Global Privacy Platform FAQ

The GPP enables advertisers, publishers, and technology vendors to adapt to regulatory requirements across markets. The framework enables companies to use a consent management platform (CMP), such as OneTrust, to capture and communicate consent signals throughout the digital ad supply chain. The creation of GPP consolidates the management of different consent signals from multiple global privacy jurisdictions and also supports the Global Privacy Control (GPC), a browser-level signal that enables individuals to opt out of the sale or sharing of information. The GPP currently supports the US Privacy and IAB Europe TCF consent strings.

IAB GPP attempts to create a unified approach for consent signaling for US stakeholders. The global privacy platform looks to streamline US consent by introducing state-specific strings and the Multi State Privacy Agreement (MSPA).

IAB GPP has been designed to give enhanced transparency and choice to consumers while providing better control to publishers. This is accomplished by incorporating the following:

Application of Sections

IAB GPP looks to unify consent signaling by creating incorporating subsections for different US privacy laws while also supporting existing frameworks such as IAB Europe TCF. The consent signal generated allows for publishers/vendors to identify which section will apply to them. You can learn more here.

Multi State Privacy Agreement

The MSPA creates a contractual framework intended to aid advertisers, publishers, agencies, and ad tech intermediaries in complying with five state privacy laws that are already effective in 2023. You can learn more here.

The IAB Multi-State Privacy Agreement (MSPA) is an industry contractual framework intended to aid advertisers, publishers, agencies, and ad tech intermediaries in complying with five state privacy laws that will become effective in 2023 (in California, Virginia, Colorado, Connecticut, Utah).

No, MSPA is not a requirement to use GPP. Publishers can confirm whether they would like to adhere to the MSPA. Please see documentation here for more detail.

You can find all of the documentation for IAB GPP here.

The IAB recommends companies transition away from the US Privacy Specifications and adopt GPP. GPP will be the only platform to accommodate upcoming and future privacy and consent management requirements in the US. There will be a grace period before this full transition.

Unlike the EU TCF framework, the new IAB US privacy strings do not have specific UI requirements for the banner and preference center. However, it is important to consider that some US states require notices to users.

Yes, IAB GPP relies on cookies to store consent data. The consent data is stored in the OTGPPConsent cookie.

Yes, the vendor must register with the IAB TCF because this signal is relayed by a vendor ID, which comes from the IAB Global Vendor List.

These vendors are not relayed in the GPP string. OneTrust can disclose these separately if desired and will leverage the base tracking control tools to manage these vendors.

The consent given on the first site will be taken from the OTGPPConsent third-party cookie.

If the string is not received, you will not be able to process the user's data.

The format is [Header]~[Discrete Section]. See IAB TCF GPP Consent String for further detail.

You can do this for enhanced transparency and consolidation. This may also be achieved through the standard cookie categories and controls.

OneTrust's official stance is for publishers to adopt GPP. Google plans to still support US Privacy strings after the deadline communicated by IAB. In light of this, we will not prevent users from writing the USP. Once Google fully supports GPP for Ad Manager, they will deprecate USP.