The Interactive Advertising Bureau (IAB) is a trade group that focuses on research and education about the importance of digital marketing. The IAB Technical Laboratory (IAB Tech Lab) is an arm of the IAB that develops technical solutions such as the IAB's Global Privacy Platform (GPP) to help businesses comply with privacy laws.
This article explains what the GPP is, whether businesses are legally required to implement it, what laws the GPP can help you comply with, and how businesses and users can implement the GPP.
- 1. What is the Global Privacy Platform?
- 2. Are Businesses Legally Required to Use the Global Privacy Platform?
- 3. What Laws Can the Global Privacy Platform (GPP) Help You Comply With?
- 4. Is the Global Privacy Platform (GPP) a Universal Opt Out Mechanism?
- 5. What is the Difference Between the Global Privacy Platform (GPP) and the Global Privacy Control (GPC)?
- 6. What is the Difference Between the Global Privacy Platform (GPP) and Consent Management Platforms (CMPs)?
- 7. What is the Difference Between the Global Privacy Platform (GPP) and Do-Not-Track (DNT) Requests?
- 8. How Can Businesses Implement the Global Privacy Platform (GPP)?
- 9. How Can Users Implement the Global Privacy Platform (GPP)?
- 10. Summary
What is the Global Privacy Platform?
The GPP is a protocol that allows consumers to convey privacy and consent choice signals from websites and apps to advertising technology (ad tech) providers.
You've likely noticed the ubiquitous cookie consent banners that websites use to comply with data protection laws. The GPP enables users to signal their privacy preferences without having to interact with these banners.
The GPP is the only privacy signaling mechanism for existing and upcoming state privacy laws, which makes it easier (and more cost-effective) for ad tech companies that do business in multiple states to comply with each state's privacy requirements.
The GPP is continuously expanding to support jurisdictions as they pass privacy laws. As of the time of this writing, the GPP supports the following privacy strings (strings of code that websites or apps use to manage privacy preferences):
- IAB Europe Transparency and Consent Framework (TCF)
- IAB Canada TCF
- The Multi-State Privacy Agreement's (MSPA) U.S. National string
- California privacy string
- Colorado privacy string
- Connecticut privacy string
- Utah privacy string
- Virginia privacy string
Are Businesses Legally Required to Use the Global Privacy Platform?
Businesses are not legally required to use the GPP. However, advertisers, publishers, and digital advertising vendors can make the GPP part of their overall privacy law compliance strategy.
Website owners can use Consent Management Platforms (CMPs) that support the GPP to comply with state and global laws that require businesses to honor opt-out mechanisms.
Opt-out mechanisms are online tools that allow users to decline participation in certain data processing (use) activities.
What Laws Can the Global Privacy Platform (GPP) Help You Comply With?
The GPP can help website owners comply with privacy laws that require websites to collect and honor users' consent choices concerning their personal data (information that can be used to identify an individual).
Some of the privacy laws the GPP can help businesses comply with include but aren't limited to the following:
- The European Union's (EU) Global Data Privacy Regulation (GDPR). The GDPR requires applicable organizations to satisfy one of six legal bases before using EU data subjects' (individuals to whom personal data belongs) personal data, one of which is obtaining their consent.
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires businesses to get consent from Canadian individuals before collecting, using, or disclosing their personal information under certain circumstances.
- The California Consumer Privacy (CCPA/CPRA). The CCPA/CPRA requires businesses to either provide California consumers with links to opt out of the sale or sharing of their personal information or respond to opt-out preference signals.
- The Colorado Privacy Act (CPA). The CPA requires businesses to allow consumers to opt out of the sale of their personal data or the use of their data for targeted advertising (marketing based on a user's online behavior) purposes via a universal opt-out mechanism (UOOM).
- The Connecticut Data Privacy Act (CTDPA). The CTDPA requires organizations to honor Connecticut consumers' UOOM requests.
Is the Global Privacy Platform (GPP) a Universal Opt Out Mechanism?
The GPP is not a UOOM (universal opt-out mechanism). A UOOM is a tool that enables users to opt out of the use of their personal data for certain data processing activities.
If a user chooses to opt out of data processing activities, the GPP stores that choice and conveys it to relevant ad tech providers. The GPP string is a way to link users' privacy preferences for all jurisdictions in one place.
The GPP does support the Global Privacy Control (GPC). The GPC is a specification that users can download and enable on their browsers. Once enabled, the GPC automatically signals users' choices concerning the sale or sharing of their personal information to any participating websites they visit.
Many laws require businesses to provide opt-out mechanisms for the sale or sharing of users' personal data, or the use of personal data for targeted advertising or profiling purposes. The GPP can help signal users' opt-out choices from multiple jurisdictions in a single string.
States that have laws that require (or will soon require) websites to provide an opt-out mechanism include:
- California: Businesses that have websites are currently required to honor UOOMs as a way of allowing users to be able to opt out of the sharing or selling or their personal data.
- Colorado: Colorado's Attorney General has created specific technical requirements for universal opt-out mechanisms. These mechanisms are to be implemented no later than July 1, 2024.
- Connecticut: Data controllers are required to honor universal opt-out mechanisms no later than January 1, 2025.
- Texas: All covered entities are required to honor consumer universal opt-out mechanisms no later than January 1, 2025.
- Montana: Covered businesses are required to recognize and respect global device settings where a user has indicated their wish to opt out of having their data processed, and must do so no later than January 1, 2025.
- Delaware: Users have the ability to designate their individual privacy choices by using a browser setting or extension, or a global device setting. Websites are required to respond no later than January 1, 2026.
- Oregon: Unless commercially infeasible, covered entities are required to recognize browser extension settings and global privacy device settings no later than January 1, 2026.
What is the Difference Between the Global Privacy Platform (GPP) and the Global Privacy Control (GPC)?
While both the GPP and the GPC communicate users' privacy choices, the main difference between the GPP and the GPC is that the GPP is a protocol designed specifically for the digital advertising industry, and the GPC is a UOOM that helps users limit the sale and sharing of their data.
The Global Privacy Control's website explains that enabling the GPC can save users from having to click on links to opt out of the sale or sharing of their personal information:
Privacy laws such as the CCPA/CPRA require websites to treat browser settings as a user request and to stop selling or sharing users' personal data in response to those requests.
However, the specific technology to be used to honor these requests isn't named in the laws themselves. As guidelines are released, specific compliance tools are likely to be suggested. Both the GPP and the GPC have been released as potential solutions.
What is the Difference Between the Global Privacy Platform (GPP) and Consent Management Platforms (CMPs)?
The GPP is a way to communicate users' privacy preferences to ad tech providers, while a CMP enables websites or apps to get users' consent before processing their personal data.
The goal of both the GPP and CMPs is to help businesses comply with privacy and data protection laws.
The GPP can help optimize a CMP for websites with users from multiple locations. A CMP that uses the GPP can identify where a user is located and what legal framework applies. It then creates a jurisdiction-specific GPP string to signal users' consent preferences to downstream vendors.
For instance, one of the main functions of a CMP is helping website owners create and display a Cookie Banner (Cookie Consent Notice) on websites.
A Cookie Banner or Cookie Consent Notice provides users with a way to communicate their consent choices concerning how their personal information is used and stored by cookies (small files that store users' online activities). A Cookie Banner typically includes the options for users to accept all or certain cookies, reject cookies, or adjust their cookie preferences.
A CMP that supports the GPP can create and display a Cookie Banner that can signal the users' jurisdictions to ad tech vendors so they know which privacy laws they need to comply with.
Fender's Cookie Banner explains its reasons for using cookies and includes an option for users to request their personal information not be sold:
What is the Difference Between the Global Privacy Platform (GPP) and Do-Not-Track (DNT) Requests?
Advertisers use tracking data (such as cookies) to create personalized ads that target users based on their online activity. A Do-Not-Track (DNT) request is a privacy preference setting that users can set on their browsers to communicate their privacy choices to participating websites.
DNT requests are used to inform websites that users don't want their online activities to be tracked, while the GPP can aid websites that use a CMP in collecting and conveying users' consent choices to relevant parties.
While there are no laws that require websites that use tracking data for advertising purposes to specifically honor DNT requests, some laws do require businesses to respond to opt-out browser settings in certain cases.
For instance, the CCPA/CPRA requires businesses to honor users' opt-out preference signals as an alternative to maintaining Do Not Share or Sell My Personal Information links on their websites.
Additionally, some users may choose to only visit sites that do respond to DNT requests.
However, as they are not legally required to comply with DNT requests, websites may choose not to make requested changes. The GPP has the potential to replace DNT technology, as it provides a streamlined way for websites to handle users' consent choices for multiple jurisdictions.
Google has a page that explains that it does not respond to DNT requests, but includes instructions for how users can change their DNT settings:
How Can Businesses Implement the Global Privacy Platform (GPP)?
Businesses can implement the GPP by either following the GPP's instructions on how to create a GPP string or using a CMP that integrates with the GPP.
The GPP posts its technical specifications on GitHub, but it's helpful to have a basic understanding of coding-or technical support staff-if you plan on implementing it on your own.
The GPP's Consent String Specification page explains how digital property owners or CMPs can create a GPP string:
The IAB recommends the GPP for publishers, advertisers, and ad tech products, as it is an adaptable tool that is designed to reduce the cost of privacy controls by supporting both existing and upcoming data protection legislation and integrating with CMPs and the GPC.
How Can Users Implement the Global Privacy Platform (GPP)?
Users can implement the GPP by using a UOOM browser or browser extension that is compatible with the GPP (such as the GPC).
The Global Privacy Control's website explains how users can enable the GPC signal on their browsers to opt out of the sale or sharing of their personal information:
The GPP helps businesses protect users' data and maintain transparency, and gives users more control over how their data is used for digital advertising purposes.
Summary
The GPP is a framework designed to help advertisers, publishers, and ad tech vendors comply with privacy laws. It helps website owners and CMPs collect and convey consent signals from multiple jurisdictions to all members of the digital ad supply chain.
Businesses are not legally required to implement the GPP, but some laws do require applicable businesses to honor any data processing opt out requests users send via UOOM signals. The GPP can help businesses comply with privacy laws by communicating those signals to relevant parties.
Implementing the GPP can help businesses comply with privacy laws that require websites to capture and communicate users' consent choices concerning certain data processing activities, such as the sale or sharing of their personal data, or the use of their personal information for targeted advertising or certain profiling purposes.
Businesses can implement the GPP by following its technical specifications on GitHub or using a CMP that integrates with the GPP.
Users can implement the GPP by enabling the GPC setting on their browsers.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
