The privacy legal landscape for third-party risk management is evolving fast. The digital advertising industry is pivoting to meet the challenge with the launch of the IAB Diligence Platform – a data privacy platform containing standardized privacy diligence questions designed for digital advertising participants. The IAB Diligence Platform was designed not only to meet changes in privacy laws around partner diligence but also to improve deal efficiency by leveraging a standard industry vendor compliance hub.
Since we uploaded IAB’s diligence questions to the platform this summer, we have been pleased with its traction in the marketplace. We’re particularly excited to have our first major holding company join the platform, which has just commenced the privacy diligence of its partners.
Many industry participants have already received, or may soon receive, requests from partners who have signed onto the IAB Diligence Platform to complete the industry-standardized privacy diligence questionnaires. The platform is designed to create a network effect: once you complete the questionnaire for one partner, you can share it with other partners through the platform, saving time and money and improving deal speed in the process. To encourage that network effect, IAB established parameters for the platform such that when a partner that is an IAB member receives a diligence request from an existing platform subscriber, that partner must also subscribe to the platform. The platform’s subscription fees are tied to the company’s size, as reported to IAB for the purpose of calculating membership dues.
How the IAB Diligence Platform Works
The platform, which SafeGuard Privacy powers, contains a baseline questionnaire, standardized U.S. State law assessments, and seven industry-specific modules designed to cover common digital advertising use cases and data flows. The baseline module includes 27 questions that cover the categories of personal information collected, practices concerning the retention of personal information, and the adequacy of privacy notices. The industry-specific modules include:
- 65 Publisher to supply-side platform (SSP) questions: e.g., processing and propagating Global Privacy Platform (GPP) strings;
- 43 SSP to demand-side platform (DSP) questions: e.g., use of PI when the DSP’s customer does not win the bid;
- 69 Advertiser/Agency to DSP questions: e.g., whether the DSP ingests CRM data into the DSP’s identity graph;
- 58 Advertiser/Agency to Publisher questions (direct deal): e.g., whether PI disclosed by an Advertiser is combined with other attributes upon receipt; and
- 46 Data Broker questions: e.g., steps undertaken to validate that consumers whose PI is being purchased were provided with the required consumer rights.
The platform also includes an IAB Multi-State Privacy Agreement (MSPA) module for MSPA signatories and a module to address compliance with the Protecting Americans’ Data from Foreign Adversaries Act.
These questions were drafted by a large number of industry lawyers from across the digital ad distribution chain, as well as by leading law firms, through the IAB Privacy Implementation & Accountability Taskforce (PIAT). The working group output, now included in the platform, represents a dramatic step forward beyond the all-too-common practices of solely relying on contractual representations and warranties without any validation mechanisms, as well as generic privacy questionnaires that fail to account for different industries’ uses, data flows and deal types. The platform can also be used to help members manage their own internal compliance; as the privacy laws change, the questionnaires are updated.
Increasing Scalability & What to Expect
A key feature of the IAB Diligence Platform is a vendor compliance hub that allows each responding company to complete the diligence materials once and share them with other platform participants, who may or may not be IAB members. Participating companies choose with whom they want to share their privacy diligence responses.
As Steve Sullivan, Walmart’s Senior Director of Digital Infrastructure (Advertising, Privacy, Technology), recently pointed out at the IAB Privacy Compliance Salon on September 22, operationalizing third-party privacy risk management and bringing scalability and standardization to the ad tech industry is critical.
A Reminder of Why IAB Undertook this Important Initiative
Since 2020, nineteen states have enacted state privacy laws, most of which contain third-party risk management requirements. Businesses and controllers are required to include in their contracts with service providers, contractors, processors, and third parties the right to take reasonable and appropriate steps to ensure these parties use the personal information in a manner consistent with the business’s obligations under the privacy laws. See, e.g., Cal. Code § 1798.100(d), VCDPA § 59.1-579(b)(4), CPA § 6-1-1305(b), TXDPA § 541.104(b)(6)(D). In addition, the California Consumer Privacy Rights Act (CCPA) and its regulations contain a liability-shifting mechanism, such that whether a business conducts due diligence of its service providers, contractors, and third parties factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and the regulations. See Cal. Code Regs. tit. 11, §§ 7051(c) and 7053(b).
Enforcers are making clear that they take privacy diligence obligations seriously. For example, the recent DoorDash settlement requires the company to document its compliance program, including “[a] detailed description of the technical and operational controls implemented related to assessing CCPA compliance for service providers and contractors who provide marketing and related services or who provide analytics or measurements services, including, without limitation, a description of any diligence undertaken or completed by Defendant.” Final Judgment and Permanent Injunction, People v. DoorDash, *6. Additionally, at IAB’s recent Privacy Compliance Salon, a Texas Attorney General’s Office representative encouraged businesses to consider privacy diligence, like third-party risk management in the cybersecurity field where the data disclosing party conducts due diligence of the recipient. Companies “burying their heads in the sand” by entering into a contract with data privacy provisions but never enforcing or conducting due diligence will likely not be shielded from liability caused by the data recipient.
However, the industry still has a lot of catching up to do. Today, it is not uncommon for companies to rely heavily on contractual representations, warranties and indemnification provisions. Additionally, in developing the IAB Diligence Platform, IAB sampled current due diligence questionnaires and found they are often generic, failing to account for industry-specific needs, actual uses of personal information and deal types. Moreover, many approaches fail to fully cover the requirements of evolving state privacy laws, quickly becoming outdated as legislation changes. This results in privacy diligence becoming little more than a procurement box-checking exercise rather than a thorough assessment of privacy compliance risks. In other words, the industry called for a due diligence framework that speaks the industry’s language and provides standardization and scalability. The IAB Diligence Platform addresses this challenge.
The Road Ahead
Our goal is to ensure that privacy remains at the forefront of scalable solutions, helping to safeguard consumer privacy while also enhancing deal speed. The IAB remains committed to enhancing the IAB Diligence Platform to meet the changing privacy landscape.