Codigo Alpha

Muito mais que artigos: São verdadeiros e-books jurídicos gratuitos para o mundo. Nossa missão é levar conhecimento global para você entender a lei com clareza. 🇧🇷 PT | 🇺🇸 EN | 🇪🇸 ES | 🇩🇪 DE

Codigo Alpha

Muito mais que artigos: São verdadeiros e-books jurídicos gratuitos para o mundo. Nossa missão é levar conhecimento global para você entender a lei com clareza. 🇧🇷 PT | 🇺🇸 EN | 🇪🇸 ES | 🇩🇪 DE

Digital & Privacy Law

IAB U.S. Privacy String Technical Signaling Standards

Código Alpha

The U.S. Privacy String functions as the critical digital handshake that tells downstream vendors whether to restrict data processing or allow standard monetization.

In the complex ecosystem of real-time bidding and programmatic advertising, compliance with US privacy laws—specifically the California Consumer Privacy Act (CCPA) and its expansion under the CPRA—does not happen through handshake agreements or PDF contracts attached to emails. It happens in milliseconds through metadata. The mechanism for this transmission is the IAB Tech Lab U.S. Privacy String, a technical standard that translates a consumer’s legal status into a readable signal for every vendor in the ad chain.

The friction typically arises when this signal is either improperly generated by the publisher’s Consent Management Platform (CMP) or ignored by the receiving ad tech vendor. When a user explicitly opts out of the “sale” of their personal information, that preference must propagate instantly to exchanges, demand-side platforms (DSPs), and data aggregators. If the signal fails—or if the string is malformed—the publisher risks statutory penalties for unauthorized data sharing, while the vendor risks processing restricted data without a valid service provider defense.

This analysis unpacks the architecture of the U.S. Privacy String, detailing how its four-character format dictates vendor behavior. We will examine the specific technical obligations it triggers, the transition to the Global Privacy Platform (GPP), and the audit workflows necessary to ensure that what you claim in your privacy policy matches what you broadcast in the bid stream.

Critical checkpoints for signal validity:

  • Character Integrity: A valid string must contain exactly four distinct characters (e.g., “1YNN”); any deviation often results in the downstream vendor rejecting the bid request entirely.
  • LSPA Applicability: The fourth character determines if the transaction is governed by the Limited Service Provider Agreement, effectively converting a standard vendor into a restricted data processor.
  • GPC Interaction: The string must dynamically update if a browser-based Global Privacy Control signal is detected, overriding manual settings.
  • Bid Stream Placement: The string must be present in the `regs.ext.us_privacy` field of the OpenRTB object to be legally effective during the auction.

See more in this category: Digital & Privacy Law

In this article:

Last updated: October 24, 2025.

Quick definition: The IAB U.S. Privacy String is a technical specification used to communicate consumer privacy preferences regarding the sale of data (CCPA) to advertising vendors via a concise character string.

Who it applies to: Publishers (websites/apps), Advertisers, CMPs, Ad Exchanges, and any downstream vendor participating in the programmatic bid stream involving U.S. users.

Time, cost, and documents:

  • Implementation: 1–2 weeks for CMP configuration and API integration.
  • Monitoring: Continuous audit of bid logs (daily/weekly).
  • Documents: Privacy Policy, Limited Service Provider Agreement (LSPA) registration.

Key takeaways that usually decide disputes:

  • Notice Accuracy: Did the user actually see the notice indicated by the string?
  • Opt-Out Execution: Did the vendor restrict processing immediately upon receiving “Y” in the third position?
  • Persistence: Did the signal travel with the data or was it stripped by an intermediary?

Quick guide to the U.S. Privacy String

The U.S. Privacy String is essentially a compact code that travels with the user’s data. Its primary purpose is to inform vendors whether they are allowed to “buy” the data (use it for profiling and targeting) or if they must act as a “Service Provider” (process it only for limited business purposes like frequency capping or measurement). Understanding its components is non-negotiable for compliance teams.

  • The “1YNN” Standard: This is a common valid string. It stands for: Version 1, Notice Given (Yes), Opt-Out (No), LSPA Applicable (No).
  • The Opt-Out Trigger: The third character is the most legally significant. A “Y” (Yes) here commands all downstream vendors to stop selling the data.
  • The “Service Provider” Mode: When the Opt-Out is “Y”, vendors signatory to the IAB agreement must treat the data as restricted, disabling their own data enrichment pipelines.
  • The “LSPA” Bit: The fourth character signals whether the publisher expects the vendor to rely on the IAB’s Limited Service Provider Agreement legal framework to handle the data transfer compliantly.
  • Geographic Scope: While born from CCPA (California), the string is often applied broadly to U.S. traffic or specifically targeted to states with similar privacy regimes depending on CMP settings.

Understanding the String components in practice

The U.S. Privacy String is not a random collection of letters; it is a positional format where every character slot represents a specific legal declaration by the publisher. Misinterpreting a single slot can lead to systematic compliance failures across millions of ad impressions. The string is typically accessed via the JavaScript API `__uspapi(‘getUSPData’, …)`.

The first character always indicates the Specification Version. Currently, this is almost always “1”. If a vendor sees a different number that they do not support, the standard dictates they should not process the string, which poses a risk of defaulting to a non-compliant state. This stability is crucial for legacy systems that process high-frequency bids.

The second character represents Explicit Notice. It answers the question: “Did the publisher provide the user with explicit notice and the opportunity to opt-out?” A “Y” (Yes) here is the baseline expectation for any compliant publisher. An “N” (No) effectively flags the data as toxic or non-compliant for sale purposes, as selling data without notice is a direct violation of CCPA/CPRA.

Decoding the “Opt-Out” (3rd Character) hierarchy:

  • “Y” (Yes): The user HAS opted out. The vendor MUST NOT sell the data. Processing is restricted to “Service Provider” exceptions (auditing, security, debugging).
  • “N” (No): The user has NOT opted out. The vendor may treat the data as a “sale” and use it for cross-context behavioral advertising, provided no other signals (like GPC) conflict.
  • “-” (Not Applicable): Used when the user is not in a jurisdiction requiring this choice (e.g., a user in Ohio, depending on policy). Vendors typically treat this as “business as usual.”
  • Conflict Rule: If the GPC signal is “True” (1), the CMP must override the user’s manual choice in the string to “Y” automatically.

Legal and practical angles that change the outcome

The fourth character, indicating LSPA Applicability, is often the most misunderstood. It signals whether the transaction falls under the IAB’s Limited Service Provider Agreement. If set to “Y”, the publisher is asserting that the downstream vendor must adhere to specific contractual terms that limit data use. If the vendor has not signed the LSPA or cannot comply with those terms, they should theoretically decline the bid request to avoid breach of contract.

Practically, many publishers set this to “Y” universally for California traffic to create a contractual safety net. However, if a vendor ignores this flag and adds the user’s data to a permanent identity graph, the “Service Provider” defense falls apart. The string essentially serves as a binding instruction: “Process this data ONLY if you agree to these limitations.”

Workable paths parties actually use to resolve this

When disputes arise regarding data leakage or unauthorized sales, the forensic audit trail often begins with the bid logs. Parties resolve these issues by comparing the timestamped U.S. Privacy String sent in the bid request against the vendor’s processing logs. If the string was “1YYY” (Opt-out: Yes), but the vendor added the user to a retargeting audience, the liability shifts clearly to the vendor.

Conversely, if the publisher failed to update the string after a user clicked “Do Not Sell,” transmitting “1YNY” (Opt-out: No) instead, the liability remains with the publisher. Resolution typically involves a technical audit of the Consent Management Platform (CMP) and a “cure” process where the vendor purges the data collected during the window of technical failure.

Practical application of the Privacy String workflow

For publishers and technical teams, the implementation of the U.S. Privacy String is a rigorous process of mapping legal requirements to API responses. It is not enough to simply install a CMP script; the script must accurately reflect the user’s state in real-time.

  1. Configure the CMP for Jurisdiction: Ensure the CMP is set to detect users in California (and other applicable states) and trigger the “Do Not Sell/Share” interface.
  2. Map User Interactions to String Values: Verify that clicking “Reject” or “Do Not Sell” instantly changes the third character of the string from “N” to “Y” in the local storage or cookie.
  3. Enable GPC Listeners: Configure the system to listen for the `navigator.globalPrivacyControl` signal. If detected, it must force the string generation to reflect an opt-out (“Y”) regardless of user interaction with the banner.
  4. Inject into the Bid Stream: Ensure the ad server (e.g., Google Ad Manager) is picking up the string and populating the `regs.ext.us_privacy` field in the OpenRTB bid request.
  5. Monitor Vendor Responses: Periodically audit whether vendors are bidding on “Y” flagged inventory. A high volume of bids on opt-out traffic might indicate vendors are ignoring the signal.
  6. Transition to GPP (Optional/Next Step): Begin mapping these same preferences to the Global Privacy Platform (GPP) string, which allows for multi-state handling beyond just the “1YNN” format.

Technical details and relevant updates

The technical backbone of the U.S. Privacy String is the IAB CCPA Compliance Framework. While simple in structure, its delivery mechanisms are strict. The string is stored in a cookie named `usprivacy` (case-sensitive in some implementations, though specs vary) or accessed via the `__uspapi` function. The API command `getUSPData` returns an object containing the string and the success status.

A critical update in the privacy landscape is the move toward the Global Privacy Platform (GPP). The U.S. Privacy String is essentially a “legacy” format specific to CCPA. As other states (Virginia, Colorado, Connecticut) came online, the IAB introduced GPP to handle multiple jurisdictions in a single string. However, the `us_privacy` string remains widely supported and necessary for backward compatibility with many DSPs that have not yet fully upgraded to GPP.

  • The “Notice” Character (2nd Position): If this is “N”, it implies the publisher did not show a privacy notice. Most DSPs will blacklist traffic with “1NN-” because buying data from a user who wasn’t notified is a high-risk compliance violation.
  • Data Deletion vs. Restriction: The string signals “Restriction of Sale.” It does not automatically trigger “Deletion.” Deletion is a separate consumer request workflow (DSAR) that is not handled through the bid stream string.
  • Pre-bid Validation: Smart ad servers validate the string before sending the bid request. If the string contains invalid characters (e.g., “1Y?Y”), the ad server may strip the string or drop the request to prevent errors.

Statistics and scenario reads

These scenarios reflect the operational realities of privacy string adoption and the monitoring patterns used by compliance teams to detect failures. They are not legal judgments but observed trends in the ad tech ecosystem.

The distribution of string values provides a health check on the ecosystem. A healthy publisher should see a mix of “N” (Opt-in) and “Y” (Opt-out). A publisher showing 100% “N” suggests a broken opt-out mechanism or failure to respect GPC.

Typical distribution of String Values (California Traffic):

1YNN / 1YNY (Opt-in) 65%
1YYY (Opt-out) 25%
Invalid/Missing 10%

Impact of GPC Implementation:

  • Opt-Out Rate: 15% → 30%. Detecting the browser signal automatically doubles the effective opt-out rate on many sites.
  • CPM (Cost Per Mille): $2.50 → $1.10. Inventory flagged with “Y” (Restricted) typically yields lower revenue as advertisers cannot use behavioral targeting.
  • Fill Rate: 90% → 85%. Some DSPs configure their bidders to simply ignore requests with a “Y” signal rather than bidding on context alone.

Monitorable Metrics for String Health:

  • Signal Mismatch (%): The delta between CMP logs and Ad Server logs. Should be < 1%.
  • Invalid String Rate: Strings with incorrect length or characters. Any spike indicates a CMP configuration error.
  • LSPA Consistency: Frequency of “Y” in the 4th position matching the “Y” in the 3rd position (common configuration).

Practical examples of Signal interpretation

Scenario A: The Compliant Restriction

A user visits a news portal in California. They have the Global Privacy Control enabled in their browser. The CMP detects this and generates the string 1YYY.

1: Version 1.
Y: Notice was given.
Y: Opt-Out is active (driven by GPC).
Y: LSPA applies.

The Ad Exchange receives this. Instead of broadcasting the user’s ID to 50 bidders, it strips the ID and sends a “contextual only” bid request. The user sees a generic ad for a car, not the specific shoes they looked at yesterday.

Scenario B: The “Toxic” Data Transfer

A publisher’s CMP is misconfigured and generates 1N-- for all users.

1: Version 1.
N: Notice NOT given.
-: Opt-out inapplicable.
-: LSPA inapplicable.

A major DSP receives this bid request. Their compliance algorithm flags the “N” in the second position. Because the publisher explicitly admitted to not giving notice, the DSP blocks the bid entirely to avoid liability. The publisher loses revenue, and the user’s privacy status remains ambiguous and legally risky.

Common mistakes in String implementation

Hardcoding the String: Some developers hardcode 1YNN to “ensure revenue,” ignoring user choices. This is “willful non-compliance” and carries the highest tier of statutory penalties.

Ignoring GPC Overrides: Failing to code the CMP to prioritize the browser’s GPC signal over the user’s previous manual interaction (e.g., if they clicked “Accept” a month ago but now use GPC).

Misunderstanding the “-” Character: Using the dash for “No” instead of “Not Applicable.” A dash in the Opt-Out column for a California user is technically invalid; it should be Y or N.

Failure to Update in Session: Generating the string only on page load. If a user clicks “Do Not Sell” halfway through a session, the string must update dynamically for subsequent ad calls on that same page.

FAQ about the U.S. Privacy String

Does the U.S. Privacy String apply to GDPR jurisdictions?

No, the U.S. Privacy String (`us_privacy`) is specifically designed for the U.S. legal framework, primarily CCPA. The GDPR uses the Transparency and Consent Framework (TCF) string, which is much more complex and handles opt-ins for specific purposes and vendors.

Attempting to use the U.S. string for EU traffic will fail, as European vendors look for the TCF string. These are separate standards often managed by the same CMP but functioning independently based on the user’s IP address.

What happens if the string is missing from the bid request?

If the string is missing, risk-averse vendors (DSPs and Exchanges) may treat the inventory as non-compliant or assume the user has opted out to be safe. This often results in lower bid density and reduced revenue for the publisher.

Some vendors may proceed with bidding if they detect the user is outside of California (based on IP), but relying on vendor-side geolocation is risky. The best practice is to always send a string, even if it is “1—” to indicate the framework doesn’t apply to that user.

Can we just set the LSPA character to “N” to avoid contracts?

Technically yes, you can set the fourth character to “N”. However, doing so means you are telling the vendor that the transaction is not covered by the IAB’s Limited Service Provider Agreement. If the user has opted out (“Y” in 3rd position), the vendor must still restrict processing under the law.

The LSPA provides a standardized contractual layer that simplifies this restriction. Without it (“N”), the vendor might stop bidding entirely because they don’t have a bespoke service provider contract with you to cover the restricted data processing.

Does a “Y” in the Opt-Out field mean we delete the data?

No. The U.S. Privacy String signals a “Do Not Sell/Share” request, not a “Delete” request. It restricts the future use and transfer of the data for advertising profiles. It does not require you to wipe the data from your internal database.

A deletion request is a distinct legal right (Right to Delete) that usually comes through a dedicated form or portal. The privacy string is a real-time signal for the ad tech chain, not a database administration command.

How does the Global Privacy Platform (GPP) affect this string?

The GPP is the successor to the U.S. Privacy String. It is a more flexible container that can hold strings for multiple states (California, Virginia, Colorado, etc.) simultaneously. The industry is in a transition period.

Currently, most publishers should support both. They should emit the GPP string for modern vendors and the legacy `us_privacy` string for older integrations that haven’t updated. Eventually, `us_privacy` will be deprecated.

Who is responsible for generating the string?

The Publisher (the website or app owner) is responsible for generating the string, typically via their Consent Management Platform (CMP). The publisher is the “First Party” interacting with the consumer and capturing their preference.

Downstream vendors (SSPs, DSPs) are responsible for reading the string and adhering to its instructions. They do not generate it; they consume it. If a publisher generates a false string, the publisher is liable for the initial misrepresentation.

What does the string “1—” mean?

The string “1—” typically means “Version 1, Not Applicable.” It indicates that the user is not in a jurisdiction covered by the CCPA/CPRA (e.g., a user in New York or Texas, assuming no other state laws apply yet).

Vendors receiving this string generally treat the data as unrestricted, as no specific privacy signal has been asserted. It is a way of saying “We checked, and no rules apply here.”

Is the string case-sensitive?

According to the IAB specifications, the values (Y, N) are uppercase. The API functions and cookie names, however, can be sensitive depending on the implementation. The standard cookie name is `usprivacy`.

Developers should always stick to the official spec (uppercase Y/N) to avoid parsing errors. Sending a lowercase “y” might cause a strict validator to reject the string or default to “N”, leading to compliance failure.

Can we cache the string value?

You can cache the string for the duration of the user’s session, but it must be able to update if the user changes their mind. If a user opens the privacy settings and toggles “Opt-Out,” the cached value must be invalidated immediately.

Persisting the string across sessions (via a persistent cookie) is standard, but you must ensure that if the CMP logic or laws change, the value is re-evaluated upon the next visit.

What is the risk of having a “Notice” value of “N”?

An “N” in the second position means you did not give the user notice of their rights. Under CCPA, you cannot sell data collected without notice. Therefore, a string like “1NYN” is effectively a “Do Not Sell” command to any compliant vendor.

Buying data flagged with “Notice: No” is extremely risky for vendors. Most will block such requests automatically to protect themselves from “actual knowledge” of a violation.

Does the string work for mobile apps?

Yes, the framework applies to mobile apps. Instead of a cookie, the string is stored in `NSUserDefaults` (iOS) or `SharedPreferences` (Android) using the key `IABUSPrivacy_String`. The values and logic are identical.

Mobile SDKs (Software Development Kits) from ad networks look for this specific key in the local storage to determine if they can initialize targeted ads or must run in restricted mode.

Do we need the string if we don’t sell data?

If you truly do not sell or share data (no third-party analytics, no ad networks, no retargeting), you might not need to participate in the IAB framework. However, many “non-selling” activities (like using certain analytics tools) can be interpreted as “sharing” under CPRA.

Using the string with a value of “1YNN” (Opt-in) or “1YYY” (Opt-out) provides a standardized way to communicate your status to any partners you do have, reducing the friction of explaining your compliance posture manually.

References and next steps

  • Audit your CMP: Verify that the generated string matches the user’s actual selection in the UI.
  • Check the LSPA bit: Ensure the 4th character accurately reflects your participation in the IAB Limited Service Provider Agreement.
  • Monitor the Bid Stream: Use browser developer tools or ad inspector plugins to see if the `us_privacy` string is present in outgoing ad requests.
  • Plan for GPP: Start mapping your transition to the Global Privacy Platform string to cover new state laws (VA, CO, CT, UT).

Related Reading:

Normative and case-law basis

The U.S. Privacy String is a voluntary technical standard developed by the IAB Tech Lab to facilitate compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). While the law does not explicitly mandate this specific string, it mandates the mechanism it provides: a clear, distinct method for consumers to opt-out of the sale and sharing of their personal information.

Regulatory guidance from the California Attorney General emphasizes that user opt-out preferences must be respected across all downstream disclosures. The Sephora settlement (2022) reinforced that failure to process signals like the Global Privacy Control (GPC) constitutes a violation. The U.S. Privacy String is the industry-standard vehicle for transporting that GPC signal into the programmatic advertising environment.

For technical specifications, refer to the IAB Tech Lab. For legal definitions of “Sale” and “Sharing,” consult the California Office of the Attorney General.

Final considerations

The U.S. Privacy String is more than a technical artifact; it is the currency of trust in the modern ad exchange. As privacy laws proliferate across the United States, the reliance on standardized metadata to manage legal rights will only increase. Moving forward, the ability to generate, transmit, and respect these signals will determine which publishers can monetize effectively and which vendors remain viable partners.

Success in this area requires a “compliance by design” approach. It is not enough to have a privacy policy on a static page; your infrastructure must speak the language of compliance fluently. Regular audits of your signal transmission—verifying that a “No” from a user truly becomes a “Stop” for the vendor—are the only defense against the increasing automated enforcement by regulators.

Key point 1: The third character (“Y” or “N”) is the operational on/off switch for data sales.

Key point 2: GPC signals must override manual string settings to “Y” automatically.

Key point 3: Invalid strings (“1—” in CA) can cause vendors to block revenue to avoid liability.

  • Validate your `us_privacy` string using browser developer tools.
  • Ensure downstream partners are signatory to the LSPA if you use the “Y” flag.
  • Prepare for the migration to the GPP standard for multi-state compliance.

This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.

Deixe um comentário

O seu endereço de e-mail não será publicado. Campos obrigatórios são marcados com *