The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates their industry level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27.

The IAB Privacy’s Multi-State Privacy Agreement (MSPA) is intended to update the Limited Service Provider Agreement (LSPA), currently used to ensure compliance with the California Consumer Privacy Act (CCPA). The MSPA is intended to marketers, agencies, publishers, and ad tech companies ensure compliance with the CCPA (as amended by the California Privacy Rights Act (CPRA)), as well as the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA) and Virginia’s Consumer Data Protection Act (VCDPA), when engaging in digital advertising practices that are subject to opt-out under these laws because they involve the disclosure of digital media viewers’ personal information in order to facilitate the serving of digital ads specific to a consumer viewing connected TV, mobile or website content. Key to the approach is to create service provider relationships amongst various ad ecosystem parties and to provide a means of indicating when a viewer’s data may only be used for limited data processing and in a non-targeted manner.

According to the IAB, the MSPA includes provisions covering:

  • “Gap transactions,” such that it applies contractual terms for those “sales” of personal information where there is ordinarily no contract in place in the digital advertising distribution chain;
  • Measurement and frequency capping, including when undertaking such activities using service providers;
  • Contextual advertising and advertising on a publisher’s first party segments;
  • A “national” approach option to state privacy compliance that is set at the highest common denominator across the new state with privacy laws, as well as a state-by-state approach; and
  • Use of the IAB Tech Lab’s technical specification for US State Signals.

Current LSPA participants will automatically become MSPA participants unless they withdraw. The MSPA builds upon the LSPA to address additional consumer rights and opt-outs under new state privacy laws. One feature of the MSPA is to create a joint service provider relationship for participating measurement and frequency capping vendors with participating advertisers and publishers in an effort to avoid a “sale” of personal data when exchanged for contextual advertising measurement and frequency capping purposes.

The MSPA works in conjunction with the IAB Tech Lab’s US State Signals program, which will manage privacy signals from consumers in California, Colorado, Connecticut, Utah and Virginia. The US State Signals program is proposed to replace the US Privacy Framework, which to date has managed consent signals from California to comply with the CCPA.

Comments on the draft MSPA and US State Signals program are due October 27. For more information reach out to the authors or your relationship partner at the firm.