As of Thursday, the IAB’s multistate privacy agreement (MSPA) is available for advertisers, publishers and ad tech partners to sign and begin using to track their data flows.
What is the MSPA?
(Forgive me in advance.)
The MSPA is a contractual framework built off of the IAB’s limited service provider agreement that aims to help companies share Global Privacy Platform consent signals with their partners in the online ad supply chain while also complying with state privacy laws, including the CPRA in California (which is itself an evolution of the CCPA) and others coming into effect in Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA) and Utah (UCPA).
That sentence actually means something to an ad tech lawyer.
Unpacking the MSPA
In English: The IAB is twisting itself into a pretzel to develop specs and legal contracts that strike a balance between privacy law compliance and maintaining a version of the status quo with online advertising.
Specifically, the MSPA is an evolution of the limited service provider agreement (LSPA), which is a standard contract that the IAB created to help with CCPA compliance by, in theory, ensuring downstream companies respect opt-out signals.
But since there are five other state privacy laws going into effect in 2023, the IAB has had to devise a solution that deals with the nuances of these regulations in different states and regions.
The IAB also adapted the MSPA “to take a more modular approach,” said Tony Ficarrotta, assistant general counsel at the IAB Tech Lab, speaking during a webinar about the MSPA on Thursday.
“If new state privacy laws do get passed in the future,” he said, “we won’t have to go through a year-long process of overhauling many aspects of the agreement.”
The hard sell
But there are more than enough challenges to deal with in the here and now, and one of the biggest is understanding the definition of what constitutes a sale.
Over the summer, Sephora agreed to pay a $1.2 million fine to settle a case under CCPA for failing to respect the Global Privacy Control as an opt-out, failing to disclose to consumers that it “sells” their personal information to third parties to create profiles for targeted advertising and failing to have the proper service provider contracts with its partners.
In California, a business can disclose personal information to a service provider so long as customers are notified of what’s happening, the service provider only processes the data to perform a necessary “business purpose” and there’s a contract in place specifying that purpose.
It’s an exception of sorts, meaning that a business can contract a third party to act as a service provider for a limited and specific purpose, like providing customer service, analytics, handling payments or verifying customer information.
Still, the Sephora settlement should be a wake-up call to the online advertising industry.
Any business that makes personal information available to a partner, whether that’s a cookie ID, a device ID or an IP address, and gets some kind of benefit in return – “that’s going to be considered a sale,” Ficarrotta said, and “includes activities that we previously might not have thought required an opt-out,” such as frequency capping.
“That’s a big change and something we need to be prepared to respond to as an industry,” he said.
Which is where the MSPA comes in. It’s meant to function as contractual air cover that springs into place when needed so third parties can act as a service provider for specific purposes, such as frequency capping and measurement.
The framework also allows companies to perform a restricted version of most online advertising activities while ostensibly remaining in compliance.
Take real-time bidding. In an RTB transaction, publishers share information like device ID and IP address with ad tech vendors as part of the bid request. The vendor then matches that information with third-party audience segments to serve personalized (aka cross-context behavioral) advertising.
(The CPRA, by the way, specifically excludes “cross-context behavioral advertising” from the definition of a business purpose.)
People legally have the right to opt out of cross-context behavioral advertising and, if they do, their choice needs to be respected up and down the chain.
The MSPA provides a standardized way for publishers to signal someone’s opt-out choice to their ad tech vendors while still allowing those publishers to use their own first-party data to do a more limited form of processing, like to support contextual targeting.
But the main takeaway is this: The CPRA and other state privacy laws have specific requirements for third-party contracts, and putting them in place is a nontrivial challenge for the online advertising ecosystem because the digital supply chain is a morass of hops between many different partners.
“There is a large scale of companies you have to worry about getting into these contractual relationships with,” Ficarrotta said. “Everyone is going to have a big task getting ahead of these requirements coming online next year to get all of the contracts they have updated with sufficient terms.”