Platform for Global Privacy Compliance

A resource on global privacy compliance: the unified standards for communicating user consent and data preferences across diverse global regulatory environments.

Global Privacy Laws & Protocols

IAB TCF v2.3 (Europe)

The IAB Europe Transparency & Consent Framework is the standard for managing user consent under GDPR and the ePrivacy Directive in the EEA and UK. TCF v2.3 enables publishers, advertisers, and vendors to communicate consent and legitimate interest signals.

  • Covers EEA, UK, and Switzerland
  • Required by Google for EEA/UK ad serving
  • Managed through certified CMPs

IAB Canada TCF

The IAB Canada Transparency & Consent Framework addresses compliance with Canadian privacy laws including PIPEDA and Quebec's Law 25. It provides a standardized approach for obtaining and communicating user consent in the Canadian market.

  • Covers PIPEDA and provincial laws
  • Quebec Law 25 consent requirements
  • Supported as a GPP section

GPP

The Global Privacy Protocol (GPP) is a framework that helps ecosystem participants support user choice and comply with consumer privacy regulations across diverse regulatory regimes. It harmonizes compliance for Europe, Canada, and the US state privacy landscape through a unified transport layer.

  • Unified consent signal across jurisdictions
  • Supports TCF, MSPA, and US state sections
  • Current API Version: GPP 1.1

US State Privacy Laws

A growing patchwork of state-level privacy regulations in the United States, each with unique requirements for consumer opt-outs, consent, and data processing.

  • CCPA/CPRA — California
  • VCDPA — Virginia
  • CPA — Colorado
  • CTDPA — Connecticut
  • FDBR — Florida
  • TDPSA — Texas
  • OCPA — Oregon
  • MTCDPA — Montana

GDPR (EU/EEA)

The General Data Protection Regulation is the comprehensive data protection law governing the collection and processing of personal data in the European Union and European Economic Area.

  • Lawful basis for data processing
  • Right to access, erasure, and portability
  • Cross-border data transfer rules

LGPD (Brazil)

Brazil's Lei Geral de Proteção de Dados is the country's comprehensive data protection law, modeled after the GDPR. It regulates the processing of personal data of individuals in Brazil.

  • Applies to data processed in Brazil
  • Requires a Data Protection Officer
  • Consent and legitimate interest bases

POPIA (South Africa)

The Protection of Personal Information Act governs the processing of personal information in South Africa, establishing conditions for lawful processing and data subject rights.

  • 8 conditions for lawful processing
  • Information Officer requirement
  • Cross-border transfer restrictions

APPI (Japan)

The Act on the Protection of Personal Information is Japan's primary data protection law, amended in 2022 to strengthen individual rights, cross-border transfer rules, and penalties for violations.

  • Consent required for third-party transfers
  • Stricter cross-border data transfer rules
  • Individual rights to access and deletion

PDPA (Thailand)

Thailand's Personal Data Protection Act provides a comprehensive framework for personal data protection, closely modeled after the GDPR with localized adaptations for the Thai market.

  • Consent-based and legitimate interest bases
  • Data Protection Officer requirement
  • Cross-border transfer safeguards

PIPL (China)

China's Personal Information Protection Law is one of the strictest data privacy laws globally, regulating the processing of personal information of individuals within China with significant extraterritorial reach.

  • Separate consent for sensitive data
  • Security assessment for cross-border transfers
  • Strict data localization requirements

DPDP (India)

India's Digital Personal Data Protection Act establishes a framework for processing digital personal data, balancing individual rights with lawful data use for India's rapidly growing digital economy.

  • Consent-based processing with notice
  • Data fiduciary and processor obligations
  • Restrictions on cross-border transfers

PDPD (Vietnam)

Vietnam's Personal Data Protection Decree provides comprehensive rules for the processing of personal data, requiring organizations to implement data protection measures and obtain consent from data subjects.

  • Consent required before data processing
  • Impact assessments for cross-border transfers
  • Data Protection Officer designation

PIPA (South Korea)

South Korea's Personal Information Protection Act is one of the most stringent data protection laws in Asia, governing the collection, use, and disclosure of personal information with strong enforcement.

  • Explicit consent for sensitive data
  • Mandatory data breach notification
  • Pseudonymization framework for data use

Privacy Act (Australia)

Australia's Privacy Act 1988 regulates the handling of personal information by government agencies and private sector organizations, built around the Australian Privacy Principles (APPs).

  • 13 Australian Privacy Principles (APPs)
  • Mandatory data breach notification scheme
  • Cross-border disclosure accountability

Privacy Act (New Zealand)

New Zealand's Privacy Act 2020 governs how agencies collect, store, use, and disclose personal information, structured around 13 Information Privacy Principles (IPPs).

  • 13 Information Privacy Principles
  • Mandatory breach notification
  • Cross-border data transfer safeguards

PDPA (Singapore)

Singapore's Personal Data Protection Act governs the collection, use, and disclosure of personal data by organizations, complemented by a Do Not Call (DNC) Registry for marketing communications.

  • Consent and notification obligations
  • Do Not Call Registry for marketing
  • Mandatory data breach notification

PDPL (Argentina)

Argentina's Personal Data Protection Law (Ley 25.326) was one of the first comprehensive data protection laws in Latin America. Argentina holds EU adequacy status, facilitating cross-border data transfers with Europe.

  • EU adequacy status for data transfers
  • Consent required for data processing
  • National data protection authority (AAIP)

FADP (Switzerland)

Switzerland's Federal Act on Data Protection (revFADP), revised in 2023, closely aligns with the GDPR to maintain EU adequacy and strengthen protections for individuals' personal data.

  • GDPR-aligned with EU adequacy status
  • Mandatory data breach notification
  • Privacy by design and impact assessments

DPA (Philippines)

The Philippines' Data Privacy Act of 2012 protects individual personal information in both government and private sector information and communications systems, enforced by the National Privacy Commission.

  • Consent-based processing framework
  • Mandatory registration of data processing systems
  • National Privacy Commission enforcement

GPP and US State Compliance (MSPA)

The United States presents a complex challenge with numerous states enacting their own comprehensive privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA). These laws often have unique requirements for consumer opt-outs, consent, and data processing notices.

The Multi-State Privacy Agreement (MSPA)

The MSPA was developed as a contractual framework for the industry, providing a path for signatories to meet the highest common denominator of state privacy requirements through a single "US National" signal.

However, whether you use the MSPA's US National section or individual US State Specific sections, GPP is the essential technical layer that carries and standardizes these signals.

Why GPP is Required for US Compliance:

  • Unified Transport: GPP acts as the central mechanism for encoding both the MSPA National string and all specific US state strings (sub-sections).
  • Interoperability: It ensures vendors receive and interpret these diverse signals correctly, regardless of which state law applies to the user.
  • Efficiency: Instead of maintaining separate APIs for each state or the MSPA, GPP provides one unified API for retrieving the applicable signals.

GPP Sections for US Privacy:

  • MSPA/US National Section: Used by MSPA signatories to signal compliance across multiple states simultaneously.
  • US State Specific Sections: Provides unique encoded strings for individual state laws (e.g., California, Virginia, Colorado) where specific nuances are required.
  • Single API Call: All these necessary signals are made available to vendors through a single GPP API call.

Google's GPP Support

Google Ad Manager and AdSense support the Global Privacy Protocol for publishers and CMPs who choose to use this framework to comply with US state privacy laws. Google does not require the use of GPP, but recommends it over the deprecated US Privacy String.

Core GPP Support Requirements

  • Future Version Support: Starting in September 2025, Google will support GPP National v2, and will continue to support v1.0.
  • MSPA Status: Ad Manager is a certified participant in the MSPA Certified Partner Program (CPP), meaning publishers are not required to sign the MSPA to work with Google.
  • EEA/UK TCF Exclusion: GPP strings are not accepted for ads served in the EEA or UK. Ad Manager continues to require the IAB Europe TCF v2.3 string via a certified CMP.
  • Supported GPP Sections: Ad Manager only accepts the following GPP sections: US National, California, Colorado, Connecticut, Florida, and Virginia.
  • Unsupported Sections: Ad Manager does not accept IAB Canada TCF, US Privacy String, US State Utah, or IAB EU TCF v2.3 as part of GPP support.

Restricted Data Processing (RDP) Logic

Google triggers Restricted Data Processing (RDP) based on specific fields within the GPP string, indicating user opt-outs.

RDP Triggers:

  • US National: Opt-out of Sale, Sharing, or Targeted Advertising.
  • California: Opt-out of Sale or Sharing.
  • CO, CT, VA, FL: Opt-out of Sale or Processing for Targeted Advertising. (Florida also includes opt-out of Sensitive Data Processing for ages 13-18.)

Minor Consent Signals (TFCD/RDP):

GPP signals for minors are read by Google, resulting in Child-Directed Treatment (TFCD) or RDP based on age and consent:

  • TFCD (Child-Directed): Triggered if minor consent fields (e.g., <13 or <16) are present for US National, CA, CO, CT, or FL.
  • RDP (Ages 13-17): Triggered if there is "No consent" to processing/sale for specified age ranges in US National, CT, or FL.

Ready to Comply with GPP?

To comply with and effectively implement the Global Privacy Protocol, leverage a dedicated Consent Management Platform (CMP) that handles the complexities for you.

GPP Implementation Guidelines

Publishers & Digital Property Owners

As a Publisher, your primary task is implementing a CMP to manage the user interface for consent. This includes choosing the applicable GPP sections based on your audience.

  • Determine Applicable Sections with legal counsel (jurisdictions).
  • Ensure Vendor and Partner Compatibility with GPP.
  • Focus on User Experience for consent presentation.
  • For Mobile App Developers, standardize GPP data storage locations and naming conventions so ad tags can access the GPP string seamlessly.

How a Consent Management Platform (CMP) Works

A CMP helps publishers and advertisers collect, manage, and communicate user consent choices. It handles the complexity of privacy compliance so you can focus on your business.

  • For Publishers: Display consent banners, collect user preferences, and pass compliant signals to ad partners.
  • For Advertisers: Receive verified consent signals to ensure data processing and ad targeting comply with user choices.
  • Automatically generate and encode privacy strings (GPP, TCF, US Privacy) for all applicable jurisdictions.
  • Manage consent across web, mobile apps, and connected TV from a single platform.

Advertisers

As an Advertiser, you must ensure your ad tech partners and internal systems correctly read and honor the GPP signals received to determine allowed data processing.

  • Ensure ad tech partners support GPP signal consumption.
  • Find the GPP String via CMP API, OpenRTB Regs object (server-side), or URL parameters (client-side).
  • Honor user opt-out signals for sale, sharing, and targeted advertising.
  • Validate that signalStatus is "ready" before data processing.

Frequently Asked Questions

What's the difference between GPP, IAB TCF 2.3, and CCPA?

The GPP is built upon the foundation of existing frameworks like TCF 2.3 but serves as a broader, comprehensive solution, specifically addressing the complexity of the US market. It defines the unified transport layer for encoding and transmitting user privacy signals for IAB TCF (EEA/UK), as well as signals related to the Multi-State Privacy Agreement (MSPA) and specific US state laws (e.g., California, Virginia, Colorado). GPP is the single technical standard for multi-jurisdictional consent signaling.

What is the difference between a GPP ID, TCF Vendor ID, and an MSPA Signatory ID?

These all refer to the same unique identifier assigned to vendors participating in the various frameworks. This consistency ensures that implementers do not need to maintain separate IDs across multiple frameworks. However, vendors must still register for each specific framework (TCF, MSPA, etc.) they wish to participate in.

How is the GPP String structured?

The GPP String is a single, Base64-like encoded string that begins with a required Header Section. This header acts as a table of contents, identifying which regulatory sections (like US National or California) are included in the string. The header is followed by the individual section strings, all concatenated and separated by a tilde (~). This compact, unified format allows multiple privacy signals to be passed efficiently.

Can GPP replace my existing IAB Europe TCF implementation?

No. While the GPP is designed to carry the TCF signal as a "section", major ad platforms like Google Ad Manager do not accept the TCF signal via GPP for the EEA/UK. The GPP primarily addresses compliance complexity in the US and Canada. For the European Economic Area (EEA) and the UK, you must continue to use a certified CMP to implement the IAB Europe TCF 2.3 string directly.

What is the purpose of Fibonacci Encoding in GPP?

GPP strings, especially those containing multiple sections, can become quite long. Fibonacci Encoding is a mechanism used in the specification to reduce the final string length. This prevents errors and issues that can occur in various parts of the digital advertising supply chain (like URL parameters or header limits) when dealing with excessively long strings.
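
The header layout and the Fibonacci-coded section list described in the two answers above can be checked before any section is trusted. The decoder below is an added example, not code from IAB or from this page. It assumes the header carries a 6-bit type (value 3), a 6-bit version and a 12-bit entry count ahead of the section IDs; the function names and the 64-ID range cap are illustrative assumptions.

```javascript
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Expand the header segment into a bit string, 6 bits per character.
function toBits(segment) {
  let bits = "";
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid character in GPP header: ${ch}`);
    bits += v.toString(2).padStart(6, "0");
  }
  return bits;
}

// Fibonacci coding: a set bit at index i adds the i-th Fibonacci number
// (1, 2, 3, 5, ...); the integer ends at the first pair of consecutive 1 bits.
function readFib(bits, pos) {
  let a = 1, b = 2, value = 0, prev = "0";
  for (let i = pos; i < bits.length; i++) {
    if (bits[i] === "1") {
      if (prev === "1") return { value, next: i + 1 };
      value += a;
    }
    prev = bits[i];
    [a, b] = [b, a + b];
  }
  throw new Error("truncated Fibonacci integer");
}

function parseGppHeader(gpp) {
  const parts = gpp.split("~");
  const bits = toBits(parts[0]);
  if (bits.length < 24) throw new Error("GPP header too short");
  const type = parseInt(bits.slice(0, 6), 2);
  const version = parseInt(bits.slice(6, 12), 2);
  if (type !== 3) throw new Error(`not a GPP header (type ${type})`);
  const count = parseInt(bits.slice(12, 24), 2);
  const sectionIds = [];
  let pos = 24, last = 0;
  for (let n = 0; n < count; n++) {
    const isRange = bits[pos++] === "1";   // 0 = single ID, 1 = start..end range
    let r = readFib(bits, pos);
    const start = last + r.value;          // IDs are offsets from the previous entry
    let end = start;
    if (isRange) { r = readFib(bits, r.next); end = start + r.value; }
    if (end - start > 64) throw new Error("implausible section range"); // assumed cap
    for (let id = start; id <= end; id++) sectionIds.push(id);
    pos = r.next; last = end;
  }
  if (sectionIds.length !== parts.length - 1)
    throw new Error("header and string disagree on the number of sections");
  return { version, sectionIds, sections: parts.slice(1) };
}
// Constructed sample: header "DBABrY" lists sections 7-9; payloads are placeholders.
console.log(parseGppHeader("DBABrY~x~y~z").sectionIds);
```

A string whose header lists a different number of sections than the tilde-separated payloads that follow is rejected outright instead of being read as "no opt-out present".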