Note: AdSense and Privacy & messaging now support the GPP US National string for ad serving.
AdSense does not plan to build support for additional GPP strings at this time.
Google does not require publishers to sign the IAB Multi-State Privacy Agreement (MSPA) in order to work with Google. AdSense is certified under IAB Privacy’s Multi-State Privacy Agreement (MSPA) Certified Partner Program (CPP). MSPA Certified Partners are permitted to process MSPA Covered Transactions without signing the MSPA.
Use of GPP is not required by Google, and is just one of multiple methods that publishers can use to support their compliance with US state privacy laws.Developed by the IAB’s Tech Lab, the Global Privacy Platform (GPP) is a standardized framework for storing and passing user privacy consent preferences.
AdSense supports GPP for publishers and consent management platforms (CMPs) that wish to use the framework for compliance with US privacy laws. The use of GPP or a consent management platform is not a requirement for US states with applicable privacy laws.
For ads served to users in the European Economic Area or the UK, AdSense will continue to use the IAB Europe TCF through the use of a certified Consent Management Platform. TCF strings sent through the GPP will not be accepted.
While IAB deprecated the US Privacy String in January 2024, in favor of GPP, AdSense will continue to read the US Privacy String in order to support web partners. It is recommended that publishers and CMPs move forward with GPP strings, instead of the US Privacy String, if they choose to use an IAB framework for US state privacy law compliance.
Global Privacy Platform specifications
AdSense only accepts the following strings within GPP: US National, California, Virginia, Colorado, Connecticut.
AdSense does not accept IAB Canada TCF, US Privacy String, US States Utah, or IAB EU TCF v2.2 as part of GPP support.
Publishers should work with their CMP partners to ensure that IAB EU TC strings are generated based on the IAB EU TCF v2.0 spec.
US National
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Sharing of the Consumer's Personal Information.
- User opted out of Processing the Consumer's Personal Data for Targeted Advertising.
Google only reads the above fields of the US National string.
California
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Sharing of the Consumer's Personal Information.
Google only reads the above fields of the US States string for California.
Virginia, Connecticut, Colorado
Google will trigger restricted data processing (RDP) if any the following criteria are met:
- User opted out of Sale of the Consumer's Personal Information.
- User opted out of Processing the Consumer's Personal Data for Targeted Advertising.
Google only reads the above fields of the US States string for Virginia, Connecticut, Colorado.
Consent signals for Minors using the Global Privacy Platform
The IAB’s Global Privacy Platform offers the ability for you, or your CMP, to pass relevant consent signals in response to US state privacy laws requiring additional considerations for minor and/or child-directed inventory. We recommend that publishers continue to use our tools for tagging sites, apps, and requests for child directed treatment to facilitate compliance with COPPA and other relevant regulations (AdSense, AdMob, and Ad Manager).
US National
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.
Requests will trigger restricted data processing (RDP) if any the following criteria are met:
- No consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16.
California
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Sell the Personal Information of Consumers Less Than 16 years of Age
- Consent or no consent to Share the Personal Information of Consumers Less Than 16 years of Age
Virginia, Colorado
Requests will be marked for child-directed treatment (TFCD) if the following criteria are met:
- Consent or no consent to Process Sensitive Data from a Known Child
Connecticut
Requests will be marked for child-directed treatment (TFCD) if any of the following criteria are met:
- Consent or no consent to Consent to Process Sensitive Data from a Known Child
- Requests will trigger restricted data processing (RDP) if any the following criteria are met:
- No consent to Sell the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age
- No consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age for Purposes of Targeted Advertising.