IAB Introduces a Diligence Platform To Help Modernize Privacy Compliance

An Exclusive Q&A with Michael Hahn and Richy Glassberg on complying with the new privacy regulations and the ins and outs of the IAB Diligence Platform. 

How often have you been in this scenario: Your sales team receives an RFI for a campaign, and everyone is under pressure to complete the deal. But there’s a pending due diligence form that’s not quite complete. Do you go forward with the deal? Cut-and-paste answers from past privacy questionnaires? Walk away from the deal?

To the IAB, none of these options are ideal. In a perfect world, all players in the ecosystem can submit accurate and complete answers with a push of a button, which is just one of the many reasons the IAB announced the IAB Diligence Platform last week at its Annual Leadership Meeting. Powered by comprehensive questions designed to answer state regulations and a vendor compliance hub created by SafeGuard Privacy, the platform seeks to standardize, modernize, and improve privacy diligence practices for the digital advertising industry.

To learn more about how the IAB Diligence Platform can benefit AdOps teams and the industry, we sat down with Michael Hahn, EVP and General Counsel, IAB, and Richy Glassberg, co-founder and CEO of SafeGuard Privacy.

Susie Stulz: The industry has been adapting to privacy regulations for five years or more. Why launch a new platform now?

Michael Hahn: Digital advertising is quickly becoming a regulated industry under state privacy laws. These laws expect more from us than they ever have. This is particularly true regarding the diligence of one’s counterparties. 

For instance, the California Privacy Protection Agency (CPPA) has rulemaking authority and the power to enforce the CCPA (as does the California Attorney General’s Office concerning enforcement). This coming March, a critical CPPA regulation goes into effect. Namely, whether you conduct diligence on your partners to whom you disclose personal information will become a material factor in determining whether you will be liable for their wrongdoing.

Historically, privacy diligence around a counterparty was ultimately embedded in the contract. Publishers worked with parties they assumed to be trustworthy, and agreements were in place that included representations and warranties that the partner complied with the applicable law and an indemnification obligation if something went wrong. Perhaps the publisher sent out a questionnaire about privacy practices. 

But new privacy laws require us to do more than that. Publishers, SSPs, DSPs, marketers, and their agencies now have increasing responsibility for what their partners do with their shared data.

SS: How does the IAB Diligence Platform address that new reality?

MH: The goal of the IAB Diligence Platform is to help all players in the industry achieve more effective and efficient diligence between partners. To do this, we have a multiple-pronged process.

First, we created standardized questions for partners to answer. Some of these questions are tied to the specific tech services that are leveraged (SSPs, DSPs, etc.), while others, developed by SafeGuard Privacy, are tied to each state privacy law.

The other significant prong is the vendor compliance hub, built on the SafeGuard Privacy Compliance Vendor Hub. This is a SaaS-based tool that allows platform users to share the compliance questionnaires upon request with IAB members and non-members who opt to use the IAB Diligence Platform.

SS: So if I, as a publisher, answer these questions, whenever I receive an RFI with privacy questions, I can share the answers through the vendor compliance hub.

Richy Glassberg: Yes, the goal is to make it very easy. Going further, let’s say you’ve shared your answers with the account team of a specific media agency. Those answers are also available to other account teams within the same agency. Your AdOps team doesn’t need involvement because the answers are available automatically to the agency.

SS: How are AdOps teams answering these questions currently?

RG: Historically, it’s been a manual process that is far from standard, by which I mean the questions themselves aren’t even standard. 

Typically, the AdOps team works with an internal GC, internal privacy leader, or an outside law firm, who will write what they consider good, but rather broad, answers. Keep in mind that the RFIs themselves often contain broad questions. Then, it’s up to the AdOps team members to apply those answers to the RFIs they receive as best as they can.

All questions and answers vary from RFI to RFI and company to company. Some companies use an industry framework or select questions from multiple frameworks. The challenge is that those responses aren’t always tied to specific State laws or appropriate to the use case.

Now consider that a publisher can receive 50 RFIs a month, and a platform can receive 2,000, none of which have the same privacy questions. That’s tremendous friction for the AdOps teams, who must respond. 

The goal is to eliminate that friction by standardizing the questions, covering the entirety of the laws, and providing questions purpose-built for the appropriate vertical, whether that’s an SSP, DSP, media agency, data provider, or publisher.

SS: So the idea is, if you’re a user of the IAB Diligence Platform, your internal lawyer or law firm answers these questions once, and as the RFPs come in, rather than answer each separately, pulling answers from past RFIs, you share the completed questionnaire?

RG: That’s the vision. The platform’s benefit is that users can answer the questions once and share them as many times as needed.

Ultimately, we’d like to get to a point where we have as many IAB members as possible adopt the platform. The more that do, the more the AdOps teams can reduce their workloads because sharing the answers — providing accurate and complete information on how the publisher complies with every State regulation and the appropriate IAB vertical — is pressing one button.

MH: Right now, the AdOps teams often use a cut-and-paste process that needs more in-depth questions and answers. This is not a criticism; it’s just a reality that needs to change. 

As we’ve discussed, we need more effective questions, specific to the vertical and jurisdiction. We also want more efficiency, which we want to achieve through a network-based approach.

As Richy said, if the lawyer fills it out once, they can focus on the intricacies of the questions rather than answer generic questions dozens and dozens of times.

SS: Presumably, it also makes it easier for publishers and other ad tech players to understand what their partners are doing with their data.

MH: Absolutely. You have all these pixels on your site if you’re a publisher. You have partners who receive your users’ PII data in the bidstream, and you want to know what they’re doing with that data. 

For publishers, this is one of the most compelling reasons to use the platform. You have a vast network of companies who have access to your data. The idea is that you can go to the platform and push a button, which then sends to a partner a set of questions that are designed for the specific services the partner provides so that you can understand how the partner processes your PII data and complies with the privacy regulations in each jurisdiction.

Right now, people ask very generic questions. But if you’re a publisher, you want to know what your SSP partner is doing when they receive your Global Privacy Platform (GPP) signal, what information it’s adding to its identity graph, what data it’s using for measurement purposes, and so on.

It’s important to realize that the laws expect you to do more to understand what your partners are doing with the data you send them in the course of doing business together.

SS: Are the questions and answers on the platform auditable?

RG: Yes, the platform has comprehensive, secure auditing capabilities based on the event trail, which is tracked by answering questions and adding supporting comments and documents.

Any publisher that uses the platform can engage a third-party auditor or reviewer to review and verify their assessments. Today, for instance, the SafeGuard Privacy platform supports the COPPA Children’s Advertising Review Unit (CARU) assessment conducted by BBB CARU, and children’s focused publishers that are part of that program can be confident that they will stand up to a CARU audit. That’s the benefit of the platform; it lets publishers feel confident about the assessments completed by counterparties who also use it.

MH: In addition to doing due diligence on your counterparties, publishers can follow up based on what you’ve learned doing that diligence, which is something that is built into these privacy laws, as reflected in the audit requirements.

SS: Any parting thoughts for our readers in the changing regulatory landscape?

RG: Michael’s point at the beginning of this discussion bears repeating. We are in an increasingly regulated industry, and those regulations have teeth. There are real consequences to falling out of compliance, and doing business with a counterparty you haven’t vetted properly is a risk not worth taking. 

This industry needs diligence, standardization, and interoperability, and the IAB Diligence Platform delivers just that. It will drive efficiency and help ensure that all parts of the ecosystem, IAB Members and non-IAB members, can meet their obligations under the law. This is an industry solution.