Project Crosswalk: IAB’s Guidelines for CTV Privacy Compliance

IAB created Project Crosswalk to help publishers and advertisers who want to participate in the CTV boom but are worried about privacy compliance guidelines. The project is a working group of the IAB Legal Affairs Council that identifies privacy complications in CTV and develops solutions to these compliance issues. The project launched in 2020 after the IAB Legal Affairs Council created a forum for CTV publishers and advertisers to address CTV privacy concerns raised by the CCPA. 

“The CCPA was the first comprehensive consumer privacy law passed in the United States, and even though it’s a California state law, there was nothing like it on the books that generally applied to consumer personal information,” said Tony Ficarrotta, Assistant General Counsel, IAB. “The CCPA was the first one that said we don’t care what industry you’re in. If you’re processing consumer personal information, then you have certain requirements. In digital media and advertising, there are many questions about how that law applies to the data often processed to select and deliver digital ads.” 

The initial white paper, released in 2020, detailed which companies were involved in the CTV process, explained how to define and use personal information in the CTV space, and how companies can comply with privacy laws. Project Crosswalk 2.0 builds on that study. 

How Is CTV Unique? The Remote Control and the Identity Conundrum 

The Remote Control: With several state-wide privacy laws in place and on the way, CTV providers must offer consumers residing in those states the option to opt out of selling or sharing their personal information for ad targeting. Platforms have years of experience implementing these regulations on mobile and desktop devices, but these regulations have caused user experience issues for CTV providers. 

Remote controls are the primary interface used to navigate connected TVs, and they generally have limited functionality compared to mobile and desktop devices. When consumers try to exercise their privacy rights on CTV devices, they spend longer using the remote to enter the information needed to complete the request, which hinders the UX. 

In response, CTV providers created a pathway for consumers to review privacy notices and exercise their privacy rights outside of the CTV space. They provide a URL or QR code that leads to a website, and consumers can exercise their right to privacy on a desktop or mobile device. However, regulators are urging platforms to move away from this practice:

According to the FTC report, Bringing Dark Patterns to Light, “Consumers should not have to navigate through multiple screens to find privacy settings … [privacy settings] should be presented at a time and in a context where the consumer is deciding their data.” 

The Identity Conundrum: Identifying consumers with regard to privacy compliance is difficult, especially in a space that is so fragmented. Many ID solutions have worked in desktop and mobile devices, even with third-party cookie deprecation, but that has not always translated to CTV platforms. 

The most common identifier in the CTV space is a user’s internet protocol (IP) address. It allows CTV platforms to bridge identity signals to activate advertising audiences and measure the effectiveness of advertising in CTV. However, IP addresses are generally network-level IDs rather than user- or device-level IDs, which causes some issues in the identification process. For example: 

  • Very few ad-tech providers have built IP-based opt-out mechanisms. In the past, it was not necessary because of the reliability of cookie-based opt-outs.  
  • Even if IP-based opt-outs became commonplace, the reliability of their opt-out signals would be uncertain because internet service providers (ISPs) periodically rotate IP addresses, and users often engage with the same businesses using multiple IP addresses.

The IAB Project Crosswalk whitepaper suggests relying on internal development resources and on first parties that can store user privacy choices made on a CTV user interface, either directly on the CTV or on their servers, using the GPP. First parties can subsequently make those choices available in bid requests, so that third parties can apply them to the identifiers they leverage for advertising. 

CTV Privacy Compliance Considerations

In CTV advertising, processing and transferring consumer information is essential for ad selection and delivery, measurement, and audience creation. Due to the complexity of processing personal information in the connected TV space, platforms must understand their obligations under state privacy laws. Here is what IAB suggests companies consider. 

1st Consideration: Leverage partnerships between cross-functional privacy teams to understand compliance regulations. 

Privacy lawyers, product experts, and privacy operations and governance professionals should work together to tackle the complexities of the data flow process in CTV advertising, balanced against compliance regulations. They can each help identify when personal information is processed, when consumers request opt-outs, and how to apply rules to these processes. 

2nd Consideration: Clearly define your role in the CTV advertising process.

Every entity in the CTV advertising process should define clear roles for participating, whether they are a business and controller, third party, or service provider and processor. Companies may need to be flexible in their roles in different circumstances, depending on how consumers interact with the company and whether they have opted out. 

The IAB’s Multi-State Privacy Agreement (MSPA) provides an efficient way to define each party’s role in a transaction for privacy compliance while giving the flexibility to play different roles in different circumstances. CTV platforms are often a first-party business or controller, but they may be a third-party or service provider and processor, depending on the circumstances. The MSPA can help companies enter into the required contractual privity with all parties to the transaction. 

3rd Consideration: Create opt-out signals that communicate consumers’ choices in CTV platforms

Businesses and controllers must provide consumers with ways to opt out of certain activities. This responsibility also applies to CTV platforms, app publishers, and advertisers in the CTV environment. Privacy technology vendors offer a way to block information transfer if a user opts out, but using a privacy signaling framework like the GPP is better. Downstream vendors receiving an opt-out signal can comply with appropriate signaling, MSPA, or other contractual mechanisms to prevent sales that the consumer opted out of while allowing limited data processing for advertising.

4th Consideration: Evaluate use cases involving ACR data

When using ACR data, CTV platforms should consider specific compliance steps to ensure the user’s privacy and data protection rights are respected. One of the most important steps is to obtain the user’s opt-in consent before collecting, using, or sharing their ACR data. This is in line with FTC precedent and industry self-regulatory guidelines