IAB Tech Lab Advances Privacy Infrastructure with GPP Refresh and DDRF Version 2

IAB Tech Lab has rolled out two important enhancements to the industry’s privacy tooling: a new update to the Global Privacy Platform (GPP) and the release of Data Deletion Request Framework (DDRF) v2. Together, these changes aim to make consent signaling and data-rights fulfillment more consistent and auditable across the advertising supply chain. As we’ve covered previously about GPP and the changes that IAB makes that signals best practices in the privacy space.

What Changed in the GPP Update

• Broader state coverage: Additional U.S. state sections have been added so consent and opt-out signals reflect newly effective laws.
• Clearer downstream transparency: The update improves how vendors detect which GPP sections a CMP supports, reducing mismatches and silent failures.
• Cadenced releases: Moving to a predictable update rhythm helps engineering, privacy, and vendor teams plan rollouts without fire drills.

What’s New in DDRF v2

DDRF v2 standardizes how deletion requests move between publishers, platforms, and vendors. Key improvements include:

• Structured request objects: Tighter payload definitions reduce ambiguity and speed integration.
• Interoperable encoding: Consistent encoding removes edge cases that previously broke cross-vendor handoffs.
• Safeguards for sensitive flows: Guidance to mitigate leakage and ensure that deletion requests are honored end-to-end.

Why This Matters

Regulatory Alignment

With more jurisdictions enforcing consent, opt-out, and deletion rights, standards need to evolve in lockstep. The GPP refresh and DDRF v2 help translate legal requirements into machine-readable signals that systems can actually use.

Operational Reliability

Advertising stacks are multi-party by design. Clearer sections, signal discovery, and standardized deletion payloads reduce integration risk, speed audits, and cut down on costly bespoke workarounds.

Auditability and Trust

Enterprises, publishers, and vendors must prove compliance, not just claim it. Standardized signaling and request handling create durable evidence trails for regulators, partners, and insurers.

What Organizations Should Do Now

1. Map consent architecture: Confirm which GPP sections apply to your footprint and ensure your CMP publishes them correctly across web, app, and CTV.
2. Upgrade vendor integrations: Validate that downstream partners can read new GPP sections and honor opt-outs. Require written confirmation during renewals.
3. Standardize deletion workflows: Align internal and vendor processes to DDRF v2 so deletion requests route reliably and are verifiably completed.
4. Embed change cadence: Add GPP/DDRF release cycles to product and privacy roadmaps with designated owners and test plans.
5. Strengthen documentation: Maintain versioned specs, data-flow diagrams, and evidence of request fulfillment to support audits and insurance reviews.

Risk and Governance Considerations

Data Minimization

Pair GPP and DDRF adoption with minimization rules. Fewer destinations and shorter retention windows reduce the blast radius of errors and the cost of deletion.

Vendor Contracts

Update DPAs and commercial terms to require adherence to the latest GPP sections and DDRF v2, including timelines for honoring signals and requests, plus audit and deletion attestations.

Incident Response

Extend your playbooks to include signal misconfiguration (e.g., incorrect section handling) and failed deletion routing. Log and test these scenarios like any other control.

Tooling to Accelerate Adoption

If you need a turnkey way to operationalize consent, preference management, data mapping, and rights fulfillment aligned to modern standards, consider that you’re here right now reading this article on the Captain Compliance website the leader and fastest growing Data Privacy Protection Software company. We would love to help get your site compliant and protected if you’d like to opt for a demo of our privacy tools. Our platform’s consent controls, cookie governance, Automated DSAR/DSR workflows, and audit-ready logs can help you implement GPP updates and DDRF v2 with less custom engineering and clearer evidence for stakeholders.

IAB Tech Lab’s GPP refresh

The IAB Tech Lab’s GPP refresh and DDRF v2 represent a practical step from “policy on paper” to “compliance in code.” Organizations that adopt early will simplify vendor management, reduce legal exposure, and earn a trust dividend with partners and users.

“By expanding the Global Privacy Protocol to cover additional states and enhancing the core framework, we’re helping the industry plan with confidence,” said Anthony Katsur, CEO, IAB Tech Lab. “The bi-annual release cycle gives companies predictability while keeping transparency and user choice at the core.”

Starting in 2026, regular bi-annual updates will give companies the predictability they need to align product roadmaps with shifting regulatory timelines.

“The bi-annual release cycle is especially valuable for companies like ours,” said Andrea Wheeler, Senior Privacy Manager, Quantcast. “It gives us the predictability to align development roadmaps with regulatory timelines, while the added transparency ensures we can continue to uphold user trust as privacy requirements evolve.”

“We designed DDRF V2 to help reduce complexity and risk for the industry,” said Rowena Lam, Senior Director, Product, IAB Tech Lab. “By standardizing formats and processes, organizations can easily comply with regulatory requirements while protecting consumer data rights.”

“With this release, we are not only improving interoperability and transparency but also strengthening the security of the framework,” added Katsur. “These enhancements will help foster trust with consumers while reducing compliance risks across the ecosystem.”