Home

Multi-State Privacy Agreement and Global Privacy Platform Update

Working Harder Won’t Solve Privacy Diligence. It’s Time to Work Smarter. 14

The IAB Tech Lab’s Global Privacy Platform (GPP) is a technical protocol designed to streamline the transmission of privacy and consumer choice signals across the digital advertising ecosystem (e.g., between publishers, advertisers, and adtech intermediaries) and help its participants adapt to regulatory demands across markets. The GPP currently supports the following privacy strings: the IAB Europe TCF, the IAB Canada TCF, U.S. state-specific privacy strings for California, Virginia, Utah, Colorado, and Connecticut (other states forthcoming), and a US National Privacy String that is specifically designed to support IAB Privacy, Inc.’s Multi-State Privacy Agreement (MSPA). The IAB Tech Lab looks to the IAB Legal Affairs Council to provide the legal inputs for U.S.-related strings, IAB Europe for the legal inputs to the TCF string, and to local market participants and local IAB’s for the legal inputs to those jurisdictions’ strings.

The US National Privacy String was specifically designed to support the MSPA. The Tech Lab’s github repository makes that purpose clear with the naming convention: “IAB Privacy’s [the IAB entity that holds the MSPA] US National Privacy Technical Specification.” The preface in github states:

This document outlines the technical specification for using the GPP specifications with the IAB Privacy Multi-State Privacy Agreement legal requirements. . . . The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach [a defined term in Section 1.81 of the MSPA] for their processing of a consumer’s personal data.

While we believe that this language is clear, we’ll provide even more qualifying language in the coming weeks to make it doubly clear – the US National Privacy String must only be used by MSPA signatories or MSPA-certified partners who have agreed to comply with the “National Approach” as defined in the MSPA.

For those who are not an MSPA signatory or certified partner, there are several reasons why they should not send or receive IAB Privacy’s MSPA US National String and use it for their own purposes. First, if publishers or advertisers send the US National String when they are not a signatory to the MSPA or a certified partner, they run the risk of making material misrepresentations that they are an MSPA signatory or certified partner and adhere to the MSPA’s National Approach as the means of reconciling the differences in the state privacy laws. Regulators such as the FTC and State Attorneys General have previously enforced misleading certification advertising claims. Second, if adtech providers induce or knowingly receive and open the US National Privacy String and are not a signatory to the MSPA or a certified partner, they run the risk of potentially assisting and facilitating false advertising for which there is joint and several liability. It also raises the risk of a tortious interference claim being brought by another MSPA signatory.

We certainly appreciate the desire for a single string to cover the U.S., but alas we do not have a federal privacy law that we can simply cite to in the string, as we do for the state-specific strings. Some have asked, “Why can’t we just list the relevant provisions of all the state laws in a US national string and not connect it to the MSPA?” The problem is that the string would be of little privacy value – no better than a general representation and warranty to comply with applicable provisions of all relevant state privacy laws. The outcome is the senders and recipients of the string would have different views and implementations around reconciling the different state privacy laws. So, receipt of the same signal would lead to different implementation outcomes.

Some have similarly asked, “What if I have privacy terms in my contracts with my partners, could I use the US National Privacy String then?” The problem is that there are potential variations in terms across partnership agreements, resulting in the same outcome of differing views and implementations. Our industry can do better than that to protect consumer privacy and we doubt that regulators would ever accept such an approach.

That is why we created the MSPA, and the corresponding U.S. National Privacy String, in the first place – to serve as a central and transparent set of privacy terms for the industry to point to that brings a consistent set of privacy outcomes and generally aligns with the highest common denominator across the privacy laws.

It is more imperative than ever for our industry to be compliant to the letter of the law. If you’re an MSPA signatory or certified partner, go ahead and send either IAB Privacy’s US National Privacy String or a state-specific string; the MSPA accommodates both approaches. But if you’re not an MSPA signatory, you should only send or receive state-specific strings with your partners.

Authors

Author
Michael Hahn
Executive Vice President, General Counsel
at IAB & IAB Tech Lab

Author
Rowena Lam
Senior Director, Privacy & Data
at IAB Tech Lab