Skip to content

Latest commit

 

History

History
323 lines (314 loc) · 15.1 KB

IAB Privacy’s National Privacy Technical Specification.md

File metadata and controls

323 lines (314 loc) · 15.1 KB
Raw

GPP Extension: IAB Privacy’s US National Privacy Technical Specification

About this document

The global standard GPP defines a way for local standards to "plug-in" into the existing mechanics defined by GPP and the GPP client side API. This document outlines the technical specification for using the GPP specifications with the IAB Privacy Multi-State Privacy Agreement legal requirements.

Version History 

Date Version Comments
December 2022 1.0 Version 1.0 released

US National Privacy Section

The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach for their processing of a consumer’s personal data.

Summary

Field Type Value Description
GPP SectionID 7 The US National Section is registered as Section ID 7 under the GPP. 
Client side API prefix usnat The US National Privacy section is registered with client side API prefix “usnat” in the GPP Client Side API.

Section encoding

Core Segment

The core segment must always be present. Where terms are capitalized in the ‘description’ field they are defined terms in applicable State Privacy Laws and the MSPA. It consists of the following fields:

Field name

GPP Field Type

Description
Version Int(6) The version of this section specification used to encode the string.
SharingNotice Int(2) Notice of the Sharing of the Consumer’s Personal Data with Third Parties. 

References:

  • Virginia Code 59.1-578(C)(4) – (5)
  • Colo. Rev. Stat. 6-1-1308(1)(1)(IV) – (V)
  • Utah Code 13-61-302(1)(1)(iv) – (v)
  • Conn. PA No. 22-15, Sec. 6(3)(4)-(5)
0 Not Applicable. The Business does not share Personal Data with Third Parties.

1 Yes, notice was provided

2 No, notice was not provided
SaleOptOutNotice Int(2) Notice of the Opportunity to Opt Out of the Sale of the Consumer’s Personal Data.

References: 

  • Cal. Civ. Code 1798.100(1)(1), (3), Cal. Civ. Code 1798.135(1), and/or Cal. Civ. Code 1798.135(2), and rules promulgated thereunder.
  • Virginia Code 59.1-578(D)
  • Colo. Rev. Stat 6-1-1308(1)(2) and Colo. Rev. Stat. 6-1-1306(1)(1)(III)
  • Utah Code 13-61-302(1)(2)(i)
  • Conn. PA No. 22-15, Sec. 6(4) and Conn. PA No. 22-15, Sec. 4(2)
0 Not Applicable. The Business does not Sell Personal Data.

1 Yes, notice was provided

2 No, notice was not provided
SharingOptOutNotice Int(2) Notice of the Opportunity to Opt Out of the Sharing of the Consumer’s Personal Data.

References: (i) Cal. Civ. Code 1798.100(1)(1), (3), (ii) Cal. Civ. Code 1798.135(1) and/or (iii) Cal. Civ. Code 1798.135(2) 

0 Not Applicable.The Business does not Share Personal Data.

1 Yes, notice was provided

2 No, notice was not provided
TargetedAdvertisingOptOutNotice Int(2) Notice of the Opportunity to Opt Out of Processing of the Consumer’s Personal Data for Targeted Advertising

References: 

  • Virginia Code 59.1-578(D)
  • Colo. Rev. Stat 6-1-1308(1)(2) and Colo. Rev. Stat. 6-1-1306(1)(1)(III)
  • Utah Code 13-61-302(1)(2)(ii)
  • Conn. PA No. 22-15, Sec. 6(4) and Conn. PA No. 22-15, Sec. 4(2)
0 Not Applicable.The Business does not Process Personal Data for Targeted Advertising.

1 Yes, notice was provided

2 No, notice was not provided
SensitiveDataProcessingOptOutNotice Int(2) Notice of the Opportunity to Opt Out of the Processing of the Consumer’s Sensitive Data

References: 

  • Utah Code 13-61-302(3)(1)
0 Not Applicable. The Business does not Process Sensitive Data.

1 Yes, notice was provided

2 No, notice was not provided
SensitiveDataLimitUseNotice Int(2) Notice of the Opportunity to Limit Use or Disclosure of the Consumer’s Sensitive Data

References: 

  • Cal. Civ. Code 1798.100(1)(2)-(3), (ii) Cal. Civ. Code 1798.135(1), and/or (iii) Cal. Civ. Code 1798.135(2) and rules promulgated thereunder
0 Not Applicable. The Business does not use or disclose Sensitive Data.

1 Yes, notice was provided

2 No, notice was not provided
SaleOptOut Int(2) Opt-Out of the Sale of the Consumer’s Personal Data

References:

  • Cal. Civ. Code 1798.135(1) and/or 1798.135(2)
  • Virginia Code 59.1-578(D)
  • Colo. Rev. Stat. 6-1-1306(1)(1)(III) or 6-1-1306(1)(1)(IV)
  • Utah Code 13-61-302(1)(2)(i)
  • Conn. PA No. 22-15, Sec. 4(5)(i) or (ii)
0 Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
SharingOptOut Int(2) Opt-Out of the Sharing of the Consumer’s Personal Data

References: 

  • Cal. Civ. Code 1798.120(1) using a method that adheres to Cal. Civ. Code 1798.135(1) and/or 1798.135(2)
0 Not Applicable. SharingOptOutNotice value was not applicable or no notice was provided.

1 Opted Out

2 Did Not Opt Out
TargetedAdvertisingOptOut Int(2) Opt-Out of Processing the Consumer’s Personal Data for Targeted Advertising

References:

  • Virginia Code 59.1-578(D)
  • Colo. Rev. Stat. 6-1-1306(1)(1)(III) or 6-1-1306(1)(1)(IV)
  • Utah Code 13-61-302(1)(2)(ii)
  • Conn. PA No. 22-15, Sec. 4(5)(i) or (ii)
0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
SensitiveDataProcessing N-Bitfield(2,12) Two bits for each Data Activity:0 Not Applicable. The Business does not Process the specific category of Sensitive Data.

1 No Consent

2 Consent 

Data Activities:

(1) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin. 

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(2) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Religious or Philosophical Beliefs. 

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(3) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Concerning a Consumer’s Health (including a Mental or Physical Health Condition or Diagnosis; Medical History; or Medical Treatment or Diagnosis by a Health Care Professional).

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(4) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Sex Life or Sexual Orientation.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(5) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Citizenship or Immigration Status.

References:

  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(6) Consent to Process the Consumer’s Sensitive Data Consisting of Genetic Data for the Purpose of Uniquely Identifying an Individual / Natural Person.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(7) Consent to Process the Consumer’s Sensitive Data Consisting of Biometric Data for the Purpose of Uniquely Identifying an Individual / Natural Person.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(8) Consent to Process the Consumer’s Sensitive Data Consisting of Precise Geolocation Data.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
  • Virginia Code 59.1-578(A)(5)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
(9) Consent to Process the Consumer’s Sensitive Data Consisting of a Consumer’s Social Security, Driver’s License, State Identification Card, or Passport Number.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
(10) Consent to Process the Consumer’s Sensitive Data Consisting of a Consumer’s Account Log-In, Financial Account, Debit Card, or Credit Card Number in Combination with Any Required Security or Access Code, Password, or Credentials Allowing Access to an Account.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
(11) Consent to Process the Consumer’s Sensitive Data Consisting of Union Membership.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
(12) Consent to Process the Consumer’s Sensitive Data Consisting of the contents of a Consumer’s Mail, Email, and Text Messages unless You Are the Intended Recipient of the Communication.

References:

  • Cal. Civ. Code 1798.100(a)(2), 1798.121(a), and 1798.135(a)
KnownChildSensitiveDataConsents N-Bitfield(2,2) Two bits for each Data Activity:0 Not Applicable. The Business does not have actual knowledge that it Processes Personal Data or Sensitive Data of a Consumer who is a known child.

1 No Consent

2 Consent 

(1) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16.

References:

  • Cal. Civ. Code Cal. Civ. Code 1798.120(c)
  • Conn. PA 22-15, Sec. 6(a)(4)
(2) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.

References:

  • Cal. Civ. Code Cal. Civ. Code 1798.120(c)
  • Virginia Code 59.1-578(A)(5)
  • Colo. Rev. Stat. 6-1-1308(7)
  • Utah Code 13-61-302(3)(a)
  • Conn. PA 22-15, Sec. 6(a)(4)
PersonalDataConsents Int(2) Consent to Collection, Use, Retention, Sale, and/or Sharing of the Consumer’s Personal Data that Is Unrelated to or Incompatible with the Purpose(s) for which the Consumer’s Personal Data Was Collected or Processed 

References:

  •  Cal. Civ. Code 1798.100(c) 
0 Not Applicable. The Business does not use, retain, Sell, or Share the Consumer’s Personal Data for advertising purposes that are unrelated to or incompatible with the purpose(s) for which the Consumer’s Personal Data was collected or processed.

1 No Consent

2 Consent 
MspaCoveredTransaction Int(2) Publisher or Advertiser, as applicable, is a signatory to the IAB Multistate Service Provider Agreement (MSPA), as may be amended from time to time, and declares that the transaction is a “Covered Transaction” as defined in the MSPA. 

1 Yes

2 No
MspaOptOutOptionMode Int(2) Publisher or Advertiser, as applicable, has enabled “Opt-Out Option Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.

0 Not Applicable.

1 Yes

2 No
MspaServiceProviderMode Int(2) Publisher or Advertiser, as applicable, has enabled “Service Provider Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.

0 Not Applicable

1 Yes

2 No

GPC Sub-section

GPC is signaled in user agent headers(Sec-GPC) and a simple javascript API (globalPrivacyControl). Entities creating GPP strings should check for whether GPC is set and pass along the value they find (from the headers or javascript API) in this sub-section.

Field Name GPP Field Type Description
SubsectionType Int(2)

0 Core

1 GPC
Gpc Boolean

0 false

1 true