GPP String Decoder
Decode an IAB GPP consent string in your browser — header, gpp_sid, and every embedded section, expanded into readable fields. The string stays on your device.
The GPP String Decoder runs entirely in your browser. The consent string you paste — and everything it decodes to — stays on your device and is never sent to a CMP, ad server, or ArrayKit.
Open the TCF Consent String Decoder
About GPP String Decoder
The GPP String Decoder unpacks an IAB Global Privacy Platform consent string into something you can actually read. Paste the encoded value from a CMP, an OpenRTB bid request's regs.gpp field, or a stored cookie, and the tool decodes the header — the GPP version and the gpp_sid list — plus every embedded section, from TCF Europe v2 to US Privacy (uspv1) and US state signals such as usnat and usca. Each section is expanded into named fields like CmpId, purpose consents, sale opt-outs, and MSPA flags. It is built for ad-ops engineers, privacy teams, and QA who debug consent plumbing across programmatic supply. The whole decode runs on your device — the GPP string you paste is never sent to a CMP, ad server, or any endpoint.
Features
- Decodes the GPP header — the encoding version and the gpp_sid section id list
- Expands every embedded section: TCF Europe v2, TCF Canada, US Privacy (uspv1), usnat, usca and other US state sections
- Shows each section's fields by name — CmpId, purpose consents, opt-outs, and MSPA flags
- Readable and raw JSON views, with one-click copy for the whole decode or a single section
- Summarises boolean bit-vectors as the enabled indices so long TCF consent flags stay legible
- Handles multi-section strings and reports exactly where a malformed string fails to decode
- Loads a sample GPP string so you can see the decoded output shape instantly
- Runs entirely in your browser — the consent string never leaves your device
How to use the GPP String Decoder
- Copy a GPP string from your CMP, an OpenRTB regs.gpp field, or a stored __gpp value
- Paste it into the input box, or click Sample to load an example string
- Read the decoded header and each section's fields, or switch to the JSON view
- Copy the full decode or one section to attach to a bug report or ticket
Example
Input
DBABTC~1YNN
Output
header: { version: 1, gpp_sid: [6] }
uspv1: { Version: 1, Notice: "Y", OptOutSale: "N", LspaCovered: "N" }
A US Privacy (uspv1) string: notice given, no sale opt-out, not LSPA-covered.
Common errors & troubleshooting
- The decoder says the value 'does not look like a GPP string.' — GPP strings start with a base64url header segment (usually 'DB…'). A bare TCF string beginning with 'C' belongs in the TCF Consent String Decoder instead.
- 'The number of sections does not match the header' error. — You likely pasted only the header or dropped a '~' block. Copy the complete string — the header plus one '~'-separated section for every id in gpp_sid.
- A section shows fewer fields than you expected. — Optional TCF segments such as publisher restrictions or vendors-disclosed only appear when the string carries them; their absence is expected, not a decode failure.
- You only care about the US state signal, not TCF. — The gpp_sid list tells you which sections are present — read just the usnat or usca card and ignore the rest of the decode.
Frequently asked questions
- What is an IAB GPP string?
- The Global Privacy Platform (GPP) string is a single encoded value that packs multiple privacy signals — TCF Europe, US Privacy, and US state sections — behind one header. The header's gpp_sid list names which sections are inside.
- What is gpp_sid in a GPP string?
- gpp_sid is the array of section ids in the GPP header. Each id maps to a section — 2 is TCF EU v2, 6 is US Privacy, 7 is usnat, 8 is usca — telling a decoder which blocks follow the header.
- Which GPP sections can this decoder read?
- It decodes the header plus TCF Europe v2, TCF Canada v1, US Privacy (uspv1), the US national section (usnat), and the US state sections such as usca, usva, usco and the rest, expanding each into named fields.
- Can I paste a bare TCF or legacy US Privacy string here?
- This tool expects a full GPP string with a header. A standalone TCF string that starts with 'C', or a legacy US Privacy value, should go to the dedicated TCF or US Privacy decoders instead.
- Does decoding a GPP string tell me whether a vendor is allowed?
- No. The decoder shows what the string encodes — opt-outs, purpose consents, MSPA flags — but it does not judge whether a specific vendor may process data; that depends on your policy and each section's rules.
- Where do I find a GPP string to decode?
- Look in a CMP's stored value, the regs.gpp field of an OpenRTB bid request, the __gpp cookie or localStorage entry, or the gppString returned by the CMP API's getGPPData call.
Related tools
All ArrayKit tools