IAB Global Privacy Platform (GPP)
Overview
TrueVault's CMP implements the IAB Global Privacy Platform (GPP) specification. GPP provides a standardized way for CMPs to communicate user privacy signals to downstream vendors and ad-tech partners through a single, unified API.
The GPP API is exposed on every page where the TrueVault CMP script is installed, regardless of banner variant or configuration — including when no banner is displayed. This ensures that vendors can always query for privacy signals via the window.__gpp() function, even when the CMP is not actively showing a consent UI.
How it works
When the TrueVault CMP loads on a page:
- The GPP stub is initialized immediately, making the window.__gpp() function available to callers.
- The user's location is determined via geolocation.
- The applicable GPP section is set based on the user's US state (or the US National section as a fallback).
- Privacy signals from the user's consent choices (or defaults) are reflected into the GPP datastore.
- The GPP signal status is set to ready, indicating that all values are final and available for querying.
If the CMP is disabled or not applicable for the current visitor, the GPP API still responds — it returns a disabled status so that callers can distinguish between "no CMP present" and "CMP present but not applicable."
Supported sections
The TrueVault CMP implements all current US state privacy sections defined by the GPP specification, including the US National section. As new US state sections are formalized by the IAB, we aim to add support for them shortly after they are published. See the IAB section list for the full list of defined sections.
The applicable section is determined automatically based on the visitor's location. For visitors in a US state with a dedicated section, that state's section is used. For visitors in other US states, the US National section is used as a fallback.
The TrueVault CMP does not currently implement the IAB Transparency and Consent Framework (TCF) sections (e.g., TCF EU v2, TCF Canada v1).
Querying the GPP API
The GPP API is available on the window object as window.__gpp(), following the IAB GPP spec.
Ping
Use the ping command to check the CMP status and discover supported sections:
window.__gpp('ping', (data, success) => {
  console.log(data.cmpStatus); // 'loaded'
  console.log(data.signalStatus); // 'ready'
  console.log(data.supportedAPIs); // e.g., ['7:usnatv1', '8:uscav1', ...]
  console.log(data.applicableSections); // e.g., [8] for a California visitor
});
The ping response also includes the encoded GPP string and applicable sections:
window.__gpp('ping', (data, success) => {
  console.log(data.gppString); // Encoded GPP string
  console.log(data.applicableSections); // e.g., [8] for a California visitor
});
The gppString value is a compact, base64-encoded representation of all privacy signals defined by the GPP spec. To inspect the decoded contents of a GPP string, you can use the IAB GPP Decoder.
Example values
The following example GPP strings show how the encoded values differ across banner variants for a California visitor. All examples use the USCA (section ID 8) section.
| Banner Variant | GPP String |
|---|---|
| Opt-In Banner | DBABBg~BUVVVVSA.QA |
| Opt-Out Banner | DBABBg~BUpVVVSA.QA |
| Informational Banner | DBABBg~BUpVVVSA.QA |
| No Banner | DBABBg~BUpVVVSA.QA |
Decoded field comparison
When decoded, the fields that could differ between banner variants depend on your organization's configuration. In this example, only SaleOptOut and SharingOptOut differ between the Opt-In banner and the other variants — all other fields are identical.
| Field | Opt-In Banner | Opt-Out / Informational / No Banner |
|---|---|---|
| Version | 1 | 1 |
| SaleOptOutNotice | 1 | 1 |
| SharingOptOutNotice | 1 | 1 |
| SensitiveDataLimitUseNotice | 0 | 0 |
| SaleOptOut | 1 | 2 |
| SharingOptOut | 1 | 2 |
| SensitiveDataProcessing | [1,1,1,1,1,1,1,1,1] | [1,1,1,1,1,1,1,1,1] |
| KnownChildSensitiveDataConsents | [1,1] | [1,1] |
| PersonalDataConsents | 0 | 0 |
| MspaCoveredTransaction | 2 | 2 |
| MspaOptOutOptionMode | 0 | 0 |
| MspaServiceProviderMode | 0 | 0 |
| Gpc | false | false |
These are the default values for each banner variant — before the visitor has interacted with the banner. In this example, the only fields that differ are SaleOptOut and SharingOptOut. With the Opt-In banner, the default is 1 (Opted Out) because the visitor has not yet opted in to the sale or sharing of their data. With the Opt-Out, Informational, and No Banner variants, the default is 2 (Did Not Opt Out) because the visitor has not yet exercised their opt-out right.
The specific fields that could differ between banner variants depend on your organization's privacy configuration — for example, whether your organization engages in the sale or sharing of personal data. The examples above are illustrative and may not match your configuration exactly.
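To check a captured gppString against the decoded table above without an external tool, the USCA core segment can be decoded directly. The following is an added example, not TrueVault or IAB code; decodeUscaGpp and its helper names are illustrative, and it assumes a single-section string whose section is USCA (ID 8), as in the examples on this page.

```javascript
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Each character carries 6 bits; segments are not padded to whole bytes.
function toBits(segment) {
  return [...segment].map((ch) => {
    const value = ALPHABET.indexOf(ch);
    if (value < 0) throw new Error(`invalid GPP character: ${ch}`);
    return value.toString(2).padStart(6, '0');
  }).join('');
}

// Returns a function that consumes the next `width` bits as an unsigned integer.
function bitReader(bits) {
  let pos = 0;
  return (width) => {
    if (pos + width > bits.length) throw new Error('GPP segment is truncated');
    const value = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
    return value;
  };
}

// USCA v1 core layout: [field name, bits per value, number of values].
const USCA_CORE = [
  ['Version', 6, 1], ['SaleOptOutNotice', 2, 1], ['SharingOptOutNotice', 2, 1],
  ['SensitiveDataLimitUseNotice', 2, 1], ['SaleOptOut', 2, 1], ['SharingOptOut', 2, 1],
  ['SensitiveDataProcessing', 2, 9], ['KnownChildSensitiveDataConsents', 2, 2],
  ['PersonalDataConsents', 2, 1], ['MspaCoveredTransaction', 2, 1],
  ['MspaOptOutOptionMode', 2, 1], ['MspaServiceProviderMode', 2, 1],
];

// Assumption: exactly one section, and it is USCA (section ID 8). The header's
// section-ID range is not parsed; only the header type (must be 3) is checked.
function decodeUscaGpp(gppString) {
  const [header, section, ...rest] = gppString.split('~');
  if (!header || !section || rest.length) throw new Error('expected header~section');
  if (bitReader(toBits(header))(6) !== 3) throw new Error('not a GPP header');
  const [core, gpcSegment] = section.split('.');
  const read = bitReader(toBits(core));
  const fields = {};
  for (const [name, width, count] of USCA_CORE) {
    const values = Array.from({ length: count }, () => read(width));
    fields[name] = count === 1 ? values[0] : values;
  }
  // Optional sub-section: 2-bit type (1 = GPC) followed by the 1-bit Gpc flag.
  const gpc = gpcSegment ? bitReader(toBits(gpcSegment)) : null;
  if (gpc && gpc(2) === 1) fields.Gpc = gpc(1) === 1;
  return fields;
}
```

Decoding DBABBg~BUVVVVSA.QA yields SaleOptOut 1 and SharingOptOut 1, while DBABBg~BUpVVVSA.QA yields 2 for both, matching the table.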
Implemented signal fields
The GPP specification defines a large number of granular consent fields for each section. In practice, the TrueVault CMP — like most consent banners in the industry — manages consent at a higher level that is simpler for visitors to understand (e.g., opting out of the sale or sharing of personal data). Not every individual GPP field maps directly to a consent choice in the banner, so some fields may not be actively set by the CMP.
Field values reflect your organization's privacy configuration (e.g., whether your organization sells data or engages in targeted advertising) and the visitor's consent choices. Fields that do not apply to your organization's data practices are marked as not applicable.
For the full list of fields defined in each section, see the GPP section specifications.