Why the IAB Tech Lab and IAB Legal Affairs Council Are Coming Together for the Privacy Implementation & Accountability Task Force (PIAT)


Consumers and legislators have made two things abundantly clear.

First, getting privacy right is a fundamental obligation of all companies participating in the digital advertising industry.

And second, progress cannot wait.

The time to set down the standards and best practices for privacy implementation and accountability is now, but it’s easier said than done.

Implementation issues abound, both for consumer-facing and business-facing obligations.

Everyone agrees that consumers should be informed about how their data is used for advertising and how to make choices about those uses in a way that minimizes friction. But there’s no consensus about how to do it well. The result? The consumer’s privacy experience is fragmented with too many different approaches, leading to consumer confusion and frustration with ad-supported media.

As another example, businesses seeking to responsibly process consumer data and honor consumer privacy rights must conduct data discovery within their organizations. However, the many different data mapping tools available in the market today are not one size fits all and often do not neatly account for the kinds of data processed for digital advertising. The digital advertising industry would benefit from greater consensus about what level of automated and non-automated data discovery should be performed across multiple structured and complex unstructured data containers.

At the same time, the digital advertising industry faces a critical accountability inflection point. Too often, our industry has relied solely on contract language, whether representation and warranties or indemnification provisions, to manage partner behavior. But new state privacy laws require more forceful action. For example, these new laws create accountability requirements between businesses and their service providers, and the CCPA now imposes material legal risk on a company for the wrongdoing of its partners (regardless of whether those partners are service providers) unless the company conducts sufficient due diligence.

To address these challenges and continue raising the bar for privacy, PIAT will bring together leading privacy technology vendors, media companies, advertisers, and the supporting ad tech ecosystem to create the shared understanding, best practices, and standards the industry needs to move forward. However, we cannot move forward on everything at once. We need to set priorities.

Putting accountability first

A survey of PIAT working group participants provided clear direction that the creation of standards around accountability needs to be our first priority.

Every new privacy law in the US includes language about accountability, and regulators have been very clear that they expect real action. All parties subject to the state-level privacy laws must be able to demonstrate their privacy compliance to enforcers and to each other. That means every service provider or processor must make a contractual commitment to demonstrate its privacy compliance to the business or controller. There are rules for subcontractors and third parties, too, including due diligence of third parties when there is a “sale” of personal information for cross-context behavioral advertising.

Our first effort will be The Diligence Project. Today, vendor due diligence is most often done by way of lengthy questionnaires that are not tailored to digital advertising data flows and that take a disproportionately large amount of time and effort to complete — all while providing only questionable value or insight into relevant privacy practices. Clearly, we must move beyond such basic efforts.

The Diligence Project will seek to define a set of standards or best practices around what steps publishers and advertisers can reasonably undertake today, based on a review of all the currently available technologies, to ensure that their partners are acting in compliance with state privacy laws and contractual obligations. We’ll examine all of the accountability and diligence requirements that apply and provide a roadmap about how they can be implemented in the digital advertising industry using privacy technology tools that are available today.

We’ll also begin our Privacy Taxonomy Project. Underlying this project is a necessity to move from first-generation to second-generation technology in vetting partner privacy compliance. Marketing, media and other consumer-facing organizations must have a more refined tool set than exists today to demonstrate to regulators that their service providers are complying with the limitations imposed under state privacy laws; vendors are complying with “do not sell” requests; and vendors are meeting the contracting and subcontracting requirements that relate to “sales” under CCPA.

But the next generation of privacy tools can’t solve these problems if industry participants lack a shared language to define them.

The industry needs a common data taxonomy for publishers and advertisers to be able to organize their data and communicate with partners around its use limitations, as well as receive data validating its use.

For example, today every supply-side platform (SSP) works with multiple demand-side platforms (DSPs). But since everyone’s data is organized differently, to make real accountability work you’d need a mapping table for each and every vendor and then another for their client-specific customizations. Hence the need for the Privacy Taxonomy Project. We first need common language around how we organize personal information before we can push the privacy vendor marketplace to build a new suite of tools that will need to be interoperable across the industry.

Bringing legal, product and technology together is critical to success.

The privacy challenges facing the digital advertising industry require collaboration between legal and technology stakeholders. The IAB Legal Affairs Council has deep experience with state level legal compliance — in particular, through its Multi-State Privacy Agreement. The IAB Tech Lab has deep experience setting technical standards that undergird the industry, including with respect to privacy. By working together across functions, we’re confident we can turn privacy challenges into privacy solutions.

Moving forward together

Getting accountability right is a fundamental part of our compliance obligations and foundational to maintaining trust with consumers. We’re committed to getting this right.

But we won’t stop there. Over time, working together, we’ll solve the thorniest privacy challenges that are embedded in industry technology, including driving consensus on privacy implementation, improving guidance or best practices involved in data discovery and mapping, developing a low-friction user interface, and more.

We’re committed to getting this right and to getting started now.

So far, our joint effort comprises more than 100 people from across the entire digital ecosystem. We’d like to see even more people participate from legal, product, and engineering. If you’re interested in shaping the future, we hope you’ll read more and join us by sending an email to [email protected].