US states privacy laws guidance

Supporting the IAB's Global Privacy Platform

Helping publishers comply with U.S. privacy laws through a standardized framework

Note: Since July 2024, Ad Manager supports GPP US National string.

Ad Manager does not plan to build support for additional GPP strings at this time.

Google does not require publishers to sign the IAB Multi-State Privacy Agreement (MSPA) in order to work with Google. Ad Manager is certified under IAB Privacy’s Multi-State Privacy Agreement (MSPA) Certified Partner Program (CPP). MSPA Certified Partners are permitted to process MSPA Covered Transactions without signing the MSPA.

Use of GPP is not required by Google, and is just one of multiple methods that publishers can use to support their compliance with US state privacy laws.

Developed by the IAB’s Tech Lab, the Global Privacy Platform (GPP) is a standardized framework for storing and passing user privacy consent preferences. 

Ad Manager supports GPP v1.1 for publishers and consent management platforms (CMPs) that wish to use the framework for compliance with US privacy laws. The use of GPP or a consent management platform is not a requirement for US states with applicable privacy laws.

For ads served to users in the European Economic Area or the UK, Ad Manager will continue to use the IAB Europe TCF through the use of a certified Consent Management Platform. TCF strings sent through the GPP will not be accepted.

While IAB deprecated the US Privacy String in January 2024, in favor of GPP, Ad Manager will continue to read the US Privacy String in order to support both web and apps partners. It is recommended that publishers and CMPs move forward with GPP strings, instead of the US Privacy String, if they choose to use an IAB framework for US state privacy law compliance.

Note: GPP v1.0 is not supported and returns an error in publisher console GPP_ERROR_STRING_IS_DEPRECATED_SPEC

Global Privacy Platform specifications

Ad Manager only accepts the following strings within GPP: US NationalCalifornia, Virginia, Colorado, Connecticut

Ad Manager does not accept IAB Canada TCF, US Privacy String, US States Utah, or IAB EU TCF v2.2 as part of GPP support. 

Publishers should work with their CMP partners to ensure that IAB EU TC strings are generated based on the IAB EU TCF v.2.2 spec.

US National

Google will trigger restricted data processing (RDP) if any the following criteria are met:

  • User opted out of Sale of the Consumer's Personal Information.
  • User opted out of Sharing of the Consumer's Personal Information.
  • User opted out of Processing the Consumer's Personal Data for Targeted Advertising.

Google only reads the above fields of the US National string.

California

Google will trigger restricted data processing (RDP) if any the following criteria are met:

  • User opted out of Sale of the Consumer's Personal Information.
  • User opted out of Sharing of the Consumer's Personal Information.

Google only reads the above fields of the US States string for California.

Virginia, Connecticut, Colorado

Google will trigger restricted data processing (RDP) if any the following criteria are met:

  • User opted out of Sale of the Consumer's Personal Information.
  • User opted out of Processing the Consumer's Personal Data for Targeted Advertising.

Google only reads the above fields of the US States string for Virginia, Connecticut, Colorado.

Consent signals for Minors using the Global Privacy Platform

The IAB’s Global Privacy Platform offers the ability for you, or your CMP, to pass relevant consent signals in response to US state privacy laws requiring additional considerations for minor and/or child-directed inventory. We recommend that publishers continue to use our tools for tagging sites, apps, and requests for child directed treatment to facilitate compliance with COPPA and other relevant regulations (AdSense, AdMob, and Ad Manager).

US National

Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:

  • Consent or no consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.

Requests will trigger restricted data processing (RDP) if any the following criteria are met:

  • No consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16.

California

Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:

  • Consent or no consent to Sell the Personal Information of Consumers Less Than 16 years of Age
  • Consent or no consent to Share the Personal Information of Consumers Less Than 16 years of Age

Virginia, Colorado

Requests will be marked for child-directed treatment (TFCD) if the following criteria are met:

  • Consent or no consent to Process Sensitive Data from a Known Child

Connecticut

Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:

  • Consent or no consent to Consent to Process Sensitive Data from a Known Child
  • Requests will trigger restricted data processing (RDP) if any the following criteria are met:
  • No consent to Sell the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age
  • No consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age for Purposes of Targeted Advertising.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu