Blog

What’s the IAB Tech Lab’s Global Privacy Platform (GPP) framework?

Sourcepoint
October 13, 2022
urban landscape

It’s not just GDPR and CCPA anymore. Data protection laws are emerging all over the world. With so many US state-level data protection laws soon going into effect and privacy laws in South America and Asia on the rise as well, a global standard could be extremely important to paving a sustainable path forward for driving transparency and user choice, all while honoring regional requirements. 

The Global Privacy Working Group of the IAB Tech Lab, a non-profit research and development consortium, has been working on a global technical standard to help the digital advertising industry meet the requirements of different jurisdictions: the Global Privacy Platform. (Not to be confused with the Global Privacy Control – that’s a browser-level opt-out standard for CCPA.) 

Let’s get into it.

What is the Global Privacy Platform (GPP)?

Developed by the IAB Tech Lab’s Global Privacy Working Group, the Global Privacy Platform is meant to streamline technical privacy standards into a singular schema and set of tools which can adapt to regulatory and commercial market demands across channels. The GPP was finalized on September 28, 2022 and is now ready for industry adoption.

How WILL THE GPP SUPPORT US STATE PRIVACY COMPLIANCE?

On October 13, 2022, the IAB Tech Lab introduced the Multi-State Privacy Agreement (MSPA), an updated contractual framework to accommodate the new state privacy laws in California, Colorado, Virginia, Connecticut, and Utah. The IAB Tech Lab also released technical specifications for privacy strings that can support privacy signals from the five states. For now, both remain in the draft stage, and will be available for public comment until October 27, 2022.

How is the GPP different from the IAB EUROPE’S TCF?  

The Transparency and Consent Framework (TCF) was developed by the IAB Europe as a set of technical standards for complying with the GDPR. But since then, regional data protection authorities (DPAs)  have specified requirements for GDPR compliance for their own jurisdictions that are not addressed under the TCF. 

Furthermore, working towards a Global Privacy Platform moves beyond GDPR compliance to set up the industry to more easily adapt to data protection regulations as they emerge around the world. The TCF and the concept of a consent string is just the starting point. The IAB Tech Lab’s recommendation to the industry is that companies who need to consider multiple jurisdictions consider adopting the GPP “as it will be the primary framework where future global user consent and preference signaling will be made available.”

The TCF’s TC String is currently supported by the GPP.

WHAT’s THE DIFFERENCE BETWEEN THE IAB CCPA COMPLIANCE FRAMEWORK AND THE GPP?

The IAB CCPA Compliance Framework relies on the US Privacy Specifications, which supported opt-outs as well as data deletion request handling. The US Privacy Specifications will not be adapted to support upcoming US state privacy laws going into effect in 2023. The IAB Tech Lab recommends that the industry move towards adoption of the GPP instead.

DOES THE GPP SUPPORT GLOBAL PRIVACY CONTROL (GPC)?

Yes, the GPP specifications include details on how existing privacy signals like the GPC are supported into the platform.  

WHEN WILL THE GPP SUPPORT JURISDICTIONS BEYOND THE US AND EUROPE?

The IAB Tech Lab plans to begin supporting strings for additional regions starting with Canada, via the IAB Canada’s TCF later this year.

In practice, CMPs that support the GPP would be able to identify the user’s jurisdiction(s), apply the relevant policy framework to show the correct legal bases and permissions, and generate a section in the GPP string specific to that jurisdiction. Because GPP strings will have sections to specify jurisdiction, downstream vendors that receive a GPP signal will also get an indication of the context in which user preferences were set.

How will the GPP deal with jurisdictional overlap?

Jurisdictional overlap is a natural consequence of the extra-territorial nature of most data protection laws. In situations where a user interaction falls under two jurisdictions— maybe they live in Europe but are visiting a website in another country— a GPP consent signal will be able to accommodate multiple sections to indicate multiple jurisdictions and their specific legal bases.

What’s the benefit of establishing global technical privacy standards?

For users, participation in the GPP across as many jurisdictions as possible will make it easier to predict how data protections are met and enforced. 

For businesses—but especially publishers, advertisers, and ad tech firms—a global technical standard can reduce the cost of maintaining and updating privacy controls for users. In particular, the ability for the GPP consent signal to accommodate different jurisdictions could make it a lot easier for the digital media ecosystem to keep up with technical requirements as they evolve.


Interested in learning more about the GPP and Sourcepoint? Contact us here.

Latest Blog Posts

FTC rulemaking and CPRA comment periods close

November 28, 2022

Comments from the News/Media Alliance requested that any FTC...

Google settles in multi-state location tracking suit

November 21, 2022

Google settled a multistate privacy lawsuit with 40 state Attorneys General based...

Colorado Posts Public Comments to CPA Draft Rules

November 14, 2022

The Data Protection and Digital Information Bill, which was...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]