Understanding IAB’s Global Privacy Platform (GPP)
Posted: November 4, 2024
In a world of technical acronyms, some of the hardest ones to understand come from the online world. In particular, the three legs of the online consent stool – GPP, GPC, and CMP – are easy to conflate. However, a clear understanding of how these three different, but interrelated, technologies work together can help an organization build a consent ecosystem with a minimum of complexity and non-compliance risk.
GPP
If you are involved in marketing, especially in the United States, you have probably heard of the Interactive Advertising Bureau, or IAB. With the expressed mission of empowering “the media and marketing industries to thrive in the digital economy,” the IAB offers the industry standards and guidelines, trainings, and opportunities to participate in committees and research.
One IAB standard that has the potential to impact consent management across the global marketplace is the Global Privacy Platform (GPP). Technically, the GPP is a standardized framework that allows different entities across the digital world – sometimes in different geographies – to understand and pass on privacy preferences and consents across the ad tech world. It uses standardized, machine-readable strings to represent privacy policies and user consents and preferences so that organizations can understand and apply a data subject’s privacy requests. In the IAB’s own words, the GPP “enables advertisers, publishers, and technology vendors in the digital advertising industry to adapt to regulatory demands across markets.”
The problem the IAB designed the GPP to solve is one of complexity. In the ideal world, a data subject should be able to opt out of targeted online advertising once, and the entire advertising ecosystem would understand and apply the preference or consent correctly. However, in the real world, digital advertising can involve hundreds, if not thousands, of organizations. If each of those organizations uses its own preference/consent technology without a standard way to interpret, code, and pass on data subject wishes, that data subject’s wishes stop with the initial company. At best, only those advertising entities that use the same consent technology can understand and apply permissions. The GPP, on the other hand, provides the framework necessary for multiple ad tech organizations using different privacy signals to understand and pass on privacy information.
Currently, the GPP supports the IAB EU TCF, IAB Canada TCF, MSPA’s US national, and U.S. State-specific (Colorado, California, Connecticut, Virginia, and Utah) privacy strings. Future versions will support other jurisdictions.
GPC
The GPP should not be confused with the GPC, or Global Privacy Control, as they solve slightly different problems with slightly different scope. While the GPP is a framework that allows consolidation of different ad tech-specific privacy signals, the GPC is an example of a single type of signal – a signal that signifies “do not sell or share” to visited websites and organizations. The overlap occurs where some jurisdictions describe “selling or sharing” in a way that third party advertising cookies fall under that definition.
The GPC allows a user to set a “do not sell or share” request on a GPC-capable browser, and that browser will send that signal to each website the user visits from that point on. The website and website owner then must act, such as limiting third party advertising cookies, and even limiting back-office third party data sharing. In other words, the GPC allows individuals to set an opt out of selling/sharing preference once and expect that wish to spread with each online contact. Browsers support the GPC with either built-in functionality (such as Firefox) or through extensions (such as with Chrome).
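As an added example (not code from the original post or from any CMP product), the sketch below shows how a site might act on the GPC signal on the server side. It relies on the `Sec-GPC: 1` request header defined by the GPC specification; the cookie inventory, its field names, and the function names are assumptions made for illustration.

```javascript
// Constructed cookie inventory: what the site would normally set on a page view.
const SAMPLE_COOKIES = [
  { name: 'session',      purpose: 'necessary',   thirdParty: false },
  { name: 'analytics_id', purpose: 'analytics',   thirdParty: true  },
  { name: 'adnet_id',     purpose: 'advertising', thirdParty: true  },
];

// Returns true only when the request carries "Sec-GPC: 1".
// Header names are case-insensitive; any other value is treated as "no signal".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decides which planned cookies may be set for this request.
// Only third-party advertising cookies are suppressed here, matching the
// case the article describes; wider scoping is a jurisdiction-specific choice.
function applyGpc(headers, plannedCookies) {
  const optedOut = hasGpcSignal(headers);
  const allowed = [];
  const suppressed = [];
  for (const cookie of plannedCookies) {
    const isAdSharing = cookie.thirdParty && cookie.purpose === 'advertising';
    if (optedOut && isAdSharing) {
      suppressed.push(cookie.name);
    } else {
      allowed.push(cookie.name);
    }
  }
  // doNotSellOrShare is a hypothetical flag a CMP could forward to
  // back-office systems so offline third-party sharing is limited as well.
  return { optedOut, allowed, suppressed, doNotSellOrShare: optedOut };
}

// Constructed request headers from a GPC-enabled browser.
console.log(applyGpc({ 'Sec-GPC': '1' }, SAMPLE_COOKIES));
```

Recording the returned decision alongside the request gives an audit trail showing that the opt-out was honored.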
Created by collaboration among multiple organizations, the GPC has garnered some acceptance by some U.S. states. For example, California requires website owners to recognize GPC signals. The GPC also functions as a mechanism to opt out of sharing or processing under the European Union’s GDPR.
The good news is that the GPP recognizes and accommodates GPC signals, so from that perspective the GPC and GPP do not conflict with one another. However, it is important to remember that while respecting GPC signals is a requirement in some jurisdictions, currently the GPP is a mechanism that facilitates compliance but is not required in itself.
CMP
That said, the GPP and GPC are two important tools for any robust, cross-jurisdictional Consent Management Platform (CMP). The role of a CMP is to present consent and preference interfaces, collect the relevant information from those interfaces and other sources, and pass on that consent and preference information to the right systems. Since the ad tech world is a critical and complex corner of the privacy consents universe, the GPP gives a CMP a tool that helps smooth out communication glitches related to digital advertising consents. The GPP allows a consent management platform to receive information in a standardized way, make sense of the directions, and pass those directions on to ad tech entities in a form those organizations can also understand.
Similarly, the GPC provides a way in which web visitors can express their permissions through their browser and have their permissions passed onto each website they visit with that browser. A CMP can not only collect and manage third party advertising cookie consents as expressed by the GPC, but also connect those signals to off-line third-party sharing practices, limiting those according to ‘do not sell or share’ rules as local legislation may require.
In a way, a CMP is an orchestra conductor, collecting, interpreting, and passing on instructions. It receives and passes on specific inputs, such as GPC signals that represent ‘do not sell or share’ requests. A CMP also uses the GPP framework to help simplify what would otherwise be hundreds, if not thousands, of different ad tech-specific opt-out signals in different formats so that it can receive, interpret, and send on understandable information across the ad tech network. There are other coordination activities central to a robust CMP, and many other acronyms that apply, but understanding how a CMP interacts with GPC signals and the GPP framework can help reduce the mystery of two critical aspects of cross-jurisdictional and cross-modal consent management.