IAB Tech Lab opens comment period for privacy framework updates

IAB Tech Lab opened a public comment period on proposed updates to the Global Privacy Protocol and Data Deletion Request Framework on an unspecified date in fall 2025. The comment period runs until December 1, 2025, allowing industry stakeholders to review technical specifications for two privacy frameworks that support data management across the digital advertising ecosystem.

The organization released updates addressing newly enacted U.S. state privacy laws and structural improvements designed for long-term scalability. According to the announcement, feedback can be submitted to support@iabtechlab.com or through GitHub during the open comment period.

Four new state sections expand coverage

The Global Privacy Protocol update adds sections for Maryland, Indiana, Kentucky, and Rhode Island. These four states enacted comprehensive privacy laws that take effect in 2025 and 2026. The new sections introduce a re-architected string structure with several technical modifications.

Section headers now function as a table of contents within each state string. The headers define the order and inclusion of subsections, providing visibility into which subsections are present. This structure prevents ambiguity when optional subsections are introduced, mirroring the general GPP string structure already in use.

Fields likely to change as privacy requirements evolve have been moved from the Core subsection into dedicated subsections. The GPP already includes subsection concepts, such as the GPC subsection found in other U.S. state sections. In this update, Sensitive Personal Information Consent fields previously located in the Core subsection now occupy their own isolated subsection.

This modular approach allows implementers to continue parsing essential fields. Sale, share, and targeted advertising opt-outs remain accessible even when section versions increment to accommodate updates in areas like SPI Consents. The separation minimizes disruptions as privacy regulations develop.

IAB Tech Lab has steadily expanded GPP coverage throughout 2024 and 2025, responding to the growing number of state privacy laws. Six additional U.S. states were added to the platform in August 2024, including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee.

Two options proposed for section transparency

The update addresses a technical gap in how downstream vendors identify which GPP sections a CMP supports and has determined applicable for a given user. Currently, no standardized server-side method exists for vendors to determine whether a CMP supports a section, doesn't support it, or hasn't made any jurisdictional assessment.

This ambiguity affects how vendors interpret signals. Without clarity, systems may over-apply or under-apply privacy rules. Tech Lab proposed a new mechanism to communicate supported sections alongside applicable sections, extending the existing client-side CMP API to downstream and server-side use cases.

Option A proposes encoding supported sections directly within the GPP string header. The header would include SupportedSections, listing section IDs the CMP supports as directed by the first party, and SectionApplies, indicating sections determined to apply for the given transaction. This method mirrors how the TCF currently communicates gdprApplies, creating parity between frameworks.

The approach offers benefits including simplicity, compact encoding within the GPP string, easier parsing using existing infrastructure, and consistent signaling for both supported and applicable sections. However, drawbacks include required GPP string updates whenever a CMP adds or removes supported sections, potential data minimization concerns, and additional overhead if signed strings are introduced as a future feature.

Option B introduces a new signal outside the GPP string through additional URL parameters, macros, and OpenRTB fields. New fields would include URL parameter &gpp_ssns, macro ${GPP_SSNS}, OpenRTB field regs.gpp_ssns, and App key IABGPP_GppSsns. These additions would complement existing parameters such as &gpp and &gpp_sid.

This alternative reduces GPP string size and update frequency while enabling easier adoption for systems that already parse URL parameters or OpenRTB objects. Potential drawbacks include coordinated updates across multiple implementation layers with longer adoption cycles, such as macros in creatives, and risk that the signal could be omitted unintentionally.

Tech Lab invited industry feedback on both options to determine the most effective path forward.

Data deletion framework receives security enhancements

The Data Deletion Request Framework specification received proposed updates providing greater clarity around token formats, strengthened key rotation practices, and improved extensibility for implementers. The changes enhance interoperability, security, and long-term maintainability across the data deletion request ecosystem.

The framework employs JSON Web Tokens to ensure verifiable transmission of data through cryptographic signatures. Three distinct JWTs serve specific purposes: an identity JWT, a request JWT, and an acknowledgment JWT.

The update refined the structure and usage of key JWTs. The former idJWT has been renamed to orJWT, reflecting its purpose as a token generated by the originating requester. The idJWT.sub claim has been removed to address privacy considerations and improve clarity.

The rqJWT.sub format changed to avoid embedding a JSON object within the sub claim. Three new dedicated claims were introduced: identifierValue, identifierType, and identifierFormat. These adjustments align with JWT best practices while reducing parsing complexity and promoting data minimization.

Several significant updates improve cryptographic hygiene and rotation practices. The publicKey field in dsrdelete.json has been replaced with a required jwksUri field. This aligns the framework with established OAuth and OpenID Connect conventions, where a JWKS endpoint hosts the relevant key set.

The alg parameter, indicating algorithm, and kid parameter, indicating key ID, are now required for each JWK. These requirements ensure stronger validation and eliminate algorithm ambiguity risks.

A new required pollFrequency field appears in both dsrdelete.json and the hosted jwks.json file. The field, expressed in seconds, standardizes how frequently participants should refresh cached keys and metadata. The specification now recommends maintaining a cache of partner keys and refreshing whenever a key ID mismatch occurs. Example JSON files demonstrate multi-key sets supporting phased key rotations.

Result codes expanded for better feedback

The result code system expanded to provide clearer feedback on request outcomes and error handling. Separate result codes and strings are now defined for the rqJWT and orJWT, improving troubleshooting granularity. The acJWT tokens are reserved for communicating the substantive result of a deletion request.

New result codes cover scenarios including invalid tokens, malformed structures, timestamp errors, and unsupported identifier types or formats. This separation enhances diagnostic clarity and ensures consistent handling of deletion request responses across implementations.

Several optional parameters were added to support greater flexibility and scalability. The optionalParameters field allows implementers to add custom, non-standard fields to dsrdelete.json, enhancing extensibility. The dsrdeleteJsonUri enables organizations with multiple domains to designate a single domain as the canonical host for the full configuration file. The publishedJwksUri encourages public hosting of JWKS endpoints to facilitate secure key rotation practices.

Context for the marketing community

The updates arrive as the digital advertising industry navigates an increasingly complex privacy landscape. With 14 U.S. state privacy laws enforceable at the start of 2025 and six more expected throughout the year, standardized frameworks provide technical infrastructure for compliance.

The Global Privacy Platform serves as a transport layer that communicates user consent and preference signaling throughout the digital supply chain. The system supports existing consent formats while maintaining flexibility for new markets with unique needs. Google AdSense added support for Global Privacy Protocol National v2 strings in October 2025, demonstrating adoption by major platforms.

IAB Tech Lab finalized its Accountability Platform specification in November 2024, establishing a standardized framework for validating user preference signals across the digital advertising ecosystem. The platform monitors the accurate transmission of GPP strings and TCF strings throughout the digital supply chain.

The organization's technical specifications development follows input from over 800 member companies through working groups focused on privacy implementation. IAB Tech Lab released comprehensive ID-Less Solutions Guidance in November 2024, providing frameworks for maintaining advertising effectiveness without relying on traditional user identifiers.

The Data Deletion Request Framework addresses requirements included in GDPR, U.S. state privacy laws, and additional privacy legislation such as Quebec Law 25. The framework establishes a standardized mechanism for transmitting data deletion request signals throughout the digital advertising chain.

Rowena Lam, Sr Director of Privacy & Data at IAB Tech Lab, authored the announcement. Additional resources for the updates are available through the IAB Tech Lab repository on GitHub.

The Global Privacy Platform has undergone continuous expansion since its introduction. IAB Tech Lab previously unveiled GPP Extensions in May 2024 to address state-specific privacy laws in the United States. The Extensions enable transmission of consent signals specific to individual state privacy law requirements.

Technical specifications for the new U.S. states coverage and the proposed string format are available through GitHub. Separate documentation exists for supported sections Option A and Option B proposals. The Data Deletion Request Framework specification updates are also accessible through the repository.

The public comment period represents an opportunity for industry stakeholders to contribute feedback before final implementation. IAB Tech Lab's approach involves collaborative development through working groups and public comment periods, allowing participants to review and improve technical specifications before release.

Timeline

• February 2017: IAB Europe launched the collaborative effort to create the TCF
• August 1, 2024: Six U.S. states added to Global Privacy Platform
• May 2024: IAB Tech Lab unveiled GPP Extensions for state-specific privacy laws
• September 2024: IAB Tech Lab launched Privacy Taxonomy for public comment
• October 2024: IAB Tech Lab released Attribution Data Matching Protocol for public comment
• November 5, 2024: IAB Tech Lab finalized Accountability Platform specification
• November 21, 2024: IAB Tech Lab released ID-Less Solutions Guidance document
• January 29, 2025: IAB Tech Lab announced 2025 product roadmap with 31 planned specifications
• February 2025: IAB Tech Lab finalized GPP Implementation Guidelines
• April 19, 2025: IAB Tech Lab opened TCF v2.3 technical specifications for public comment
• July 17, 2025: IAB Tech Lab published final ID-Less Solutions Guidance Version 1.0
• October 6, 2025: Google AdSense announced support for GPP National v2 strings
• Fall 2025: IAB Tech Lab opened public comment period for Global Privacy Protocol and Data Deletion Request Framework updates
• December 1, 2025: Public comment period closes for GPP and DDRF updates

The Five Ws

Who: IAB Tech Lab, a non-profit consortium that develops foundational technology and standards for the digital media ecosystem, announced the updates. Rowena Lam, Sr Director of Privacy & Data at IAB Tech Lab, authored the announcement. The organization's Global Privacy Working Group members provide contributions to the repository, with technical governance provided by the IAB Tech Lab Privacy & Rearc Commit Group.

What: IAB Tech Lab released proposed updates to two technical specifications: the Global Privacy Protocol and the Data Deletion Request Framework. The GPP updates expand coverage to Maryland, Indiana, Kentucky, and Rhode Island, introduce section headers and subsection restructuring, and propose two options for communicating supported sections to downstream vendors. The DDRF updates rename the idJWT to orJWT, restructure the rqJWT.sub format with new dedicated claims, replace publicKey with jwksUri, require alg and kid parameters, introduce pollFrequency for key rotation, expand result codes, and add optional parameters for extensibility.

When: The public comment period opened in fall 2025 and remains open until December 1, 2025. The four new U.S. state privacy laws take effect in 2025 and 2026. Feedback can be submitted throughout the comment period.

Where: The updates apply to technical specifications used throughout the digital advertising ecosystem. The frameworks operate globally but the GPP updates specifically address U.S. state privacy laws for Maryland, Indiana, Kentucky, and Rhode Island. Technical documentation is available through the IAB Tech Lab GitHub repository. Industry stakeholders can submit feedback to support@iabtechlab.com or via GitHub.

Why: The updates continue IAB Tech Lab's commitment to providing scalable, interoperable solutions that support privacy, transparency, and accountability across the digital advertising ecosystem. The GPP changes respond to newly enacted U.S. state privacy laws and introduce structural improvements for long-term flexibility. The DDRF updates enhance clarity around token formats, strengthen key management and security guidance, and expand implementation options. The industry faces 14 enforceable U.S. state privacy laws at the start of 2025 with six more expected throughout the year, requiring standardized technical frameworks for compliance. The ambiguity in current systems around vendor disclosure and section support creates risks of over-applying or under-applying privacy rules, which these updates address.