With so many regional privacy laws around the world, and more on the way, compliance is complicated. Rube Goldberg comes to mind.
On Wednesday, the IAB Tech Lab announced the launch of its Global Privacy Platform (GPP), which is a protocol designed to standardize the sharing of consent signals so companies can more easily comply with global privacy regulations.
The GPP is now open for public comment for the next 60 days.
GPP is the second spec to come out of Project Rearc, IAB Tech Lab’s overarching initiative to deal with signal loss, including the deprecation of third-party cookies in Chrome. Seller-defined audiences was the first.
The IAB Tech Lab has been working on the Global Privacy Platform for the past two years.
The best way to think of the GPP is as a technical framework for compliance as opposed to any sort of policy, CEO Anthony Katsur told AdExchanger.
“It’s a protocol for streamlining and managing cross-jurisdictional privacy compliance,” he said.
First steps
The platform works by inspecting data before it’s been transmitted between partners to make sure it abides by local privacy law and has been gathered with the proper consent.
The GPP also acts as a “transport mechanism” to move vetted data between publishers, advertisers and ad tech companies, Katsur said. “It’s basically a communication layer to ensure you’re carrying a valid consent string.”
Down the line, the IAB Tech Lab plans to also check on and transmit other parameters, such as how long data has been retained.
The other piece of the GPP is a global vendors list that serves as a centralized record of IAB Tech Lab partners and the vendors they work with. The list also includes whether a company has registered at a regional or global level.
IAB Europe and IAB Canada are developing user interfaces for certification programs that will vet and approve vendors that are hoping to join the ranks of regional databases, Katsur said.
Fragmentation nation
As data privacy regulations splinter across the globe and even regionally within one country – the US has five state privacy laws and counting – it raises new questions about how to approach compliance across borders.
Privacy protection is “inherently a cross-jurisdictional regulatory challenge,” Katsur said.
“If I’m a California citizen reading CNN and sipping espresso in Italy … is my data collection simultaneously compliant with both the CPRA and the GDPR?” he said.
Not a question you’re likely to ask yourself every day, but a critical one to answer nonetheless.
The GPP localizes consent string formats based on region and has APIs that can match and authenticate consent across centralized databases to check for compliance.
The current GPP framework supports the management of multiple consent strings, including those of the US and of IAB Europe’s embattled Transparency & Consent Framework (TCF) solution for GDPR compliance in Europe and Canada. You can expect more regional versions of privacy frameworks to come as additional US states pass their own privacy laws.
Katsur said the Tech Lab also plans to work with the governing bodies of other countries, such as Brazil, which isn’t on everyone’s radar despite having its own strong data protection law.
The GPP is designed to be extensible and easily integrated with existing compliance frameworks as new laws come into force, Katsur said, which is especially important because continued fragmentation is far more likely than a global data privacy consensus.
And that includes in the US. The Tech Lab “doesn’t foresee any sort of legislation at the federal level anytime in the near future,” Katsur said. “It could take until 2025.”
Until then, adding and authenticating a regional consent string is just a matter of building within the already existing framework. “It’s not hard to add a new strain to this,” Katsur said.
Which is why Katsur says the IAB Tech Lab can brave any additional changes to the TCF that may come following another pending decision by the Belgian Data Protection Authority. In February, the Belgians found the TCF to be illegal in its current form under the GDPR and called on IAB Europe to develop a plan to bring it into compliance. (The irony of a compliance mechanism being found to be uncompliant.)
Accountability
In addition to the GPP, IAB Tech Lab is also working on a separate but related platform to make sure the companies receiving consent signals actually follow them.
The Global Accountability Platform, which IAB Tech Lab hopes to launch later this year, will check to make sure companies are following the consent signals they receive throughout the entire supply chain, from the inception of the data to the delivery of the impression, Katsur said.
The purpose of the platform is to audit the supply chain and ensure the “integrity of the consent string” remains intact, Katsur said.
Auditing for compliance is “inherently more invasive,” he said, “and there are some people in the room who aren’t going to like it.”
“But we’re not the internet police,” Katsur said. “Either the advertising industry gets together and regulates tools like this, or someone else is going to do it for us.”
This article has been edited.