IAB GPP: The new IAB TCF replacement
The IAB presented its latest standard in September: IAB GPP. Here we explain what is behind it, how it is used and why GPP is becoming the replacement for IAB TCF v3.
IAB TCF v2 as a basis
In Europe, the IAB TCF v1 standard has been the measure of all things since 2018 when it comes to transmitting consent from websites to other market participants (usually advertisers). In 2020, a new version was released with IAB TCF v2, which brought various improvements. Since then, however, a lot has happened and many new requirements have been added that are not implemented in the TCF v2. This includes:
- The TCF is under criticism in Belgium in relation to various factors. Technically, an update is therefore required in order to be able to meet the new requirements of the authorities
- Since TCF v2, the use of the TCF has changed on the one hand (we see many more cases of publisher restrictions), on the other hand many new vendors have been included in the IAB’s GVL (“Global Vendor List”). Both ensure that the consent string grows and thus increasingly becomes a problem.
In addition to Europe, a number of other regions are now so far along that there is a need for a uniform consent standard. After Europe and California, it is also necessary to broadcast corresponding signals for Canada, Virginia, Colorado, Utah and Connecticut from January 1st, 2023. It can also be assumed that other regions will follow in the near future. However, the TCF is only designed for Europe (GDPR) and simply copying it each time will not be sustainable for providers in the long run. Therefore, a new solution is needed that addresses the problems of the TCF on the one hand and is flexible and broad enough to be implementable for many new regions on the other.
Global Privacy Platform
The answer to the above problems is now GPP or Global Privacy Platform. GPP, part of the IAB Tech Lab, is primarily a technical specification and not explicitly a “policy”. In particular, it regulates how the “Consent String” is structured, which APIs are available and how CMPs, publishers and vendors interact with each other. However, instead of specifying a fixed order as with the TCF, GPP only defines a “construction kit” of elements from which the regional specifications can then use. So if a region wants to offer a new technical solution tomorrow, it can do so very easily on the basis of GPP – without having to write huge and extensive technical specifications of its own. All the Region has to do is create a policy (the “Rules”) and write a Manfist. The latter regulates the technical structure of the information and automatically serves as the basis for all GPP functions.
Fibonacci to compression
One of the main problems of the IAB TCF v2 (Europe) is the growing size of the consent strings, also called TCString. While an “everything rejected” consent string is typically only around 60 characters long, an “everything accepted” consent string can be 300 or 500 characters long. If the provider list of the website is very long or there are publisher restrictions, a TCString can also be a few kilobytes (i.e. thousands of characters) long. Such long strings slow down web page loading speed, cause memory issues, and in some cases can even cause web pages to become inaccessible.
The solution to the problem is called Fibonacci. Around the year 1202, the Italian mathematician devised a mathematical sequence that could be used to simply describe numbers. Transferred to today’s computer systems, the number sequences are ultimately used for compression: instead of many long bit chains with the IAB TCF v2, the GPP simply compresses number sequences with Fibonacci numbers into very short bit sequences. And the result is impressive: While the length of reject consent strings remains more or less the same, it shrinks by 70% in some cases, especially in the case of long consent strings. An IAB TCF consent string that was previously 1000 characters long could be represented with GPP with only about 300 characters.
IAB TCF Canada and US states as the first test
Canada will be the first region to use the new GPP standard. The IAB TCF Canada is served exclusively via GPP: If a publisher or vendor wants to use the signals for the Canadian market, he (only) has to implement GPP. Although the TCF Canada is largely a 1:1 copy of the IAB TCF v2 (Europe), it differs technically in terms of the access route and the coding.
In addition to Canada, new data protection laws will also come into force or be implemented by the authorities in various US states on January 1st, 2023. In addition to the IAB TCF Canada, the IAB will probably publish further GPP specifications for Colorado, Utah or Virginia this month.
consent manager and GPP
The consentmanager team played a key role in the development of GPP. For example, the consentmanager CEO, Jan Winkler, is the main developer behind the technical specification of GPP at the IAB and is therefore responsible for the design and implementation of the new standard at the IAB. No other CMP has had such a strong impact on the new standard. This is a particular advantage for consentmanager customers: Since all technical specifications of the IAB had to be tested beforehand, consentmanager already has all the components that will make up the GPP in the future. consentmanager will therefore be the first CMP to fully support the new standard. Customers who want to use GPP for Canada, Colorado, Utah, Virginia, Connecticut or Europe can do so since our October update. consentmanager customers are (once again) months ahead of all other providers and can thus secure a better market position.