# Multi-State Privacy Agreement (MSPA)

**Overview of the IAB Multi-State Privacy Agreement (MSPA)**

The IAB Multi-State Privacy Agreement (MSPA) helps advertisers, publishers, agencies, and ad tech intermediaries comply with privacy laws in California, Virginia, Colorado, Connecticut, and Utah, effective from 2023. The MSPA establishes privacy-protective terms among signatories, ensuring compliance as data flows through the digital ad ecosystem.

As an MSPA Signatory, you must configure the **mode**, **approach options**, and the **US National String**.

**Service Provider Mode vs. Opt-Out Option Mode**

#### Service Provider Mode

In Service Provider Mode, you must meet the following (non-exhaustive) requirements:

#### California (CPRA)

* **Choice Mechanisms**: Display opt-out options for "Share" and/or "Sale" on the homepage, data collection pages, app settings, and in the privacy policy.
* **Global Opt-Out**: Honor global opt-out requests and disclose this compliance in the privacy policy.
* **Consent for Other Purposes**: Obtain user consent before using personal data for unrelated purposes, as required by CPRA guidelines.

#### Other States

* **Choice Mechanisms**: Provide opt-out options for "Targeted Advertising" and/or "Sale" on key pages and in the privacy policy.
* **Global Opt-Out**: Comply with global opt-out requirements starting July 1, 2024 (Colorado), and January 1, 2025 (Connecticut). Update the privacy policy accordingly.

#### US National Consumers

* **Choice Mechanisms**: Offer opt-out options consistent with state laws as outlined above.

For the complete list of requirements, see the [IAB Multi-State Privacy Agreement (MSPA)](https://www.iabprivacy.com/#).

#### Opt-Out Option Mode

In Opt-Out Option Mode, you must meet the following (non-exhaustive) requirements:

#### California (CPRA)

* **Consumer Notice**: Provide notice per California Civil Code § 1798.100(a), detailing the types of personal information collected.
* **Additional Notice Obligations**: Fulfill all notice requirements, ensuring compliance with scope and delivery. Limit data collection to the scope described in the notice.

#### Other States

* **Consumer Notice**: Ensure compliance with state-specific privacy laws, such as those in Colorado, Virginia, and Utah.

#### US National Consumers

* **National Approach**: Provide notices that meet the requirements of each state’s privacy laws, treating U.S. national consumers as residents of applicable states.

When Opt-Out Option Mode is enabled, additional fields in the GPP String become relevant based on purpose mappings (e.g., `SaleOptOut`). If a notice is displayed, fields like `SaleOptOutNotice` are set to `1` (Yes, notice provided) in the GPP string; if no notice is displayed, they are set to `2` (No, notice not provided).

**State vs. US National Approach**

As an MSPA Signatory, you can choose between a **State Approach** or a **US National Approach**:

* **State Approach**: Uses state-specific strings when available and supported by GPP; defaults to the US National String otherwise.
* **US National Approach**: Uses the US National String across all U.S. states.

When using the State Approach, newly supported states will include the US National String by default after the next notice deployment.

#### Configuring the String

To define a per-state approach:

1. Go to **Didomi Console → Consent Notices**.
2. Open your consent notice.
3. Navigate to the **Integrations** section under the **Customization** tab.
4. Select the **Advertising** tab.
5. Click **Configure String**.
6. Select the state to configure.
7. Choose the approach:
   * **Generate national string across the United States**: Creates a US National String for this state.
   * **Generate national string only if the state string is not supported**: Generates a state-specific string for this state.

{% hint style="info" %}
Define the string per state, especially if external systems rely on integrations.<br>
{% endhint %}

<figure><img src="https://support.didomi.io/hs-fs/hubfs/string-approach-gpp.gif?width=600&#x26;height=338&#x26;name=string-approach-gpp.gif" alt=""><figcaption></figcaption></figure>

**US National String**

The US National String provides a unified string across the United States.

#### US National String Fields

#### Based on User Status

* **SharingNotice**
* **SaleOptOutNotice**
* **SharingOptOutNotice**
* **TargetedAdvertisingOptOutNotice**
* **SensitiveDataProcessingOptOutNotice**
* **SensitiveDataLimitUseNotice**
* **SaleOptOut**
* **SharingOptOut**
* **TargetedAdvertisingOptOut**
* **SensitiveDataProcessing** (1–12): Covers racial/ethnic origin, religious/philosophical beliefs, health, sexual orientation, citizenship, genetic data, biometric data, precise geolocation, social security numbers, financial account credentials, union membership, and specific communications data.
* **KnownChildSensitiveDataConsents**
* **PersonalDataConsents**

#### Other Fields

* **Version**: Indicates string encoding version (managed by Didomi).

For step-by-step guidance, see [Configure GPP fields based on user consent](/consent-management-platform-cmp/frameworks-regulations/iab-global-privacy-protocol-gpp/configure-iab-gpp-fields-based-on-user-consent.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.didomi.io/consent-management-platform-cmp/frameworks-regulations/iab-global-privacy-protocol-gpp/multi-state-privacy-agreement-mspa.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.