There was an unexpected error authorizing you. Please try again.

IAB Tech Lab Releases for Public Comment Specifications for New Privacy Strings that Replace the US Privacy Framework and Help to Address Upcoming Privacy Laws in 5 States

On September 28, we released the Global Privacy Platform (GPP), a multi-jurisdictional protocol that enables communication of user consent and preference signals through the digital advertising chain. In the announcement we mention that new signals to support US state regulations were forthcoming and we’re happy to announce today that they are now in public comment until October 27.

IAB Tech Lab’s Global Privacy Working Group, in partnership with the IAB’s Legal Affairs Council have developed the privacy string specifications for five US states (California, Virginia, Colorado, Utah, and Connecticut) that are supported within the GPP. 

These new strings can be used independently, however are also designed to work  in combination with IAB’s Multi-State Privacy Agreement (MSPA), to help companies address the challenges of managing consent signals for multiple states.

It is important to note that the US Privacy Framework which has previously been used by companies to address the CCPA, will not be updated going forward and is set to be deprecated late 2023.

IAB Tech Lab encourages the industry to prepare to transition away from the US Privacy Framework and to shift towards using the GPP and US State Signals specifications- both of which are ready for adoption today. Visit the GPP product page for more information.

How are the state signals represented in GPP?

There are 6 new privacy strings that are now supported. That’s not a typo, there are the five state-specific privacy strings: California, Virginia, Utah, Colorado, Connecticut; and in addition to each states’ privacy string, we are also introducing the US National privacy string that incorporates the highest privacy requirements across all the states including Global Privacy Control (GPC) into a single string. It is available as an option that may be used in cases where the business cannot or does not wish to granularly identify the residency of the user.

Each state and the national approach have been assigned Section IDs and are represented as distinct sections within the GPP string. The data that must be passed in each string, the encoding details, and other details like how to pass a GPC signal may be found in each section’s specifications.

Do I have to be an MSPA signatory to use these new state signals?

No. It is important to note that while it’s strongly recommended, and beneficial, for a company to be a signatory to the MSPA,  it is not a prerequisite to use the new state-level signals. However, for signatories to the MSPA, it is required to use the new state signals and the GPP, for consent signaling. Learn more about the MSPA for a better understanding of what’s covered for signatories. 

What happened to the US Privacy Framework?

The US Privacy Framework, launched in 2020, consisted of specifications for a privacy string in support of California’s CCPA, an API that may be used for retrieval of the string, as well as the specification for passing of a deletion request. As privacy regulations have developed over the last few years, within the US as well globally, there was a clear desire to, put simply, make it easier for the industry to implement consent signaling. Thus, the concept of the GPP was developed. And, given the need for consent signaling for a myriad of states, it only made sense to develop these signals using the GPP architecture. The US Privacy Framework will not be updated to support these new state signals and will be deprecated later in the year in 2023.

Future of the US State Signals

These 6 new privacy strings are the first set of net new sections that the GPP supports. If and when we need to introduce privacy strings to support other states, the GPP is ready for it.

About the Author

Rowena Lam
Senior Director, Privacy & Data
IAB Tech Lab