GPP Update: Important Changes to Inform Your Data Privacy Roadmap

In August, the IAB Tech Lab released for public comment new sections in the Global Privacy Platform (GPP) to expand coverage for additional U.S. states that enacted comprehensive data privacy laws. This was soon followed by a public comment period for version 2.0 of the MSPA US National Section. With these updates now finalized, the industry is encouraged to implement these changes. 

Support for 6 More U.S. States 

The GPP has expanded coverage to include six additional states: Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee. Each of these states’ section specification utilizes data types that are also present in other states, and efforts have been made to keep the fields in harmony. For full details, take a look at each state’s section specification, and to view a complete list of all sections of the GPP, refer to the Section Information in the GitHub repository.

Updates to the MSPA US National Section

The MSPA has been amended to include additional states, and as a result, the MSPA US National Section has been updated accordingly. It’s important to note that there are breaking changes in the MSPA US National Section, which is why the section version has been incremented to 2.0.

The breaking changes exist in two fields of the string: 

  • SensitiveDataProcessing field introduces several new categories (13-16)
  • KnownChildConsents field introduces new age range 

To see the latest on the MSPA US National Section, see the section specification.

Upcoming Coverage Developments 

The GPP now includes coverage for 15 of states with comprehensive data privacy laws in the U.S. In the first half of 2025, this coverage will expand to include and an additional five states: Minnesota, Maryland, Indiana, Kentucky, and Rhode Island. For those who are counting, that’s a total of 19 states (or 20 depending on whether you count Florida’s Digital Bill of Rights), all of which are either already in effect or set to take effect within the next two years. Below, you’ll find a helpful table detailing the effective dates and GPP coverage status for each state.

State Privacy LawEffective DateGPP Section CoverageMSPA US National National Coverage
California:
California Consumer Privacy Act
Amended by California Privacy Rights Act
January 1, 2020
January 1, 2023
CoveredCovered
Colorado:
Colorado Privacy Act
July 1, 2023CoveredCovered
Connecticut:
Connecticut Data Privacy Act
July 1, 2023CoveredCovered
Delaware:
Delaware Personal Data Privacy Act
January 1, 2025CoveredCovered
Florida:*
Florida Digital Bill of Rights
July 1, 2024CoveredCovered
Indiana:
Indiana Consumer Data protection Act
January 1, 2026Anticipated 1H2025Covered
Iowa:
Iowa Consumer Data Protection Act
January 1, 2025CoveredCovered
Kentucky:
Kentucky Consumer Data Protection Act
January 1, 2026Anticipated 1H2025Covered
Maryland:
Maryland Online Data Privacy Act
October 1, 2025Anticipated 1H2025Covered
Minnesota:
Minnesota Consumer Data Privacy Act
July 31, 2025Anticipated 1H2025Covered
Montana:
Montana Consumer Data Privacy Act
October 1, 2024CoveredCovered
Nebraska:
Nebraska Data Privacy Act
January 1, 2025CoveredCovered
New Hampshire:
SB 255
January 1, 2025CoveredCovered
New Jersey:
SB 332
January 15, 2025CoveredCovered
Oregon:
Oregon Consumer Privacy Act
July 1, 2024CoveredCovered
Rhode Island:
Rhode Island Data Transparency and Privacy Protection Act
January 1, 2026Anticipated 1H2025Covered
Tennessee:
Tennessee Information Protection Act
July 1, 2025CoveredCovered
Texas: 
Texas Data Privacy and Security Act
July 1, 2024CoveredCovered
Utah:
Utah Consumer Privacy Act
December 31, 2023CoveredCovered
Virginia: Virginia Consumer Data Protection ActJanuary 1, 2023CoveredCovered
Information in above table accurate as of Nov 12, 2024

Rowena Lam headshot

Rowena Lam
Sr Director, Privacy & Data
IAB Tech Lab