The global standard GPP defines a way for local standards to "plug-in" into the existing mechanics defined by GPP and the GPP client side API. This document outlines the technical specification for using the GPP specifications with the IAB Privacy Multi-State Privacy Agreement legal requirements.
Date | Version | Comments |
December 2022 | 1.0 | Version 1.0 released |
The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach for their processing of a consumer’s personal data.
Field Type | Value | Description |
GPP SectionID | 7 | The US National Section is registered as Section ID 7 under the GPP. |
Client side API prefix | usnat | The US National Privacy section is registered with client side API prefix “usnat” in the GPP Client Side API. |
The core segment must always be present. Where terms are capitalized in the ‘description’ field they are defined terms in applicable State Privacy Laws and the MSPA. It consists of the following fields:
Field name |
GPP Field Type |
Description |
---|---|---|
Version | Int(6) | The version of this section specification used to encode the string. |
SharingNotice | Int(2) | Notice of the Sharing of the Consumer’s Personal Data with Third Parties. References:
0 Not Applicable. The Business does not share Personal Data with Third Parties.
|
SaleOptOutNotice | Int(2) | Notice of the Opportunity to Opt Out of the Sale of the Consumer’s Personal Data. References:
0 Not Applicable. The Business does not Sell Personal Data.
|
SharingOptOutNotice | Int(2) | Notice of the Opportunity to Opt Out of the Sharing of the Consumer’s Personal Data. References: (i) Cal. Civ. Code 1798.100(1)(1), (3), (ii) Cal. Civ. Code 1798.135(1) and/or (iii) Cal. Civ. Code 1798.135(2)
|
TargetedAdvertisingOptOutNotice | Int(2) | Notice of the Opportunity to Opt Out of Processing of the Consumer’s Personal Data for Targeted Advertising References:
0 Not Applicable.The Business does not Process Personal Data for Targeted Advertising.
|
SensitiveDataProcessingOptOutNotice | Int(2) | Notice of the Opportunity to Opt Out of the Processing of the Consumer’s Sensitive Data References:
0 Not Applicable. The Business does not Process Sensitive Data.
|
SensitiveDataLimitUseNotice | Int(2) | Notice of the Opportunity to Limit Use or Disclosure of the Consumer’s Sensitive Data References:
0 Not Applicable. The Business does not use or disclose Sensitive Data.
|
SaleOptOut | Int(2) | Opt-Out of the Sale of the Consumer’s Personal Data References:
0 Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided
|
SharingOptOut | Int(2) | Opt-Out of the Sharing of the Consumer’s Personal Data References:
0 Not Applicable. SharingOptOutNotice value was not applicable or no notice was provided.
|
TargetedAdvertisingOptOut | Int(2) | Opt-Out of Processing the Consumer’s Personal Data for Targeted Advertising References:
0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided
|
SensitiveDataProcessing | N-Bitfield(2,12) | Two bits for each Data Activity:0 Not Applicable. The Business does not Process the specific category of Sensitive Data.
Data Activities: (1) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin. References:
References:
References:
References:
References:
References:
References:
References:
References:
References:
References:
References:
|
KnownChildSensitiveDataConsents | N-Bitfield(2,2) | Two bits for each Data Activity:0 Not Applicable. The Business does not have actual knowledge that it Processes Personal Data or Sensitive Data of a Consumer who is a known child.
(1) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16. References:
References:
|
PersonalDataConsents | Int(2) | Consent to Collection, Use, Retention, Sale, and/or Sharing of the Consumer’s Personal Data that Is Unrelated to or Incompatible with the Purpose(s) for which the Consumer’s Personal Data Was Collected or Processed References:
0 Not Applicable. The Business does not use, retain, Sell, or Share the Consumer’s Personal Data for advertising purposes that are unrelated to or incompatible with the purpose(s) for which the Consumer’s Personal Data was collected or processed.
|
MspaCoveredTransaction | Int(2) | Publisher or Advertiser, as applicable, is a signatory to the IAB Multistate Service Provider Agreement (MSPA), as may be amended from time to time, and declares that the transaction is a “Covered Transaction” as defined in the MSPA.
|
MspaOptOutOptionMode | Int(2) | Publisher or Advertiser, as applicable, has enabled “Opt-Out Option Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.
|
MspaServiceProviderMode | Int(2) | Publisher or Advertiser, as applicable, has enabled “Service Provider Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.
|
GPC is signaled in user agent headers(Sec-GPC)
and a simple javascript API (globalPrivacyControl)
. Entities creating GPP strings should check for whether GPC is set and pass along the value they find (from the headers or javascript API) in this sub-section.
Field Name | GPP Field Type | Description |
---|---|---|
SubsectionType | Int(2) |
|
Gpc | Boolean |
|