Last month the IAB Tech Lab introduced a draft for a Multi-State Privacy Agreement (MSPA), which aims to unify compliance across a variety of state laws. Whilst MOW agrees in principle with a rationalisation of the complex compliance landscape, there are some clear and fundamental issues with the proposal as it stands.
Chief amongst them is that this “National Approach” would in effect require the strictest state rules to be combined. This overrides the decision of some states not to introduce the strictest regulation, based on the calculus that free content provided by data processing might be more important than certain user opt-ins and opt-outs. This is valid reasoning, considering there is no evidence to suggest that regulated data processing and ad personalisation are at all detrimental to consumer privacy.
MOW proposes that the national approach should be adopted on an opt-in basis until such time as there is a federal US law. Many states have chosen not to regulate innocuous data use and instead take a more targeted approach, and it is important not to lose the insight that data ought not to be restricted unless there is harm from its handling.
The MSPA envisages treatment as a “First Party” vendor or publisher or as a “Downstream Participant” vendor. First parties can then elect either to be pure service providers, who do not sell or share data, or they can engage “opt-out option mode”, which is jargon for delegating the handling of opted-out site users.
The gaping hole left is delegating opted-in data handling to third-party vendors, which helps publishers across a wide range of low-risk use cases:
- Frequency capping: The ability to cap frequency across different websites could be impeded by data handling restrictions.
- Measurement: Advertising measurement will be impeded.
- Content tailoring: Restrictions based on applying the strictest law everywhere would mean less revenue for both publishers and ad tech.
So, although, as IAB notes, some measurement and frequency capping remains available, the ability to use a range of vendors for the best solutions is badly impeded. The policies as drafted would harm the open web, as noted by the W3C TAG in rejecting Google’s First Party Sets and in the similar rejection by the UK CMA and ICO of the “corporate ownership” exemption, which relies on who processes data rather than what data is being processed to evaluate privacy risk to specific individuals.
MOW notes that whilst these standards do not constitute law, if they are adopted by the largest industry players and IAB takes a position to exclude other standards, which is likely, they are de facto mandatory and individual vendors will not have a practical choice other than compliance. National and regional IABs risk becoming part of the anti-trust landscape if they advocate IAB Tech Lab’s MSPA over others.
MOW has submitted detailed commentary to IAB Tech Lab. The full version is available below.