Introduction to the IAB Global Privacy Platform (GPP): Why publishers need to pay attention

The Global Privacy Platform (GPP) enables publishers to signal consent and preference information obtained from users to third parties. This IAB initiative helps publishers evolve their compliance efforts and stay ahead of the rapidly evolving privacy landscape in a cost- and resource-friendly way.
Published by Usercentrics
Feb 11, 2025

The Interactive Advertising Bureau (IAB) launched the Global Privacy Platform (GPP) in 2022. It is a project of the IAB Tech Lab’s Global Privacy Working Group and part of that group’s portfolio of solutions. The GPP is the result of significant collaboration among industry stakeholders, including leading tech companies and tech experts around the world.

In line with aspects of the evolution of data privacy, the GPP enables streamlined transmission of signals from websites and apps to ad tech vendors and advertisers. This includes consent, preferences, permissions, and other relevant and often legally required information that affects data handling tools and processing. We look at how this tool can benefit publishers as data privacy compliance requirements expand and evolve, especially across digital marketing platforms.

What is the Global Privacy Platform (GPP)?

The GPP provides a framework for publishers that works similarly to the TCF or Google Consent Mode. Where Consent Mode signals consent information to Google services’ tags to control use of cookies and trackers, the GPP is a protocol that enables simple and automated communication of users’ consent and preference choices via a signal to third parties like ad tech vendors. 

The GPP enables advertisers, publishers, and technology vendors in the digital advertising industry to adapt to regulatory demands over time and across markets. It employs a GPP String, which encapsulates and encodes transparency details and consumer choices (like granular consent) as applicable to each region, helping enable compliance with privacy requirements by jurisdiction.

How does the GPP signal work?

Digital property owners, like companies running websites or apps, are responsible for generating, transmitting, and documenting the GPP String and the information it sends. This enables data integrity and contributes to compliance.

Usercentrics CMP generates and manages the GPP String in an HTTP-transferable and encoded format. Ad tech vendors receive user choice information for consent and preferences, and can decode the GPP String to determine compliance requirements and status for each user. 

The format’s flexibility enables granular regulatory coverage, e.g. state-specific strings for the US where data privacy laws are in effect. The GPP covers 15 states as of early 2025, and five more are expected to get coverage this year. Country and regional strings, such as those for the US and EU, are also supported, as are non-geographic signals like those from Global Privacy Control, which are browser-based and whose recognition is to date only required by some laws.

The GPP is designed to evolve as the data privacy and regulatory landscape does, not requiring significant redevelopment when requirements change. The IAB Tech Lab’s Global Privacy Working Group handles the ongoing work of the GPP’s technical specification.

Why do publishers and others in ad tech need the GPP?

The majority of the world’s population is now covered by at least one data privacy law. Some regions, like the European Union, have multiple laws that intersect in various ways. Additionally, these regulations affect major tech platforms, which are adopting more stringent requirements for their customers to enable privacy-compliant ecosystems. This has significant effects on digital advertising, as major players like Google and Facebook adapt their operations and requirements. 

Additionally, in the United States, there isn’t one federal law to comply with. To date the data privacy laws are state-level, so a company could have to comply with one or ten or more as the regulatory landscape continues to evolve. However, many of these US regulations are fairly similar, which does support the “US National” signaling approach. Companies need tools, like a consent management platform and the Global Privacy Platform, designed to evolve with changes and expansion in regulations.

The GPP is designed for flexibility and scalability. It supports all current privacy signals and will be able to support future ones as new laws are passed and existing ones evolve. The architecture is designed to grow with companies’ operations, enabling publishers to better respect users’ privacy choices and more effectively signal them to vendors and partners.

Does the GPP affect the TCF?

The GPP isn’t the IAB’s first framework for publishers and ad tech. The Transparency & Consent Framework (TCF) was launched in 2018, the same year the EU’s General Data Protection Regulation (GDPR) came into effect. As of 2024, the TCF is now at version 2.2.

The GPP is designed to better meet the needs of publishers that need to signal consent across multiple jurisdictions, as many companies doing business around the world — or across the United States — need to do.

The plan is to ensure that updates made to the TCF over time are also reflected in the GPP, giving companies the best tools to achieve and maintain compliance with their digital advertising operations. Eventually, the goal is for the Global Privacy Platform — as the name suggests — to be the single framework for consent and preference signaling.

In Europe and the UK, Google will continue to use the TCF and will not be accepting the GPP signal. Using Ad Manager will still require the use of a certified consent management platform integrated with the TCF. TCF strings sent through the GPP won’t be accepted.

What is the multi-state privacy agreement (MSPA) and how does the GPP affect it?

The Multi-State Privacy Agreement (MSPA) is an industry-centric contractual framework for companies doing business in the US, which covers 19 states as of early 2025. It’s meant to “aid advertisers, publishers, agencies, and ad tech intermediaries in complying with five state privacy laws.” The IAB Tech Lab is prioritizing updates to MSPA/US National before providing further state-specific strings, though that’s expected later in 2025. 

The MSPA evolved from the IAB’s Limited-Service Provider Agreement (LSPA), which dates from 2020 and initially focused on CCPA/CPRA compliance. The evolution has focused on legal standards, protecting consumers’ privacy rights, and working with the GPP (including the specific privacy strings for each state). The MSPA is also designed for flexibility and scalability as US data privacy challenges become more complex.

Some US state-level data privacy laws require recognizing a universal opt-out mechanism like Global Privacy Control, but not all of them. The Global Privacy Platform currently supports various privacy signals around the world, both for the IAB’s own frameworks and for external ones:

  • EU TCF v2 signal (IAB Europe TCF)
  • CA TCF signal (IAB Canada TCF)
  • US National signal (IAB MSPA US National)

GPP and international privacy laws

The Global Privacy Platform was designed to address the increasing complexity of data privacy regulation and requirements. Many companies do business across international jurisdictions and have many partners and vendors that they work with. This is only going to increase.

GPP and the GDPR

Europe has led the way in modern data privacy with the GDPR, TCF, and other relevant regulations and frameworks. It was IAB Europe that brought the TCF to the market, and the GPP supports the EU TCF v2 signal. As noted, Google does not currently support the TCF via the GPP, so until industry adoption changes, this implementation isn’t recommended.

One of the main goals of the TCF was to help organizations meet GDPR compliance requirements, and the GPP is meant to extend this mandate.

  • Compliant consent handling: Using a CMP, companies can collect valid consent from users and clearly signal the information to relevant entities like ad tech vendors.
  • International data transfers: There are stringent requirements to protect personal data when transferring it to other countries. The GPP helps compliantly manage cross-border data transfers of consent information to vendors.
  • Secure and comprehensive documentation: In securely maintaining consent signaling records, the GPP helps uphold data subjects’ rights along with requirements for secure and comprehensive documentation of data processing in case of inquiry or complaint.

GPP and PIPEDA

In Canada, data privacy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2000, and a lot has changed since then. There are a number of requirements in PIPEDA and Quebec’s Law 25 that the GPP helps with, and the Platform already supports the CA TCF signal. Here are some of the benefits.

  • Explicit consent: Like the GDPR, PIPEDA requires explicit user consent for various types of data processing. The GPP enables that consent to be activated among ad tech and other martech platforms.
  • Providing transparency: All data privacy laws require informing data subjects about how their data will be used, among other requirements. The GPP helps with this by supporting standardized privacy consent mechanisms which can be easily communicated. 
  • Data subject rights: Under PIPEDA, users have the rights to access their personal data and to revoke their consent. The GPP enables streamlined signaling to connected platforms if a data subject revokes consent for data processing. It also helps with tracking and providing consent data for data subject access requests (DSAR).

GPP and US privacy laws

The patchwork of data privacy laws and requirements in the US was a major factor in building out the Global Privacy Platform. As of the end of 2024, 21 data privacy laws have been passed by US state-level governments, which can introduce a lot of complexity into doing business. 

The IAB Tech Lab created the US Privacy Specifications, which have been used to support the CCPA Compliance Framework. However, a lot more laws have been passed since the CCPA came into effect. As of 2023, the US Privacy Specifications are not being updated, and have been replaced by state-specific privacy strings available via the GPP.

However, IAB MSPA US National also provides a national approach to privacy compliance with state-level laws by utilizing the highest standard. 

Additionally, the GPP is designed to evolve and scale with further data privacy regulatory requirements in the US, and to enable companies to manage consent and preferences with vendor relations in a streamlined way. This will also be relevant as more and more platforms evolve their data privacy requirements.

How Usercentrics supports the Global Privacy Platform

Usercentrics currently supports the GPP and is working toward additional regulatory coverage. Direct support from the Consent Management Platform’s Admin Interface is also being developed, along with further enhancements. 

The Usercentrics CMP integrates with the GPP and generates the necessary GPP string to signal consent information.

Companies serving Google ads in the EU, EEA, or UK also continue to need a Google-certified CMP like Usercentrics CMP, which comes with the TCF v2.2 integrated, since, as noted, Google will continue to only support this format and is not accepting TCF strings sent through the GPP.

As complexity and requirements for data privacy continue to evolve, and as individuals become more invested in their privacy and choice, it’s never been more important to invest in reliable, scalable tools to obtain, manage, and signal valid consent — in every region where you do business. It’s becoming a key competitive advantage to grow trust and revenue.

As more and more digital platforms adapt to regulatory requirements as well, your company’s international advertising operations will increasingly depend on how well you’ve implemented consent and preference management with tools like Usercentrics CMP and the Global Privacy Platform. The era of Privacy-Led Marketing is here, and Usercentrics has the tools to help you embrace it and grow with confidence.