As new regional data protection laws come into force, website owners and digital advertisers face a challenging task: They must manage and communicate their user preferences to the downstream digital advertisers without violating the different regional privacy laws.
IAB’s Global Privacy Platform (GPP) aims to enable websites, ad-tech providers, and advertisers to streamline the communication of user consent signals consistently so that they can adhere to regional data protection laws with differing consent requirements.
Keep reading to learn how the GPP works and how Didomi can help you implement it.
Global Privacy Platform (GPP): Context and timeline
When the GDPR came into force in 2018, it was the only major privacy regulation. Therefore, it was easier for the digital advertising industry to adhere to its standards.
However, new regional privacy laws such as California’s CCPA and CPRA, Virginia’s VCDPA, and other US States' privacy laws introduced new requirements for how users can give consent and how data can be consent and data collection requirements, making it harder for websites and advertisers to receive users’ consent preferences and communicate them to the advertisers and ad-tech vendors consistently and reliably.
For example, let’s assume that a California resident purchases goods from a German-based company’s website. Let’s also assume that this website collects its customers' purchase details and basic information, such as name and email, and shares this data with an ad-tech provider for audience analysis purposes.
Here’s the catch: California’s CPRA and the EU’s GDPR have conflicting rules regarding whether consent is needed to use data for audience analysis purposes. If this ad tech provider does not know which of these privacy laws apply to the data it obtains, it cannot act in compliance with the applicable privacy law. Two or more regional privacy laws may be relevant to the vendor.
There needs to be a standardized and coherent way to communicate the user’s consent signals and the applicable privacy laws to the advertisers and ad-tech providers in the digital ad supply chain.
This is why the Interactive Advertising Bureau (IAB) decided to design a new consent signal mechanism in an effort to standardize and improve the process for organizations:
“The GPP enables advertisers, publishers and technology vendors in the digital advertising industry to adapt to regulatory demands across markets. It reduces the cost of managing privacy compliance, and helps publishers mitigate privacy risks, by providing CMPs a single framework to encode and transmit consumer privacy preferences which they can leverage globally and across all platforms and channels.”
- IAB Tech Lab (Source: IAB Tech Lab)
Now, how does the platform work exactly?
What is the Global Privacy Platform (GPP), and how does it work?
The Global Privacy Platform (GPP) combines protocols and rules that enable websites and advertisers to merge users’ consent preferences from various jurisdictions into a standardized string. This standardized string enables ad-tech vendors, advertisers, and website owners to share the users’ preferences in a reliable, accurate, and consistent manner.
GPP currently supports privacy strings from IAB Europe’s TCF, IAB Canada TCF, the MSPA’s US National string, and US states-specific privacy strings for California, Virginia, Utah, Colorado, and Connecticut (source: IAB Tech Lab).
The Global Privacy Platform protocol reads the signals from these regional strings, combines them, and creates a new string called the GPP String.
The GPP String contains two key elements: A header and sections.
- The header provides information about what is included in the sections of a GPP string, such as jurisdictional frameworks. In other words, it functions like a table of contents for readers.
- The actual sections relate to applicable local data protection laws. For instance, a section for the EU would include information about the privacy disclosures made to a user, when the consent was provided, and what legal restrictions would apply.
Importantly, the platform accounts for each policy body to retain their governance over what should be encoded in each privacy string and can evolve to adapt as new regulations get introduced:
“The GPP string allows for communicating a user’s privacy preferences across jurisdictions. It concatenates user preferences for all jurisdictions into a single string. The privacy signals will not change for existing signals like USPrivacy and TCF; they will be a section in the GPP. For new signals, the GPP has a taxonomy that includes all known data purposes and data uses that can be combined to create manifests for any given jurisdiction. Policy bodies maintain governance over what must be included in a privacy string for a given jurisdiction, but a standard way to encode them makes it easier for the industry to adopt.”
- Rowena Lam, Director, Privacy Technology Programs at IAB Tech Lab (Source: IAB Tech Lab)
To learn more about the technical intricacies of GPP and the GPP string, head to the IAB Tech Lab website.
How GPP can help you comply with data privacy laws
The GPP can enable you to collect and share users’ consent preferences in compliance with each unique data privacy law.
More importantly, the global privacy platform helps you combine multiple consent preferences into a single format to communicate consumer choice signals to vendors in compliance with various data protection laws. This functionality is critical for legal compliance because each privacy law has different consent and disclosure requirements and legal bases.
Below is the list of the data privacy laws that the GPP can help you with:
EU GDPR
When the EU GDPR applies, you need to obtain consent from users in most instances. This consent must be informed, freely given, unambiguous, and specific.
The GPP supports the IAB’s consent framework for the EU, TCF v2.2. The GPP section for the EU corresponds to the TC String. You can transmit the consent details to downstream vendors, ensuring compliance with GDPR.
California CCPA and CPRA
If the CCPA and CPRA apply, users have the right to opt out of the sharing and sale of their personal data. GPP consent signals will enable you to communicate these details to your vendors.
Colorado Privacy Act (CPA)
The CPA allows Colorado residents to opt out of targeted advertising and sale of their personal information.
The Virginia Consumer Data Protection Act(VCDPA)
The VCDPA requires businesses to obtain consent before collecting sensitive information, such as race and ethnicity. Since the GPP string supports the IAB’s US privacy signal, you can determine when the CVDPA applies and incorporate this information into the GPP string.
What is the difference between the GPP and the EU Transparency and Consent Framework (TCF)?
How does the IAB’s global privacy platform framework relate to the IAB’s EU TCF framework?
The TCF is a set of tools and protocols that help publishers, such as websites and vendors in the digital ad supply chain, facilitate compliance with the EU GDPR’s consent and disclosure requirements by providing a standardized consent experience to users.
While the GPP and the TCF share a certain degree of similarity, there are significant differences between the two frameworks.
- Difference in scope: While the TCF focuses on EU GDPR and the E-Privacy Directive, the GPP helps publishers and vendors address multiple jurisdictions simultaneously by combining consent signals from multiple jurisdictions.
- Difference in focus: The GPP’s primary goal is to standardize the disparate consent signals to make the communication of consent signals more efficient and consistent. The TCF, on the contrary, aims to provide users with more granular choices in terms of the vendors, types of data, and the purposes of data collection and processing.
To summarize, the GPP is broader in scope than the TCF and is designed to address multiple privacy laws simultaneously.
{{learn-everything-you-need-to-know-about-the-tcf-v22}}
How to get started with the GPP
As we’ve seen throughout the article, the Global Privacy Platform (GPP) can be very valuable for Consent Management Platform (CMP) users for its ability to streamline compliance with privacy regulations across multiple jurisdictions.
As privacy laws continue to evolve and are introduced globally, organizations must navigate a complex web of rules regarding the collection, storage, and leverage of user consent, which GPP can help with.
Didomi users can already implement GPP via our web SDK, and we will introduce new features to simplify this process. Stay tuned and get in touch with our team to get started:
{{talk-to-an-expert}}
Frequently asked questions
What is the GPP?
The global privacy platform combines protocols and rules to enable websites and advertisers to merge users’ consent preferences from various jurisdictions into a standardized string.
Are we legally required to implement the GPP?
While implementing the IAB’s global privacy platform or any other consent framework, such as the TCF 2.2, is not a legal requirement, using the GPP can streamline your global privacy compliance efforts and help you adapt to the ever-changing landscape of global privacy laws.
What is the difference between the TCF and the GPP?
While the TCF focuses on the EU GDPR and the E-Privacy Directive, the GPP helps publishers and vendors address multiple jurisdictions simultaneously by combining consent signals from multiple jurisdictions.
What is the difference between a consent management platform and the GPP?
While consent management platforms include many functionalities and features, such as cookie banners, cookie scanners, and consent management tools, the GPP is a framework focused on standardizing disparate user privacy preference signals from different jurisdictions. For more information, check out our CMP.