What Is the Global Privacy Platform (GPP) API v1.1?

In the ever-changing global privacy regulation landscape, companies are navigating an increasingly complex environment. 

Data privacy regulations like Europe’s GDPR, California’s CCPA, and now the amended CPRA disrupted businesses as they grappled with the challenge of ensuring compliance. 

To better help the industry comply with the notice and choice obligations required under said new laws, IAB Tech Lab collaborates with industry stakeholders and local trade bodies to support the development of frameworks like IAB Europe’s Transparency and Consent Framework (TCF) and the IAB’s US Privacy Framework. 

However, building distinct technology solutions for every jurisdiction was not sustainable. In September 2022, the IAB Tech Lab first launched the Global Privacy Platform (GPP) and recently closed public comment for the next version of the API.

Understanding the Global Privacy Platform (GPP)

As an industry, we must ensure that we provide the appropriate transparency and choice as required by law. More importantly, we need to consistently communicate user consent and choice preferences, ensuring that all parties can comprehend them properly.

 By doing so, we can handle users’ data in a manner that aligns with their preferences. GPP aims to solve the challenge of creating a common language for everyone in the ecosystem. This solution was developed over several years involving stakeholders from across the ecosystem, including publishers, advertisers, and ad tech vendors.

The key components of the GPP that should be understood are the privacy string and the available string transport mechanisms. These mechanisms include a field in the Regs object in openRTB, parameters and macros for URL-based services, and a standard API. It is the API portion of the GPP that the IAB Tech Lab is updating, but more on that later.

The GPP string can carry privacy signals for any supported jurisdiction. It currently supports privacy signals for Europe’s GDPR, Canada, and five states in the US that have privacy laws (California, Virginia, Utah, Colorado, and Connecticut). Notably, the GPP is extensible and goes beyond just supporting jurisdiction and also allows support for other industry signals, such as the Global Privacy Control (GPC).

Exploring GPP API v1.1

Delving into the specifics of the update, it’s important to understand what remains unchanged. The GPP string, a core component of the protocol, will stay as is. There are also no updates to how the GPP string is passed in openRTB and using the defined macros and parameters. Let’s dig into the changes in the GPP API.

The primary changes to the API were born from industry feedback that it needed to better support callers of the API who operate within an iframe on a web page. Version 1.1 of the API includes callback support for all commands. This allows vendors who work within an iframe to use all the available commands that the API supports rather than just a subset.

In addition to adding callback support, version 1.1 of the API includes updates to status codes. While this may sound insignificant, on the surface, it is vital for callers of the API. There are additional explanations for several of the existing status codes. Still, the most important of the updates is the addition of a new event called signalStatus with potential values of “ready” or “not ready.” This new event adds a lot of clarity to when a GPP string, the representation of the user’s consent and choice preferences, is ready to be used. This will reduce the potential for confusion or misrepresentation.

 To reduce the number of calls needed to extract the appropriate information, version 1.1 of the API includes several optimizations to the objects returned by the API. These optimizations also help with reducing the complexity of vendor scripts.

Details are available here for those looking to dive deeper into the specifics of the updates included in version 1.1.

Implications of the Update on GPP Implementers

All stakeholders, including publishers, advertisers, and consent management platforms (CMPs), along with any vendors utilizing the API for GPP string retrieval, are urged to support the new version of the API which was finalized earlier this month. The enhancements are designed to better infer the privacy signals and enrich interactions with the API. For those vendors that aren’t interacting with the API and instead rely on fetching GPP strings via openRTB or URL macros, there’s no need for any changes. You are unaffected by this update.

As privacy regulation continues to evolve, so will the Global Privacy Platform. The GPP is ready to adapt and evolve to meet the needs of a global privacy landscape that shows no signs of standing still.