What’s the IAB Tech Lab’s Global Privacy Platform (GPP) framework?

It’s not just GDPR and CCPA anymore. Data protection laws are emerging all over the world. With so many US state-level data protection laws soon going into effect and privacy laws in South America and Asia on the rise as well, a global standard could be extremely important to paving a sustainable path forward for driving transparency and user choice, all while honoring regional requirements. 

The Global Privacy Working Group of the IAB Tech Lab, a non-profit research and development consortium, has been working on a global technical standard to help the digital advertising industry meet the requirements of different jurisdictions: the Global Privacy Platform. (Not to be confused with the Global Privacy Control – that’s a browser-level opt-out standard for CCPA.) 

Let’s get into it.

What is the Global Privacy Platform (GPP)?

Developed by the IAB Tech Lab’s Global Privacy Working Group, the Global Privacy Platform is meant to streamline technical privacy standards into a singular schema and set of tools which can adapt to regulatory and commercial market demands across channels. The GPP was finalized on September 28, 2022 and is now ready for industry adoption.

How WILL THE GPP SUPPORT US STATE PRIVACY COMPLIANCE?

On October 13, 2022, the IAB Tech Lab introduced the Multi-State Privacy Agreement (MSPA), an updated contractual framework to accommodate the new state privacy laws in California, Colorado, Virginia, Connecticut, and Utah. The IAB Tech Lab also released technical specifications for privacy strings that can support privacy signals from the five states. For now, both remain in the draft stage, and will be available for public comment until October 27, 2022.

How is the GPP different from the IAB EUROPE’S TCF?  

The Transparency and Consent Framework (TCF) was developed by the IAB Europe as a set of technical standards for complying with the GDPR. But since then, regional data protection authorities (DPAs)  have specified requirements for GDPR compliance for their own jurisdictions that are not addressed under the TCF. 

Furthermore, working towards a Global Privacy Platform moves beyond GDPR compliance to set up the industry to more easily adapt to data protection regulations as they emerge around the world. The TCF and the concept of a consent string is just the starting point. The IAB Tech Lab’s recommendation to the industry is that companies who need to consider multiple jurisdictions consider adopting the GPP “as it will be the primary framework where future global user consent and preference signaling will be made available.”

The TCF’s TC String is currently supported by the GPP.

WHAT’s THE DIFFERENCE BETWEEN THE IAB CCPA COMPLIANCE FRAMEWORK AND THE GPP?

The IAB CCPA Compliance Framework relies on the US Privacy Specifications, which supported opt-outs as well as data deletion request handling. The US Privacy Specifications will not be adapted to support upcoming US state privacy laws going into effect in 2023. The IAB Tech Lab recommends that the industry move towards adoption of the GPP instead.

DOES THE GPP SUPPORT GLOBAL PRIVACY CONTROL (GPC)?

Yes, the GPP specifications include details on how existing privacy signals like the GPC are supported into the platform.  

WHEN WILL THE GPP SUPPORT JURISDICTIONS BEYOND THE US AND EUROPE?

The IAB Tech Lab plans to begin supporting strings for additional regions starting with Canada, via the IAB Canada’s TCF later this year.

What does it look like for a consent management platform (CMP)  to support THE GLOBAL PRIVACY PLATFORM?

In practice, CMPs that support the GPP would be able to identify the user’s jurisdiction(s), apply the relevant policy framework to show the correct legal bases and permissions, and generate a section in the GPP string specific to that jurisdiction. Because GPP strings will have sections to specify jurisdiction, downstream vendors that receive a GPP signal will also get an indication of the context in which user preferences were set.

How will the GPP deal with jurisdictional overlap?

Jurisdictional overlap is a natural consequence of the extra-territorial nature of most data protection laws. In situations where a user interaction falls under two jurisdictions— maybe they live in Europe but are visiting a website in another country— a GPP consent signal will be able to accommodate multiple sections to indicate multiple jurisdictions and their specific legal bases.

What’s the benefit of establishing global technical privacy standards?

For users, participation in the GPP across as many jurisdictions as possible will make it easier to predict how data protections are met and enforced. 

For businesses—but especially publishers, advertisers, and ad tech firms—a global technical standard can reduce the cost of maintaining and updating privacy controls for users. In particular, the ability for the GPP consent signal to accommodate different jurisdictions could make it a lot easier for the digital media ecosystem to keep up with technical requirements as they evolve.

Interested in learning more about the GPP and Sourcepoint? Contact us here.