AdSense adds support for Global Privacy Protocol National v2

Google AdSense announced support for Global Privacy Protocol (GPP) National v2 strings on October 6, 2025. The platform will continue to support GPP National v1 strings alongside the new version, providing publishers flexibility in their privacy compliance approaches.

The update enables AdSense to process privacy signals encoded in the GPP National v2 format, which the IAB Tech Lab developed to address compliance requirements across multiple U.S. state privacy laws. Publishers using consent management platforms can now transmit user privacy preferences through either version of the national string specification.

AdSense certification under IAB Privacy's Multi-State Privacy Agreement (MSPA) Certified Partner Program means the platform can process MSPA Covered Transactions without publishers needing to sign the MSPA. Publishers maintain the option to use GPP without being contractually required to do so by Google.

The GPP framework represents a technical solution to a complex regulatory challenge. As digital advertising operates across state boundaries, publishers and ad technology vendors face requirements from California's Consumer Privacy Rights Act, Virginia's Consumer Data Protection Act, Colorado's Privacy Act, Connecticut's Data Privacy Act, Utah's Consumer Privacy Act, and Florida's Digital Bill of Rights. Each law contains distinct requirements for consent collection, data sale opt-outs, and targeted advertising restrictions.

The Global Privacy Protocol enables advertisers, publishers and technology vendors to adapt to regulatory demands across markets by providing a standardized mechanism to transmit privacy, consent, and consumer choice signals from sites and apps to ad tech providers. The protocol currently supports privacy strings from IAB Europe's Transparency and Consent Framework, IAB Canada's TCF, the MSPA's US National string, and multiple US state-specific strings.

The GPP Implementation Guidelines were finalized in February 2025 by the Global Privacy Working Group. These guidelines provide technical specifications for how consent management platforms should encode user preferences and how receiving parties should interpret those signals.

The technical architecture of GPP strings consists of headers and sections. Headers provide metadata about which jurisdictional frameworks are present in the string, functioning as a table of contents. Sections contain the actual privacy preferences and legal restrictions applicable to specific regions. This modular design allows a single string to communicate preferences across multiple jurisdictions simultaneously.

For AdSense specifically, the platform reads particular fields from the US National string to determine when to trigger restricted data processing. Google triggers restricted data processing if users opt out of sale of personal information, opt out of sharing personal information, or opt out of processing personal data for targeted advertising. The platform reads only these specific fields from the US National string.

State-specific strings have additional requirements. For California, Google triggers restricted data processing when users opt out of sale or sharing of personal information. For Colorado, Connecticut, and Virginia, restricted data processing applies when users opt out of sale or targeted advertising. Florida follows the same pattern as Colorado, Connecticut, and Virginia.

The platform also processes consent signals related to minors through the GPP framework. For the US National string, requests are marked for child-directed treatment when there is consent or no consent to process personal information or sensitive information for consumers younger than 13 years of age. Different age thresholds apply for restricted data processing, with specific requirements for consumers between 13 and 16 years, and 16 to 17 years depending on the state.

For California, requests are marked for child-directed treatment when there is consent or no consent to sell or share personal information of consumers less than 16 years of age. Colorado and Virginia mark requests for child-directed treatment when processing sensitive data from a known child. Connecticut has provisions for both child-directed treatment and restricted data processing based on age thresholds.

Florida's requirements include marking requests for child-directed treatment when processing personal or sensitive data for consumers younger than 13 years of age. Restricted data processing applies when there is no consent to process sensitive data of consumers at least 13 but younger than 16, or consumers at least 16 but younger than 18.

Publishers are not required to implement GPP to work with AdSense. Use of GPP is not required by Google, and is just one of multiple methods that publishers can use to support their compliance with US state privacy laws. The framework serves as an optional technical tool for those who choose to standardize their privacy signal transmission.

For ads served to users in the European Economic Area or the UK, AdSense will continue to use the IAB Europe TCF through certified Consent Management Platforms. TCF strings sent through the GPP will not be accepted. This separation maintains distinct compliance pathways for EU and US privacy regulations.

The platform maintains backward compatibility with the US Privacy String, despite IAB's deprecation of that specification in January 2024. While IAB deprecated the US Privacy String in favor of GPP, AdSense will continue to read the US Privacy String to support web partners. Publishers and CMPs are recommended to move forward with GPP strings instead of the US Privacy String if they choose to use an IAB framework for US state privacy law compliance.

A technical constraint exists for older GPP versions. GPP v1.0 is not supported and returns an error in publisher console GPP_ERROR_STRING_IS_DEPRECATED_SPEC. Publishers must ensure their consent management platforms generate strings using supported specification versions.

AdSense only accepts US National, California, Colorado, Connecticut, Florida, and Virginia strings within GPP. The platform does not accept IAB Canada TCF, US Privacy String, US State Utah, or IAB EU TCF v2.2 as part of GPP support. This selectivity reflects the specific privacy laws AdSense has engineered its systems to accommodate.

The GPP represents one component of IAB Tech Lab's broader privacy technology portfolio. The organization has developed multiple privacy-preserving protocols addressing various aspects of advertising technology adaptation to privacy requirements. Six additional U.S. states were added to the Global Privacy Platform in August 2024, including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee.

The marketing community faces an increasingly complex privacy compliance landscape. With 14 U.S. state privacy laws enforceable at the start of 2025, and six more expected throughout the year, standardized frameworks like GPP provide technical infrastructure for managing multiple regulatory requirements simultaneously. The alternative would require publishers to implement separate consent mechanisms for each jurisdiction, creating significant technical debt and operational complexity.

IAB Tech Lab's Accountability Platform, finalized in November 2024, establishes verification frameworks to monitor privacy signal compliance throughout digital advertising supply chains. This addresses concerns about whether privacy signals like GPP strings are accurately transmitted from publishers through intermediaries to final ad platforms.

Publishers using Google's consent management solution face specific limitations. Google's consent management solution does not support the ability to collect KnownChildSensitiveDataConsents fields. Publishers using Google's consent management solution for US state regulations should review information in the US state regulations messages overview help center article.

The timing of this announcement aligns with September 2025 as the implementation month. Starting in September 2025, Google will support GPP National v2 while continuing to support GPP National v1. This dual support period allows publishers and consent management platforms time to update their implementations without service disruption.

The GPP specification continues to expand beyond the states currently supported by AdSense. The US National section currently covers California, Colorado, Connecticut, Virginia, and Utah, but does not yet include Florida, Montana, Oregon, Texas, or the six states added in August 2024. This creates a temporary gap where some state privacy laws lack representation in the national string, requiring publishers to assess compliance strategies carefully.

For publishers implementing GPP, the technical requirements involve coordination with consent management platforms. These platforms must generate properly formatted GPP strings, encode user preferences according to state-specific requirements, and transmit those strings through the advertising supply chain. AdSense reads these strings and applies the appropriate data processing restrictions based on the encoded preferences.

The architecture allows for future extensibility. As new state privacy laws take effect, additional sections can be added to the GPP specification without requiring fundamental changes to how platforms like AdSense process the strings. This design principle provides a foundation for long-term privacy compliance in a regulatory environment that continues to expand and evolve.

Privacy technology developments in 2025 extend beyond GPP. IAB Tech Lab released comprehensive ID-Less Solutions guidance in July 2025, addressing advertising approaches that do not rely on traditional user identifiers. The Publisher Advertiser Identity Reconciliation (PAIR) protocol enables secure audience matching using cryptographic techniques. The Transparency and Consent Framework version 2.3 addresses vendor disclosure requirements for GDPR compliance.

These parallel initiatives reflect an industry-wide shift toward privacy-preserving advertising technologies. Publishers must now navigate multiple frameworks simultaneously: GPP for U.S. state laws, TCF for European regulations, and various platform-specific solutions for other jurisdictions. The complexity creates operational challenges but also establishes clearer boundaries for data usage and processing.

For advertisers purchasing inventory through AdSense, the GPP support means their campaigns automatically respect user privacy preferences encoded in the strings. When restricted data processing applies, advertising capabilities become limited. Targeting becomes less precise, attribution more challenging, and audience building constrained. These tradeoffs represent the technical implementation of privacy rights granted by state laws.

The consent management platform ecosystem plays a crucial role in GPP adoption. These platforms must stay current with specification updates, correctly encode user preferences, and integrate with publisher consent user interfaces. The IAB Tech Lab's certification programs aim to verify that consent management platforms properly implement privacy frameworks, providing publishers assurance about the technical accuracy of their compliance tools.

AdSense's approach of maintaining both GPP National v1 and v2 support provides stability during the transition period. Publishers can upgrade their consent management platforms on schedules that align with their technical resources and testing requirements. This gradual migration path reduces the risk of compliance gaps or service disruptions.

The development of GPP National v2 incorporated feedback from the initial v1 implementation. Technical refinements address edge cases, clarify ambiguous requirements, and improve interoperability between different consent management platforms and receiving parties. These incremental improvements reflect the iterative nature of privacy technology development as the industry gains operational experience with new frameworks.

Publishers should verify their consent management platform's support for GPP National v2 and test the integration with AdSense. The platform's error handling for deprecated GPP v1.0 strings demonstrates the importance of maintaining current specifications. Publishers using outdated string formats risk losing ad monetization capabilities as platforms enforce version requirements.

The broader context includes declining availability of third-party cookies, increasing restrictions on device fingerprinting, and growing consumer awareness of privacy rights. GPP provides one mechanism for publishers to demonstrate privacy compliance, but it exists within a larger transformation of how digital advertising operates. Publishers must balance compliance requirements, user experience considerations, and revenue optimization in an environment where traditional targeting methods face increasing constraints.

Timeline

• February 2025: IAB Tech Lab finalizes GPP Implementation Guidelines
• April 19, 2025: IAB Tech Lab opens TCF v2.3 for public comment
• July 16, 2025: IAB Tech Lab releases PAIR protocol version 1.1
• July 17, 2025: IAB Tech Lab publishes ID-Less Solutions Guidance
• August 1, 2024: Six U.S. states added to Global Privacy Platform
• September 2025: Google AdSense begins supporting GPP National v2
• October 6, 2025: Google announces AdSense support for GPP National v2
• November 5, 2024: IAB Tech Lab finalizes Accountability Platform specification
• January 26, 2025: IAB Tech Lab releases PAIR protocol first official version

Summary

Who: Google AdSense, IAB Tech Lab, publishers, consent management platforms, and advertisers participating in the digital advertising ecosystem.

What: AdSense added support for Global Privacy Protocol National v2 strings while maintaining compatibility with v1. The GPP framework enables standardized transmission of user privacy preferences across multiple U.S. state privacy laws. AdSense is certified under the MSPA Certified Partner Program and processes specific fields from GPP strings to determine when to apply restricted data processing.

When: The announcement was made on October 6, 2025, with implementation beginning in September 2025. The GPP Implementation Guidelines were finalized in February 2025.

Where: The update applies to AdSense globally, specifically addressing U.S. state privacy law compliance. AdSense accepts US National, California, Colorado, Connecticut, Florida, and Virginia strings within GPP. European Economic Area and UK implementations continue using IAB Europe's TCF separately.

Why: The update addresses the complex regulatory landscape of U.S. state privacy laws, which have distinct and sometimes conflicting requirements for consent, data sales, and targeted advertising. GPP provides a standardized technical mechanism for communicating user privacy preferences across jurisdictions, reducing compliance complexity for publishers while respecting consumer privacy rights granted by state laws.