What is IAB’s New Multi-State Privacy Agreement?
Published: January 17, 2023
In the coming months, companies in the US will have to adapt to five new state-level privacy laws. These include CCPA, the California Privacy Rights Act (CPRA, already in effect as of January 2023), and the others going into effect in 2023: the Colorado Privacy Act (CoPA), the Connecticut Data Privacy Act (CDPA), the Utah Consumer Privacy Act (UCPA), and Virginia’s Consumer Data Protection Act (VCDPA).
Thankfully, the Interactive Advertising Bureau has devised a privacy compliance framework called the Multi-State Privacy Agreement (MSPA). The MSPA, in association with the Global Privacy Platform (GPP), has instituted a process that triggers contracts between companies collecting customers’ personal data and the companies that access the data across the programmatic AdTech supply chain.
Moving forward, these contracts that enable the sale and sharing of customers’ private information will be made mandatory by regional privacy laws.
"There are disclosures of personal information that happen in the digital advertising supply chain where there are presently no contracts that exist at all, but there need to be contracts going forward. The patchwork of state regulations creates an increasingly complicated compliance landscape for the digital advertising industry. We believe the MSPA – the product of collaboration from stakeholders across the industry – is a crucial tool to solve this challenge."
Michael Hahn, EVP and General Counsel, IAB
In essence, the MSPA is an industry-wide contractual framework intended to aid companies, advertisers, publishers, and ad tech intermediaries in complying with five state privacy laws that will become effective in 2023. The MSPA is not a "model contract" or a template agreement. It is a set of privacy-protective terms that spring into place among a network of signatories and that follow the data as it flows through the digital ad supply chain.
Any business that makes personal information such as a cookie ID, device ID or IP address available to a partner may come under the purview of the law and require a contract that guides the sale or sharing of data. Activities such as cross-context behavioral advertising, ad measurement, frequency capping, pixel tracking, using an AdTech vendor for targeting/re-targeting, site analytics and conversion event tracking all involve a transfer of customers’ personal data. All of these activities will now require contractual privity that passes customers' consent signals on to all stakeholders in the ad ecosystem.
How will the MSPA help streamline privacy concerns?
The great thing about this framework is that it serves as a custodian of all privacy legislation that is soon going into effect in different regions of the US. It will assist companies in handling the ever-so-complex global privacy compliance landscape and managing the different consent signals across multiple jurisdictions.
Though it does not contain any commercial terms, it provides a baseline set of privacy terms. It can help advertisers cover all of their digital ad transactions under a contractual relationship. In particular, when ad transactions include the sale or sharing of customers’ personal data, the CPRA requires contractual agreements and upfront disclosures to obtain customers’ consent. Customers have the right to opt out of cross-contextual behavioral ad targeting, and if they do, their choices need to be honored and carried forward down the line.
The MSPA provides a standardized way to comply with different regional laws simultaneously and pass on the customer's consent signal from the advertiser to the ad publishing network. This is done using the Global Privacy Platform (GPP) protocol, which transfers opt-in choice signals from sites and apps to ad tech providers. Soon, the GPP will support adding privacy strings for the California, Virginia, Utah, Colorado, and Connecticut laws to share customer consent signals up and down the ad chain.
Only time will tell if the MSPA will prove beneficial for the ad ecosystem in the US. All we know is that this is a first-of-its-kind privacy agreement that seeks to unify all the new state privacy laws under one umbrella to seemingly simplify things.