The global standard GPP defines a way for local standards to "plug-in" into the existing mechanics defined by GPP and the GPP client side API. This document outlines the technical specification for using the Iowa section of the GPP specifications in accordance with the IAB Privacy Multi-State Privacy Agreement legal requirements, applicable to both Signatories and non-Signatories of the MSPA.
| Date | Version | Comments |
| July 2024 | 1.0 | Version 1.0 released |
The Iowa Privacy String consists of the following components. Users of the spec should employ the Iowa Privacy String only if they have determined the Iowa Act Relating to Consumer Data Protection, Iowa Code § 715D.1 et seq., applies to their processing of a consumer’s personal data.
| Type | Value | Description |
| GPP Section ID | 18 | The Iowa Section is registered as Section ID 18 under the GPP. |
| Client side API prefix | usia | The Iowa Privacy Section is registered with client side API prefix “usia” in the GPP Client Side API. |
Note on the JS representation of the section: the field name should be in UpperCamelCase, with exactly the same spelling as the names in column "Field name". Follow this table to map the GPP field types to JavaScript native data types. Please refer to the PingReturn's parsedSections object for an example.
The core sub-section must always be present. Where terms are capitalized in the ‘description’ field they are defined in the Iowa Act Relating to Consumer Data Protection, Iowa Code § 715D.1. It consists of the following fields:
|
Field name |
GPP Field Type |
Description |
|---|---|---|
| Version | Int(6) | The version of this section specification used to encode the string. |
| ProcessingNotice | Int(2) |
Notice of the Processing of Personal Data.0 = Not Applicable,
the Controller does not Process Personal Data1 = Yes, notice was provided2 = No, notice was not provided |
| SaleOptOutNotice | Int(2) |
Notice of the Opportunity to Opt Out of the Sale of the Consumer’s Personal Data 0 = Not Applicable,
the
Controller does not Sell Personal Data
1 = Yes, notice was provided
2 = No, notice was not provided
|
| TargetedAdvertisingOptOutNotice | Int(2) |
Notice of the Opportunity to Opt Out of Processing of the Consumer’s Personal Data for Targeted Advertising0 = Not Applicable, the Controller does not Process Personal Data for Targeted Advertising
1 = Yes, notice was provided
2 = No, notice was not provided
|
| SensitiveDataOptOutNotice | Int(2) |
Notice of the Opportunity to Opt Out of the Processing of the Consumer’s Sensitive Data
0 = Not Applicable, the Controller does not Process Sensitive Data
1 = Yes, notice was provided
2 = No, notice was not provided
|
| SaleOptOut | Int(2) |
Opt-Out of the Sale of the Consumer’s Personal Data0 = Not Applicable, SaleOptOutNotice value was not applicable or no notice was provided1 = Opted Out2 = Did Not Opt Out |
| TargetedAdvertisingOptOut | Int(2) |
Opt-Out of Processing the Consumer’s Personal Data for Targeted Advertising0 = Not Applicable, TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided1 = Opted Out2 = Did Not Opt Out |
| SensitiveDataProcessing | N-Bitfield(2,8) | Two bits for each Data Activity:0 = Not Applicable, the Controller does not Process the specific category of Sensitive Data1 = Opted Out2 = Did Not Opt Out (1). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.
(2). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.
(3). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Personal Data Revealing a Mental or Physical Health Diagnosis.
(4). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Personal Data Revealing Sexual Orientation.
(5). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Personal Data Revealing Citizenship or Citizenship Status.
(6). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Genetic Data that May Be Processed for the Purpose of Uniquely Identifying an Individual.
(7). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Biometric Data that May Be Processed for the Purpose of Uniquely Identifying an Individual.
(8). Opt-Out of the Processing of the Consumer’s Sensitive Data Consisting of Precise Geolocation Data.
|
| KnownChildSensitiveDataConsents | Int(2) | Consent to Process Sensitive Data from a Known Child0 = Not Applicable, the Controller does not
Process Sensitive Data of a known Child1 = No Consent2 = Consent |
| MspaCoveredTransaction | Int(2) |
Publisher or Advertiser, as applicable, is a signatory to the IAB Multi-State Privacy Agreement (MSPA), as may be amended from time to time, and declares that the transaction is a “Covered Transaction” as defined in the MSPA. 1 = Yes2 = No |
| MspaOptOutOptionMode | Int(2) |
Publisher or Advertiser, as applicable, has enabled “Opt-Out Option Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.0 = Not Applicable1 = Yes2 = No |
| MspaServiceProviderMode | Int(2) |
Publisher or Advertiser, as applicable, has enabled “Service Provider Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.0 = Not Applicable1 = Yes2 = No |
GPC is signaled in user agent headers (Sec-GPC) and a simple javascript API (globalPrivacyControl) . Entities creating GPP strings should check for whether GPC is set and pass along the value they find (from the headers or javascript API) in this sub-section.
| Field Name | GPP Field Type | Description |
| SubsectionType | Int(2) | 0 = Core1 = GPC |
| Gpc | Boolean | 0 = false1 = true |