Explore cutting-edge technical solutions and standards available today, along with emerging technologies and concepts, all dedicated to addressing the never-ending privacy conundrum while preserving consumer privacy and nurturing open internet and advertising marketplaces. Past events have delved into topics like, Privacy Sandbox, data clean rooms, identity resolution solutions, Privacy Enhancing Technologies (PETs), and consent signaling frameworks (TCF, GPP). Plus, enjoy multiple networking opportunities to foster vital conversations with key decision-makers from your business partners and solution providers.

The post IAB Tech Lab, Privacy & Addressability, “As The Cookie Crumbles” West Coast appeared first on IAB.

We’ll cover releases across all of our strategic pillars including privacy, addressability & privacy enhancing technologies, advanced tv and supply chain foundations.

This event will take place at the IAB Tech Lab office in New York City. A virtual option is available.

The post 2024 IAB Tech Lab Council Meeting appeared first on IAB.

When we first announced the launch of the IAB Diligence Platform, we emphasized the importance of working smarter to solve the complex process of managing privacy diligence with the numerous vendors in the digital advertising industry. The Platform is compatible with any privacy program management solution and assesses privacy compliance in the context of actual data flows and uses in the digital advertising industry. Moreover, it’s fully auditable, making it an invaluable tool for effective and efficient privacy compliance management for your business.

The IAB Diligence Platform includes questions that are specifically drafted for a publisher’s state privacy law diligence of a Supply-Side Platform (SSP); an advertiser’s diligence of a demand-side platform (DSP); an SSP’s diligence of a DSP; and everyone’s diligence of data brokers.  The Platform also includes SafeGuard Privacy’s US State Law assessments that can be leveraged for self-assessment, and for additional vendor assessment.

The IAB Diligence Platform is a critical step in standardizing privacy due diligence for the digital advertising industry.  We encourage all IAB members, and the industry more broadly, to use it to satisfy their privacy diligence obligations.

To learn more about the IAB Diligence Platform, please visit https://safeguardprivacy.com/iab-diligence-platform/.

The post OneTrust Becomes First Privacy Vendor to Integrate with IAB Diligence Platform Powered by SafeGuard Privacy appeared first on IAB.

The post Ad Ops Workshop for Advanced TV appeared first on IAB.

The US National Privacy String was specifically designed to support the MSPA. The Tech Lab’s github repository makes that purpose clear with the naming convention: “IAB Privacy’s [the IAB entity that holds the MSPA] US National Privacy Technical Specification.” The preface in github states:

This document outlines the technical specification for using the GPP specifications with the IAB Privacy Multi-State Privacy Agreement legal requirements. . . . The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach [a defined term in Section 1.81 of the MSPA] for their processing of a consumer’s personal data.

While we believe that this language is clear, we’ll provide even more qualifying language in the coming weeks to make it doubly clear – the US National Privacy String must only be used by MSPA signatories or MSPA-certified partners who have agreed to comply with the “National Approach” as defined in the MSPA.

For those who are not an MSPA signatory or certified partner, there are several reasons why they should not send or receive IAB Privacy’s MSPA US National String and use it for their own purposes. First, if publishers or advertisers send the US National String when they are not a signatory to the MSPA or a certified partner, they run the risk of making material misrepresentations that they are an MSPA signatory or certified partner and adhere to the MSPA’s National Approach as the means of reconciling the differences in the state privacy laws. Regulators such as the FTC and State Attorneys General have previously enforced misleading certification advertising claims. Second, if adtech providers induce or knowingly receive and open the US National Privacy String and are not a signatory to the MSPA or a certified partner, they run the risk of potentially assisting and facilitating false advertising for which there is joint and several liability. It also raises the risk of a tortious interference claim being brought by another MSPA signatory.

We certainly appreciate the desire for a single string to cover the U.S., but alas we do not have a federal privacy law that we can simply cite to in the string, as we do for the state-specific strings. Some have asked, “Why can’t we just list the relevant provisions of all the state laws in a US national string and not connect it to the MSPA?” The problem is that the string would be of little privacy value – no better than a general representation and warranty to comply with applicable provisions of all relevant state privacy laws. The outcome is the senders and recipients of the string would have different views and implementations around reconciling the different state privacy laws. So, receipt of the same signal would lead to different implementation outcomes.

Some have similarly asked, “What if I have privacy terms in my contracts with my partners, could I use the US National Privacy String then?” The problem is that there are potential variations in terms across partnership agreements, resulting in the same outcome of differing views and implementations. Our industry can do better than that to protect consumer privacy and we doubt that regulators would ever accept such an approach.

That is why we created the MSPA, and the corresponding U.S. National Privacy String, in the first place – to serve as a central and transparent set of privacy terms for the industry to point to that brings a consistent set of privacy outcomes and generally aligns with the highest common denominator across the privacy laws.

It is more imperative than ever for our industry to be compliant to the letter of the law. If you’re an MSPA signatory or certified partner, go ahead and send either IAB Privacy’s US National Privacy String or a state-specific string; the MSPA accommodates both approaches. But if you’re not an MSPA signatory, you should only send or receive state-specific strings with your partners.

The post Multi-State Privacy Agreement and Global Privacy Platform Update appeared first on IAB.

Learn more about new CTV events signals, including:

• Identifying CTV Traffic: Know the environment in which a native app is running.
• Last Activity: Signal that an event occurred indicating someone is “still watching”.
• Display Connection Status: Understand when the TV display is off, but applications may still be running.
• Video Pod Measurement: Enable measurement of video ad pods with gapless playback for “javascript” session types.

The post Expanded Coverage for OMSDK for CTV appeared first on IAB.

Note: This is not a CLE-eligible workshop

Topics will include:

• How the digital supply chain works and how data flows through the ecosystem
• Changes in the digital advertising status quo caused by operating systems, browser, regulation, and concerns around “data leakage”
• Evolution of new privacy technologies including PETs to address the changes
• Other approaches to addressability

*Save the date! More to come soon!

The post Privacy Tech Workshop for Lawyers and Cross-Functional Privacy Teams – D.C. appeared first on IAB.

Throughout this Webcast, they will discuss:
– Privacy Sandbox Fit Gap Analysis study results
– Areas where adjustments and improvements may be needed
– To what extent Privacy Sandbox prioritizes user privacy

Don’t miss this full-on virtual chat from ExchangeWire in association with IAB Tech Lab, keeping you up-to-date in these unprecedented times.

Agenda:
15 minute presentation by Shailley Singh, IAB Tech Lab
30 minute panel discussion

The post Navigating the Divide: Privacy Sandbox Fit-Gap Analysis and Industry Solutions appeared first on IAB.

With more than a dozen privacy laws in effect or coming into effect, each of which provides for an opt-out of “sales” and targeted advertising, digital advertising is increasingly becoming a regulated industry. This change in the law must be met with a change in business practices, including how we conduct diligence around privacy in digital ad transactions.

Liability is shifting

One of the fundamental changes in state privacy laws is the inclusion of accountability. There are new requirements around what partners can and cannot do with the personal information you provide them. Indeed, you must take “reasonable and appropriate steps” to make sure that your partner uses that personal information consistent with the law — for example, by including mandatory audit provisions in your contracts.

Perhaps the most significant change is the California Privacy Protection Agency’s (CPPA) regulation stating that whether you conduct diligence of your partners with whom you disclose personal information is a material factor in determining whether you will be liable for their wrongdoing.  In other words, due diligence and third-party risk management should now be integral aspects of your data privacy program.

Enforcement is getting tougher — and digital advertising will face new scrutiny

Not only is liability shifting, but enforcement is too. Upon the effective dates of the dozen-plus privacy laws, each vests enforcement in its attorney general’s office. In California, both the Attorney General’s Office and the CPPA each have enforcement powers.

Those enforcers have shown a clear intent to protect consumers under their privacy laws.  On January 26, the California Attorney General’s announced a sweep of streaming services under the CCPA.  The Connecticut Attorney General’s Office announced its enforcement priorities for the digital advertising industry at the IAB State Privacy Law Summit on November 15, including setting bright lines on the right to opt-out of the disclosure of personal information to vendors for measurement and frequency capping (where those vendors do not serve as your processors), as well as parameters on the categorizing information as deidentified.

Colorado’s Attorney General Phil Weiser has said “Enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy (…) If we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

Finally, the CPPA has a fully staffed enforcement division to investigate possible violations, and it’s hard to imagine digital advertising won’t be one of its key focus areas. Importantly, you can expect announced or unannounced audits to commence soon, particularly: for companies who’ve had any history of non-compliance with any privacy law; where there are potential violations of the law; or where the subject’s “collection or processing of personal information presents significant risk to consumer privacy or security”.  And there is no longer a mandatory 30-day “cure period” — no guaranteed second chances — under the CCPA.

Companies should not underprice state privacy risk because doing so could become a big — and very costly — mistake.

Industry diligence must improve

Historically, privacy diligence has relied on two things. First, you obtained a representation and warranty in the contract that the business partner would comply with applicable law and then indemnity if it failed to do so.  Second, you typically sent out a generic questionnaire.

This approach will no longer do.

For a fully digital industry, diligence is woefully analog and outdated. It’s underfunded, understaffed, and in an underdeveloped state. Companies send out and receive dozens of questionnaires monthly in connection with transactions and partnerships. These often ask the same questions in multiple different ways, which makes responding to them a rote exercise of managing answers in spreadsheets and cutting and pasting. Worse, these questionnaires are often generic and out of date, and the majority fail to address the actual uses of personal information contemplated by the business arrangement and the entirety of each state law. Sometimes, the surveys come back incomplete — if they come back at all.

The industry must solve for privacy diligence, and it can’t do so by doubling down on its current approach. Rather, what’s needed are standards around privacy diligence that can achieve effectiveness and efficiency so that all industry participants are speaking the same language. We need standardized privacy diligence questions that address both the letter of the law and the specific data flows and business use cases for every vendor and sub-vendor. We also need a more effective and efficient means of managing the diligence process.

It’s a digital problem that demands a digital solution.

Introducing the IAB Diligence Platform

To proactively meet the needs of regulators, the IAB convened a Privacy Implementation and Accountability Taskforce (PIAT), composed of publishers, advertisers, agencies and ad tech companies.  The group highlighted the need for an effective and efficient solution: the IAB Diligence Platform.

The Platform provides a privacy diligence solution that is purpose-built for the digital advertising industry. This solution will combine new industry vertical business questions with US state law assessments in one collaborative platform to make the diligence workflow effective and efficient for both sides of the partnership.

Leading industry privacy lawyers and law firms are collaborating in the PIAT initiative to draft the right business and privacy questions of each digital advertising use case and vendor type. We know that the right questions that a publisher should ask an SSP aren’t the right questions for an advertiser or its agency to ask a DSP.  These questions will be complemented by questions specifically tailored to assess compliance with each state privacy law.

The IAB Diligence Platform will be built on the SafeGuard Privacy Platform, which features robust state law assessments and a vendor compliance hub.  Users will be able to complete the diligence questionnaire once and share it with the partners on the platform as they engage in digital ad transactions.  By moving the industry towards use of the Platform, there will be a strong network effect to drive efficiency and improve deal speed.  In fact, IAB members that are already on the SafeGuard Privacy platform are seeing 80%+ efficiency gains by managing multiple laws concurrently and automating vendor compliance. They have a single source of truth for members to handle their diligence efficiently, and they’re saving dozens of FTE hours a month.

The solution provides:

• Standardized privacy questions that will be leveraged by the industry.
• Ability to fill out assessments and questionnaires once and easily share with partners many times.
• Ability to update compliance as new laws come online or existing laws and regulations evolve.

It’s better for vendors. Automated sharing means significant time and labor savings for vendors — they answer the right set of questions once and share everywhere. Deals close faster when there are no overlapping, inappropriate, out of date, and repetitive questions to wrestle with.

It’s better for accountability. It’s auditable, fully accountable, and provides a clear record of compliance: companies that are audited can show the actions they’ve taken to ensure that control and privacy of company data was assured. The combination of SafeGuard Privacy assessments and IAB PIAT (Privacy Implementation & Accountability Task Force) questionnaires delivers what the heightened regulatory landscape calls for.

Of inertia, lack of budgets, and finger-pointing

The first challenge is for the industry to overcome inertia. We must recognize that we are now becoming a regulated industry, and expect that regulators will do their job diligently. What worked in the past will not work in the future.

Despite this, few budgets have a line item for a diligence platform. This must change.

Company leaders must not allow this to devolve into finger-pointing about which budget this should come from — especially since nobody’s going to point at their own budget first.

This needs to be a priority driven by top management, with real effort to find the resources and get a real solution in place. The good news is, the cost is lower than it might appear — and certainly lower than the financial and reputational cost of an enforcement action arising from your partner failing to properly process personal information you provided to it.

Additionally, the costs of the industry’s current approach are high, but largely hidden. Every hour that employees spend sending out questionnaires, working with vendors to fill in the inevitable gaps, and chasing down vendors who are too overwhelmed to reply has a hard-dollar cost. This is to say nothing of the opportunity cost of executives stepping in to push through contracts that have been held up in the process.

What to do now

We encourage everyone to understand the new legal landscape, and prepare for smarter diligence. If you’re not already a member of IAB PIAT (Privacy Implementation & Accountability Task Force), you can email michael.hahn@iab.com. You can also contact SafeGuard Privacy here to see a demo of the IAB Diligence Platform.

The new regulations are real, and we expect them to be enforced. The most important thing to do is to start today to prepare for new state privacy law diligence requirements.

The post Working Harder Won’t Solve Privacy Diligence. It’s Time to Work Smarter. appeared first on IAB.

The post The Accountability Platform Explained appeared first on IAB.