GPP and the IAB Multi-State Privacy Agreement (MSPA)

Overview of the IAB Multi-State Privacy Agreement (MSPA)

The IAB Multi-State Privacy Agreement (MSPA) helps advertisers, publishers, agencies, and ad tech intermediaries comply with privacy laws in California, Virginia, Colorado, Connecticut, and Utah, effective from 2023. The MSPA establishes privacy-protective terms among signatories, ensuring compliance as data flows through the digital ad ecosystem.

As an MSPA Signatory, you must configure the mode, approach options, and the US National String.

Service Provider Mode vs. Opt-Out Option Mode

Service Provider Mode

In Service Provider Mode, you must meet the following (non-exhaustive) requirements:

California (CPRA)

  • Choice Mechanisms: Display opt-out options for "Share" and/or "Sale" on the homepage, data collection pages, app settings, and in the privacy policy.
  • Global Opt-Out: Honor global opt-out requests and disclose this compliance in the privacy policy.
  • Consent for Other Purposes: Obtain user consent before using personal data for unrelated purposes, as required by CPRA guidelines.

Other States

  • Choice Mechanisms: Provide opt-out options for "Targeted Advertising" and/or "Sale" on key pages and in the privacy policy.
  • Global Opt-Out: Comply with global opt-out requirements starting July 1, 2024 (Colorado), and January 1, 2025 (Connecticut). Update the privacy policy accordingly.

US National Consumers

  • Choice Mechanisms: Offer opt-out options consistent with state laws as outlined above.

For the complete list of requirements, see the IAB Multi-State Privacy Agreement (MSPA).

Opt-Out Option Mode

In Opt-Out Option Mode, you must meet the following (non-exhaustive) requirements:

California (CPRA)

  • Consumer Notice: Provide notice per California Civil Code § 1798.100(a), detailing the types of personal information collected.
  • Additional Notice Obligations: Fulfill all notice requirements, ensuring compliance with scope and delivery. Limit data collection to the scope described in the notice.

Other States

  • Consumer Notice: Ensure compliance with state-specific privacy laws, such as those in Colorado, Virginia, and Utah.

US National Consumers

  • National Approach: Provide notices that meet the requirements of each state’s privacy laws, treating U.S. national consumers as residents of applicable states.

When Opt-Out Option Mode is enabled, additional fields in the GPP String become relevant based on purpose mappings (e.g., SaleOptOut). If a notice is displayed, fields like SaleOptOutNotice are set to 1 (Yes, notice provided) in the GPP string; if no notice is displayed, they are set to 2 (No, notice not provided).

State vs. US National Approach

As an MSPA Signatory, you can choose between a State Approach or a US National Approach:

  • State Approach: Uses state-specific strings when available and supported by GPP; defaults to the US National String otherwise.
  • US National Approach: Uses the US National String across all U.S. states.

When using the State Approach, newly supported states will include the US National String by default after the next notice deployment.
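As an added illustration (not Didomi or IAB code), the check below audits an already-decoded section against two rules described above: which string a state should receive under its configured approach, and the 1/2 notice values that apply in Opt-Out Option Mode. The config shape, the `kind` labels, the default for unconfigured states, and the support list are assumptions made for this example.

```javascript
// Added example; the config shape and "kind" labels are hypothetical.
const NOTICE_PROVIDED = 1;     // "Yes, notice provided"
const NOTICE_NOT_PROVIDED = 2; // "No, notice not provided"

// Opt-out field -> notice field. Only the SaleOptOut pair is stated on the
// page; the other two pairs are assumed from the names in its field list.
const NOTICE_FIELD = {
  SaleOptOut: "SaleOptOutNotice",
  SharingOptOut: "SharingOptOutNotice",
  TargetedAdvertisingOptOut: "TargetedAdvertisingOptOutNotice",
};

// State Approach uses the state string only when one is supported;
// otherwise the US National String. Unconfigured states: national (assumed).
function expectedStringKind(state, config) {
  const approach = config.approachByState[state] || "national";
  const supported = config.stateStringsSupported.includes(state);
  return approach === "state" && supported ? "state" : "national";
}

// Returns a list of findings; an empty list means the section is consistent.
function auditGppSection(observed, config) {
  const findings = [];
  const kind = expectedStringKind(observed.state, config);
  if (observed.kind !== kind) findings.push(`${observed.state}: expected ${kind} string, got ${observed.kind}`);
  if (!config.optOutOptionMode) return findings; // notice fields apply in this mode only
  for (const purpose of config.mappedPurposes) {
    const field = NOTICE_FIELD[purpose];
    if (!field) { findings.push(`unmapped purpose ${purpose}`); continue; }
    const want = config.noticesDisplayed.includes(purpose) ? NOTICE_PROVIDED : NOTICE_NOT_PROVIDED;
    const got = observed.fields[field];
    if (got !== want) findings.push(`${field}: expected ${want}, got ${got}`);
  }
  return findings;
}

// Constructed sample configuration and decoded sections (not real traffic).
const sampleConfig = {
  optOutOptionMode: true,
  approachByState: { CA: "state", VA: "national", TX: "state" },
  stateStringsSupported: ["CA", "VA"], // hypothetical support list
  mappedPurposes: ["SaleOptOut", "SharingOptOut"],
  noticesDisplayed: ["SaleOptOut"],
};
const okSection = { state: "VA", kind: "national", fields: { SaleOptOutNotice: 1, SharingOptOutNotice: 2 } };
const badSection = { state: "TX", kind: "state", fields: { SaleOptOutNotice: 2, SharingOptOutNotice: 2 } };

console.log(auditGppSection(okSection, sampleConfig));
console.log(auditGppSection(badSection, sampleConfig));
```

The second call reports both a wrong string kind (a state string for a state without a supported one) and a notice field that contradicts what was displayed.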

Configuring the String

To define a per-state approach:

  1. Go to Didomi Console → Consent Notices.
  2. Open your consent notice.
  3. Navigate to the Integrations section under the Customization tab.
  4. Select the Advertising tab.
  5. Click Configure String.
  6. Select the state to configure.
  7. Choose the approach:
    • Generate national string across the United States: Creates a US National String for this state.
    • Generate national string only if the state string is not supported: Generates a state-specific string for this state, and falls back to the US National String only when the state string is not supported.

Define the string per state, especially if external systems rely on integrations.



US National String

The US National String provides a unified string across the United States.

US National String Fields

Based on User Status

  • SharingNotice
  • SaleOptOutNotice
  • SharingOptOutNotice
  • TargetedAdvertisingOptOutNotice
  • SensitiveDataProcessingOptOutNotice
  • SensitiveDataLimitUseNotice
  • SaleOptOut
  • SharingOptOut
  • TargetedAdvertisingOptOut
  • SensitiveDataProcessing (1–12): Covers racial/ethnic origin, religious/philosophical beliefs, health, sexual orientation, citizenship, genetic data, biometric data, precise geolocation, social security numbers, financial account credentials, union membership, and specific communications data.
  • KnownChildSensitiveDataConsents
  • PersonalDataConsents

Other Fields

  • Version: Indicates string encoding version (managed by Didomi).

For step-by-step guidance, see Configure GPP fields based on user consent.