IAB GPP: The new IAB TCF replacement

The IAB introduced its latest standard in September: IAB GPP. What is behind it, how it is used and why GPP will be the replacement for IAB TCF v3, we explain here.

IAB TCF v2 as a basis

In Europe, since 2018, the IAB TCF v1 standard has been the benchmark when it comes to communicating consent from website to other market participants (usually advertisers). Then in 2020, a new version was adopted with IAB TCF v2, which brought various improvements. Since then, however, a lot has happened and many new requirements have been added that were not implemented by TCF v2. Among others:

  • The TCF has been criticised in Belgium with regard to various factors. Technically, it therefore needs an update to meet the new requirements of the authorities.
  • Since TCF v2, on the one hand the use of the TCF has changed (we see many more cases of publisher restrictions), on the other hand many new vendors have been added to the GVL (“Global Vendor List”) of the IAB. Both of these factors mean that the consent string is growing and thus increasingly becoming a problem.

In addition to Europe, several other regions have now reached the point where there is a need for a uniform Consent Standard. After Europe and California, it will also be necessary to distribute corresponding signals for Canada, Virginia, Colorado, Utha and Connecticut from 01.01.2023. It can also be assumed that other regions will follow in the near future. However, the TCF is only designed for Europe (DSGVO) and simply copying it will not be sustainable for providers in the long term. Therefore, a new solution is needed that on the one hand addresses the problems of the TCF and on the other hand is flexible and broad enough to be implementable for many new regions.

Global Privacy Platform

The answer to the above problems is now GPP or Global Privacy Platform. GPP is primarily a technical specification and explicitly not a “policy”. In particular, it regulates how the “consent string” is constructed, which APIs are available and how CMPs, publishers and vendors interact with each other. Instead of prescribing a fixed order as with TCF, however, GPP only defines a “construction kit” of elements from which the regional specifications can then draw. So if a region wants to offer a new technical solution tomorrow, it can do so very easily on the basis of GPP – without having to write huge and extensive technical specifications of its own. All the region has to do is create a policy (the “rules”) and write a so-called manfist. The latter governs the technical structure of the information and automatically serves as the basis for all GPP functions.

Fibonacci for compression

One of the main problems of the IAB TCF v2 (Europe) is the growing size of the Consent Strings, also called TCString. If an “All Rejected” Consent String is typically only around 60 characters long, an “All Accepted” Consent String can easily be 300 or 500 characters long. If the website’s list of providers is very long or if publisher restrictions are added, a TCString can be several kilobytes (thousands of characters) long. Such long strings slow down the website loading speed, lead to memory problems and in some cases can even make websites inaccessible.

The solution to the problem is called Fibonacci. Around the year 1202, the Italian mathematician devised a mathematical sequence that could be used to describe numbers in a simple way. Transferred to today’s computer systems, the number sequences are ultimately used for compression: instead of many long bit strings in the IAB TCF v2, the GPP simply compresses number sequences with Fibonacci numbers into very short bit sequences. And the result is impressive: While the length of reject consent strings remains more or less the same, it shrinks by 70% in some cases, especially for long consent strings. An IAB TCF Consent String that was previously 1000 characters long could thus be represented with GPP with only about 300 characters.

IAB TCF Canada and US states as the first acid test

Canada will be the first region to use the new GPP standard. The IAB TCF Canada will be served exclusively via GPP: If a publisher or vendor wants to use the signals for the Canadian market, they must (only) implement GPP. Although the TCF Canada is largely a 1:1 copy of the IAB TCF v2 (Europe), it differs technically in the access route and the coding.

In addition to Canada, new data protection laws will also come into force or be implemented by the authorities in various US states on 1 January 2023. In addition to the IAB TCF Canada, the IAB will therefore probably issue further GPP specifications for Colorado, Utha or Virginia this month.

consentmanager and GPP

The consentmanager team has played a key role in the development of GPP. For example, consentmanager’s CEO, Jan Winkler, is the main developer behind the technical specification of GPP at the IAB and is thus at the forefront of the design and implementation of the new standard at the IAB. No other CMP has had such a strong influence on the new standard. This is a particular advantage for consentmanager clients: Since all technical specifications of the IAB had to be tested beforehand, consentmanager already has all the building blocks that will make up the GPP in the future. consentmanager will therefore be the first CMP to fully support the new standard. Customers who want to use GPP for Canada, Colorado, Utha, Virginia, Connecticut or Europe can already do so since our October update. This means that consentmanager customers are (once again) months ahead of all other providers and can thus secure a better market position.


Not sure if you need a CMP?

If you are unsure if your company needs a CMP or not, please get in touch with us – we will help you find the right solution for your company!

Get In Touch