consent management platforms (CMP), but the two technologies work together to help websites achieve legal compliance with privacy laws.

A CMP helps obtain, track, and manage user consent preferences and usually includes:

The GPP integrates with  CMPs, so when users have the GPP set up on their browser, those websites automatically read and honor their consent signals without ever presenting them with a pop-up banner.

It acts as a verifiable consumer request, so users don’t need to worry about submitting DSARs or contacting your privacy team to opt out of the selling or sharing of their data.

GPP vs. Do-Not-Track (DNT) Requests

The GPP enables companies to use a CMP to capture consent signals like Do-Not-Track requests and accounts for newer, more recent laws.

Initially, DNT was a plugin created to allow users to inform websites that they don’t want to be tracked for advertising or analytics purposes.

It was developed when the California Online Privacy Protection Act (CalOPPA) was amended in 2013 to include provisions requiring entities to clearly state how they respond to DNT requests in their privacy policies.

Technology and privacy laws have rapidly evolved since 2013, and many people speculate that UOOMs like the GPC and GPP are replacing older DNT technology.

Are Businesses Required to Honor the IAB’s Global Privacy Platform?

Currently, businesses aren’t required to honor the IAB Tech Lab’s GPP.

However, if you are subject to applicable data privacy laws, it would be beneficial to consider CMPs that already support the GPP framework, as it provides several strings linking user preferences across jurisdictions.

In the U.S., several newer state-level privacy laws feature provisions requiring businesses to consider UOOM signals as a verifiable consumer request to opt out of certain types of data processing. As a result, we’re seeing different organizations develop this technology to help consumers follow through on their rights.

However, it leaves businesses with several questions about which specific UOOMs their websites must honor and how complex the setup might be.

The IAB Tech Lab released the U.S. National String within the GPP to address some of these concerns. It also allows GPP users to honor consent signals from other UOOMs, including the GPC, and meet the legal opt-out requirements outlined by all current U.S. laws.

U.S. Data Privacy Laws and GPP

The IAB Tech Lab released GPP to help businesses comply with data privacy laws. Below are the legal requirements outlined by these pieces of legislation.

How To Implement the GPP on Your Website

Businesses can implement the GPP by using one of these methods:

The IAB recommends that any business subject to relevant U.S. privacy laws integrate the GPP framework to help adapt to the opt-out provisions before they become enforceable.

How Users Can Implement the GPP on Their Browsers

For the GPP to read users’ opt-out preferences, they must use a compatible UOOM browser or browser extension.

For example, the GPP will read and comply with user-set consent signals, like the GPC, to opt out of selling their data.

Summary

If your website is subject to following privacy laws that include guidelines for honoring user browser signals as a verified request to opt out of certain types of data processing, consider looking into the IAB Tech Lab’s GPP.

The IAB Tech Lab is an independent, non-profit consortium of the IAB. Its scalable technical standards, like the GPP, are built to help businesses comply with privacy requirements in a cost-effective, efficient manner.

The GPP represents an attempt to normalize the technical specifications websites must implement to comply with existing and future privacy laws.

Anokhy Desai CIPP/US, CIPT, CIPM
More about the author

Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author

Related Articles

Explore more resources