Secure Privacy
Consent Management Policies & User Consent

What Is the Global Privacy Platform (GPP)? How to Enable IAB GPP in Secure Privacy for Multi-Jurisdiction Consent

The IAB Global Privacy Platform (GPP) unifies consent signals from GDPR TCF v2.2, CCPA/CPRA, and US state privacy laws into a single standardized GPP String. This guide explains how GPP works, which jurisdictions it covers, and how to enable IAB GPP in Secure Privacy — including TCF vendor selection and US Privacy string configuration for California, Virginia, Colorado, Utah, and Connecticut.

SPT
Secure Privacy Team
3 min read ()

The Global Privacy Platform (GPP) is a standardized framework developed by the IAB to unify user consent signals across multiple privacy regulations and jurisdictions into a single, interoperable consent string. This guide explains what GPP is, which frameworks it supports, and how to enable it in Secure Privacy to simplify consent management across the EU, US states, and beyond.

Who Is This For?

  • Compliance officers managing consent requirements across multiple jurisdictions simultaneously

  • Developers implementing standardized privacy protocols for advertising and vendor consent

  • Marketing teams operating in global markets who need consolidated consent signal management

What Is the Global Privacy Platform (GPP)?

GPP is a protocol that consolidates consent signals from different regional privacy frameworks into a single standardized output known as the GPP String. Supported frameworks include:

  • IAB Europe's Transparency and Consent Framework (TCF v2.2)

  • IAB Canada TCF

  • MSPA US National privacy string

  • US state privacy laws — California (CCPA/CPRA), Virginia (VCDPA), Utah (UCPA), Colorado (CPA), and Connecticut (CTDPA)

How the GPP String Works

The GPP framework reads and merges consent signals from each enabled regional framework into a single GPP String. That string contains two components:

  • Header: Describes which jurisdictional frameworks are included in the string

  • Sections: Holds the jurisdiction-specific privacy and consent details for each included framework

This structure allows publishers, advertisers, and vendors to read a single consent signal rather than parsing multiple framework-specific strings separately.

Benefits of Implementing GPP

  • Simplifies global privacy compliance by consolidating multiple consent frameworks into one signal

  • Improves communication efficiency between websites, advertisers, and ad tech vendors

  • Built to adapt to evolving privacy regulations — new frameworks can be added without rebuilding your consent infrastructure

  • Reduces compliance costs for organizations operating across multiple jurisdictions

GPP and Privacy Law Coverage

GPP supports compliance with both EU and US privacy regulations:

  • EU GDPR: Supported via IAB's TCF v2.2 framework

  • US state privacy laws: California (CCPA/CPRA), Virginia (VCDPA), Utah (UCPA), Colorado (CPA), and Connecticut (CTDPA)

Secure Privacy supports the following US privacy strings within the GPP framework:

  • usca — California

  • usva — Virginia

  • usco — Colorado

  • usut — Utah

  • usct — Connecticut

How to Enable GPP in Secure Privacy

  1. Log in to your Secure Privacy account.

  2. Navigate to your domain's settings.

  3. Locate the Framework dropdown and select IAB GPP.

Secure Privacy domain settings showing the Framework dropdown with IAB GPP selected and TCF vendor selection panel

  1. Select the TCF Vendors you want to support — these are the ad tech vendors whose consent signals will be included in your GPP String.

  2. Choose the relevant notices and opt-out categories to comply with US Privacy Strings and provide visitors with appropriate control over their data.

Secure Privacy GPP Framework settings showing US Privacy notice categories and opt-out selection options for state-level privacy string configuration

Note: US Privacy notices are not provided by Secure Privacy. You are responsible for creating and maintaining the required notices on your own domains in accordance with applicable state privacy laws.

Frequently Asked Questions

Which TCF vendors should I include in my GPP configuration?

The vendors you include should reflect the third-party advertising and analytics services active on your website. Review the IAB TCF vendor list and cross-reference it with the services detected in your Secure Privacy Scan Report. Only include vendors whose consent is relevant to your website's data processing activities — including unnecessary vendors increases complexity without compliance benefit.

Why are my US Privacy notices not applying correctly?

Confirm that the correct notice and opt-out categories have been selected in your Secure Privacy GPP settings. Also verify that the US Privacy strings relevant to your audience — such as usca for California visitors — are enabled. Remember that the content of US Privacy notices must be created and hosted by you, not Secure Privacy — check that your notice URLs are correctly configured and accessible.

Does enabling GPP replace my existing GDPR TCF configuration?

No. Enabling GPP adds an additional consent signaling layer — consolidating TCF v2.2 and US state framework signals into a single GPP String. Your existing TCF configuration is carried through the GPP framework under the TCF section of the string. Review your vendor selections after enabling GPP to ensure they still reflect your intended configuration.

See Also

Need more help?

Our privacy experts are here to guide you through complex regulations and find the right solution.

Contact Support

Related Articles

View all

Extra Consents Settings: Managing Cookie Consent Overage in Your Secure Privacy Plan

10 min read

Self-Service Privacy Rights Portal: Submit GDPR & CCPA Data Requests and Link from Your Cookie Banner

11 min read

How to Create a Privacy Policy in Secure Privacy – Generator Fields, Options, and GDPR Requirements Explained

6 min read

How to Change the Data Retention Period for a Legal Template in Secure Privacy

4 min read