Since we uploaded IAB’s diligence questions to the platform this Summer, we have been pleased with its traction in the marketplace. We’re particularly excited to have our first major holding company join the platform, which just commenced the privacy diligence of its partners.

Many industry participants should have received or may soon receive requests from their partners who have signed onto the IAB Diligence Platform to complete the industry standardized privacy diligence questionnaires. The platform is designed to create a network effect so that once you complete the questionnaire for one partner, you can share it with other partners through the platform – saving time, money and improving deal speed in the process. To encourage that network effect, IAB established parameters for the platform, such that when a partner-IAB member receives a diligence request from an existing platform subscriber, that partner-IAB member must also subscribe to the platform. The platform’s subscription fees are tied to the company’s size, as reported to IAB for the purpose of calculating membership dues.

How the IAB Diligence Platform Works
The platform, which SafeGuard Privacy powers, contains a baseline questionnaire, standardized U.S. State law assessments, and seven industry-specific modules designed to cover common digital advertising use cases and data flows. The baseline module includes 27 questions that cover the categories of personal information collected​, practices concerning the retention of personal information​, and the adequacy of privacy notices. The industry-specific modules include:

• 65 Publisher to supply-side platform (SSP) questions: e.g., processing and propagating Global Privacy Platform (GPP) strings;
• 43 SSP to demand-side platform (DSP) questions: e.g., use of PI when the DSP’s customer does not win the bid;
• 69 Advertiser/Agency to DSP questions: e.g., whether the DSP ingests CRM data into the DSP’s identity graph;
• 58 Advertiser/Agency to Publisher questions (direct deal): e.g., whether PI disclosed by an Advertiser is combined with other attributes upon receipt; and
• 46 Data Broker questions: e.g., steps undertaken to validate that consumers whose PI is being purchased were provided with the required consumer rights.

The platform also includes an IAB Multi-State Privacy Agreement (MSPA) module for MSPA signatories and a module to address compliance with the Protecting Americans’ Data from Foreign Adversaries Act.

These questions were drafted by a large number of industry lawyers from across the digital ad distribution chain, as well as by leading law firms, through the IAB Privacy Implementation & Accountability Taskforce (PIAT). The working group output, now included in the platform, represents a dramatic step forward beyond the all-too-common practices of solely relying on contractual representations and warranties without any validation mechanisms, as well as generic privacy questionnaires that fail to account for different industries’ uses, data flows and deal types. The platform can also be used to help members manage their own internal compliance; as the privacy laws change, the questionnaires are updated.

Increasing Scalability & What to Expect
A key feature of the IAB Diligence Platform is a vendor compliance hub that allows each responding company to complete the diligence materials once and share them with other platform participants, who may or may not be IAB members. Participating companies choose with whom they want to share their privacy diligence responses.

As Steve Sullivan, Walmart’s Senior Director of Digital Infrastructure (Advertising, Privacy, Technology), recently pointed out at the IAB Privacy Compliance Salon on September 22, operationalizing third-party privacy risk management and bringing scalability and standardization to the ad tech industry is critical.

A Reminder of Why IAB Undertook this Important Initiative
Since 2020, nineteen states have enacted state privacy laws, most of which contain third-party risk management requirements. Businesses and controllers are required to include in their contracts with service providers, contractors, processors, and third parties the right to take reasonable and appropriate steps to ensure these parties use the personal information in a manner consistent with the business’s obligations under the privacy laws. See, e.g., Cal. Code § 1798.100(d), VCDPA § 59.1-579(b)(4)​, CPA § 6-1-1305(b), TXDPA 541.104 § (b)(6)(D). In addition, the California Consumer Privacy Rights Act (CCPA) and its regulations contain a liability shifting mechanism, such that whether a business conducts due diligence of its service providers, contractors, and third parties factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and the regulations. See Cal. Code Regs. Tit. 11, § 7051(c) and 7053(b).

Enforcers are making clear that they take privacy diligence obligations seriously. For example, the recent DoorDash settlement requires the company to document its compliance program, including “[a] detailed description of the technical and operational controls implemented related to assessing CCPA compliance for service providers and contractors who provide marketing and related services or who provide analytics or measurements services, including, without limitation, a description of any diligence undertaken or completed by Defendant.” Final Judgment and Permanent Injunction, People v. DoorDash, *6. Additionally, at IAB’s recent Privacy Compliance Salon, a Texas Attorney General’s Office representative encouraged businesses to consider privacy diligence, like third-party risk management in the cybersecurity field where the data disclosing party conducts due diligence of the recipient. Companies “burying their heads in the sand” by entering into a contract with data privacy provisions but never enforcing or conducting due diligence will likely not be shielded from liability caused by the data recipient.

However, the industry still has a lot of catch-up to do. Today, it is not uncommon for companies to rely heavily on contractual representations, warranties and indemnification provisions. Additionally, in developing the IAB Diligence Platform, IAB sampled current due diligence questionnaires and found they’re often generic, failing to account for industry specific needs, actual uses of personal information and deal types. Moreover, many approaches fail to fully cover the requirements of evolving state privacy laws, quickly becoming outdated as legislation changes. This results in privacy diligence becoming little more than a procurement box-checking exercise rather than a thorough assessment of privacy compliance risks. In other words, the industry called for a due diligence framework that speaks the industry language and provides for standardization and industry scalability. The IAB Diligence Platform solves for this challenge.

​The Road Ahead
Our goal is to ensure that privacy remains at the forefront of scalable solutions, helping to safeguard consumer privacy while also enhancing deal speed. The IAB remains committed to enhancing the IAB Diligence Platform to meet the changing privacy landscape.

The post An Update on How the IAB Diligence Platform is Streamlining Third-Party Risk Management for Digital Advertising appeared first on IAB.

Stay at the forefront of modernizing television standards. Our discussions will revolve around the foundational building blocks emerging from the Advanced TV Commit Group, as well as the latest digital video standards found within the OpenRTB, VAST, and suite of specifications. It’s your chance to shape the future of TV interoperability.

The post IAB Tech Lab, I Want My CTV: AdvancedTV Tech appeared first on IAB.

Explore cutting-edge technical solutions and standards available today, along with emerging technologies and concepts, all dedicated to addressing the never-ending privacy conundrum while preserving consumer privacy and nurturing open internet and advertising marketplaces. Past events have delved into topics like, Privacy Sandbox, data clean rooms, identity resolution solutions, Privacy Enhancing Technologies (PETs), and consent signaling frameworks (TCF, GPP). Plus, enjoy multiple networking opportunities to foster vital conversations with key decision-makers from your business partners and solution providers.

The post IAB Tech Lab, Privacy & Addressability, “As the Cookie…Lingers” West Coast appeared first on IAB.

We’ll cover releases across all of our strategic pillars including privacy, addressability & privacy enhancing technologies, advanced tv and supply chain foundations.

This event will take place at the IAB Tech Lab office in New York City. A virtual option is available.

The post 2024 IAB Tech Lab Council Meeting appeared first on IAB.

When we first announced the launch of the IAB Diligence Platform, we emphasized the importance of working smarter to solve the complex process of managing privacy diligence with the numerous vendors in the digital advertising industry. The Platform is compatible with any privacy program management solution and assesses privacy compliance in the context of actual data flows and uses in the digital advertising industry. Moreover, it’s fully auditable, making it an invaluable tool for effective and efficient privacy compliance management for your business.

The IAB Diligence Platform includes questions that are specifically drafted for a publisher’s state privacy law diligence of a Supply-Side Platform (SSP); an advertiser’s diligence of a demand-side platform (DSP); an SSP’s diligence of a DSP; and everyone’s diligence of data brokers.  The Platform also includes SafeGuard Privacy’s US State Law assessments that can be leveraged for self-assessment, and for additional vendor assessment.

The IAB Diligence Platform is a critical step in standardizing privacy due diligence for the digital advertising industry.  We encourage all IAB members, and the industry more broadly, to use it to satisfy their privacy diligence obligations.

To learn more about the IAB Diligence Platform, please visit https://safeguardprivacy.com/iab-diligence-platform/.

The post OneTrust Becomes First Privacy Vendor to Integrate with IAB Diligence Platform Powered by SafeGuard Privacy appeared first on IAB.

The post Ad Ops Workshop for Advanced TV appeared first on IAB.

The US National Privacy String was specifically designed to support the MSPA. The Tech Lab’s github repository makes that purpose clear with the naming convention: “IAB Privacy’s [the IAB entity that holds the MSPA] US National Privacy Technical Specification.” The preface in github states:

This document outlines the technical specification for using the GPP specifications with the IAB Privacy Multi-State Privacy Agreement legal requirements. . . . The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach [a defined term in Section 1.81 of the MSPA] for their processing of a consumer’s personal data.

While we believe that this language is clear, we’ll provide even more qualifying language in the coming weeks to make it doubly clear – the US National Privacy String must only be used by MSPA signatories or MSPA-certified partners who have agreed to comply with the “National Approach” as defined in the MSPA.

For those who are not an MSPA signatory or certified partner, there are several reasons why they should not send or receive IAB Privacy’s MSPA US National String and use it for their own purposes. First, if publishers or advertisers send the US National String when they are not a signatory to the MSPA or a certified partner, they run the risk of making material misrepresentations that they are an MSPA signatory or certified partner and adhere to the MSPA’s National Approach as the means of reconciling the differences in the state privacy laws. Regulators such as the FTC and State Attorneys General have previously enforced misleading certification advertising claims. Second, if adtech providers induce or knowingly receive and open the US National Privacy String and are not a signatory to the MSPA or a certified partner, they run the risk of potentially assisting and facilitating false advertising for which there is joint and several liability. It also raises the risk of a tortious interference claim being brought by another MSPA signatory.

We certainly appreciate the desire for a single string to cover the U.S., but alas we do not have a federal privacy law that we can simply cite to in the string, as we do for the state-specific strings. Some have asked, “Why can’t we just list the relevant provisions of all the state laws in a US national string and not connect it to the MSPA?” The problem is that the string would be of little privacy value – no better than a general representation and warranty to comply with applicable provisions of all relevant state privacy laws. The outcome is the senders and recipients of the string would have different views and implementations around reconciling the different state privacy laws. So, receipt of the same signal would lead to different implementation outcomes.

Some have similarly asked, “What if I have privacy terms in my contracts with my partners, could I use the US National Privacy String then?” The problem is that there are potential variations in terms across partnership agreements, resulting in the same outcome of differing views and implementations. Our industry can do better than that to protect consumer privacy and we doubt that regulators would ever accept such an approach.

That is why we created the MSPA, and the corresponding U.S. National Privacy String, in the first place – to serve as a central and transparent set of privacy terms for the industry to point to that brings a consistent set of privacy outcomes and generally aligns with the highest common denominator across the privacy laws.

It is more imperative than ever for our industry to be compliant to the letter of the law. If you’re an MSPA signatory or certified partner, go ahead and send either IAB Privacy’s US National Privacy String or a state-specific string; the MSPA accommodates both approaches. But if you’re not an MSPA signatory, you should only send or receive state-specific strings with your partners.

The post Multi-State Privacy Agreement and Global Privacy Platform Update appeared first on IAB.

Learn more about new CTV events signals, including:

• Identifying CTV Traffic: Know the environment in which a native app is running.
• Last Activity: Signal that an event occurred indicating someone is “still watching”.
• Display Connection Status: Understand when the TV display is off, but applications may still be running.
• Video Pod Measurement: Enable measurement of video ad pods with gapless playback for “javascript” session types.

The post Expanded Coverage for OMSDK for CTV appeared first on IAB.

Note: This is not a CLE-eligible workshop

Topics will include:

• How the digital supply chain works and how data flows through the ecosystem
• Changes in the digital advertising status quo caused by operating systems, browser, regulation, and concerns around “data leakage”
• Evolution of new privacy technologies including PETs to address the changes
• Other approaches to addressability

*Save the date! More to come soon!

The post Privacy Tech Workshop for Lawyers and Cross-Functional Privacy Teams – D.C. appeared first on IAB.

Throughout this Webcast, they will discuss:
– Privacy Sandbox Fit Gap Analysis study results
– Areas where adjustments and improvements may be needed
– To what extent Privacy Sandbox prioritizes user privacy

Don’t miss this full-on virtual chat from ExchangeWire in association with IAB Tech Lab, keeping you up-to-date in these unprecedented times.

Agenda:
15 minute presentation by Shailley Singh, IAB Tech Lab
30 minute panel discussion

The post Navigating the Divide: Privacy Sandbox Fit-Gap Analysis and Industry Solutions appeared first on IAB.