The ad industry is facing one of its biggest regulatory fears: a patchwork of distinct state privacy laws.
California, Colorado, Virginia, Connecticut and Utah have privacy laws that have either recently taken effect or will come into effect this year. To help businesses operate in this complicated legislative landscape, the IAB released the Multi-State Privacy Agreement (MSPA), which offers a contractual framework and consent management guidance for compliance.
The goal is to obey the law while maintaining as much of the digital advertising status quo as possible.
But what do publishers need to know about implementing the MSPA?
Contractual arrangements
The IAB has been tinkering with compliance frameworks since before the California Consumer Privacy Act (CCPA) came online in 2020.
The MSPA is an updated version of the IAB’s Limited Service Provider Agreement framework originally designed to enable CCPA compliance. New privacy laws, including the California Privacy Rights Act (CPRA), which amends CCPA, require an expanded approach.
The CPRA defines common practices, such as ad delivery, measurement and frequency capping, as involving a “sale” of user data between partners. And whenever a business sells a user’s personal information, the law requires that transaction to happen within the confines of a contractual relationship.
But not every aspect of a digital ad transaction is currently covered by contracts, said Michael Hahn, EVP and general counsel for the IAB and IAB Tech Lab. And “you might not even have any relationship with that other party to whom you’re selling the information.”
There typically isn’t a contract in place to cover the transfer of information every time a pixel fires, which is how advertisers track impressions and on-site behavior. Crafting separate contracts for every data partner would be impractical, because it means creating thousands of contracts.
“Publishers directly work on a contractual basis with maybe 20 or 30 companies, mostly SSPs, data companies and Google,” said Scott Messer, an ad industry consultant and former SVP of media at Leaf Group. “But there are over 1,000 vendors on the global vendor list, and any of them could be buying or measuring on your site through a media pixel.”
The purpose of the MSPA is to spring into action using specific contractual language in cases where contracts don’t normally exist, including between publishers and pixel providers, publishers and DSPs, and publisher ad servers and advertiser ad servers.
The key piece of contractual language at play in the MSPA is the distinction between “third parties” and “service providers.”
Third parties are entities that receive personal data but don’t collect it directly from customers, like a website analytics provider. Service providers process personal information on behalf of a business that is acting as a first party. Both third parties and services providers have contract requirements.
When classified as a service provider by a first party, a company is allowed to receive personal data for measurement, ad delivery confirmation and frequency capping. Service providers can also receive an IP address for contextual ad targeting even if a user opts out. But if there’s an opt-out, they can’t receive data for “cross-context behavioral advertising,” including ad targeting based on a user’s personal information.
Consent management and user opt-outs
State laws require companies to give users an easy way to opt out of having their data sold.
In turn, the MSPA calls for publishers to build a consent management interface for their websites. (Publishers don’t have to work with a third-party consent management platform, but they do have to provide some form of opt-out mechanism.)
Publishers should explain to site visitors how they use the data they collect and allow people to opt out of data sharing for advertising purposes.
“Put [an opt-out] link in the footer of every page on your site where data is being collected, any place where you have pixels that are involved in programmatic advertising,” said Gerald Ferguson, a partner and co-founder of the privacy and data protection team at law firm BakerHostetler, which represents several publishers.
The CPRA also requires that publishers convey a user’s consent status to their downstream partners, which is why the MSPA contains a framework for conveying opt-outs through the IAB Tech Lab’s Global Privacy Platform (GPP).
To target or not to target?
Although state privacy laws allow some data sharing among service providers for measurement and ad delivery purposes, ad targeting is handled differently.
In the event of an opt-out, user-level targeting that uses third-party data is not covered by a service provider relationship.
If a user opts out of having their data sold, DSPs and ad tech intermediaries have to ignore all bid requests associated with that user, said Fiona Campbell-Webster, associate general counsel and chief privacy officer at MediaMath.
But publishers can continue sharing IP address data with advertisers, DSPs, SSPs and measurement providers for limited purposes so long as those entities are MSPA signatories.
Take contextual advertising.
Say a publisher wants to programmatically serve a contextual ad to someone who’s opted out of targeted advertising. It’s possible to do that and still comply if the publisher’s SSP and the advertiser’s DSP are both acting as service providers.
If the publisher, SSP and DSP are all signed on to the MSPA, they’re able to share a user’s IP address for the limited purpose of serving a contextual ad – and that’s it.
State by state vs. national
As more state privacy laws go into effect, publishers must decide if they want to attack compliance on a state-by-state basis or apply the strictest data usage guidelines across their business nationally. The MSPA offers guidance for both options.
State-based privacy laws apply to where a consumer resides, not where a company or its partners are based, Hahn said.
“It’s really hard to organize your data on the state-by-state approach and put all the processes in place,” Hahn said. “Having one approach nationally is organizationally simpler.”
Taking a national tack also means not having to determine where a consumer is based.
The MSPA’s national approach option adopts the highest common denominator for compliance, Hahn said, and is often based on California’s privacy laws, which were used as a template by multiple states.
But there is a catch. Although the national approach might be considered easier, it could also have an adverse effect on revenue since 45 states haven’t yet passed privacy laws, said Messer.
Regardless, Messer said, it’s important for publishers and their partners to seriously consider supporting the MSPA and GPP.
The MSPA only works if everyone is signed on, he said.
