One year has passed since India enacted its comprehensive privacy law, the Digital Personal Data Protection Act (DPDPA), with additional regulations expected in the next few months. To address the changes in India’s regulatory landscape, IAB convened a multidisciplinary group of experts from across India’s legal and digital advertising ecosystem to assess the DPDPA and its potential impact on the industry.
CJPP COMPENDIUM
Taking a step back, the Cross-Jurisdiction Privacy Project (“CJPP”) was initially organized as a comparative law working group. CJPP consisted of two phases:
- The first phase encompassed the convening of the CJPP working group and drafting of the CJPP Compendium in August 2020 to explore how the privacy laws of Australia, Brazil, Canada, China, India, Israel, Japan, Mexico, Nigeria, Singapore, and South Korea apply to the digital advertising industry.
- The second phase involved compiling a set of CJPP Legal Specifications, representing those elements of the applicable privacy laws that digital advertising counterparties need to communicate to one another to demonstrate their compliance with such laws. These legal specifications are instrumental to creating the technical specifications for the Global Privacy Platform (“GPP”).
The previous compendium chapter on India covered the 2000 Information Technology Act (“IT Act”) and 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information). The IT Act and the Privacy Rules governed two categories of data: (i) personal information; and (ii) sensitive personal data or information, however the DPDPA brings India closer to the APAC privacy paradigm (although significant differences exist between the two) and as such, requires careful attention.
While the DPDPA more closely resembles other APAC regulatory regimes, the amended compendium chapter does some useful benchmarking between the DPDPA and GDPR, particularly as it relates to definitions. For example, the DPDPA conspicuously avoids defining the term “collect” or “joint controller,” but does refer to “Data Fiduciaries” in a similar vein to the GDPR’s definition of controller, i.e., as any person who determines the purpose and means of processing personal data. So, what happens when a publisher allows a social media pixel on its web properties? The amended compendium chapter goes into use cases like this under the DPDPA.
LEGAL SPECIFICATIONS
The IAB Tech Lab’s Global Privacy Platform (“GPP”) is a set of technical specifications that facilitate the communication of user preferences throughout the ad supply chain. It outlines methods for encoding, decoding, and locating signals that represent consumers choices. Moreover, the GPP was designed to provide a common technical framework to communicate consumer choice while allowing for the flexibility to accommodate specific regulatory requirements of different markets. This adaptability positions the GPP as a suitable signaling option to comply with India’s DPDPA.
The GPP technical specifications can make use of the Legal Specifications that represent those elements of the applicable privacy laws that digital advertising counterparties must communicate to one another to demonstrate their compliance with such laws through a privacy string. The CJPP Legal Specs serve as the input for the GPP Technical Specifications. Legal teams that are reexamining their compliance programs in light of the DPDPA’s enactment will be able to leverage the anticipated GPP-India specification when entering into contracts. In particular, industry participants can request that their partners send consent and opt-out signals based on the forthcoming technical specifications.
Together, the Legal Specifications and amended compendium chapter should serve as resources for the industry to leverage when examining their privacy compliance programs. Please reach out to [email protected] or [email protected] with questions about the chapter, working group, or legal specs.
