The Global Privacy Platform (GPP)
The Global Privacy Platform (GPP) is an IAB Tech Lab specification that transmits a user's consent and privacy choices across the digital advertising supply chain using a single, extensible container. Instead of separate strings per regulation, GPP bundles section-specific signals — for example US state strings and the EU TCF — into one encoded value. This page explains the container model.
One container, many sections
GPP defines a header plus a set of sections, each corresponding to a jurisdiction or framework — such as the IAB Europe Transparency and Consent Framework, the IAB US Privacy/national and state strings. A consent management platform encodes the relevant sections into a single GPP string, and downstream vendors decode just the section that applies to the user's location.
This replaces the older pattern of juggling separate, framework-specific strings, and is designed to extend as new jurisdictions add sections.
Reading GPP correctly
Because GPP is multi-section, a vendor must identify which section governs a given request and decode that one. Treating a GPP string as if it were a single legacy consent string leads to misreading the user's choices. The signals carried — opt-outs, consent flags, sensitive-data choices — still have to be respected by every party in the chain.
- Header lists which sections are present
- Sections map to frameworks (TCF, US state strings)
- Decode the section that matches the user's jurisdiction
How it appears in analytics and logs
A GPP string present in requests means consent signalling has moved to the multi-jurisdiction container; you must parse the relevant section, not the legacy single-purpose string.
Diagnostic use case
Understand how a single GPP string can carry different privacy signals per region, so consent state is read from the right section rather than assumed.
What WebmasterID can help detect
WebmasterID's privacy-first model minimises reliance on downstream ad-consent strings, but understanding GPP helps interpret upstream consent state when present.
Common mistakes
- Parsing GPP as a single legacy consent string.
- Reading the wrong section for the user's jurisdiction.
- Treating GPP as a lawful basis rather than a signal transport.
Privacy and accuracy notes
GPP is a transport for user choices, not a lawful basis in itself. This page is educational and not legal advice; the choices it carries must still be honoured.
Related pages
- The IAB TCF and the consent string
The IAB Europe Transparency & Consent Framework (TCF) is an industry standard for capturing and communicating users' consent choices across the advertising supply chain. A consent management platform encodes the user's choices into a standardised 'TC string' that downstream vendors read. It is widely used in ad tech and can touch analytics tied to it. This is an educational overview, not legal advice.
- Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
- Do Not Sell or Share my personal information
Under California's CCPA as amended by the CPRA, consumers can direct a business not to sell or share their personal information, where 'sharing' specifically covers disclosure for cross-context behavioural advertising. Businesses must offer a clear opt-out and honour opt-out signals. This page explains the right and how analytics and ad tags can fall within 'sharing'.
- Privacy-first analytics
Measurement that minimises reliance on ad-consent strings.
Sources and verification notes
- IAB Tech Lab — Global Privacy PlatformOfficial GPP specification and resources.
- IAB Tech Lab — GPP GitHub specificationTechnical spec and section definitions.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.