On December 1, 2022, IAB and IAB Tech Lab released a comprehensive framework to help advertisers comply with provisions in upcoming privacy laws that give consumers the ability to opt out of targeted advertising.
The IAB Multi-State Privacy Agreement (MSPA) creates a common vocabulary for advertisers, technology vendors, and publishers for implementing the new laws taking effect in 2023 in California, Colorado, Connecticut, Virginia, and Utah. The laws grant consumers the ability to opt out when their personal information will be “sold” to a third party or “shared” or “processed” for purposes of targeted advertising.
The MSPA addresses a variety of challenges that these laws introduce for advertisers. For one, the agreement gives companies the option of following a “national standard” approach to compliance based on the highest common denominator across the five state privacy laws. Although the MSPA retains the flexibility for a company to comply on a state-by-state basis, the national standard approach reduces the complexity of implementing five different legal frameworks at once. In addition, the MSPA provides significant contractual compliance and liability avoidance benefits by helping advertisers meet contractual obligations at scale, filling gaps where contracts are missing but needed and providing greater certainty that downstream businesses will fulfill their legal obligations. The contractual gap-filling function is particularly important given that, in many cases, advertisers run campaigns with the understanding that their partners do not have contracts with the websites displaying their ads – a prerequisite under CPRA. The MSPA addresses this lack of privity by filling the contract gap with legally required terms, for example, when pixels placed in the ad creative by advertisers or their agencies fire and result in a sale. Similarly, when an advertiser’s ad server delivers the ad creative to the publisher’s ad server, the consumer’s IP address is made available to the ad server. Yet no such contracts typically exist between ad servers, so the MSPA fills that gap too.
Another benefit to advertisers is that the MSPA causes, only where necessary, advertisers and publishers to engage ad-tech companies as their limited joint service providers solely to run measurement or frequency capping analytics. These joint service provider relationships allow signatories to leverage these services on a service provider basis without running afoul of CPRA’s prohibition on service providers combining personal information and without triggering a “sale” or “share.”
Advertisers can also avoid all “sales” or “shares” by operating exclusively in “Service Provider Mode,” if that is their preference, although they must abide by certain data use limitations such as CPRA’s prohibition on service providers engaging in cross-context behavioral advertising.
A critical innovation of the IAB’s framework is its use of a standard method of signaling consumer preferences through the IAB Tech Lab’s Global Privacy Platform (GPP). When a consumer submits his or her opt-out request to an advertiser, the advertiser in turn can leverage the GPP and MSPA to signal the consumer’s privacy decision to the full network of downstream vendors, partners, and publishers involved in displaying the ad. This signaling mechanism protects the privacy of opted-out consumers, while also providing flexibility to advertisers to continue to utilize ad-tech offerings to serve consumers who have not chosen to opt out.
With the new privacy laws coming into effect throughout 2023, now is the time for advertisers to become familiar with the MSPA, sign onto the agreement and operationalize the GPP. In this article, we walk through how advertisers can implement these frameworks in an effort to fulfill consumer opt-out preferences and address compliance with the new state privacy laws.
How the MSPA Works at Each Step
Step 1: Do the state privacy laws apply?
Targeted Advertising Services
Many types of advertising fall within the purview of the state privacy laws, including building interest-based segments, retargeting website visitors, capturing activity via cookies or pixel tags, and building custom audiences.
The laws apply to these forms of advertising in two ways. First, the laws cover sharing personal information for “cross-context behavioral advertising” or processing personal information for “targeted advertising” – both involving targeting ads based on the consumer’s personal information obtained from the consumer’s activity across different contexts. This includes the use of advertiser first-party data to target ads to a consumer visiting an unaffiliated publisher’s site.
Second, the laws continue to regulate the “sale” of personal information, which may be interpreted to include making available personal information such as unique identifiers or consumer activity information to third parties.
In these cases, advertisers engaged in targeted advertising activities can leverage the IAB framework to give consumers meaningful options to opt out and be confident that consumer preferences are being honored downstream.
Services Offered on a Service Provider Basis
For ad delivery and reporting services that do not fall into the definitions of “targeted advertising” or “cross-context behavioral advertising,” such as frequency capping, negative targeting, ad performance measurement, campaign insights, ad fraud detection, and ad viewability services, advertisers are not required to offer an option to opt out if they use service providers to carry those services out. Advertisers choosing to operate in Service Provider Mode will ensure they only disclose personal information to service providers for these permitted digital advertising activities.
When a consumer submits an opt-out request, this triggers Service Provider Mode, telling downstream providers they can use personal information only for limited business purposes. If the consumer submits the request to a publisher, the advertiser and ad-tech intermediaries can only serve contextual ads or ads based on first-party data to the consumer.
An important exception in California is that a service provider cannot combine personal information it receives from a customer with other personal information, subject to statutory exceptions. To address this prohibition, the MSPA enables service providers in the areas of measurement and frequency capping to act as “joint service providers” on behalf of advertisers and publishers.
Step 2: How do I sign up for the MSPA?
Advertisers can sign on to the MSPA even if they are not members of the IAB. To sign the MSPA, visit iabprivacy.com, review the agreement with legal counsel, and follow the prompts to sign the agreement. As a signatory, your company will be listed as a signatory on the IAB’s website, indicating to other industry members that your business participates in the MSPA framework. An API available at https://tools.iabtechlab.com/mspa enables advertisers to track whether ad tech partners are signatories to the MSPA.
Step 3: What technology solutions do I need to “activate” the IAB framework?
When an advertiser determines that the state privacy laws apply, the advertiser will be required to offer a mechanism for accepting consumer requests, including requests to opt out of sales, sharing, and targeted advertising, except when operating in “Service Provider Mode.”
The MSPA provides rules of the road for how the mechanism should operate consistent with state law requirements, but leaves the advertiser with a good deal of discretion on how to present the consumer with choices. Often, to keep things simple, advertisers will simply ask consumers to read a short privacy notice and choose whether they wish to opt out.
On the backend, advertisers can leverage the helpful documentation about using the GPP, which is now available from IAB Tech Lab, for the purpose of implementing code that signals consumer preferences to downstream partners, or they can utilize a turnkey consent management solution from a technology vendor that integrates the GPP. The MSPA also supports a transition period as companies update from the US Privacy String to the GPP, which is replacing the US Privacy String as the technical mechanism for sending privacy preferences through the bidstream.
Keep in mind that an advertiser is required to ensure that a request to opt out of the sale of personal information is fulfilled for all potential “sales” and “shares,” not just those that may occur through the bidstream. As an example, opt-out requests also apply when advertisers leverage partners to generate and match audience segments for targeted advertising (including secondary uses of data such as to integrate a match file into the service provider’s identity graph). It is always a good idea to consult privacy counsel to ensure that a business’s compliance plan fully addresses its opt-out obligations.
Step 4: How can consumers submit opt-out requests?
The privacy laws generally discuss two different ways for consumers to submit opt-out requests.
First, consumers can click on a link to open an opt-out mechanism built to address the opt-out requirements of the five state laws (such as a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” button). The link may open a new page or a pop-up, but either way, the state privacy laws encourage presenting a simple opt-out mechanism after just one click. The mechanism should avoid gimmicks that could dissuade a consumer from opting out, such as using different color choices or providing a benefit to consumers who do not opt out.
Second, states like California, Colorado, and Connecticut are leading an effort to give consumers the ability to opt out at the global level using an opt-out preference mechanism on their device or web browser. The idea of these “global privacy controls” (GPCs) is to allow a consumer to choose to opt out for all websites, avoiding the requirement of submitting an opt-out preference to each website the consumer visits. The draft CPRA regulations encourage confirming to the user that the opt-out preference signal has been honored.
A challenge of both options is how to persist the consumer’s privacy preferences across devices, browsers, and interactions, whether online or offline. In theory, a consumer request extends to all contexts in which the consumer interacts with an advertiser, and companies should make a reasonable effort to implement these requests. For example, advertisers can provide logged-in consumers a way to set their preferences within the consumer’s account. That said, advertisers should be careful not to collect more information than is necessary merely to fulfill a privacy-related request, including requiring consumers to create an account in order to submit their request.
Step 5: What happens when a consumer opts out?
When an advertiser passes an opt-out signal to downstream ad-tech vendors for a specific consumer, recipients have agreed – via the MSPA – to honor the opt-out request by limiting the ways in which they use the consumer’s data. For example, when a consumer submits a request to opt out of sales, downstream companies are prohibited from engaging in targeted advertising and building third-party segments.
Rather, those downstream companies can operate as service providers to provide advertising services utilizing first-party data, use personal information for frequency capping or to support negative targeting where consistent with applicable law, and engage in ad reporting activities such as conversion measurement or fraud detection. Each of these functions falls outside the definition of “targeted advertising” and can be provided on a service provider basis for purposes of California law based on the inclusion of appropriate service provider contract terms embedded in the MSPA.
Downstream providers that are signatories to the MSPA are required by the contract to honor opt-out signals. If advertisers do not become signatories, they must undertake scaled contracting efforts – at times entering into contracts with parties they have never contracted with before – to honor opt-out signals through the GPP or other bespoke mechanisms.
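To make Steps 4 and 5 concrete, the following is an added example (not code from the article, IAB, or IAB Tech Lab) of the decision an advertiser’s own site or server has to make for each interaction: detect a browser-level Global Privacy Control signal, combine it with any opt-out the consumer has already stored, and derive which downstream activities remain permitted on a service-provider basis versus which are prohibited. It assumes the GPC signal arrives as the `Sec-GPC: 1` request header (the header the GPC specification defines), that the stored preference is read from the consumer’s account or a first-party cookie and passed in as a boolean, and that the activity labels are the article’s own categories rendered as constructed identifiers; it does not construct a GPP string, which a consent management platform or the IAB Tech Lab GPP documentation would handle.

```javascript
// Added example, not from the article or from IAB: resolve a consumer's
// opt-out status for one request and the downstream uses it permits.
// Assumptions: GPC arrives as the "Sec-GPC: 1" request header; the stored
// preference (account setting or first-party cookie) is passed as a boolean;
// activity names are constructed labels for the article's categories.

// Activities the article lists as still permitted on a service-provider basis
const SERVICE_PROVIDER_ACTIVITIES = Object.freeze([
  "first_party_data_ads",
  "frequency_capping",
  "negative_targeting",
  "conversion_measurement",
  "fraud_detection",
]);

// Activities an opt-out of sales/sharing prohibits downstream
const TARGETED_ACTIVITIES = Object.freeze([
  "cross_context_targeting",
  "third_party_segment_building",
]);

// True only when the request carries a well-formed GPC signal. The header
// name is matched case-insensitively; the value must be exactly "1", so a
// malformed value is treated as absent rather than guessed at.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Resolve the effective status for this interaction. A stored opt-out
// persists even when a later request carries no GPC header, and a GPC
// signal alone is enough to opt out the current interaction.
function resolveOptOut({ headers = {}, storedOptOut = false }) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedOptOut === true;
  return {
    optedOut,
    mode: optedOut ? "service_provider" : "targeted_permitted",
    permitted: optedOut
      ? [...SERVICE_PROVIDER_ACTIVITIES]
      : [...SERVICE_PROVIDER_ACTIVITIES, ...TARGETED_ACTIVITIES],
    prohibited: optedOut ? [...TARGETED_ACTIVITIES] : [],
    // Draft CPRA regulations encourage confirming to the user that a
    // preference signal was honored; expose that so the page can display it.
    confirmGpcHonored: gpc,
  };
}

// Constructed sample requests
const samples = [
  { label: "GPC on, no stored choice", headers: { "Sec-GPC": "1" }, storedOptOut: false },
  { label: "GPC off, stored opt-out", headers: {}, storedOptOut: true },
  { label: "malformed GPC, no stored choice", headers: { "sec-gpc": "true" }, storedOptOut: false },
];

for (const s of samples) {
  const r = resolveOptOut(s);
  console.log(`${s.label}: mode=${r.mode}, confirmGpcHonored=${r.confirmGpcHonored}`);
}
```

The `optedOut` flag is what would then be encoded into the GPP signal sent downstream; keeping the stored preference as a separate input is what lets the opt-out survive across sessions in which the browser no longer sends the header, which is the persistence problem Step 4 raises.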
Step 6: What does ongoing compliance look like?
Each of the state privacy laws is enforceable by government agencies with the authority to review a business’s conduct, require remediation of noncompliance, and seek civil penalties or statutory penalties for non-compliance.
So what happens if a regulator investigates a business based on concerns around opt-out requests? Participation in the IAB’s industry compliance framework and active use of the GPP can be part of how the business demonstrates reasonable efforts to comply with consumer requests to opt out and to meet the business’s contractual obligations with downstream participants. The MSPA provides a layer of transparency in the privacy terms that apply to a consumer’s personal information by all parties in the distribution chain that advertisers can rely on for diligence purposes (which is far superior to daisy-chaining privacy obligations on a one-to-one basis with partners).
The MSPA also grants advertisers the right to audit downstream uses of their first-party data, as required by state privacy law, to confirm compliance. This contractual right gives advertisers the ability to demonstrate concrete audit results to enforcement authorities.
These benefits are significant, particularly when many advertisers do not have a contract with (or any accompanying oversight of) downstream ad tech vendors and publishers.
In walking through how advertisers can implement the MSPA, this article seeks to demystify the IAB’s new framework for tackling compliance with the state privacy laws. Advertisers can sign on to the MSPA and use the IAB’s GPP signaling mechanism to indicate consumer opt-out preferences to downstream ad tech vendors and publishers in order to fulfill their obligations under the state privacy laws.