Tech Lab’s US State Privacy Signals Introduced as Part of the Global Privacy Platform to Support State-Level Consent Signaling

New York – October 13, 2022 – As part of a continued effort to ensure that digital advertising participants keep consumer privacy at the forefront and comply with regulations, IAB and IAB Tech Lab have come together to update their privacy protocols and industry-level agreements to support marketers, agencies, publishers, and ad tech companies.

IAB Privacy’s Multi-State Privacy Agreement (MSPA) provides an updated contractual framework to ensure privacy compliance across five new state privacy laws. It works in conjunction with IAB Tech Lab’s US State Signals initiative, which was released today as part of the Global Privacy Platform (GPP). The MSPA and US State Signals specifications are available for public comment until October 27.

The MSPA is an evolution of the Limited Service Provider Agreement (LSPA) put in place in 2020 to ensure compliance with the California Consumer Privacy Act (CCPA). The updated MSPA helps ensure compliance with CCPA, the California Privacy Rights Act (CPRA, which goes into effect January 2023) and supports privacy legislation going into effect in 2023, including the Colorado Privacy Act (CoPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA), and Virginia’s Consumer Data Protection Act (VCDPA).

This MSPA agreement, in combination with IAB Tech Lab’s Global Privacy Platform (GPP), including its state level signaling, will help member companies address the increasingly complex challenges of global privacy and manage the different consent signals from multiple jurisdictions.

The MSPA includes provisions covering:

• “Gap transactions,” such that it applies contractual terms for those “sales” of personal information where there is ordinarily no contract in place in the digital advertising distribution chain
• Measurement and frequency capping, including when undertaking such activities using service providers
• Contextual advertising and advertising on a publisher’s first party segments
• A “national” approach option to state privacy compliance that is set at the highest common denominator across the new state with privacy laws
• Use of the IAB Tech Lab’s technical specification for US State Signals in the GPP

“The patchwork of state regulations creates an increasingly complicated compliance landscape for the digital advertising industry,” said Michael Hahn, EVP, General Counsel, IAB and IAB Tech Lab. “The IAB Legal Affairs Council has been focused on meeting this challenge for the past year, and we believe the MSPA – the product of collaboration from stakeholders across the industry – is a crucial tool to solve this challenge.”

Hahn further explains that “We have found a way to solve for key advertising use cases that put consumers first, hews closely to the letter of the law, and, like the IAB Limited Service Provider Agreement, will be leveraged by small and large participants alike to meet their obligations.”

IAB’s MSPA and IAB Tech Lab’s US State Signals initiatives help the digital advertising industry to comply with varying privacy regulations across the U.S. The announcements of these initiatives follow the IAB Tech Lab’s recent launch of the GPP, which is a protocol designed to enable companies to manage user consent signals and privacy to be managed at a global scale.

“IAB Tech Lab’s Global Privacy Platform provides the technology toolkit the industry needs so publishers and advertisers can work with their vendors to manage privacy and consent management compliance on a global scale. The GPP also helps to mitigate risk by increasing consumer transparency and control signals that publishers and advertisers receive,” said Anthony Katsur, CEO, IAB Tech Lab. “We believe adopting both the Multi-State Privacy Agreement and the Global Privacy Platform will be a huge step forward for the industry. Privacy matters and so does compliance. We need to get both right.”

To review the proposed standards and provide feedback, please go to www.iabprivacy.com/mspa.html for the MSPA and send your comments to info@iabprivacy.com; and go to iabtechlab.com/us-state-signals for comments on the US State Signals.

About IAB

The Interactive Advertising Bureau empowers the media and marketing industries to thrive in the digital economy. Its membership comprises more than 700 leading media companies, brands, agencies, and the technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members and promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

About IAB Technology Laboratory

Established in 2014, the IAB Technology Laboratory (Tech Lab) is a non-profit consortium that engages a member community globally to develop foundational technology and standards that enable growth and trust in the digital media ecosystem. Comprised of digital publishers, ad technology firms, agencies, marketers, and other member companies, IAB Tech Lab focuses on solutions for brand safety and ad fraud; identity, data, and consumer privacy; ad experiences and measurement; and programmatic effectiveness. Its work includes the OpenRTB real-time bidding protocol, ads.txt anti-fraud specification, Open Measurement SDK for viewability and verification, VAST video specification, and Project Rearc initiative for privacy-centric addressability. Board members/companies are listed at https://iabtechlab.com/about-the-iab-tech-lab/tech-lab-leadership/. For more information, please visit https://iabtechlab.com.

IAB and IAB Tech Lab Media Contacts
Brittany Tibaldi / Michael Vaughan
347-487-6794 / 813-210-1706
btibaldi@kcsa.com / mvaughan@kcsa.com

The post IAB and IAB Tech Lab Come Together to Help Companies Comply With New Privacy Laws and Place Consumer Privacy at the Forefront appeared first on IAB.

NEW YORK — November 16, 2021 – In 2023, the California Consumer Privacy Rights Act (CPRA) will go into effect. To help companies serving the Connected TV (CTV) and over-the-top (OTT) digital advertising supply chain prepare to comply with the legislation, today IAB’s Project CCPA Crosswalk Working Group released “Project Crosswalk: Addressing CCPA Compliance within the CTV/OTT Marketplace.”

The white paper examines stakeholders within the CTV/OTT marketplace, how participants disclose and process personal information, how they view themselves when applying the California Consumer Privacy Act (CCPA) definitions and corresponding compliance obligations, whether and what friction points exist when addressing CCPA compliance, and potential solutions deserving further exploration. The report will be used as a basis to develop recommendations for how CPRA opt-outs might work under the new law.

“The CTV landscape is incredibly fragmented with different CTV providers using different identifiers and definitions of who is a business, service provider, and third party,” said Michael Hahn, SVP & General Counsel, IAB and IAB Tech Lab. “This report provides an overview of the landscape. From here, we are starting to scope out solutions to ensure that CTV and OTT companies are compliant when CPRA becomes law.”

The report found that:

• Approximately 75% of survey respondents state that they “sell” personal information within the CTV/OTT ecosystem, there is a lack of consensus on who should provide the “Do Not Sell My Personal Information” link, and where and how to offer such an option. This is the biggest stand-out challenge when operationalizing CCPA compliance in the CTV/OTT environment.
• CTV/OTT targeting often happens at the household level via IP address but can also include other proprietary user IDs. Publishers and advertisers will use this data, often in combination with viewing data, to segment and then target users on their devices.
• Most platforms, device providers, advertisers, and content providers view themselves as a “business” under the CCPA. However, the ad tech intermediaries, such as Demand-Side Platforms (DSPs), Supply-Side Platforms (SSPs), and ad servers, were evenly divided in describing their roles as a “business, “service provider,” or “third-party.” Measurement companies mainly take the position that they are a “service provider” under the CCPA.

The Project CCPA Crosswalk Working Group was created by the IAB Legal Affairs Council and focuses on:

• Identifying current CCPA practices in the CTV/OTT marketplace
• Identifying data flows that are relevant to CCPA analysis
• Developing a common framework for addressing CCPA classifications
• Determining next steps in order to prepare scalable CPRA/CCPA compliance solutions to address data sales and service provider disclosures

Today, IAB’s CCPA Consent Framework and Limited Service Provider Agreement have been widely adopted and leveraged by hundreds of companies to comply with the CCPA. The IAB Legal Affairs working group is working to develop a recommendation for CPRA.

The “Project Crosswalk: Addressing CCPA Compliance within the CTV/OTT Marketplace” Report, which is sponsored by OneTrust, can be downloaded here.

About IAB

The Interactive Advertising Bureau empowers the media and marketing industries to thrive in the digital economy. Its membership comprises more than 650 leading media companies, brands, and the technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members and promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

IAB Media Contacts
Kate Tumino / Brittany Tibaldi
212-896-1252 / 347-487-6794
ktumino@kcsa.com/ btibaldi@kcsa.com

The post IAB Unveils Assessment of State of Compliance for CTV and OTT to Prepare for Looming CPRA Regulation appeared first on IAB.

Today, IAB is releasing a white paper that explores key topics that will determine if GPCs succeed in reflecting consumer preferences in an efficient manner that balances business, consumer, and regulator interests.  Our white paper reviews the legal basis for GPCs in California law, discusses operational considerations for GPCs related to identity verification, consent, and preference management, and explores the built-in safeguards included in the CPRA to protect both consumers’ interests and competition in the design and implementation of GPCs. We also discuss pertinent considerations for design of technical standards to implement GPCs consistent with IAB Tech Lab’s work on the opt out of sale preference signal.

Our white paper comes at a significant time of transition in California privacy law. In 2019, the California Attorney General issued rules under the CCPA requiring that companies comply with GPC signals. Recently, the California AG has signaled its intent to continue actively enforcing these rules. However, the CPRA takes a markedly different approach to GPCs, focusing on competition, fairness, and choice in adoption of GPCs, and providing the new California Privacy Protection Agency (CPPA) broad rulemaking authority to set fair rules of the road for implementation of GPCs. IAB’s white paper informs the discussion during this period of transition between these differing approaches to GPCs.

Successful implementation of GPCs will require a thoughtful approach to the upcoming rulemaking process with feedback from industry, regulators, and consumers. IAB is committed to convening and facilitating discussions on GPCs as this issue becomes increasingly important to provide a common technical solution for complying with new privacy laws enacted at the state level.

Download the Global Privacy Controls White Paper

The post Global Privacy Controls (GPCs): New White Paper Explores CPRA Rulemaking Considerations appeared first on IAB.

What is IAB doing? IAB first engaged on this issue at the beginning of the year, when former AG Xavier Becerra simply tweeted approval for a GPC, a confusing move well outside any formal policy channels. With AG Bonta unfortunately continuing this trend and creating further confusion among users and within the digital ecosystem, IAB sent a letter to him noting our support for consumer choice in uses of data but asking him to withdraw the FAQs and defer to the new California privacy agency being set up explicitly to effectuate these new privacy laws. With the idea of GPCs becoming more prominent in state laws (eg in Colorado’s new law and in Florida’s nearly-passed state law), we will continue to engage in these regulatory processes and, in collaboration with Tech Lab, guide policymakers toward sensible, responsible frameworks.

View Full Letter to California AG

Download

The post IAB Asks California Attorney General to Retract Unauthorized Privacy Mandate appeared first on IAB.

We seek to demystify this classification conundrum by explaining that your organization is a “third party” whenever it receives personal information from another organization (unless your organization is receiving it in a “service provider” or similar capacity, as discussed in this article).

Read the Full Article on IAPP.org

The post CCPA, CPRA’s Hidden ‘Third Party Business’ Classification appeared first on IAB.

• The Advertising Industry is Playing an Important Role in the Fight Against COVID-19
  Advertising supports dissemination of vital news and public health information as well as servicing millions who are reliant upon low cost and free services to maintain communications with family, friends, and day-to-day business operations. Never before in history has the open flow of data been more critical.
• Data Can Facilitate Powerful Responses to Contain the Virus
  Data can help government agencies, hospitals, and other critical organizations better manage the dramatic increase in demand that they are currently experiencing. For example, businesses are making available artificial intelligence and natural language processing services to assist workers in fielding the large volume of calls, emails, and inquiries that they are receiving and efficiently prioritize the most urgent requests and information. And social media websites that have an understanding of social connections across different geographies can find aggregate trends to help researchers gain better insights about when and where the coronavirus might spread more quickly.
• IAB Members Have Long Supported Strong Consumer Privacy Protections
  The IAB and its members have been at the forefront of promoting responsible data practices, and consumer trust is vital to our member companies’ ability to operate successfully in the marketplace. The success of a business is premised on having personalized relationships with millions of consumers at scale, and that is best achieved only when companies responsibly use the information gathered from consumers.
  • This commitment to consumer trust, and recognition that data is essential for business success, is best exemplified through IAB’s integral role in the creation of the self-regulatory systems administrated by the DAA. The DAA is an industry body convened more than a decade ago to create a self-regulatory code for all companies that collect or use data for interest-based advertising online, based on practices recommended by the FTC in its 2009 report on online behavioral advertising.
• The Existing U.S. Privacy Framework Should Be Updated
  While self-regulation has been a useful mechanism to encourage responsible data use, federal leadership is now needed to ensure that robust consumer privacy protections apply consistently throughout the country. The time is right for the creation of a new paradigm for data privacy in the United States.
  • To this end, IAB is a key supporter of Privacy for America, a broad industry coalition of top trade organizations and companies representing a wide cross-section of the American economy that advocates for federal omnibus privacy legislation. Privacy for America has released a detailed policy framework to provide members of Congress with a new option to consider as they develop data privacy legislation for the United States.

Download Testimony

See Hearing Details

Additional Answers to Congress Questions

The post IAB Testifies Before Senate Commerce Committee Examining Big Data and COVID-19 appeared first on IAB.

Download Full Comments

More About CCPA

The post IAB Weighs in on CCPA Regulations appeared first on IAB.

• Updated guidance on the definition of “personal information” to encourage privacy by design.
• Flexibility around obligations for businesses to comply with browser settings and similar mechanisms.
• Clarity on the notice obligations for data brokers.

Download Full Comments

CCPA Compliance Framework 

More About CCPA

The post IAB Proposes Changes to CCPA Regulations appeared first on IAB.

• A request for additional clarity on the concept of “household” and a request for instructions on how businesses can reasonably comply with household data requests.
• A request that the AG remove the requirement for businesses to honor browser plugins or settings.
• A request that the AG update the proposed service provider limitations to conform with the permissible business purposes enumerated in the text of the CCPA.
• A request that the AG remove the requirement to treat deletion requests as requests to opt-out of the sale of personal information if a requestor’s identity cannot be verified.
• A request that businesses may rely on signed attestations that a consumer was given notice of personal information sale and an opportunity to opt-out only, and need not obtain samples of the notices that were provided to consumers, retain them, or make them available to consumers upon request.

Download Full Comments

CCPA Compliance Framework 

More About CCPA

The post IAB Submits Comments to the California Attorney General on the Proposed CCPA Regulations appeared first on IAB.

NEW YORK, NY (October 22, 2019) – IAB, the trade association for the digital media and marketing industries, and its affiliated standard-setting organization, the IAB Technology Laboratory, today released for public comment the IAB California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies to help digital publishers and their supply chain partners comply with California’s data privacy legislation.

IAB and the IAB Tech Lab are asking publishers, technology intermediaries, ad agencies, brands, data companies, and all other participants in the digital advertising supply chain to provide input on the draft framework by November 5, 2019, after which the trade bodies intend to release a final version for companies to adopt before the California law takes effect on January 1, 2020.

The CCPA Compliance Framework was developed by the IAB Privacy and Compliance Unit, which over four months brought together more than 350 legal, public policy, and technical experts from publishers, agencies, brands, platforms, advertising technology companies, and law firms to craft a compliance mechanism that will advance consumers’ privacy rights under the new California law, while enabling the tens of thousands of web publishers and intermediaries that comprise the open internet to continue to provide free advertising-supported content and services in the state.

CCPA was passed in June 2018 without public hearings. Its aim is to provide California consumers with greater transparency and control over how their personal information is collected, used, and sold. Earlier this month, California Attorney General Xavier Becerra released draft regulations to enable the legislation. Because of the law’s complexity and lack of clarity, IAB member companies and other stakeholders asked the trade bureau and the Tech Lab to collaborate on a standardized solution that would help them comply with the law’s provisions, even as those specifications continue to be revised.

Because California is the largest state, its regulations are often seen as a surrogate for Federal regulation, and as a model for other states to follow.

The proposed IAB CCPA Compliance Framework establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies. It focuses on:

1. How publishers communicate information about California residents’ rights, including the ability to opt-out of the “sale” of their personal information
2. How to communicate to partners across the open internet supply chain that a California resident has opted out of the sale of his or her personal information
3. How partner companies must operate after a consumer has opted out of the sale of their personal information

The IAB CCPA Compliance Framework consists of two components: a master contract that binds supply chain partners to specific behaviors that meet the law’s provisions; and a set of technical specifications that guide companies on how to implement the contract mechanically in their operations. The “Industry Limited Service Provider Contract” defines what a publisher and its partners must do when a consumer clicks “Do Not Sell My Personal Information” on a website or app. The use of this new contract will enhance consumer protection by reducing hundreds of separate contracts to only one that imposes meaningful guardrails concerning the use of data. IAB will provide the legal agreement to companies across the advertising landscape later this quarter.

“The IAB CCPA Compliance Framework is designed to help publishers protect consumers’ privacy, while fueling the free internet,” said Michael Hahn, Senior Vice President and General Counsel, IAB and IAB Tech Lab, who led the IAB Privacy and Compliance Unit working groups that designed the framework. “Hundreds of thousands of companies support their businesses with advertising on the internet, because it enables them to effectively reach new and existing customers at scale. Publishers bear the brunt of responsibility for compliance because of their direct relationship with consumers.”

“IAB has been a strong advocate for increasing consumer trust and transparency, and this framework is another example of that commitment,” said Dave Grimaldi, Executive Vice President, Public Policy, IAB. “What IAB is creating will help companies, both large and small, comply with the CCPA legislation in a manner that allows them to continue to innovate and offer the products and services that consumers love.”

“CCPA will become a reality in the new year and this framework will deliver a real solution for the industry and for consumers,” said Dennis Buchheim, Executive Vice President and General Manager, IAB Tech Lab, which has been designing the technical specifications for implementing the framework in companies’ operations. “Tech Lab is at the center of developing standards and technologies that improve the digital marketing supply chain and promote the responsible use of data. The partnership with IAB on the CCPA solution has been similar to our work with IAB Europe and respective member companies on the Transparency and Consent Framework for GDPR, and we’re committed to evolving privacy solutions in the U.S. and globally.”

This framework provides an initial solution for publishers and other parties to comply with CCPA in a timely manner, given the January 1st deadline. CCPA regulations are still being finalized by the California Attorney General. As rules evolve, IAB and IAB Tech Lab will work with stakeholders across the industry to adjust the framework and continue to iterate the approach as needed to meet any revised requirements, ensuring that there are comprehensive solutions for CCPA and other forthcoming privacy laws. Once the final version 1.0 of the IAB CCPA Compliance Framework for Publishers and Technology Companies is released, the trade groups will provide educational support to encourage rapid marketplace adoption.

IAB and the IAB Tech Lab have been developing industry standards and best practices since the organizations’ founding in 1996. Among the industry standards now embedded in the operations of the open internet ecosystem are the VAST standards for digital video advertising distribution, the ads.txt standard helping internet publishers and advertisers identify and eliminate fraudulent inventory, the IAB Europe GDPR Transparency and Consent Framework, the OpenRTB protocols for managing programmatic advertising transactions, and more solutions to enable brand safety, consumer privacy, and transparency.

To review the proposed framework and provide feedback, please go to iab.com/CCPA. The final framework will be released next month to prepare the ecosystem before CCPA goes into effect.

About IAB
The Interactive Advertising Bureau (IAB) empowers the media and marketing industries to thrive in the digital economy. Its membership is comprised of more than 650 leading media companies, brands, and the technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members and promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

About IAB Technology Laboratory
Established in 2014, the IAB Technology Laboratory (Tech Lab) is a non-profit consortium that engages a member community globally to develop foundational technology and standards that enable growth and trust in the digital media ecosystem. Comprised of digital publishers, ad technology firms, agencies, marketers, and other member companies, IAB Tech Lab focuses on solutions for brand safety and ad fraud; identity, data, and consumer privacy; ad experiences and measurement; and programmatic effectiveness. Its work includes the OpenRTB real-time bidding protocol, ads.txt anti-fraud specification, Open Measurement SDK for viewability and verification, VAST video specification, and DigiTrust identity service. Board members/companies are listed at https://iabtechlab.com/about-the-iab-tech-lab/tech-lab-leadership/. For more information, please visit https://iabtechlab.com.

IAB & IAB Tech Lab Media Contact
Laura Goldberg
347.683.1859
laura.goldberg@iab.com

The post IAB & IAB Tech Lab Release CCPA Compliance Framework for Public Comment appeared first on IAB.